
[email protected]:~/elfxtract$ python3 main.py --file programvuln -a

 _____ _     ______ __   __ _                  _   
|  ___| |    |  ___|\ \ / /| |                | |  
| |__ | |    | |_    \ V / | |_ _ __ __ _  ___| |_ 
|  __|| |    |  _|   /   \ | __| '__/ _` |/ __| __|
| |___| |____| |    / /^\ \| |_| | | (_| | (__| |_ 
\____/\_____/\_|    \/   \/ \__|_|  \__,_|\___| \__|

@aidenpearce369

***************************************************************************

> FILE INFO :

ELF Name : programvuln
ELF Type : ELF 64-bit LSB shared object
ELF Arch : x86-64
ELF SHA1 Hash : BuildID[sha1]=cf149d97ad1e895561080b1f5c317bc5bc1e8652

This binary is dynamically linked & not stripped

***************************************************************************

> SHARED OBJECT DEPENDENCY :

linux-vdso.so.1 (0x00007ffd525a4000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd610d93000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd610fa1000)

***************************************************************************

> ELF SECURITY MITIGATIONS :

RELRO : Full RELRO
STACK CANARY : No canary found
NX BIT : NX disabled
PIE : PIE enabled
RPATH : No RPATH
RUNPATH : No RUNPATH

***************************************************************************

> POSSIBLE STRINGS :

nth paddr vaddr len size section type string
――――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00002008 0x00002008 31 32 .rodata ascii You have bypassed this function
1 0x00002028 0x00002028 12 13 .rodata ascii cat flag.txt
2 0x00002035 0x00002035 15 16 .rodata ascii Enter your name
3 0x00002045 0x00002045 13 14 .rodata ascii Your name is 

***************************************************************************

> RODATA HEXDUMP :

0x00002000 01000200 00000000 596f7520 68617665 ........You have
0x00002010 20627970 61737365 64207468 69732066  bypassed this f
0x00002020 756e6374 696f6e00 63617420 666c6167 unction.cat flag
0x00002030 2e747874 00456e74 65722079 6f757220 .txt.Enter your 
0x00002040 6e616d65 00596f75 72206e61 6d652069 name.Your name i
0x00002050 732000 s .

***************************************************************************

> ELF ENTRY POINT :

The entry point of the ELF is at 0x10c0

***************************************************************************

> HEADER MEMORY MAP :

Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000002d8 0x00000000000002d8 R 0x8
INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000006a8 0x00000000000006a8 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x00000000000002b5 0x00000000000002b5 R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x00000000000001c8 0x00000000000001c8 R 0x1000
LOAD 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000270 0x0000000000000278 RW 0x1000
DYNAMIC 0x0000000000002db0 0x0000000000003db0 0x0000000000003db0
0x00000000000001f0 0x00000000000001f0 RW 0x8
NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
0x0000000000000044 0x0000000000000044 R 0x4
GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
GNU_EH_FRAME 0x0000000000002054 0x0000000000002054 0x0000000000002054
0x000000000000004c 0x000000000000004c R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RWE 0x10
GNU_RELRO 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000260 0x0000000000000260 R 0x1

***************************************************************************
[*] Loaded 14 cached gadgets for 'programvuln'

> ROP GADGETS :

0x1017 : add esp, 8;ret
0x1016 : add rsp, 8;ret
0x1221 : leave;ret
0x128c : pop r12;pop r13;pop r14;pop r15;ret
0x128e : pop r13;pop r14;pop r15;ret
0x1290 : pop r14;pop r15;ret
0x1292 : pop r15;ret
0x128b : pop rbp;pop r12;pop r13;pop r14;pop r15;ret
0x128f : pop rbp;pop r14;pop r15;ret
0x1193 : pop rbp;ret
0x1293 : pop rdi;ret
0x1291 : pop rsi;pop r15;ret
0x128d : pop rsp;pop r13;pop r14;pop r15;ret
0x101a : ret

***************************************************************************

> PLT TABLE :

__cxa_finalize : 0x1074
puts : 0x1084
system : 0x1094
printf : 0x10a4
gets : 0x10b4

***************************************************************************

> GOT TABLE :

_ITM_deregisterTMCloneTable : 0x3fd8
__libc_start_main : 0x3fe0
__gmon_start__ : 0x3fe8
_ITM_registerTMCloneTable : 0x3ff0
__cxa_finalize : 0x3ff8
puts : 0x3fb8
system : 0x3fc0
printf : 0x3fc8
gets : 0x3fd0

***************************************************************************

> FUNCTION TABLE :

__libc_csu_fini : 0x12a0
__libc_csu_init : 0x1230
win : 0x11a9
_start : 0x10c0
main : 0x11d6

***************************************************************************

> POSSIBLE USER DEFINED FUNCTIONS :

win : 0x11a9
main : 0x11d6

***************************************************************************

> ASSEMBLY AND DECOMPILED CODE :

[*] ASM - win :

┌ 45: sym.win ();
│ 0x000011a9 f30f1efa endbr64
│ 0x000011ad 55 push rbp
│ 0x000011ae 4889e5 mov rbp, rsp
│ 0x000011b1 488d3d500e00. lea rdi, str.You_have_bypassed_this_function ; 0x2008 ; "You have bypassed this function" ; const char *format
│ 0x000011b8 b800000000 mov eax, 0
│ 0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format)
│ 0x000011c2 488d3d5f0e00. lea rdi, str.cat_flag.txt ; 0x2028 ; "cat flag.txt" ; const char *string
│ 0x000011c9 b800000000 mov eax, 0
│ 0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)
│ 0x000011d3 90 nop
│ 0x000011d4 5d pop rbp
└ 0x000011d5 c3 ret

[*] DECOMPILED CODE - win :

void sym.win(void)

{
sym.imp.printf("You have bypassed this function");
sym.imp.system("cat flag.txt");
return;
}

[*] ASM - main :

; DATA XREF from entry0 @ 0x10e1
┌ 77: int main (int argc, char **argv, char **envp);
│ ; var char *s @ rbp-0x40
│ 0x000011d6 f30f1efa endbr64
│ 0x000011da 55 push rbp
│ 0x000011db 4889e5 mov rbp, rsp
│ 0x000011de 4883ec40 sub rsp, 0x40
│ 0x000011e2 488d3d4c0e00. lea rdi, str.Enter_your_name ; 0x2035 ; "Enter your name" ; const char *s
│ 0x000011e9 e892feffff call sym.imp.puts ; int puts(const char *s)
│ 0x000011ee 488d45c0 lea rax, [s]
│ 0x000011f2 4889c7 mov rdi, rax ; char *s
│ 0x000011f5 b800000000 mov eax, 0
│ 0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)
│ 0x000011ff 488d3d3f0e00. lea rdi, str.Your_name_is_ ; 0x2045 ; "Your name is " ; const char *format
│ 0x00001206 b800000000 mov eax, 0
│ 0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)
│ 0x00001210 488d45c0 lea rax, [s]
│ 0x00001214 4889c7 mov rdi, rax ; const char *s
│ 0x00001217 e864feffff call sym.imp.puts ; int puts(const char *s)
│ 0x0000121c b800000000 mov eax, 0
│ 0x00001221 c9 leave
└ 0x00001222 c3 ret

[*] DECOMPILED CODE - main :

// WARNING: [r2ghidra] Failed to match type char * for variable s to Decompiler type:

undefined8 main(void)

{
undefined8 s;

sym.imp.puts("Enter your name");
sym.imp.gets(&s);
sym.imp.printf("Your name is ");
sym.imp.puts(&s);
return 0;
}

***************************************************************************

> VULNERABLE FUNCTIONS :

Possible vulnerability spots - Command Execution

0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)

Possible vulnerability spots - Format String

0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format)
0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)

Possible vulnerability spots - Buffer Overflow

0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)

***************************************************************************
