Tag Archives: security

IT Security Brothers (http://itsb.pro)

Hi guys, I would like to present our new project, IT Security Brothers (http://itsb.pro).
We provide penetration testing, consulting and IT outsourcing services.
Feel free to hire us for IT jobs.

How to use LD_PRELOAD for cracking applications

This post shows how LD_PRELOAD can be used to bypass a password check in a dynamically linked binary. First, the target program:

test.cpp

#include <cstring>
#include <iostream>
using namespace std;

int main()
{
  // The expected password is never stored as-is: it is derived at run time
  // as the byte-wise average of two embedded strings.
  const char *pre_pass = "a382fbe8e8f087352e250561d724c0a";
  const char *salt =     "1qazxcvfdswer435tgbnhy67ujmkdfg";
  char pass[32];
  for(int i = 0; i < 32; i++)
  {
    int a = pre_pass[i];
    int b = salt[i];
    int c = (a + b)/2;
    pass[i] = c;   // index 31 averages the two NUL terminators, so pass is NUL-terminated
  }
  char user_input[32];
  cout << "Enter your password's md5 hash for enter to root access level" << endl;
  cout << "> ";
  cin.width(32);   // read at most 31 characters plus the terminating NUL
  cin >> user_input;
  if ( strncmp( pass, user_input, 32)==0 )   // the check we are going to hijack
    {
      cout <<  "Secret is " << pass << endl;
    }
  else
    {
      cout << "Access denied, loser" << endl;
    }
  return 0;
}

Compile it with g++:
g++ test.cpp -o test

Try to guess the password:
./test

Enter your password's md5 hash for enter to root access level
> asd
Access denied, loser

How do we break it? LD_PRELOAD is the answer.

Looking at the code, all we need is for strncmp() to return zero. Since test is dynamically linked against libc, a library that is preloaded before libc can supply its own strncmp, and the dynamic linker will bind the program's call to that one instead:
strncmp_lib.c

#include <stddef.h>

/* Same name and signature as the libc function, so once this object is
 * preloaded the target's strncmp calls bind here instead of to libc. */
int strncmp(const char *string1, const char *string2, size_t num)
{
    (void) string1; (void) string2; (void) num;
    return 0;   /* every comparison "matches" */
}

Compile it with gcc:
gcc -Wall -O2 -fpic -shared -o strncmp_lib.so strncmp_lib.c

and run the target with the library preloaded (the file name must match the one you just built):
LD_PRELOAD="./strncmp_lib.so" ./test

Enter your password's md5 hash for enter to root access level
> asd
Secret is IRLVobmOdUnJU535SfJQLW64lPOOcKd

Two caveats. This works only because test is dynamically linked and is not set-user-ID: the dynamic linker drops LD_PRELOAD and the other LD_* variables for set-user-ID programs, and a statically linked binary never consults it at all. And returning 0 from every strncmp() call affects every other comparison in the process; this toy program is small enough not to notice, but a real target may misbehave long before it reaches the check you care about.
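The one-line stub is enough for this toy, but in practice you want a hook that keeps the target working and leaks the secret without having to get past the check at all. The following interposer is an added example written for this article, not code from the original post: it logs both operands of every strncmp() call, passes the call through to libc's real strncmp via dlsym(RTLD_NEXT) so unrelated comparisons still behave, and forces a match only when the HOOK_FORCE_MATCH environment variable (a name chosen here) is set. The hook_result() and hook_quote() helpers, the log format, and the -ldl flag (only needed on glibc older than 2.34) are all assumptions of this example.

```c
/* strncmp_hook.c: a less blunt LD_PRELOAD interposer for strncmp().
 * It logs both operands of every call (so the derived secret leaks even if
 * the program never prints it), passes the call through to libc's strncmp
 * via RTLD_NEXT so unrelated comparisons keep working, and only reports a
 * match when HOOK_FORCE_MATCH is set in the environment.
 *
 *   gcc -Wall -O2 -fPIC -shared -o strncmp_hook.so strncmp_hook.c -ldl
 *   HOOK_FORCE_MATCH=1 LD_PRELOAD=./strncmp_hook.so ./test
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for RTLD_NEXT in <dlfcn.h> */
#endif
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1L)   /* glibc/musl value, in case a header ran before _GNU_SOURCE */
#endif

typedef int (*strncmp_fn)(const char *, const char *, size_t);

/* Policy: with force set, every comparison "succeeds"; otherwise the real
 * result is returned unchanged. Kept separate so it is testable without a
 * preload. */
int hook_result(int real_result, int force)
{
    return force ? 0 : real_result;
}

/* Render at most n bytes of s (stopping at NUL) as a double-quoted string
 * in buf. Bytes outside printable ASCII, quotes and backslashes become \xNN
 * so a binary operand cannot garble the log. Returns the length the full
 * rendering would have; buf is always NUL-terminated if buflen > 0. */
size_t hook_quote(char *buf, size_t buflen, const char *s, size_t n)
{
    size_t w = 0;
    char tmp[8];
    /* emit one character, counting it even when buf is too small to hold it */
#define PUT(c) do { if (w + 1 < buflen) buf[w] = (c); w++; } while (0)
    PUT('"');
    for (size_t i = 0; i < n && s[i] != '\0'; i++) {
        unsigned char c = (unsigned char) s[i];
        if (c >= 0x20 && c < 0x7f && c != '"' && c != '\\') {
            PUT((char) c);
        } else {
            snprintf(tmp, sizeof tmp, "\\x%02x", c);
            for (int k = 0; tmp[k] != '\0'; k++) PUT(tmp[k]);
        }
    }
    PUT('"');
#undef PUT
    if (buflen > 0) buf[w < buflen ? w : buflen - 1] = '\0';
    return w;
}

/* HOOK_FORCE_MATCH is an environment variable name chosen for this example. */
static int force_match_enabled(void)
{
    static int cached = -1;
    if (cached < 0) {
        const char *v = getenv("HOOK_FORCE_MATCH");
        cached = (v != NULL && v[0] != '\0' && v[0] != '0');
    }
    return cached;
}

/* The interposer. Because the preloaded object is searched before libc,
 * the target's strncmp@plt binds here; dlsym(RTLD_NEXT) then finds the
 * next definition in lookup order, i.e. libc's, for the pass-through. */
int strncmp(const char *s1, const char *s2, size_t n)
{
    static strncmp_fn real = NULL;
    static int in_hook = 0;
    if (real == NULL) {
        real = (strncmp_fn) dlsym(RTLD_NEXT, "strncmp");
        if (real == NULL) {
            fputs("[hook] cannot resolve real strncmp\n", stderr);
            abort();
        }
    }
    int r = real(s1, s2, n);
    if (in_hook)                  /* re-entered from stdio/getenv: stay silent */
        return r;
    in_hook = 1;
    char a[160], b[160];
    hook_quote(a, sizeof a, s1, n);
    hook_quote(b, sizeof b, s2, n);
    int out = hook_result(r, force_match_enabled());
    fprintf(stderr, "[hook] strncmp(%s, %s, %zu) = %d -> %d\n", a, b, n, r, out);
    in_hook = 0;
    return out;
}
```

Against the test program above, `HOOK_FORCE_MATCH=1 LD_PRELOAD=./strncmp_hook.so ./test` prints the secret as before; even without HOOK_FORCE_MATCH the log line already shows the derived password as the first operand, so the comparison never has to succeed for the secret to leak.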

crypto: gpg

gpg --list-keys // list all public keys in the keyring
gpg --list-sigs // list all keys together with the signatures on them
gpg --fingerprint ID // show a key's fingerprint; compare it with the owner out of band before signing
gpg --sign-key ID // sign the key with the given ID using your own key
gpg --import KEY // import a key from the file KEY into the keyring
gpg --export -a -o KEY.asc ID // export the key with the given ID in ASCII-armored form to the file KEY.asc

FreeBSD 7-8 Exploit & Patch

A local exploit that escalates an ordinary user to root on FreeBSD 7 and 8.

http://seclists.org/fulldisclosure/2009/Nov/371

Run it as an unprivileged user and you get root privileges. It works because rtld's unsetenv() calls can fail on a malformed environment and the original code ignored their return value, so LD_PRELOAD survived into a set-user-ID process; the patch below makes rtld abort instead.

Patching:

cd /usr/src/libexec/rtld-elf
cp rtld.c rtld.c.bak
ee rtld.c

Find this part of the file (LD_ is rtld's macro for the "LD_" prefix, concatenated with the literal that follows it):

    if (!trust) {
        unsetenv(LD_ "PRELOAD");
        unsetenv(LD_ "LIBMAP");
        unsetenv(LD_ "LIBRARY_PATH");
        unsetenv(LD_ "LIBMAP_DISABLE");
        unsetenv(LD_ "DEBUG");

and change it to:

    if (!trust) {
        if (unsetenv(LD_ "PRELOAD") || unsetenv(LD_ "LIBMAP") ||
            unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBMAP_DISABLE") ||
            unsetenv(LD_ "DEBUG") || unsetenv(LD_ "ELF_HINTS_PATH")) {
            _rtld_error("environment corrupt; aborting");
            die();
        }
    }

Then run make && make install in that directory and re-run the exploit to confirm the fix works: it no longer escalates to root.
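As an added example (not FreeBSD's rtld code and not the patch above), here is the same sanitization done by scanning the environment vector directly. The by-name unsetenv() calls in the patch can fail on a malformed environment, which is why the fix aborts when any of them does; rewriting the vector removes every LD_-prefixed entry whether or not it is well formed, and a second scan verifies the post-condition. Treating the whole LD_ prefix as hostile, rather than rtld's explicit list of names, is a policy choice made here for illustration, and the sample environment is constructed for the demo.

```c
/* scrub_env.c: remove LD_* variables from an environment vector by
 * rewriting the vector itself, instead of calling unsetenv() once per name.
 * Scanning the vector drops every matching entry, malformed ones (no '=')
 * included, and the caller verifies the result with a second scan, which is
 * the check a loader should make before trusting the environment.
 *
 * Build and run:  cc -Wall -o scrub_env scrub_env.c && ./scrub_env
 */
#include <stdio.h>
#include <string.h>

/* Does entry belong to the family we want gone?  Matches "LD_..." whether
 * or not an '=' follows, so a malformed "LD_LIBRARY_PATH" is caught too.
 * (Prefix policy chosen for this example; rtld itself uses an explicit list.) */
int is_loader_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Remove matching entries from envp in place (envp is NULL-terminated, like
 * environ). Returns the number of entries removed. */
size_t scrub_loader_vars(char **envp)
{
    size_t removed = 0, out = 0;
    for (size_t in = 0; envp[in] != NULL; in++) {
        if (is_loader_var(envp[in]))
            removed++;
        else
            envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return removed;
}

/* Post-condition check: 1 if no loader variable survives, 0 otherwise.
 * A loader would abort, as the rtld patch does, when this returns 0. */
int env_is_clean(char **envp)
{
    for (size_t i = 0; envp[i] != NULL; i++)
        if (is_loader_var(envp[i]))
            return 0;
    return 1;
}

int main(void)
{
    /* A constructed environment, including a malformed entry without '='. */
    char *env[] = {
        "PATH=/bin:/usr/bin",
        "LD_PRELOAD=/tmp/evil.so",
        "LD_LIBRARY_PATH",        /* malformed: no '=' */
        "HOME=/home/user",
        "LD_DEBUG=1",
        NULL
    };
    size_t removed = scrub_loader_vars(env);
    printf("removed %zu entries, clean=%d\n", removed, env_is_clean(env));
    for (size_t i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);
    return env_is_clean(env) ? 0 : 1;
}
```

Running it removes three entries and leaves only PATH and HOME; the malformed LD_LIBRARY_PATH entry, which is exactly the kind of input that trips the by-name path, is removed like any other.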