aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--notes.md13
-rw-r--r--presentation69
-rw-r--r--src/secret.c19
-rw-r--r--src/secret.h7
-rw-r--r--src/strcmp.c27
-rw-r--r--what_is_hooking.pngbin0 -> 44030 bytes
6 files changed, 135 insertions, 0 deletions
diff --git a/notes.md b/notes.md
new file mode 100644
index 0000000..b7a6116
--- /dev/null
+++ b/notes.md
@@ -0,0 +1,13 @@
+# presentation software
+sent - Simple plaintext presentation tool.
+https://tools.suckless.org/sent/
+
+# glibc version
+ldd --version
+
+# glibc source
+git://sourceware.org/git/glibc.git
+
+# compile as shared object
+gcc -fPIC -c strcmp.c -o strcmp.o
+gcc -shared -o strcmp.so strcmp.o
diff --git a/presentation b/presentation
new file mode 100644
index 0000000..0e1e009
--- /dev/null
+++ b/presentation
@@ -0,0 +1,69 @@
+Hooking on Linux Introduction
+
+What is hooking?
+
+@what_is_hooking.png
+
+Relies on dynamically linked binaries
+\
+most binaries are dynamic.
+$ file /usr/bin/* | grep dynamic | wc -l
+1500
+
+Hooking libc is an obvious choice
+- open source
+- everything uses libc
+
+Picking a libc function to hook
+\
+strcmp:
+compare two strings
+
+Why? Because:
+\
+if strcmp("user password", saved_password) == 0
+ Access granted
+else
+ Access denied
+
+Goal:
+print out saved password
+
+Step 1:
+Find the source Luke
+
+Step 2:
+Find the implementation
+
+Step 3:
+Code your goals, you can do it!
+
+☢ Caveats ☢
+
+Caveats
+☢ retain the original implementation (or not)
+
+Caveats
+☢ retain the original implementation (or not)
+☢ segfaults
+
+Caveats
+☢ retain the original implementation (or not)
+☢ segfaults
+☢ low level C can be hard
+
+Caveats
+☢ retain the original implementation (or not)
+☢ segfaults
+☢ low level C can be hard
+☢ segfaults
+
+Step 4:
+isolate and compile as shared object
+
+Step 5:
+trick the linker
+\
+LD_PRELOAD is bae
+
+Questions?
diff --git a/src/secret.c b/src/secret.c
new file mode 100644
index 0000000..d4113b2
--- /dev/null
+++ b/src/secret.c
@@ -0,0 +1,19 @@
+#include <stdio.h>
+#include <string.h>
+#include "secret.h"
+
+int main(int argc, char* argv[]){
+ if(argc <2){
+ printf("Usage: %s <secret_password>\n", argv[0]);
+ return 1;
+ }
+
+ UNHIDE_STR(pass);
+
+ if(! strcmp(pass, argv[1]))
+ printf("Access granted\n");
+ else
+ printf("Access denied\n");
+
+ return 0;
+}
diff --git a/src/secret.h b/src/secret.h
new file mode 100644
index 0000000..d6ee2ea
--- /dev/null
+++ b/src/secret.h
@@ -0,0 +1,7 @@
+#define A(c) (c)-0x19
+#define UNHIDE_STR(str) do { char *p = str; while (*p) *p++ += 0x19; } while (0)
+#define HIDE_STR(str) do { char *p = str; while (*p) *p++ -= 0x19; } while (0)
+
+char pass[] = {
+ A('c'), A('a'), A('t'), A('z'), A('r'), A('u'), A('l'), 0
+};
diff --git a/src/strcmp.c b/src/strcmp.c
new file mode 100644
index 0000000..d626bd3
--- /dev/null
+++ b/src/strcmp.c
@@ -0,0 +1,27 @@
+#include <stdio.h>
+/* Compare S1 and S2, returning less than, equal to or
+ greater than zero if S1 is lexicographically less than,
+ equal to or greater than S2. */
+int strcmp (const char *p1, const char *p2)
+{
+ const unsigned char *s1 = (const unsigned char *) p1;
+ const unsigned char *s2 = (const unsigned char *) p2;
+ unsigned char c1, c2;
+
+ // print out input values
+ printf("strcmp('%s', '%s')", p1, p2);
+ do
+ {
+ c1 = (unsigned char) *s1++;
+ c2 = (unsigned char) *s2++;
+ if (c1 == '\0') {
+ // print return value
+ printf(" = %d\n", c1 - c2);
+ return c1 - c2;
+ }
+ }
+ while (c1 == c2);
+
+ printf(" = %d\n", c1 - c2);
+ return c1 - c2;
+}
diff --git a/what_is_hooking.png b/what_is_hooking.png
new file mode 100644
index 0000000..04742eb
--- /dev/null
+++ b/what_is_hooking.png
Binary files differ