From 52e3ab594b34bf309b8669fcaa855c295a00e114 Mon Sep 17 00:00:00 2001
From: Nicholas Hall
Date: Thu, 14 Sep 2017 16:42:29 -0500
Subject: DC414 meeting presentation files
---
 notes.md | 13 ++++++++++
 presentation | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/secret.c | 19 +++++++++++++++
 src/secret.h | 7 ++++++
 src/strcmp.c | 27 ++++++++++++++++++++
 what_is_hooking.png | Bin 0 -> 44030 bytes
 6 files changed, 135 insertions(+)
 create mode 100644 notes.md
 create mode 100644 presentation
 create mode 100644 src/secret.c
 create mode 100644 src/secret.h
 create mode 100644 src/strcmp.c
 create mode 100644 what_is_hooking.png
diff --git a/notes.md b/notes.md
new file mode 100644
index 0000000..b7a6116
--- /dev/null
+++ b/notes.md
@@ -0,0 +1,13 @@
+# presentation software
+sent - Simple plaintext presentation tool.
+https://tools.suckless.org/sent/
+
+# glibc version
+ldd --version
+
+# glibc source
+git://sourceware.org/git/glibc.git
+
+# compile as shared object
+gcc -fPIC -c strcmp.c -o strcmp.o
+gcc -shared -o strcmp.so strcmp.o
diff --git a/presentation b/presentation
new file mode 100644
index 0000000..0e1e009
--- /dev/null
+++ b/presentation
@@ -0,0 +1,69 @@
+Hooking on Linux Introduction
+
+What is hooking?
+
+@what_is_hooking.png
+
+Relies on dynamically linked binaries
+\
+most binaries are dynamic.
+$ file /usr/bin/* | grep dynamic | wc -l
+1500
+
+Hooking libc is an obvious choice
+- open source
+- everything uses libc
+
+Picking a libc function to hook
+\
+strcmp:
+compare two strings
+
+Why? Because:
+\
+if strcmp("user password", saved_password) == 0
+ Access granted
+else
+ Access denied
+
+Goal:
+print out saved password
+
+Step 1:
+Find the source Luke
+
+Step 2:
+Find the implementation
+
+Step 3:
+Code your goals, you can do it!
+
+☢ Caveats ☢
+
+Caveats
+☢ retain the original implementation (or not)
+
+Caveats
+☢ retain the original implementation (or not)
+☢ segfaults
+
+Caveats
+☢ retain the original implementation (or not)
+☢ segfaults
+☢ low level C can be hard
+
+Caveats
+☢ retain the original implementation (or not)
+☢ segfaults
+☢ low level C can be hard
+☢ segfaults
+
+Step 4:
+isolate and compile as shared object
+
+Step 5:
+trick the linker
+\
+LD_PRELOAD is bae
+
+Questions?
diff --git a/src/secret.c b/src/secret.c
new file mode 100644
index 0000000..d4113b2
--- /dev/null
+++ b/src/secret.c
@@ -0,0 +1,19 @@
+#include
+#include
+#include "secret.h"
+
+int main(int argc, char* argv[]){
+ if(argc <2){
+ printf("Usage: %s \n", argv[0]);
+ return 1;
+ }
+
+ UNHIDE_STR(pass);
+
+ if(! strcmp(pass, argv[1]))
+ printf("Access granted\n");
+ else
+ printf("Access denied\n");
+
+ return 0;
+}
diff --git a/src/secret.h b/src/secret.h
new file mode 100644
index 0000000..d6ee2ea
--- /dev/null
+++ b/src/secret.h
@@ -0,0 +1,7 @@
+#define A(c) (c)-0x19
+#define UNHIDE_STR(str) do { char *p = str; while (*p) *p++ += 0x19; } while (0)
+#define HIDE_STR(str) do { char *p = str; while (*p) *p++ -= 0x19; } while (0)
+
+char pass[] = {
+ A('c'), A('a'), A('t'), A('z'), A('r'), A('u'), A('l'), 0
+};
diff --git a/src/strcmp.c b/src/strcmp.c
new file mode 100644
index 0000000..d626bd3
--- /dev/null
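Review bot: In secret.c, `UNHIDE_STR(pass);` decodes the password in place in the global array and nothing re-hides or wipes it afterwards, so the plaintext sits in writable `.data` for the rest of the process even though `HIDE_STR` is defined in secret.h for exactly that purpose. If the byte shift is meant to keep the secret out of a casual `strings` run, add `HIDE_STR(pass);` after the comparison (or wipe it with `explicit_bzero(pass, sizeof pass);`), with a comment that a fixed offset is obfuscation rather than protection — a hooked `strcmp` sees the decoded string regardless, which is the point of the demo. The first two `#include` lines and the `"Usage: %s \n"` string appear to have lost text in extraction (presumably `<stdio.h>`, `<string.h>` and a `<password>` placeholder), so the committed file is worth a look.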
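Review bot: In secret.h, `char pass[] = { ... }` is a definition in a header, so any second translation unit that includes it gets a duplicate-symbol link error; keep `extern char pass[];` in the header and move the array into secret.c. `A(c)` expands to `(c)-0x19` with no outer parentheses, so `A('c') * 2` would silently bind as `('c') - (0x19 * 2)`; write it `#define A(c) ((c) - 0x19)`. The two string macros also take `str` bare (`char *p = str;`) — harmless for an identifier, but `(str)` keeps them safe for any argument.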
+++ b/src/strcmp.c
@@ -0,0 +1,27 @@
+#include
+/* Compare S1 and S2, returning less than, equal to or
+ greater than zero if S1 is lexicographically less than,
+ equal to or greater than S2. */
+int strcmp (const char *p1, const char *p2)
+{
+ const unsigned char *s1 = (const unsigned char *) p1;
+ const unsigned char *s2 = (const unsigned char *) p2;
+ unsigned char c1, c2;
+
+ // print out input values
+ printf("strcmp('%s', '%s')", p1, p2);
+ do
+ {
+ c1 = (unsigned char) *s1++;
+ c2 = (unsigned char) *s2++;
+ if (c1 == '\0') {
+ // print return value
+ printf(" = %d\n", c1 - c2);
+ return c1 - c2;
+ }
+ }
+ while (c1 == c2);
+
+ printf(" = %d\n", c1 - c2);
+ return c1 - c2;
+}
diff --git a/what_is_hooking.png b/what_is_hooking.png
new file mode 100644
index 0000000..04742eb
Binary files /dev/null and b/what_is_hooking.png differ
-- cgit v1.2.3
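Review bot: The hook traces with `printf` to stdout from inside an interposed libc function, so it writes into the target's own stdout stream (interleaving with the program's output, and sharing its buffer when piped), and `printf` is itself a libc call with no re-entrancy guard, so any `strcmp` reached from it would re-enter the hook. Sending the trace to stderr is the cheapest fix: `fprintf(stderr, "strcmp('%s', '%s')", p1, p2);` and `fprintf(stderr, " = %d\n", c1 - c2);` on the two return paths. The slides' "retain the original implementation (or not)" caveat applies here — this copy re-implements glibc's loop rather than resolving the real function with `dlsym(RTLD_NEXT, "strcmp")` after printing, which is the safer way to keep the target's behaviour once the library is preloaded into anything beyond the demo binary. The `#include` on the first line shows no header name, presumably `<stdio.h>` lost in extraction.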