Thursday, September 01, 2005

Stick a fork in echod - atlas again

echod is now on life support only. Officially dead, I now wish to clean up my sploit to have it continue execution. We'll have to see about that one. :\ Can't say I've ever written a sploit to return, but this seems like a great time to start.


It's actually been a week since I've been able to touch it, so I'm not feeling quite as lame as I was last week. Work has extended into the evenings and then there was the wedding I had to liven up :) (kudos to Ryan and Rachel!)


This round in my fight with echod was much less confounding. I had already structured the exploit code so I could tinker with the header (as the term suggests, I'm speaking of the initial set of bytes which hold the address to overwrite the return pointer and some other goodies used to reconstruct the stack... remember that everything is reversed). The string dynamically generates NOPs to correct the buffer size from any changes.


Since that was already in place, I simply pumped some net-bind shellcode through "reverse()" and appended the resulting string to the sploit header (thanks again, Metasploit!). This broke stuff at first. It seems some of the memory the shellcode was occupying gets altered before execution. Solution? Add some NOPs after the header, before the shellcode, and check again. I ended up using 96 (nice round number) NOPs for this as 32 and 56 were not enough. Surprisingly, that provided a stable/consistent exploit.


As an exercise, I then wrote three while loops:


*) one to check the service and restart it if dead


*) one to run the exploit, connect using netcat, read, then overwrite a simulated "key" file, like in the CTF


*) one to check the "key" file and overwrite it with the correct value if overwritten


These have been going now for some time and working quite nicely. Now, I just need to turn my attention to returning gracefully. I believe the appropriate course of action is to "mov 0x 0x4(%ebp)" and then call "ret" instead of calling "exit()". We'll see how that works out.
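The two defensive loops in that list, the service watchdog and the "key" file restorer, are simple enough to sketch as one script. What follows is an added example, not the post's own loops: the service port, file paths, probe and restart commands are all placeholders supplied through environment variables, and the exploit loop is deliberately left out.

```shell
#!/bin/sh
# Added example, not the post's own code: a defender-side watchdog for the
# CTF setup the post describes. It reproduces the loop that restarts the
# service when it is dead and the loop that restores the "key" file when its
# contents have been overwritten.
#
# Everything below is an assumption, not from the post: host, port, paths,
# probe command and restart command are placeholders set via the environment.

SERVICE_HOST="${SERVICE_HOST:-127.0.0.1}"
SERVICE_PORT="${SERVICE_PORT:-7}"                       # echo port, assumed
KEY_FILE="${KEY_FILE:-/tmp/ctf/key}"                    # placeholder path
KEY_GOOD="${KEY_GOOD:-/tmp/ctf/key.good}"               # known-good copy, placeholder
RESTART_CMD="${RESTART_CMD:-echo would-restart-echod}"  # placeholder restart action
INTERVAL="${INTERVAL:-5}"

# service_alive: exit status 0 when a TCP connect to the service succeeds.
# PROBE_CMD lets a caller substitute any other liveness check (used by tests).
service_alive() {
    if [ -n "${PROBE_CMD:-}" ]; then
        eval "$PROBE_CMD"
    else
        nc -z -w 2 "$SERVICE_HOST" "$SERVICE_PORT" >/dev/null 2>&1
    fi
}

# ensure_service: prints "alive" or "restarted"; runs RESTART_CMD only when dead.
ensure_service() {
    if service_alive; then
        echo alive
    else
        eval "$RESTART_CMD" >/dev/null 2>&1
        echo restarted
    fi
}

# key_tampered GOOD ACTUAL: status 0 when ACTUAL is missing or differs from GOOD.
key_tampered() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# check_and_restore GOOD ACTUAL: prints "ok", or copies GOOD over ACTUAL and
# prints "restored".
check_and_restore() {
    if key_tampered "$1" "$2"; then
        cp "$1" "$2"
        echo restored
    else
        echo ok
    fi
}

# The endless loop only runs when invoked with --loop, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "--loop" ]; then
    while :; do
        echo "$(date '+%H:%M:%S') service=$(ensure_service) key=$(check_and_restore "$KEY_GOOD" "$KEY_FILE")"
        sleep "$INTERVAL"
    done
fi
```

Run it as `KEY_FILE=... KEY_GOOD=... RESTART_CMD='...' sh watchdog.sh --loop`; each iteration logs one line, so a burst of `key=restored` entries is itself a cheap indicator that someone is in the box overwriting the file.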


I'll let you know. I feel awful right now and am driving home from Skelletones, so coding has stopped. Between the fog and deer-hazards, blogging is all I can manage! Perhaps if I felt better ;)

