Wednesday, 7 June 2017

Havering about Stack Buffer Overflow Basic in x64



Stack Buffer Overflow

       Before getting into the content, I just want to say... I am very happy, jubilant and excited! Maybe for most people this is a very easy challenge; of course, it's a basic challenge! But for me, a person who started only a short time ago, it was a big problem. OK! Back to our Stack Buffer Overflow. The challenge I'm referring to is ELF x64 - Stack buffer overflow - basic on root-me. I won't analyze this challenge in depth because that is forbidden; I'll just haver about the overflow!

Let's begin.

       Before solving it, I read some docs that root-me gives as hints. This is EN - 64 Bits Linux Stack Based Buffer Overflow.pdf.
This was the first time I read a doc about the 64-bit stack! So wtf? Everything was nameless and strange to me! I thought, "Does it know who I am?", but I know for sure that I did not know what it was! The first impression was RIP. :v I thought it was kidding me, dafuq, RIP, what is 'RIP'? Rest In Peace? Maybe :D. But no, it is the instruction pointer, like EIP; however, in 64-bit every 'E' becomes an 'R'. That's the reason I saw RIP, RSP, ...

       Next is the size of memory addresses; there are a lot of differences between 32-bit and 64-bit. In 64-bit, user space only uses the first 47 bits. If we pass a parameter wider than 47 bits, it'll raise an exception.
This is the original text:

So memory addresses are 64 bits long,but user space only uses the first 47 bits; keep this in mind because if you specified an address greater than 0x00007fffffffffff, you'll raise an exception. So that means that 0x4141414141414141 will raise exception, but the address 0x0000414141414141 is safe.
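To make the 47-bit rule above concrete, here is a small added Python example (my own illustration, not part of the post or the root-me challenge) that classifies a 64-bit address the way the x86-64 canonical-address check does and decodes an address from the 8 little-endian bytes of a stack slot. It goes slightly beyond the post by also naming the kernel half of the canonical range; the constants and function names are assumptions of this example.

```python
import struct

USER_SPACE_MAX = 0x00007FFFFFFFFFFF    # highest address a process may touch (47 bits)
KERNEL_SPACE_MIN = 0xFFFF800000000000  # canonical addresses from here up belong to the kernel


def classify_address(addr: int) -> str:
    """Classify a 64-bit x86-64 virtual address.

    With 48-bit virtual addresses, bits 63..47 must all equal bit 47
    ("canonical form"); anything else faults before paging is even consulted.
    """
    if not 0 <= addr < 1 << 64:
        raise ValueError("not a 64-bit value")
    if addr <= USER_SPACE_MAX:
        return "user"
    if addr >= KERNEL_SPACE_MIN:
        return "kernel"
    return "non-canonical"


def address_from_stack_slot(slot: bytes) -> int:
    """Decode an 8-byte little-endian stack slot, as it sits in memory, into an address."""
    if len(slot) != 8:
        raise ValueError("a 64-bit slot is exactly 8 bytes")
    return struct.unpack("<Q", slot)[0]


if __name__ == "__main__":
    for value in (0x4141414141414141, 0x0000414141414141, 0xFFFFFFFF81000000):
        print(hex(value), classify_address(value))
    # Eight 'A' bytes in a saved-return-address slot decode to 0x4141414141414141,
    # which is why that value faults instead of being usable as an address.
    print(classify_address(address_from_stack_slot(b"A" * 8)))
```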

       Saying it is easy; in fact, I was down-at-heel with them! :D I spent an evening checking, testing and trying every way to do it. :downface:

      When I saw the source code, I immediately thought about the address of the 'CallMeMaybe' function! Right! I found its address; it's very simple!
And then I had to put this address somewhere the program would execute from at some point. As we know, whenever a function is called, the return address is pushed onto the stack :D, so we can take advantage of it :p. That's easy: write a payload in any programming language you like and exploit! :D Ez... I spent more than two days reading docs and trying hard to solve it! :v Ez --> spent 2 days :v

Monday, 13 March 2017

Introduce to Advanced Encryption Standard


INTRODUCE TO AES

From Google and Wikipedia, I learned a little about AES. For learning purposes, I rewrote it here.
The Advanced Encryption Standard is also known by its original name, Rijndael. It has these features:
  •            Each cipher block is 128 bits long.
  •            There are 3 key sizes: 128, 192 and 256 bits.
  •            There are many modes of operation for AES, such as Electronic Codebook, Cipher Block Chaining, Cipher Feedback, Output Feedback and Counter.
Every mode has its own special features, some insecure and some secure. But today I'll just introduce some basic terms.
Let me see... the first term is the Initialization Vector (IV).
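Since the post stops at the IV, here is an added Python illustration (not the post's code, and not AES: the block cipher is a small SHA-256-based Feistel stand-in so the script runs offline) of what three of the listed modes do with a 128-bit block and where the IV enters. It shows ECB leaking repeated blocks, CBC chaining through the IV, CTR using the block cipher only forwards, and one reason a CBC IV must not be reused. Key, IV and messages are constructed demo values.

```python
import hashlib

BLOCK = 16  # 128-bit block, the size AES uses


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function of the stand-in cipher (SHA-256 truncated to 8 bytes)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function: a 4-round Feistel network.
    NOT AES; only the mode logic around it is what this example shows."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round_function(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _round_function(key, rnd, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7 padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Electronic Codebook: every block encrypted independently, no IV at all."""
    pt = pad(plaintext)
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Cipher Block Chaining: each block is XORed with the previous ciphertext
    block (the IV for the first one) before it goes through the block cipher."""
    pt, prev, out = pad(plaintext), iv, []
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, blk), prev))
        prev = blk
    return unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: encrypt nonce||counter to get a keystream; the same call
    decrypts. No padding, and the block cipher is only ever run forwards."""
    assert len(nonce) == 8
    out = []
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out.append(xor(data[i:i + BLOCK], keystream))
    return b"".join(out)


def duplicate_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks repeat an earlier one (ECB's tell-tale leak)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


# Constructed demo values (not real key material).
KEY = b"sixteen byte key"
IV = bytes(range(16))
NONCE = b"\x00" * 8
MESSAGE = b"ATTACK AT DAWN!!" * 4  # four identical 16-byte blocks

if __name__ == "__main__":
    print("ECB duplicate blocks:", duplicate_blocks(ecb_encrypt(KEY, MESSAGE)))
    print("CBC duplicate blocks:", duplicate_blocks(cbc_encrypt(KEY, IV, MESSAGE)))
    # Reusing (key, IV) leaks whether two messages start the same way:
    east = cbc_encrypt(KEY, IV, b"ATTACK AT DAWN!! to the east")
    west = cbc_encrypt(KEY, IV, b"ATTACK AT DAWN!! to the west")
    print("same first CBC block under a reused IV:", east[:BLOCK] == west[:BLOCK])
```

The ECB run reports 3 repeated blocks out of 5 (four identical message blocks plus the padding block), CBC reports 0, and the last line prints True: with a fixed IV, equal leading plaintext gives equal leading ciphertext, which is exactly what a fresh, unpredictable IV per message prevents.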

Friday, 10 March 2017

[CRYPTOPALS] How to Break Repeating-key XOR


After 3 weeks, I have finally solved this challenge! I thought I would fail because my English was very bad, and the challenge and hints were written in English.

Now, let's see what we have.
   I found some good things via Google:
         1st:
The hardest exercise in the set by far, despite the problem description giving you a clear set of steps.
Use the length-normalised Hamming distance to guess the keysize. Contrary to the instructions which kinda indicate you need only consider the first and second blocks, I had to take the average normalised Hamming distance from the first block against all the others.
Break the input into blocks of keysize length, transpose them into a much smaller number (keysize) chunks (ByteString.transpose does the trick), crack each chunk using the code written for #3, concat the keys for each chunk. Done.
         2nd: Matasano Solution
         and so on...

Review the challenge's problem statement:

There's a file here. It's been base64'd after being encrypted with repeating-key XOR.
Decrypt it.

And the hints:

Here's how:
  1. Let KEYSIZE be the guessed length of the key; try values from 2 to (say) 40.
  2. Write a function to compute the edit distance/Hamming distance between two strings. The Hamming distance is just the number of differing bits. The distance between:
    this is a test
    and
    wokka wokka!!!
    is 37. Make sure your code agrees before you proceed.
  3. For each KEYSIZE, take the first KEYSIZE worth of bytes, and the second KEYSIZE worth of bytes, and find the edit distance between them. Normalize this result by dividing by KEYSIZE.
  4. The KEYSIZE with the smallest normalized edit distance is probably the key. You could proceed perhaps with the smallest 2-3 KEYSIZE values. Or take 4 KEYSIZE blocks instead of 2 and average the distances.
  5. Now that you probably know the KEYSIZE: break the ciphertext into blocks of KEYSIZE length.
  6. Now transpose the blocks: make a block that is the first byte of every block, and a block that is the second byte of every block, and so on.
  7. Solve each block as if it was single-character XOR. You already have code to do this.
  8. For each block, the single-byte XOR key that produces the best looking histogram is the repeating-key XOR key byte for that block. Put them together and you have the key.
This code is going to turn out to be surprisingly useful later on. Breaking repeating-key XOR ("Vigenere") statistically is obviously an academic exercise, a "Crypto 101" thing. But more people "know how" to break it than can actually break it, and a similar technique breaks something much more important.
OK. Let's begin to break it!

Firstly, I try to find the length of the key. Thanks to Google.com.vn, I wrote a snippet to do it:

 This snippet is what I use to find the Hamming distance:

 and this one computes the normalized distance to determine the key length:
Running this snippet over keysizes up to *keysizeMax*, I get a probable keysize:
      
2
2.25
-------
3
2.8333333333333335
-------
4
3.625
-------
5
2.6
29
2.8189655172413794
-------

Then I just try the keysizes one by one, looking for the keysize that yields English characters; that one is exactly the keysize. In this case, the exact keysize is 29.
 T
Ibhcl na ro
ncemmoiavano pt1dhgn an'  euY hbo.oxaa ef ygeyoar
hd
o e bc  n'ueoanteraayo yio
btdc,

Run `seq ` to brute-force the key byte; we see T matches. Next, the second character of the key... we got:
e
'eis adnnuuiM'a nelnsen'nol - yi
k shtrton ln mi nI rGihr  romSt YwiaYoaal  r,mry  yyy 
 emPohe,
Repeat it up to 29... and we get the full key: "Terminator X: Bring the noise".
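Below is an added, self-contained Python version of the eight steps above (my example, not the post's snippets or the Cryptopals reference solution). It encrypts a constructed English text under a made-up 5-byte key, base64s it like the challenge file, then recovers the key with the normalized Hamming ranking, the transpose, and single-byte XOR scoring. The frequency weights, the scoring rules, the choice to try the three best keysizes, and the fold of a multiple of the true keysize back to its period are assumptions of this example.

```python
import base64

# Approximate English letter frequencies in percent, plus space; assumed weights
FREQ = {"e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
        "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "u": 2.8, " ": 13.0}


def hamming(a: bytes, b: bytes) -> int:
    """Step 2: number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("hamming distance needs equal lengths")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def repeating_xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(text: bytes) -> float:
    """Higher means more English-like; unprintable bytes are punished hard."""
    score = 0.0
    for b in text:
        c = chr(b)
        if b > 126 or (b < 32 and c not in "\n\r\t"):
            score -= 10.0
        elif c.lower() in FREQ:
            score += FREQ[c.lower()]
        elif c.isalpha():
            score += 1.0
    return score


def crack_single_byte_xor(column: bytes) -> int:
    """Step 7: the key byte whose XOR gives the most English-looking column."""
    return max(range(256), key=lambda k: english_score(bytes(b ^ k for b in column)))


def rank_keysizes(ct: bytes, lo: int = 2, hi: int = 40) -> list:
    """Steps 1-4: average normalized Hamming distance between consecutive
    blocks for every candidate KEYSIZE, smallest distance first."""
    ranked = []
    for ks in range(lo, hi + 1):
        blocks = [ct[i:i + ks] for i in range(0, len(ct) - ks + 1, ks)]
        if len(blocks) < 2:
            break
        pairs = list(zip(blocks, blocks[1:]))
        ranked.append((sum(hamming(x, y) for x, y in pairs) / (len(pairs) * ks), ks))
    return [ks for _, ks in sorted(ranked)]


def smallest_period(key: bytes) -> bytes:
    """A multiple of the true KEYSIZE scores just as well; fold 'BrUt3BrUt3' to 'BrUt3'."""
    for p in range(1, len(key) + 1):
        if len(key) % p == 0 and key[:p] * (len(key) // p) == key:
            return key[:p]
    return key


def break_repeating_key_xor(b64: str, candidates: int = 3):
    """Steps 5-8 on the few best KEYSIZE guesses; keep the most readable plaintext."""
    ct = base64.b64decode(b64)
    best = None
    for ks in rank_keysizes(ct)[:candidates]:
        columns = [ct[i::ks] for i in range(ks)]          # step 6: transpose
        key = bytes(crack_single_byte_xor(col) for col in columns)
        pt = repeating_xor(ct, key)
        score = english_score(pt) / len(pt)
        if best is None or score > best[0]:
            best = (score, key, pt)
    _, key, pt = best
    return smallest_period(key), pt


# Constructed sample (not the challenge file): English text under a 5-byte key, base64'd.
KEY = b"BrUt3"
PLAINTEXT = (
    "Repeating key xor looks strong until you notice that every byte of the "
    "ciphertext was produced by one of only a handful of key bytes. Guess the key "
    "size, cut the ciphertext into blocks of that size, and transpose them so that "
    "each new column was encrypted with the same single byte. A column of English "
    "text xored with one byte is broken by trying all two hundred and fifty six "
    "candidates and keeping the most readable result. "
) * 4
CIPHERTEXT_B64 = base64.b64encode(repeating_xor(PLAINTEXT.encode(), KEY)).decode()

if __name__ == "__main__":
    key, pt = break_repeating_key_xor(CIPHERTEXT_B64)
    print(key, pt[:60])
```

Two design points worth noting: the ranking averages the normalized distance over every consecutive pair of blocks rather than only the first two, as the quoted solver also found necessary; and because every multiple of the true keysize gives an equally good plaintext, the recovered key is folded to its shortest repeating period instead of trusting whichever multiple happened to rank first.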

Monday, 6 March 2017

[Algorithms] INSERTION SORT


 INSERTION SORT


Following Introduction to Algorithms, I coded a small program to solve the insertion sort problem! I present it to you below:

Firstly, let's see what the problem is:
                   Input: A sequence of n numbers <a1, a2, ..., an>
                   Output: A reordering <a'1, a'2, ..., a'n> of the input sequence such that a'1 < a'2 < a'3 < ... < a'n.
Next, what does the pseudocode illustrate?


Trying to analyze it...
          Let j run from 2 to the length of A; j starts at 2 because j is the index into the unsorted part of array A, and we take the element at that index as the key to compare with the others.
          Call a variable i the explorer. It points to each member of the array from j-1 down to 1 to find which is smaller. If the previous element and the key are in the wrong order, they are exchanged. After that, take the next unsorted element of the array as the key and continue! Easy.

This is my code in the C programming language:
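As an added Python illustration (not the post's own C program), here is the procedure just described, with 0-based indices and an optional trace of the array after each outer step so the shifting of larger elements can be followed:

```python
def insertion_sort(values, trace=None):
    """Return a sorted copy of `values` using insertion sort (CLRS pseudocode).

    The pseudocode's j runs from 2 to length with 1-based indexing; Python is
    0-based, so the key index j starts at 1 and the explorer i starts at j-1.
    If `trace` is a list, a snapshot of the array is appended after every key
    has been inserted, which is handy for checking the loop invariant by hand.
    """
    a = list(values)
    for j in range(1, len(a)):
        key = a[j]
        i = j - 1
        # Shift every element larger than the key one slot to the right;
        # the key itself is parked in `key` until its slot is found.
        while i >= 0 and a[i] > key:
            a[i + 1] = a[i]
            i -= 1
        a[i + 1] = key
        if trace is not None:
            trace.append(a[:])
    return a


if __name__ == "__main__":
    steps = []
    print(insertion_sort([5, 2, 4, 6, 1, 3], steps))
    for step in steps:
        print(step)
```

Because the inner loop only moves past elements strictly greater than the key, equal elements keep their original order, so the sort is stable.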


Friday, 16 December 2016

ICMP ERROR MESSAGES


ICMP ERROR MESSAGES

     Hi guys, as we know, ICMP is a common protocol in the TCP/IP suite. It is used in conjunction with IP to provide diagnostics and control information about IP packets.
ICMP includes: ICMP messages, ICMP error messages, ICMP query/information messages, Neighbor Discovery in IPv6, ... And now, I'll recall ICMP ERROR MESSAGES.

         Firstly, I'll talk about Extended ICMP and Multipart Messages. [RFC4884] specifies a method for extending the utility of ICMP messages by allowing an extension data structure to be appended to them. The extension data structure includes an extension header and extension objects that may contain a variable amount of data. When these extensions are used, the ICMP payload area containing the original datagram must be at least 128 bytes long.
The extension structure may be used with ICMPv4 Destination Unreachable, Time Exceeded, and Parameter Problem messages.

           Secondly, I'll present Destination Unreachable (ICMPv4 type 3, ICMPv6 type 1) and Packet Too Big (ICMPv6 type 2).
This type of message is used to indicate that an error occurred while the datagram was being delivered along the way. Only a few of the 16 codes are commonly used: Host Unreachable (code 1), Port Unreachable (code 3), Fragmentation Required/Don't Fragment Specified (code 4), and Communication Administratively Prohibited (code 13).
                 * Host Unreachable and ICMPv6 Address Unreachable: this message is generated by a router or a host when it is required to send an IP datagram to a host using direct delivery but for some reason cannot reach it.
                 * ICMPv6 No Route to Destination (code 0): this message is generated when an IP datagram cannot be delivered because no route to the destination is present.
                 * ICMPv4 Packets Too Big (PTB): if the datagram does not fit into the MTU in use on the selected outgoing network interface, the datagram must be fragmented. If the Don't Fragment bit was set in its IP header, it will be dropped.
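As an added Python example (not from the post), here is a builder and parser for an ICMPv4 Destination Unreachable message carrying the original datagram, including the RFC 4884 length field in the second word, the RFC 1191 next-hop MTU used by code 4, and the RFC 1071 checksum that a receiver should verify before trusting the quoted headers. The embedded IPv4/UDP datagram is constructed for the demo and its IP header checksum is left at zero.

```python
import struct

# ICMPv4 Destination Unreachable (type 3) codes named in the post, plus code 0
DEST_UNREACH_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Required and Don't Fragment was Set",
    13: "Communication Administratively Prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dest_unreachable(code: int, original: bytes, next_hop_mtu: int = 0) -> bytes:
    """Build a type 3 message quoting the offending datagram.
    Second word per RFC 4884: unused(8) | original length in 32-bit words(8) |
    next-hop MTU(16, RFC 1191; only meaningful for code 4)."""
    original += b"\x00" * (-len(original) % 4)  # the length field counts 32-bit words
    header = struct.pack("!BBHBBH", 3, code, 0, 0, len(original) // 4, next_hop_mtu)
    packet = header + original
    return packet[:2] + struct.pack("!H", inet_checksum(packet)) + packet[4:]


def parse_dest_unreachable(packet: bytes) -> dict:
    """Validate the checksum, then pull the quoted datagram's IP header fields."""
    if len(packet) < 8 + 20:
        raise ValueError("too short for an ICMP error carrying an IPv4 header")
    if inet_checksum(packet) != 0:  # a correct checksum sums to zero over the whole message
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _, length_words, mtu = struct.unpack("!BBHBBH", packet[:8])
    if icmp_type != 3:
        raise ValueError(f"not Destination Unreachable (type {icmp_type})")
    body = packet[8:]
    # length_words == 0 means a pre-RFC 4884 sender: the whole body is the original datagram
    original = body[:length_words * 4] if length_words else body
    if original[0] >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    return {
        "code": code,
        "name": DEST_UNREACH_CODES.get(code, "other"),
        "next_hop_mtu": mtu if code == 4 else None,
        "src": ".".join(str(b) for b in original[12:16]),
        "dst": ".".join(str(b) for b in original[16:20]),
        "protocol": original[9],
        "original_len": len(original),
    }


# Constructed original datagram: a 20-byte IPv4 header (DF set, UDP, header
# checksum left at 0) plus the first 8 bytes of the UDP header, which is all an
# ICMP error is required to quote.
IPV4_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, 64, 17, 0,
                          bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
UDP_HEADER = struct.pack("!HHHH", 40000, 53, 8, 0)
ORIGINAL = IPV4_HEADER + UDP_HEADER

if __name__ == "__main__":
    print(parse_dest_unreachable(build_dest_unreachable(3, ORIGINAL)))
    print(parse_dest_unreachable(build_dest_unreachable(4, ORIGINAL, next_hop_mtu=1400)))
```

The checksum check matters in practice: the quoted header is what a host uses to match the error to one of its own sockets, so a corrupted or forged quote should be rejected rather than acted on.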
          Then, I'll talk about Redirect