Reputation: 109
I have a Linux executable and its disassembly (in particular, the program checks if I'm superuser, and if so, outputs some message by executing the function "start_reactor" and exits; if I'm not a superuser the program calls another function "check_password"). What I need is to find a way to crack it (execute the function "start_reactor") by entering some specific string as input for the function "check_password".
Below is the disassembly of the executable..
08048504 <check_password>:
8048504: 55 push ebp
8048505: 89 e5 mov ebp,esp
8048507: b8 00 00 00 00 mov eax,0x0
804850c: 5d pop ebp
804850d: c3 ret
0804850e <start_reactor>:
804850e: 55 push ebp
804850f: 89 e5 mov ebp,esp
8048511: 83 ec 04 sub esp,0x4
8048514: c7 04 24 90 86 04 08 mov DWORD PTR [esp],0x8048690
804851b: e8 0c ff ff ff call 804842c <printf@plt>
8048520: c7 04 24 2e 00 00 00 mov DWORD PTR [esp],0x2e
8048527: e8 d0 fe ff ff call 80483fc <putchar@plt>
804852c: a1 60 98 04 08 mov eax,ds:0x8049860
8048531: 89 04 24 mov DWORD PTR [esp],eax
8048534: e8 e3 fe ff ff call 804841c <fflush@plt>
8048539: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1
8048540: e8 07 ff ff ff call 804844c <sleep@plt>
8048545: eb d9 jmp 8048520 <start_reactor+0x12>
08048547 <main>:
8048547: 55 push ebp
8048548: 89 e5 mov ebp,esp
804854a: 83 ec 1c sub esp,0x1c
804854d: c7 45 f8 be ba fe ca mov DWORD PTR [ebp-0x8],0xcafebabe
8048554: e8 e3 fe ff ff call 804843c <getuid@plt>
8048559: 85 c0 test eax,eax
804855b: 0f 94 c0 sete al
804855e: 0f b6 c0 movzx eax,al
8048561: 89 45 fc mov DWORD PTR [ebp-0x4],eax
8048564: 83 7d fc 00 cmp DWORD PTR [ebp-0x4],0x0
8048568: 75 24 jne 804858e <main+0x47>
804856a: c7 04 24 b0 86 04 08 mov DWORD PTR [esp],0x80486b0
8048571: e8 b6 fe ff ff call 804842c <printf@plt>
8048576: a1 60 98 04 08 mov eax,ds:0x8049860
804857b: 89 04 24 mov DWORD PTR [esp],eax
804857e: e8 99 fe ff ff call 804841c <fflush@plt>
8048583: 8d 45 e8 lea eax,[ebp-0x18]
8048586: 89 04 24 mov DWORD PTR [esp],eax
8048589: e8 5e fe ff ff call 80483ec <gets@plt>
804858e: 81 7d f8 be ba fe ca cmp DWORD PTR [ebp-0x8],0xcafebabe
8048595: 74 18 je 80485af <main+0x68>
8048597: c7 04 24 d8 86 04 08 mov DWORD PTR [esp],0x80486d8
804859e: e8 b9 fe ff ff call 804845c <puts@plt>
80485a3: c7 04 24 ff ff ff ff mov DWORD PTR [esp],0xffffffff
80485aa: e8 bd fe ff ff call 804846c <exit@plt>
80485af: 83 7d fc 00 cmp DWORD PTR [ebp-0x4],0x0
80485b3: 75 0f jne 80485c4 <main+0x7d>
80485b5: 8d 45 e8 lea eax,[ebp-0x18]
80485b8: 89 04 24 mov DWORD PTR [esp],eax
80485bb: e8 44 ff ff ff call 8048504 <check_password>
80485c0: 85 c0 test eax,eax
80485c2: 74 05 je 80485c9 <main+0x82>
80485c4: e8 45 ff ff ff call 804850e <start_reactor>
80485c9: c9 leave
80485ca: c3 ret
80485cb: 90 nop
80485cc: 90 nop
80485cd: 90 nop
80485ce: 90 nop
80485cf: 90 nop
..and the result of reverse engineering using IDA.
int __cdecl main()
{
  __uid_t v0; // eax@1
  int result; // eax@7
  char s; // [sp+4h] [bp-18h]@2
  int v3; // [sp+14h] [bp-8h]@1
  bool v4; // [sp+18h] [bp-4h]@1

  v3 = -889275714;
  v0 = getuid();
  v4 = v0 == 0;
  if ( v0 != 0 )
  {
    printf("Please enter the password to continue: ");
    fflush(stdout);
    gets(&s);
  }
  if ( v3 != -889275714 )
  {
    puts(" ");
    exit(-1);
  }
  if ( v4 || (result = check_password()) != 0 )
    start_reactor();
  return result;
}
I'm really new to Assembler.. :(
Upvotes: 0
Views: 1520
Reputation: 1140
It's a buffer overflow exploitation.
You have to overflow s to write over v3 and v4.
This lets me think that s is a char s[16]:
char s; // [sp+4h] [bp-18h]@2 // 18h - 8h = 10h
int v3; // [sp+14h] [bp-8h]@1
But in v3 you have to put in -889275714, so in hexadecimal 0xcafebabe (<3 it btw :D)
And then override the boolean with 0x01
So basically, you want to launch your binary with:
perl -e 'print "junk_for_sssssss\xbe\xba\xfe\xca\x01"' | ./binary
Note that you need to enter \xbe\xba\xfe\xca and not \xca\xfe\xba\xbe because of your potentially little-endian architecture.
Upvotes: 4
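Added here as an editor's example (not code from the question's binary or from either answer): a C model of main()'s frame with the gets()-style read beside a read with fgets(s, sizeof s, stdin) semantics, run through the same control flow as the page's main(). The struct, the read/run function names and the outcome codes are assumptions; the byte order assumes a little-endian host, as the answer does.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* main()'s frame as IDA recovered it, low addresses first: s at [bp-0x18]
 * (0x18 - 0x8 = 16 bytes), sentinel v3 at [bp-0x8], is-root flag v4 at [bp-0x4]. */
struct frame {
    char     s[16];
    uint32_t v3;   /* must still read 0xcafebabe after the input is read */
    uint32_t v4;   /* bool, but stored and compared as a DWORD */
};
#define SENTINEL 0xcafebabeu

/* Same as the binary's check_password: mov eax,0 / ret. Never non-zero. */
static int check_password(const char *s) { (void)s; return 0; }
/* Models gets(): copies up to the newline with no regard for sizeof(s), so input
 * bytes 16.. land on v3 and v4. (Capped at the frame size only so this model stays
 * memory-safe; real gets() has no cap at all.) */
static void read_like_gets(struct frame *f, const char *input) {
    size_t n = strcspn(input, "\n");
    if (n > sizeof *f - 1) n = sizeof *f - 1;
    memcpy((unsigned char *)f, input, n);
    ((unsigned char *)f)[n] = '\0';
}

/* Hardened replacement with fgets(s, sizeof s, stdin) semantics: at most
 * sizeof(s)-1 bytes are stored and s is NUL-terminated, so v3/v4 are unreachable. */
static void read_like_fgets(struct frame *f, const char *input) {
    size_t n = strcspn(input, "\n");
    if (n > sizeof f->s - 1) n = sizeof f->s - 1;
    memcpy(f->s, input, n);
    f->s[n] = '\0';
}

enum outcome { REACTOR_STARTED, SENTINEL_TRIPPED, ACCESS_DENIED };
/* The control flow of main() from the page, with the read routine selectable. */
static enum outcome run_main(int uid, const char *input, bool hardened) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.v3 = SENTINEL;
    f.v4 = (uid == 0);
    if (uid != 0)
        (hardened ? read_like_fgets : read_like_gets)(&f, input);
    if (f.v3 != SENTINEL)
        return SENTINEL_TRIPPED;        /* puts + exit(-1) in the binary */
    if (f.v4 || check_password(f.s) != 0)
        return REACTOR_STARTED;
    return ACCESS_DENIED;
}
```

With the gets()-style read even a 16-character password trips the sentinel, because the terminating NUL lands on the low byte of v3; the fgets()-style read keeps v3 and v4 intact for any input length.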
Reputation: 3419
It appears to me you already know enough about the program. Run it using fakeroot (and maybe a VM - depending on where you got this from).
Note that check_output does nothing but return 0, so there is no way to convince it to execute start_reactor without rewriting the assembly or starting it as root or with fakeroot.
08048504 <check_password>:
8048504: 55 push ebp // function header
8048505: 89 e5 mov ebp,esp // function header
8048507: b8 00 00 00 00 mov eax,0x0 // result = 0
804850c: 5d pop ebp // function footer
804850d: c3 ret // return to callee
Of course if you want to modify the file (on disk or in memory) then there are a million ways to crack this (e.g. changing some jump so that it points to the start_reactor function is a standard approach). And you could always reverse the start_reactor function itself, as it is rather short - in which case I would advise you to look for the individual commands via google and try to understand what it does yourself...
Upvotes: 1