That means that you can see the function names! My favorite tool for analyzing binaries is IDA, but for our purposes, the nm command is more than sufficient:Įverything you see here is a symbol, and the ones with T in front are ones that we can actually call, but the ones that start with an underscore ('_') are built-in stuff that we can just ignore (in a "real" situation, you shouldn't discount something simply because the name starts with an underscore, of course). Let's assume for the purposes of this post that the binaries are compiled with symbols. If you grabbed our source code, you can simply run make after extracting it. We add - 00 to the command line to prevent the compiler from performing optimizations such as deleting unused functions under the guise of "helping". Put that in a file called jumpdemo.c and compile with the following command: gcc -g -O0 -o jumpdemo jumpdemo.c Printf("Can you call random_function()?\n") You can download this program as a 32- and 64-bit Linux binary, as well as the source code and Makefile, here Let's start by writing a simple toy program. With few exceptions (I've used a technique like this to break out of an improperly implemented sandbox before), this technique is primarily for analysis, not for exploitation or privilege escalation. This technique is useful for finding hidden functionality, but it's somewhat limited: it'll only work for applications that you're capable of debugging. In this post, we'll look at how we can find hidden functionality by jumping to random functions in-memory! This is normally a good way to crash the program, but who knows? You might find a gem! Sometimes reverse engineering is graceful and purposeful, where you thread the needle just right to figure out some obscure, undocumented function and how it can be used to the best of your ability. Immediately apply the skills and techniques learned in SANS courses, ranges, and summits
0 kommentar(er)
