[Solved] How to call functions of a running process without injection (debug flags enabled, func offset known)


BenjaminMartin
Sep 11, 2017

Game Name: N/A
Anticheat: N/A
Tutorial Link: N/A
How long have you been coding/hacking?: 1337
Coding Language: N/A
OS is Linux. I have a "standalone" ELF executable (not a shared library) that is compiled with debug flags. The functions are clearly labelled and exported in the symbol table. The function offsets are known and the same at runtime; ASLR is off.

The process is running with root privileges, but in this circumstance I am ONLY allowed to interact with it via user-level privileges. OS-specific privilege escalation vectors for interacting with it are out of the question. I cannot attach the target process to GDB or do any fancy injection that would require root privileges. The file from which the process is being executed is also write-protected, but it is not read/execute-protected.

I have a function of interest that I'd like to call. I know if we had root privileges we could do memory mapping operations on the running process and call the function of interest because it is exported in the symbol table. Is there any other way to trigger/call this function from user land?

I should mention that the process itself is built in a language with a specific runtime environment (think Java) and was created with debug flags. That said, I don't know if this runtime environment opens any doors for directly interacting with the running process from the outside WITHOUT root privileges. I don't know if that is a thing; I searched all over Security StackExchange and Stack Overflow and didn't see anything that would indicate it is.

It is riddled with debug calls (think printStack). Would this lend itself to any type of fault injection attack?

What else can I do?

BenjaminMartin
Sep 11, 2017
BDKPlayer said: Is this a CTF challenge?

For work. There's software that runs on our enterprise computers. I'm tasked with black-box RE'ing it to find a vulnerability. Although not directly related to any specific games, there are some amazing reverse engineers on this website and I thought it would be an appropriate RE question to ask, as it was about the RE process and more broadly about an attack vector.

BDKPlayer said: You could try finding a call to an unsafe function such as gets() and then overflow its buffer to write to the return address on the stack, which would enable you to redirect code flow. That's even possible with stack canaries enabled. Maybe that "printStack" function is unsafe?

I managed to find a remote-access 0day on Monday through an attack vector unrelated to what we were discussing above. It wasn't easy to find, but long story short, there was a disconnect between what the developers wrote and how their code was actually assembled and run in memory. It's their fault for not being good developers and working with a language they did not truly understand. None of this would've been possible (given the timeline) had they not compiled it with debug flags.

BDKPlayer
Oct 31, 2013
Is this a CTF challenge? You could try finding a call to an unsafe function such as gets() and then overflow its buffer to write to the return address on the stack, which would enable you to redirect code flow. That's even possible with stack canaries enabled. Maybe that "printStack" function is unsafe?
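Both replies in this thread come down to the same two exposures: a root-running binary shipped with its full symbol table and debug sections, and an unbounded libc call such as gets() being reachable. Here is an added defensive audit, not code from the thread or from the software discussed: a small Python ELF64 section parser that flags those properties in a binary image. The image it checks is constructed inside the script (build_sample_elf is a hypothetical helper producing headers and string tables only), so it runs offline; pass audit_elf the bytes of a real executable to audit that instead.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHDR_FMT = "<IIQQQQIIQQ"  # ELF64 section header: name, type, flags, addr, offset, size, link, info, align, entsize

def section_map(data):
    """Return {section_name: (file_offset, size)} for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    shoff, = struct.unpack_from("<Q", data, 40)             # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 58)
    hdrs = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize) for i in range(shnum)]
    so, ss = hdrs[shstrndx][4], hdrs[shstrndx][5]           # .shstrtab holds the section names
    strtab = data[so:so + ss]
    return {strtab[h[0]:strtab.index(b"\0", h[0])].decode(): (h[4], h[5]) for h in hdrs}

def audit_elf(data):
    """Flag the properties discussed in the thread: unstripped symbols, debug info, gets() linkage."""
    secs = section_map(data)
    linked = set()
    for name in (".dynstr", ".strtab"):                    # dynamic and static symbol-name tables
        off, size = secs.get(name, (0, 0))
        linked.update(data[off:off + size].split(b"\0"))
    return {
        "has_symtab": ".symtab" in secs,                    # full symbol table => binary was not stripped
        "has_debug_info": any(n.startswith(".debug_") for n in secs),
        "links_gets": b"gets" in linked,                    # unbounded read; the call flagged in the thread
    }

def build_sample_elf(stripped, imports_gets):
    """Constructed sample: a minimal ELF64 image with only headers and string tables (not a real program)."""
    names = [".shstrtab", ".dynstr"] + ([] if stripped else [".symtab", ".debug_info"])
    shstrtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    blobs = {".shstrtab": shstrtab, ".symtab": b"\0" * 24, ".debug_info": b"\0" * 4,
             ".dynstr": b"\0puts\0" + (b"gets\0" if imports_gets else b"")}
    body, hdrs = b"", [(0,) * 10]                           # index 0 is the mandatory null header
    for n in names:
        hdrs.append((shstrtab.index(n.encode()), 1, 0, 0, 64 + len(body), len(blobs[n]), 0, 0, 1, 0))
        body += blobs[n]
    ehdr = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9        # ELFCLASS64, little-endian, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, len(hdrs), 1)
    return ehdr + body + b"".join(struct.pack(SHDR_FMT, *h) for h in hdrs)

if __name__ == "__main__":
    print("debug build:   ", audit_elf(build_sample_elf(stripped=False, imports_gets=True)))
    print("hardened build:", audit_elf(build_sample_elf(stripped=True, imports_gets=False)))
```

Any binary that reports has_symtab or has_debug_info while running as root is handing an unprivileged reader the exported function names and offsets the original question relies on; stripping the shipped build and removing the gets() call closes both.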