Skip to main content

Posts

Showing posts from April, 2018

Why do we need Egg Hunters ?

In this post I am going to show you few examples of buffer overflow and why we need egghunters in certain scenarios For these examples I am going to turn of all security features and compile our code with few unsafe operation flags. Set the system with ASLR disabled - echo 0 | sudo tee /proc/sys/kernel/randomize_va_space Allow stack smashing - Compile the program with -fno-stack-protector Make stack executable - Compile the program with -z execstack  Lets get started with some simple vulnerable code Scenario 1 #include<stdio.h> #include<string.h> void main(int argc,char **argv){         char buffer[500];         strcpy(buffer,argv[1]);         printf("%s",buffer); } dibyendu@ubuntu:~/Desktop/b0f$ gdb -q ./b0f.o Reading symbols from /home/dibyendu/Desktop/b0f/b0f.o...(no debugging symbols found)...done. (gdb) r $(python -c 'print "A"*100+"B"*200+"C"*300+"D"*400+"E"*50

SLAEx86 : Coding a custom TCP Reverse Shell Shellcode for Linux x86 with Assembly

A shell is a small program that takes input from the user and sends it back to operating system and vice versa. In this writeup I will show you how we can create a custom tcp bind shell shellcode. So how does TCP Reverse exploit shell work ? In a TCP Reverse shell exploit shellcode is more effective than bind shell. It might happen the victim firewall may block the incoming connection. So instead of opening the port at the victim side we will open a port at the attacker side. We ask the victim machine to connect back to us on successfull execution of the shellcode. So we on attacker side will listen for an incoming connection and when the attacker connect to the listening port,  on the victim side it will open up a shell and transfer the control to the attacker. So the attacker now has a shell access to the victims machine and can run any commands. So there are few points I need to make clear while I write this post 1. The code that I have written went through  lot of  debugging

SLAEx86 : Coding a custom TCP Bind Shell Shellcode for Linux x86 with Assembly

A shell is a small program that takes input from the user and sends it back to operating system and vice versa. In this writeup I will show you how we can create a custom tcp bind shell shellcode. So how does TCP Bind exploit shell work ? In a TCP Bind Shell Exploit Shellcode, the exploit listens for an incoming connection and when the attacker connect to the port on which the exploit runs , it will open up a shell and transfer the control to the attacker. So the attacker now has a shell access to the victims machine and can run any commands. So there are few points I need to make clear while I write this post 1. The code that I have written went through  lot of  debugging and modification and I am still modifying ( to minimize , to remove bad characters like  PUSH 0x0 can introduce bad characters so I replaced them with something that had the value NULL and then pushed them to on stack like PUSH ECX ) 2. Some code which I have written might look absurd (for example mov eax,ed