How to use gdb for vuln development

* Start gdb:

[code]gdb 'executable-file'
gdb ./vuln // example

gdb 'executable-file' 'core-file'
gdb ./vuln core // example
[/code]

If the program segfaults and no core image is generated, raise the core size limit in the shell that starts the program:
hack@exploit:~ > ulimit -c unlimited
On current Linux distributions also look at /proc/sys/kernel/core_pattern: when it pipes cores to a handler (systemd-coredump, apport) the core is not written to the working directory; with systemd, retrieve it with coredumpctl.


* Attach to a running process:

[code]// launch gdb
hack@exploit:~ > gdb
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-suse-linux".
(gdb) attach 'pid'
(gdb) attach 1127 // example
[/code]

On current Linux kernels with Yama enabled, attaching to a process you did not start fails with "Operation not permitted" unless /proc/sys/kernel/yama/ptrace_scope is 0 or you are root; check that before assuming the pid is wrong.

* Examine anything in memory
[code]
(gdb) x 'address'           examine memory at address with the format and unit of the last x command (initial default: one word, hex)
(gdb) x/d 'address'         show one word as decimal
(gdb) x/10d 0x0804846c      show 10 words as decimal starting at 0x0804846c
(gdb) x/s 'address'         show the NUL-terminated string at address
(gdb) x/10s 0x0804846c      show 10 strings starting at 0x0804846c
(gdb) x/x 'address'         show one word as hexadecimal
(gdb) x/10x 0x0804846c      show 10 words as hexadecimal starting at 0x0804846c
(gdb) x/b 0x0804846c        show one byte at 0x0804846c
(gdb) x/10b 0x0804846c-10   show 10 bytes starting 10 bytes before 0x0804846c
(gdb) x/10b 0x0804846c+20   show 10 bytes starting 20 bytes after 0x0804846c
(gdb) x/20i 0x0804846c      show 20 assembler instructions starting at 0x0804846c
[/code]
The count after the slash is a number of units (bytes, words, strings, instructions), not a number of bytes: x/100s prints 100 strings. The unit size can be given as well, e.g. x/16xb (bytes), x/4xw (4-byte words), x/4xg (8-byte giants).

* Search for shellcode, a return address or anything else on the stack:
[code]
(gdb) break 'your function name or address'
(gdb) break main // example
Breakpoint 1 at 0x8048409
(gdb) run
Starting program: /home/hack/homepage/challenge/buf/basic

Breakpoint 1, 0x8048409 in main ()
(gdb) x/1000s 'address' // Print 1000 strings starting at address
(gdb) p $esp // Show the esp register
$2 = (void *) 0xbffff454
(gdb) x/1000s $esp // Print 1000 strings starting at $esp
(gdb) x/1000s $esp-1000 // Print 1000 strings starting 1000 bytes below $esp
(gdb) x/1000s 0xbffff4b4 // Print 1000 strings starting at 0xbffff4b4
[/code]
Scrolling through x/1000s works but is slow. Newer gdb versions can search a range directly with the find command, e.g. find $esp, +2000, "MARKER" for a marker string placed in the payload, or find $esp, +2000, (char)0x90 for the first byte of a NOP sled; it prints the matching addresses.

* List all sections of the executable file:
[code]
(gdb) maintenance info sections // or
(gdb) mai i s

Exec file:
`/home/hack/homepage/challenge/buf/basic', file type elf32-i386.
0x080480f4->0x08048107 at 0x000000f4: .interp ALLOC LOAD READONLY DATA HAS_CONTENTS
0x08048108->0x08048128 at 0x00000108: .note.ABI-tag ALLOC LOAD READONLY DATA HAS_CONTENTS
0x08048128->0x08048158 at 0x00000128: .hash ALLOC LOAD READONLY DATA HAS_CONTENTS
0x08048158->0x080481c8 at 0x00000158: .dynsym ALLOC LOAD READONLY DATA HAS_CONTENTS
0x080481c8->0x08048242 at 0x000001c8: .dynstr ALLOC LOAD READONLY DATA HAS_CONTENTS
0x08048242->0x08048250 at 0x00000242: .gnu.version ALLOC LOAD READONLY DATA HAS_CONTENTS

...

[/code]
* Break at an address
[code]
(gdb) disassemble main
Dump of assembler code for function main:
0x8048400 : push %ebp
0x8048401 : mov %esp,%ebp
0x8048403 : sub $0x408,%esp
0x8048409 : add $0xfffffff8,%esp
0x804840c : mov 0xc(%ebp),%eax
0x804840f : add $0x4,%eax
0x8048412 : mov (%eax),%edx
0x8048414 : push %edx
0x8048415 : lea 0xfffffc00(%ebp),%eax
...

(gdb) break *0x8048414 // example: stop exactly at this instruction
Breakpoint 1 at 0x8048414
(gdb) break main // example
Breakpoint 2 at 0x8048409
(gdb)

[/code]
Note the difference: break main stops after the prologue (0x8048409, once the frame has been set up), not at the first instruction of the function; to stop before the prologue runs use break *0x8048400. The break *address form is what you want for stopping on one specific instruction, e.g. right before an argument is pushed for a library call, so the stack can be inspected at that point.
* Delete breakpoints
[code]
(gdb) delete breakpoints // or
(gdb) d b
Delete all breakpoints? (y or n) y
(gdb)
[/code]
delete followed by a breakpoint number removes only that breakpoint; info breakpoints lists the numbers.

* Search anything in heap, bss, got, ...:
[code]
(gdb) maintenance info sections

0x08049570->0x08049588 at 0x00000570: .bss ALLOC
0x00000000->0x00000654 at 0x00000570: .stab READONLY HAS_CONTENTS
0x00000000->0x00001318 at 0x00000bc4: .stabstr READONLY HAS_CONTENTS
0x00000000->0x000000e4 at 0x00001edc: .comment READONLY HAS_CONTENTS
0x08049588->0x08049600 at 0x00001fc0: .note READONLY HAS_CONTENTS

(gdb) x/1000s 0x08049600 // print strings from the heap, which starts just past the loaded image
(gdb) x/1000s 0x08049570 // print strings from the .bss section
...

[/code]
Only sections flagged ALLOC are mapped at run time; .stab, .stabstr, .comment and .note above are not, which is why they are listed at address 0 or are unusable for x. The heap is not a section of the file: it begins at the program break, just above the end of the loaded image, and on a newer gdb info proc mappings shows its exact [heap] range. The GOT appears in this listing as .got (and .got.plt on newer toolchains).
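The listing is useful beyond eyeballing: given a crash address or a pointer from x/10x, you want to know which section it falls in, whether it is writable, and where its bytes sit in the file on disk. The following is an added example (not part of the original paper) that parses the maintenance info sections output format shown above; the embedded listing is a subset of the lines printed on this page, kept as a constructed sample, and the section and function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the `maintenance info sections` output
# shown on this page for the `basic` binary.
SECTIONS_SAMPLE = """\
Exec file:
    `/home/hack/homepage/challenge/buf/basic', file type elf32-i386.
    0x080480f4->0x08048107 at 0x000000f4: .interp ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x08048108->0x08048128 at 0x00000108: .note.ABI-tag ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x08048128->0x08048158 at 0x00000128: .hash ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x08048158->0x080481c8 at 0x00000158: .dynsym ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x080481c8->0x08048242 at 0x000001c8: .dynstr ALLOC LOAD READONLY DATA HAS_CONTENTS
    0x08049570->0x08049588 at 0x00000570: .bss ALLOC
    0x00000000->0x00000654 at 0x00000570: .stab READONLY HAS_CONTENTS
    0x00000000->0x00001318 at 0x00000bc4: .stabstr READONLY HAS_CONTENTS
    0x08049588->0x08049600 at 0x00001fc0: .note READONLY HAS_CONTENTS
"""

# One line of the listing: "0xSTART->0xEND at 0xFILEOFF: NAME FLAG FLAG ..."
SECTION_RE = re.compile(
    r"^\s*0x([0-9a-fA-F]+)->0x([0-9a-fA-F]+)\s+at\s+0x([0-9a-fA-F]+):\s+(\S+)\s*(.*)$"
)


@dataclass(frozen=True)
class Section:
    name: str
    vma_start: int    # first virtual address (inclusive)
    vma_end: int      # one past the last virtual address
    file_offset: int  # where the section's bytes live in the ELF file
    flags: frozenset

    @property
    def loaded(self) -> bool:
        # Sections without ALLOC (.stab, .note, .comment) are never mapped;
        # gdb lists them at vma 0, so they must not be matched against addresses.
        return "ALLOC" in self.flags

    @property
    def writable(self) -> bool:
        return self.loaded and "READONLY" not in self.flags

    def contains(self, addr: int) -> bool:
        return self.loaded and self.vma_start <= addr < self.vma_end


def parse_sections(text: str) -> list:
    """Parse `maintenance info sections` output into Section records."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            start, end, off, name, flags = m.groups()
            sections.append(Section(name, int(start, 16), int(end, 16),
                                    int(off, 16), frozenset(flags.split())))
    return sections


def find_section(sections, addr):
    """The loaded section holding addr, or None (gap, stack, heap, shared library)."""
    for s in sections:
        if s.contains(addr):
            return s
    return None


def vma_to_file_offset(sections, addr):
    """Map a runtime address back to a byte offset in the executable on disk.

    Returns None when the bytes do not exist in the file (.bss is ALLOC but has
    no contents) or when the address is outside the executable image."""
    s = find_section(sections, addr)
    if s is None or "HAS_CONTENTS" not in s.flags:
        return None
    return s.file_offset + (addr - s.vma_start)


if __name__ == "__main__":
    secs = parse_sections(SECTIONS_SAMPLE)
    for addr in (0x08048160, 0x08049580, 0x08048107, 0x00000100, 0xbffff4b4):
        s = find_section(secs, addr)
        print(hex(addr),
              s.name if s else "not in the executable image",
              "writable" if s and s.writable else "",
              vma_to_file_offset(secs, addr))
```

The ALLOC check is the point of the example: without it, 0x100 would be reported as living in .stab, and the .note section at 0x08049588 would look like a mapped target even though nothing is there at run time. A stack address such as 0xbffff4b4 correctly matches nothing, since the stack is not part of the file.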
* Show registers (very useful for stack exploits)
[code]
(gdb) break main
Breakpoint 7 at 0x8048409
(gdb) r

Starting program: /home/hack/homepage/challenge/buf/basic

Breakpoint 7, 0x8048409 in main ()
(gdb) info registers
eax 0x1 1
ecx 0x8048298 134513304
edx 0x8048400 134513664
ebx 0x400f6618 1074751000
esp 0xbffff4b4 0xbffff4b4
ebp 0xbffff8bc 0xbffff8bc
esi 0x4000aa20 1073785376
edi 0xbffff924 -1073743580
eip 0x8048409 0x8048409
eflags 0x286 646
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb)

[/code]
* Get the address of a dynamically linked function (useful for return-into-libc exploits)
[code]
(gdb) break main
Breakpoint 1 at 0x8048409
(gdb) r
Starting program: /home/hack/homepage/challenge/buf/./basic

Breakpoint 1, 0x8048409 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40052460 <system>

(gdb) p strcpy
$5 = {char *(char *, char *)} 0x4006e880 <strcpy>

[/code]
These addresses are only reusable if the target runs without address space randomization. gdb turns ASLR off for programs it starts (see show disable-randomization), so a libc address observed inside gdb can differ from the one in a real run on a modern system; for an attached process or a randomized target, read the libc base from /proc/<pid>/maps (or info proc mappings) and add the symbol's offset within libc instead.
* Backtrace the stack
[code]
(gdb) backtrace
(gdb) bt

#0 0x8048476 in main ()
#1 0x40031a5e in __libc_start_main () at ../sysdeps/generic/libc-start.c:93
[/code]
*****************************************************************************

This is the end of the paper. Have questions? Mail me:
I can't write English very well. Sorry for my English. My URL is www.priestmaster.org.

Port Forwarding - The Complete Guide

The Following Tutorial Includes:
Part 1: Gathering Information
Part 2: Port Forwarding
Part 3: Useful Alternatives
Part 4: Port Testing

Before we begin, please note the following:

What is Port Forwarding?
There are a couple of concepts you need to know before you can understand port forwarding. I'm going to make a couple of broad statements that are almost always true. For simplicity, let's assume they are true for now.

1.) Every device on the internet has at least one IP address. The IP address is a number that is used to identify a device. For more information on IP addresses refer to our What is an IP Address page.

2.) Each IP address has 65,535 ports per transport protocol (TCP and UDP). When one computer sends data to another computer, it sends it from a port on one IP address to a port on another IP address. For more information on ports refer to our What is a Port page.

3.) A port can only be used by one program at a time.
(PortForward)

How can we use port forwarding?
Port forwarding can be used for many purposes, such as gaming applications. However, we are going to use it for other programs. Port forwarding is essential for RATs, so naturally it is key to this form of black hatting: the RAT's server component connects back to your IP address on a chosen port, and a home router doing NAT drops that incoming connection unless a forwarding rule sends it on to the computer running the RAT client. Without successfully port forwarding you cannot run a RAT, no matter which RAT it is.



Part One: Gathering Information

What is My Router?
Knowing which router you are using is very important, because each router has a different layout for its settings page. You will need to know the model number and the company that makes the router.

Example:

Linksys WRT54G3G
Linksys = The company

Linksys WRT54G3G
WRT54G3G = Model Number

What Port Do I Want to Forward?
Knowing which port also matters, because some ports are already in use or are blocked on most computers, including your victim's, such as ports 80 and 25. Furthermore, without knowing which port to forward you cannot enter it into your RAT when you build a server.

What RAT am I Using?
You must know which RAT you are using so you know which port is best to use. This is not as important for port forwarding, but there is no point in port forwarding if you don't have a RAT.

Do I Have a Static IP?
It is possible to port forward with a dynamic IP address, but the forwarding rule points at your computer's address on the local network, and with DHCP that address can change after a reboot, so you would have to redo the rule every time you turn on your computer. A static LAN address (or a DHCP reservation on the router) does not change when you restart. To set up a static IP please refer to this guide.


Part Two: Port Forwarding

Step 1. Go into your command prompt via Start menu / Run / cmd.

Step 2. Type in: ipconfig
Rows of text will appear looking something like this:


Look for the IP address labeled "Default Gateway." Note the "IPv4 Address" (or "IP Address" on older Windows versions) of the same adapter as well; that is the address the forwarding rule will point at.

Step 3. Open up your web browser and type your "Default Gateway"
address where you usually enter websites.

Step 4. A pop-up will show up asking for a username and password.
The default login information is usually this:
Username: admin
Password: admin
If this does not work, the factory default is printed on the router's label or in its manual; if it has been changed, you need to find out what was set.

Step 5. Log on and a new page with your Router settings should show up
It is different for each kind of router, but usually there is a tab
called either Applications & Gaming or Port Forwarding.

Step 6. Click on the tab, Applications & Gaming or Port Forwarding.

Step 7. It will ask you for this:
Application: (Just put the name of your RAT, it doesn't matter)
Start Port: (The port you wish to forward)
End Port: (The same port you used for the Start Port)
Protocol: (Both)
IP Address: (The LAN address of the computer that will run the RAT client, i.e. the "IPv4 Address" line from ipconfig, not the Default Gateway)
Example: 192.168.1.100 (your computer), not 192.168.1.1 (the router)

Step 8. Check: Enable or something similar to that and click Save
Settings.

There you go, you have now successfully port forwarded!


Part Three: Useful Alternatives

Method 1:
If you still can't port forward, please visit this site for even more support right here. Otherwise, congratulations!

Method 2:
You can use Simple Port Forwarding Program by PCWinTech to easily port forward as well.

Download it here

We will be using the Port Forwarding Feature of this program:

Step 1. When you first open up the program two windows will
open up. Click on the option boxed in red below:



Step 2. Then another window will show up. Click Add Custom.



Step 3. The new window will show a few blank fields. Fill in what
you need:



Step 4. Click Add.

There you go, you have successfully port forwarded using a program!


Part Four: Port Testing

Method 1

Go to: CanYouSeeMe?
Type in the port you forwarded and click check.
It will tell you if you have port forwarded correctly.

Note: An outside checker can only report success if a program on your computer is actually listening on that port at the moment of the test. Start the listener (e.g. the RAT client in listening mode) first; otherwise the router forwards the probe to a closed port and the check fails even though the rule is correct.

Method 2

Download Port Checker from Portforward.com here
Type in your port and let it check it for you. Here too, a program must be listening on the port while the check runs, and that program must be the only one bound to it.
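Two steps of this guide can be reproduced offline. The block below is an added example (not part of the original tutorial or of any of the tools it links to): parse_ipconfig extracts the Default Gateway and the adapter's own IPv4 address from ipconfig output (Part One / Part Two, Step 2), which makes the point that the rule targets the IPv4 address and not the gateway, and port_reachable performs the same TCP connect test a web checker does from the outside (Part Four). The ipconfig text is a constructed sample, the addresses in it are made up, and the listener is a stand-in for the program that would normally be bound to the forwarded port.

```python
import contextlib
import re
import socket
import threading

# Constructed sample of Windows `ipconfig` output (addresses are made up).
IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# "IPv4 Address" on Vista and later, "IP Address" on XP; dots and spaces pad the label.
ADDR_RE = re.compile(r"\s*(?:IPv4|IP) Address[ .]*:\s*(\d+(?:\.\d+){3})")
GW_RE = re.compile(r"\s*Default Gateway[ .]*:\s*(\d+(?:\.\d+){3})")


def parse_ipconfig(text):
    """Return (own_ipv4, default_gateway) for the first adapter that has an IPv4
    default gateway, or None.  The first value is what goes into the router's
    "IP Address" field; the second is the address to type into the browser.
    (An IPv6 gateway printed on the line before the IPv4 one is skipped because
    it does not match the dotted-quad pattern.)"""
    own = None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            own = m.group(1)
            continue
        m = GW_RE.match(line)
        if m and own:
            return own, m.group(1)
    return None


def port_reachable(host, port, timeout=2.0):
    """TCP connect test, the same thing an external port checker does."""
    with contextlib.closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


@contextlib.contextmanager
def temporary_listener(host="127.0.0.1", port=0):
    """Bind a listener (port 0 = any free port) so the check has something to
    hit; stands in for the program that must be bound to the forwarded port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(5)

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass

    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()
        worker.join(timeout=5)


def demo():
    """Same port, checked with and without a listener: (True, False)."""
    with temporary_listener() as port:
        with_listener = port_reachable("127.0.0.1", port)
    without_listener = port_reachable("127.0.0.1", port)
    return with_listener, without_listener


if __name__ == "__main__":
    print("forward to / router at:", parse_ipconfig(IPCONFIG_SAMPLE))
    print("reachable with listener, without listener:", demo())
```

demo() is the caveat from Part Four in code form: the very same port reports reachable while something is bound to it and unreachable the moment that listener goes away, which is why a checker must be run with the real service already listening. For a real test replace 127.0.0.1 with your public address and run the check from a host outside your network, since many home routers do not loop a connection to their own WAN address back to the LAN.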

reference: hackforums