2011.04.08 22:09

SOURCE: Shell Code Generator!

Recently, ZorgioN's open-source shell code generator – released a long time ago – was updated and now has a GUI, so it seemed worth sharing here. Note that the listing as pasted below has lost the backslashes of its escape sequences (for example `'\'`, `"\x%02x"` and `"""` stand for `'\\'`, `"\\x%02x"` and `"\""`); restore them before compiling.

/*
		Shell Code Generator v1.3 by ZorgioN.

		v1.3 (January 29, 2011 - by karmany)
		- Fixed getFileName
		- Add TextBox for end-line
		- Add button: About
		- Initial window in center of screen

		v1.2
		- Fixed some bugs and rebuild some parts
		  of the code.

		v1.1
		- Rebuild because of problems and to
		  remove all error messageboxes.

		v1.0
		- First release

	    Some credits for the shellcode gen.
		goes out to JoeK.

*/
#include <windows.h>
#include <stdio.h>
#include <string.h>

/* Control IDs handed to CreateWindowEx as the HMENU argument; they come back
 * in LOWORD(wParam) of WM_COMMAND and are used by SendDlgItemMessage. */
#define IDC_ABOUT		1001	/* "About..." button */
#define IDC_CLEAR		1002	/* "Clear" button: empties the log list box */
#define IDC_CLOSE		1003	/* "Close File" button: clears the global File */
#define IDC_EXIT		1004	/* handled in WM_COMMAND, but no control with this ID is created in this file */
#define IDC_GENERATE	1005	/* "Generate" button: picks the output file and starts the worker thread */
#define IDC_INFOBOX		1006	/* log list box */
#define IDC_OPEN		1007	/* "Open" button: picks the input file */
#define IDC_TEXT		1008	/* "End of line" edit box, read by makeShellCode */
#define IDC_LABEL		1009	/* static label next to the edit box */

#define CLASS_NAME "SCG-GEN"	/* window class registered in WinMain */
#define TITLE_NAME "Shell Code-Generator v1.3"	/* main window caption */

/* State for the single input/output pair the tool handles at a time.
 * There is exactly one instance (File, below): it is written by the window
 * procedure (IDC_OPEN, IDC_GENERATE, IDC_CLOSE) and read and then zeroed by
 * the worker thread started from IDC_GENERATE, with no lock between them. */
struct FILE_INFORMATION {
	char cIn_[MAX_PATH];	/* path of the open input file; "" means nothing is open */
	char cOut_[MAX_PATH];	/* path of the output file chosen in IDC_GENERATE */
	char cName_[MAX_PATH];	/* base name of cIn_ as produced by getFileName */
	char cType_[MAX_PATH];	/* extension of cIn_ as produced by getFileType */
	unsigned int uiSize;	/* set in IDC_OPEN; holds bytes, KB or MB depending on which size branch ran */
}; FILE_INFORMATION File;

HANDLE threadHandle = NULL;	/* worker thread created in IDC_GENERATE; the worker also passes it to TerminateThread on itself */
HWND hEdit = NULL;	/* "End of line" edit box (IDC_TEXT), read by makeShellCode with WM_GETTEXT */
/* 15 px Arial for the buttons, edit box and label. Initialised with a call at
 * global scope, i.e. during C++ static initialisation before WinMain runs;
 * nothing in this file ever releases it with DeleteObject. */
HFONT hFont = CreateFont(15,NULL,NULL,NULL,FW_DONTCARE,FALSE,FALSE,FALSE,ANSI_CHARSET,OUT_TT_PRECIS,CLIP_TT_ALWAYS,DEFAULT_QUALITY,FF_DONTCARE,"Arial");
HWND listboxWindow = NULL;	/* log list box (IDC_INFOBOX) that sendMessage() appends lines to */

BOOL fileBrowser(bool bToggle,char *cProgram,char *cType,char *cTitle);	/* common Open (TRUE) / Save (FALSE) dialog; result path into cProgram */
BOOL getFileName(char *cString,char *cReturn);	/* base name of a path without its extension */
BOOL getFileType(char *cString,char *cReturn);	/* extension of a path, or "unknown" */
DWORD getFileSize(HANDLE fileHandle);	/* low 32 bits of GetFileSize; the high part is discarded */
HWND createButton(HWND windowHandle,char *cName,DWORD dwStyle,int iX_axe,int iY_axe,int iWidth,int iHeight,int iItem);	/* CreateWindowEx wrapper for the "Button" class */
LRESULT CALLBACK mainWindow(HWND windowHandle,UINT uiMessage,WPARAM wParam,LPARAM lParam);	/* window procedure of the main window */
LRESULT resetListBox(HWND windowHandle);	/* LB_RESETCONTENT */
LRESULT setFont(HWND windowHandle,int iItem,HFONT Font);	/* WM_SETFONT to the child control with ID iItem */
LRESULT setListBoxFont(HWND windowHandle,DWORD dwFont);	/* WM_SETFONT with a GetStockObject font */
LRESULT sendMessage(HWND windowHandle,char *cMessage, ... );	/* printf-style LB_INSERTSTRING; cMessage must be a literal, user text goes through %s */
/* Worker thread body. Declared void(LPVOID) but handed to CreateThread
 * through a cast to LPTHREAD_START_ROUTINE, whose real shape is
 * DWORD WINAPI fn(LPVOID); the cast hides the return-type and
 * calling-convention mismatch. */
void makeShellCode(LPVOID);

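/*
 * Entry point: enforces a single running instance, registers the window
 * class, creates and centres the main window, then runs the message loop.
 *
 * instanceHandle - module instance used for the window class and window.
 * Null           - hPrevInstance, always NULL on Win32; unused.
 * lpArgument     - command line; unused.
 * iShowCmd       - forwarded to ShowWindow.
 * Returns the WM_QUIT exit code, or 0 when a second instance, a failed
 * RegisterClassEx or a failed CreateWindowEx stops the program early.
 */
int WINAPI WinMain(HINSTANCE instanceHandle,HINSTANCE Null,LPSTR lpArgument,int iShowCmd) {
	/* Single-instance guard. CreateMutex succeeds even when the name is
	 * already taken (it returns the existing object), so testing for NULL
	 * never detected a second copy; ERROR_ALREADY_EXISTS does. */
	HANDLE mutexHandle = CreateMutex(NULL,TRUE,"SCG");
	if(mutexHandle == NULL) return 0;
	if(GetLastError() == ERROR_ALREADY_EXISTS) {
		CloseHandle(mutexHandle);
		return 0;
	}
	ZeroMemory(&File,sizeof(FILE_INFORMATION));

	WNDCLASSEX wincl		= {0};
	wincl.cbSize			= sizeof(WNDCLASSEX);
	wincl.style				= CS_DBLCLKS;
	wincl.lpfnWndProc		= mainWindow;
	wincl.cbClsExtra		= 0;
	wincl.cbWndExtra		= 0;
	wincl.hInstance			= instanceHandle;
	wincl.hIcon				= LoadIcon(NULL,IDI_APPLICATION);
	wincl.hCursor			= LoadCursor(NULL,IDC_ARROW);
	/* Kept as the original wrote it. NOTE(review): the documented form for a
	 * system colour is (HBRUSH)(COLOR_xxx + 1); this value selects a
	 * different system colour than its name suggests. */
	wincl.hbrBackground		= (HBRUSH)COLOR_BACKGROUND;
	wincl.lpszMenuName		= NULL;
	wincl.lpszClassName		= CLASS_NAME;
	wincl.hIconSm			= LoadIcon(NULL,IDI_APPLICATION);
	if(!RegisterClassEx(&wincl)) {
		CloseHandle(mutexHandle);
		return 0;
	}

	HWND windowHandle = CreateWindowEx(WS_EX_CLIENTEDGE,CLASS_NAME,TITLE_NAME,WS_SYSMENU|WS_MINIMIZEBOX,CW_USEDEFAULT,CW_USEDEFAULT,325,353,HWND_DESKTOP,NULL,instanceHandle,NULL);
	if(windowHandle == NULL) {
		CloseHandle(mutexHandle);
		return 0;
	}

	/* Centre on the primary screen using the window's width and height.
	 * The old code used rc.right/rc.bottom, which are screen edges, not
	 * sizes, because CW_USEDEFAULT does not place the window at the origin. */
	RECT rc = {0};
	if(GetWindowRect(windowHandle,&rc)) {
		int width  = rc.right - rc.left;
		int height = rc.bottom - rc.top;
		int x = (GetSystemMetrics(SM_CXSCREEN) - width) / 2;
		int y = (GetSystemMetrics(SM_CYSCREEN) - height) / 2;
		SetWindowPos(windowHandle,NULL,x,y,0,0,SWP_NOZORDER|SWP_NOSIZE);
	}

	ShowWindow(windowHandle,iShowCmd);

	/* GetMessage returns -1 on error; a plain truth test would spin forever. */
	MSG msg = {0};
	BOOL got;
	while((got = GetMessage(&msg,NULL,0,0)) != 0) {
		if(got == -1) break;
		TranslateMessage(&msg);
		DispatchMessage(&msg);
	}
	CloseHandle(mutexHandle);
	return (int)msg.wParam;
}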

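/*
 * Shows a common file dialog and stores the chosen path in cProgram.
 *
 * bToggle  - TRUE for an Open dialog, FALSE for a Save dialog.
 * cProgram - caller's buffer of at least MAX_PATH bytes (callers pass the
 *            MAX_PATH fields of File). Cleared first; holds the selected
 *            path on success, "" otherwise.
 * cType    - filter in the OPENFILENAME "description\0pattern\0" layout.
 * cTitle   - dialog caption.
 * Returns the dialog's result: non-zero when the user chose a file.
 *
 * The Save dialog no longer sets OFN_FILEMUSTEXIST: with that flag a new
 * output name was rejected, so the only accepted targets were existing
 * files, which the caller then truncates with CREATE_ALWAYS. It asks before
 * overwriting instead.
 */
BOOL fileBrowser(bool bToggle,char *cProgram,char *cType,char *cTitle) {
	char cDirectory[MAX_PATH]	= "";
	OPENFILENAME ofn			= {0};

	/* Start in the current directory; if that cannot be read, leave
	 * lpstrInitialDir NULL and let the dialog pick its own default. */
	DWORD dirLen = GetCurrentDirectory(sizeof(cDirectory),cDirectory);
	bool haveDir = (dirLen > 0 && dirLen < sizeof(cDirectory));

	cProgram[0]					= '\0';
	ofn.lStructSize				= sizeof(OPENFILENAME);
	ofn.hwndOwner				= NULL;
	ofn.hInstance				= NULL;
	ofn.lpstrFilter				= cType;
	ofn.lpstrFile				= cProgram;
	ofn.nMaxFile				= MAX_PATH;
	ofn.lpstrInitialDir			= haveDir ? cDirectory : NULL;
	ofn.lpstrTitle				= cTitle;

	if(bToggle) {
		ofn.Flags = OFN_PATHMUSTEXIST|OFN_FILEMUSTEXIST;
		return GetOpenFileName(&ofn);
	}
	ofn.Flags = OFN_PATHMUSTEXIST|OFN_OVERWRITEPROMPT;
	return GetSaveFileName(&ofn);
}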

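/*
 * Copies the base name of a path -- without directory and without the last
 * extension -- into cReturn.
 *
 * cString - NUL-terminated path such as "C:\dir\shell.bin".
 * cReturn - output buffer; callers pass FILE_INFORMATION::cName_, so at
 *           least MAX_PATH bytes are assumed and the copy is bounded to
 *           that. Always NUL-terminated on return ("" on failure).
 * Returns TRUE when a non-empty name was found, FALSE otherwise.
 *
 * Only the text after the last '\' or '/' is examined. The previous version
 * took the last '.' anywhere in the path, so a dot inside a directory name
 * ("C:\my.dir\payload") or a path without any dot produced a negative
 * length, and memcpy ran past the end of both buffers. It also never wrote
 * a terminator and relied on the caller having zeroed cReturn.
 */
BOOL getFileName(char *cString,char *cReturn)
{
	if(cReturn == NULL) return FALSE;
	cReturn[0] = '\0';
	if(cString == NULL) return FALSE;

	/* base points just past the last separator, or at the start. */
	const char *base = cString;
	for(const char *p = cString; *p != '\0'; ++p) {
		if(*p == '\\' || *p == '/') base = p + 1;
	}

	/* Cut at the last '.' of the base name; no dot means the whole name. */
	const char *dot = strrchr(base,'.');
	size_t nameLen = (dot != NULL) ? (size_t)(dot - base) : strlen(base);
	if(nameLen == 0) return FALSE;
	if(nameLen > MAX_PATH - 1) nameLen = MAX_PATH - 1;

	memcpy(cReturn,base,nameLen);
	cReturn[nameLen] = '\0';
	return TRUE;
}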

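/*
 * Copies the extension of a path (the text after the last '.' of the file
 * name) into cReturn, or "unknown" when the name has no extension.
 *
 * cString - NUL-terminated path.
 * cReturn - output buffer; callers pass FILE_INFORMATION::cType_ (MAX_PATH
 *           bytes), which bounds the copy. NUL-terminated on every return.
 * Returns FALSE for a NULL or empty path, TRUE otherwise -- including the
 * "unknown" case, as before.
 *
 * Only the part after the last path separator is searched, so a '.' in a
 * directory name is no longer reported as the extension. The old
 * ZeroMemory(cReturn, sizeof(cReturn)) cleared only sizeof(char *) bytes
 * and the copied extension was never terminated; both are fixed here.
 */
BOOL getFileType(char *cString,char *cReturn) {
	if(cReturn == NULL) return FALSE;
	cReturn[0] = '\0';
	if(cString == NULL || cString[0] == '\0') return FALSE;

	const char *base = cString;
	for(const char *p = cString; *p != '\0'; ++p) {
		if(*p == '\\' || *p == '/') base = p + 1;
	}

	const char *dot = strrchr(base,'.');
	size_t extLen = (dot != NULL) ? strlen(dot + 1) : 0;
	if(extLen == 0) {
		strcpy(cReturn,"unknown");
		return TRUE;
	}
	if(extLen > MAX_PATH - 1) extLen = MAX_PATH - 1;

	memcpy(cReturn,dot + 1,extLen);
	cReturn[extLen] = '\0';
	return TRUE;
}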

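/*
 * Size of an open file in bytes, or 0 when it cannot be used.
 *
 * fileHandle - handle opened with CreateFile.
 * Returns the size, or 0 for an empty file, for a GetFileSize failure, and
 * for any file of 4 GiB or more. Callers store the result in a 32-bit field
 * and allocate a buffer of exactly this size, so silently returning the low
 * word of a larger file would make them read and convert the wrong amount;
 * both callers already treat 0 as "no size found".
 */
DWORD getFileSize(HANDLE fileHandle) {
	DWORD dwHigh = 0;
	DWORD dwLow = GetFileSize(fileHandle,&dwHigh);
	/* INVALID_FILE_SIZE is also a legal low word for a huge file; only the
	 * error code tells failure apart from that. */
	if(dwLow == INVALID_FILE_SIZE && GetLastError() != NO_ERROR) return 0;
	if(dwHigh != 0) return 0;
	return dwLow;
}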

/* Creates a "Button" child of windowHandle; iItem becomes the control ID the
 * parent sees in WM_COMMAND. Instance handle and extra data stay NULL, as
 * for every other child control in this file. */
HWND createButton(HWND windowHandle,char *cName,DWORD dwStyle,int iX_axe,int iY_axe,int iWidth,int iHeight,int iItem) {
	static const char *const className = "Button";
	HMENU controlId = (HMENU)(INT_PTR)iItem;
	return CreateWindowEx(0,className,cName,dwStyle,iX_axe,iY_axe,iWidth,iHeight,windowHandle,controlId,NULL,NULL);
}
/* Creates an "EDIT" child of windowHandle with initial text cName; iItem is
 * its control ID. Same conventions as createButton. */
HWND createTextBox(HWND windowHandle,char *cName,DWORD dwStyle,int iX_axe,int iY_axe,int iWidth,int iHeight,int iItem) {
	static const char *const className = "EDIT";
	HMENU controlId = (HMENU)(INT_PTR)iItem;
	return CreateWindowEx(0,className,cName,dwStyle,iX_axe,iY_axe,iWidth,iHeight,windowHandle,controlId,NULL,NULL);
}
/* Creates a "STATIC" (label) child of windowHandle showing cName; iItem is
 * its control ID. Same conventions as createButton. */
HWND createLabel(HWND windowHandle,char *cName,DWORD dwStyle,int iX_axe,int iY_axe,int iWidth,int iHeight,int iItem) {
	static const char *const className = "STATIC";
	HMENU controlId = (HMENU)(INT_PTR)iItem;
	return CreateWindowEx(0,className,cName,dwStyle,iX_axe,iY_axe,iWidth,iHeight,windowHandle,controlId,NULL,NULL);
}

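/* Filter for both common dialogs in the OPENFILENAME "description\0pattern\0"
 * layout (the literal's own terminator supplies the closing NUL). The old
 * "*.*\0" put "*.*" in the description slot and left the pattern empty. */
static char g_allFilesFilter[] = "All files (*.*)\0*.*\0";

/* TRUE while the worker started by IDC_GENERATE is still running. The worker
 * never resets threadHandle itself, so the handle is polled instead. */
static BOOL generatorRunning(void) {
	if(threadHandle == NULL) return FALSE;
	return WaitForSingleObject(threadHandle,0) == WAIT_TIMEOUT;
}

/* Logs the size of the open file in bytes, KB or MB. The value is passed in
 * rather than scaled in place, so File.uiSize keeps the true byte count;
 * exactly 1000 and exactly 1000000 bytes now get a line too. */
static void reportFileSize(unsigned int uiSize) {
	if(uiSize < 1000u) {
		sendMessage(listboxWindow,"Info: File size = %u byte.",uiSize);
	} else if(uiSize < 1000000u) {
		sendMessage(listboxWindow,"Info: File size = %u KB.",uiSize / 1000u);
	} else {
		sendMessage(listboxWindow,"Info: File size = %u MB.",uiSize / 1000000u);
	}
}

/* IDC_OPEN: choose an input file and record its name, type and size in File.
 * A failure at any step closes the handle, clears File and logs it, instead
 * of carrying on with a half-filled record as the inline code did. */
static void onOpenFile(void) {
	if(File.cIn_[0] != '\0') {
		sendMessage(listboxWindow,"Error: You already got a file open!");
		return;
	}
	fileBrowser(TRUE,File.cIn_,g_allFilesFilter,"Select file");
	if(File.cIn_[0] == '\0') {
		sendMessage(listboxWindow,"Error: No file selected !");
		return;
	}
	HANDLE fileHandle = CreateFile(File.cIn_,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
	if(fileHandle == INVALID_HANDLE_VALUE) {
		sendMessage(listboxWindow,"Error: File selected does not exist!");
		ZeroMemory(&File,sizeof(FILE_INFORMATION));
		return;
	}
	if(getFileName(File.cIn_,File.cName_) != TRUE) {
		sendMessage(listboxWindow,"Error: No file name found!");
		goto fail;
	}
	sendMessage(listboxWindow,"Info: File name = %s",File.cName_);
	if(getFileType(File.cIn_,File.cType_) != TRUE) {
		sendMessage(listboxWindow,"Error: No file type found!");
		goto fail;
	}
	sendMessage(listboxWindow,"Info: File type = %s",File.cType_);
	File.uiSize = getFileSize(fileHandle);
	if(File.uiSize == 0) {
		sendMessage(listboxWindow,"Error: No file size found!");
		goto fail;
	}
	reportFileSize(File.uiSize);
	CloseHandle(fileHandle);
	return;
fail:
	CloseHandle(fileHandle);
	ZeroMemory(&File,sizeof(FILE_INFORMATION));
	sendMessage(listboxWindow,"Info: File closed!");
}

/* IDC_CLOSE: forget the open file. Refused while the worker is running: it
 * reads File until it finishes, and clearing cOut_ underneath it would make
 * its error path call DeleteFile on an empty path. */
static void onCloseFile(void) {
	if(File.cIn_[0] == '\0') {
		sendMessage(listboxWindow,"Error: No file open or already closed!");
		return;
	}
	if(generatorRunning()) {
		sendMessage(listboxWindow,"Error: Generation still running, wait for it to finish!");
		return;
	}
	ZeroMemory(&File,sizeof(FILE_INFORMATION));
	sendMessage(listboxWindow,"Info: File closed!");
}

/* IDC_GENERATE: choose the output file and start the worker thread. */
static void onGenerate(void) {
	if(File.cIn_[0] == '\0') {
		sendMessage(listboxWindow,"Error: You must first open a file!");
		return;
	}
	if(File.cOut_[0] != '\0') {
		sendMessage(listboxWindow,"Error: Output file already set.");
		sendMessage(listboxWindow,"...... You must close current open file too continue!");
		return;
	}
	if(generatorRunning()) {
		sendMessage(listboxWindow,"Error: Generation still running, wait for it to finish!");
		return;
	}
	if(threadHandle != NULL) {
		/* Previous worker has finished: release its handle. The old code
		 * overwrote it on every run and leaked one handle per generation. */
		CloseHandle(threadHandle);
		threadHandle = NULL;
	}
	fileBrowser(FALSE,File.cOut_,g_allFilesFilter,"Select output-file");
	if(File.cOut_[0] == '\0') {
		sendMessage(listboxWindow,"Error: No file selected!");
		return;
	}
	/* NOTE(review): makeShellCode is declared void(LPVOID); the cast hides
	 * the mismatch with LPTHREAD_START_ROUTINE (DWORD WINAPI fn(LPVOID)). */
	threadHandle = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)makeShellCode,NULL,0,NULL);
	if(threadHandle == NULL) sendMessage(listboxWindow,"Error: Unable to create thread.");
}

/*
 * Window procedure of the main window.
 *
 * WM_CREATE builds the controls and the log list box, WM_COMMAND dispatches
 * the button IDs to the handlers above, WM_DESTROY ends the message loop;
 * everything else goes to DefWindowProc. Returns 0 for handled messages.
 */
LRESULT CALLBACK mainWindow(HWND windowHandle,UINT uiMessage,WPARAM wParam,LPARAM lParam) {
	switch(uiMessage) {
		case WM_DESTROY: {
			PostQuitMessage(0);
			return 0;
		}
		case WM_CREATE: {
			createButton(windowHandle,"Open",WS_VISIBLE|WS_CHILD|WS_BORDER,8,251,149,20,IDC_OPEN);
			createButton(windowHandle,"Generate",WS_VISIBLE|WS_CHILD|WS_BORDER,159,272,149,20,IDC_GENERATE);
			createButton(windowHandle,"Close File",WS_VISIBLE|WS_CHILD|WS_BORDER,8,272,149,20,IDC_CLOSE);
			createButton(windowHandle,"Clear",WS_VISIBLE|WS_CHILD|WS_BORDER,8,293,149,20,IDC_CLEAR);
			createButton(windowHandle,"About...",WS_VISIBLE|WS_CHILD|BS_PUSHBUTTON|WS_BORDER,159,293,149,20,IDC_ABOUT);
			createLabel(windowHandle,"End of line:",WS_VISIBLE|WS_CHILD|WS_BORDER|SS_CENTER,159,251,75,20,IDC_LABEL);
			/* ES_CENTER is the EDIT-class name for the same bit as SS_CENTER. */
			hEdit = createTextBox(windowHandle," & _",WS_VISIBLE|WS_CHILD|WS_BORDER|ES_CENTER,233,251,75,20,IDC_TEXT);
			SendMessage(hEdit,EM_LIMITTEXT,(WPARAM)5,0);	/* makeShellCode sizes its line_end buffer to this limit */
			setFont(windowHandle,IDC_OPEN,hFont);
			setFont(windowHandle,IDC_CLOSE,hFont);
			setFont(windowHandle,IDC_CLEAR,hFont);
			setFont(windowHandle,IDC_GENERATE,hFont);
			setFont(windowHandle,IDC_ABOUT,hFont);	/* was the only button left in the default font */
			setFont(windowHandle,IDC_TEXT,hFont);
			setFont(windowHandle,IDC_LABEL,hFont);
			listboxWindow = CreateWindowEx(0,"ListBox",NULL,WS_VISIBLE|WS_CHILD|WS_BORDER|WS_VSCROLL,8,8,300,250,windowHandle,(HMENU)IDC_INFOBOX,NULL,NULL);
			setListBoxFont(listboxWindow,SYSTEM_FIXED_FONT);
			sendMessage(listboxWindow,"Welcome to SCG v1.3");
			return 0;
		}
		case WM_COMMAND: {
			switch(LOWORD(wParam)) {
				case IDC_EXIT:
					PostQuitMessage(0);
					break;
				case IDC_ABOUT:
					MessageBox(windowHandle,
								"\n"
								"Shell Code Generator v1.3\n"
								"\nProgram made by ZorgioN, but some credits goes to JoeK for help with the SCG-function icon smile SOURCE: Shell Code Generator! \n"
								"\nVersion 1.3 (A small modification) by karmany","About",
								MB_OK|MB_ICONINFORMATION
								);
					break;
				case IDC_CLOSE:
					onCloseFile();
					break;
				case IDC_OPEN:
					onOpenFile();
					break;
				case IDC_CLEAR:
					resetListBox(listboxWindow);
					sendMessage(listboxWindow,"Welcome to SCG v1.3");
					break;
				case IDC_GENERATE:
					onGenerate();
					break;
				default:
					break;
			}
			return 0;
		}
		default:
			return DefWindowProc(windowHandle,uiMessage,wParam,lParam);
	}
}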

/* Removes every line from a list box. LB_RESETCONTENT ignores both message
 * parameters; the values are passed exactly as the original did. */
LRESULT resetListBox(HWND windowHandle) {
	const WPARAM unusedW = (WPARAM)-1;
	const LPARAM unusedL = (LPARAM)NULL;
	return SendMessage(windowHandle,LB_RESETCONTENT,unusedW,unusedL);
}

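/*
 * printf-style append of one line to a list box.
 *
 * windowHandle - the list box (listboxWindow everywhere in this file).
 * cMessage     - printf format. It must be a literal owned by this program:
 *                user-controlled text such as File.cName_ is passed through
 *                "%s", never as cMessage itself (format-string bug otherwise).
 * ...          - format arguments.
 * Returns the LB_INSERTSTRING result (index of the new item, or LB_ERR).
 *
 * Called from the window procedure and from the worker thread; SendMessage
 * from the worker blocks it until the UI thread has processed the insert.
 * Lines longer than 1023 bytes are truncated. _vsnprintf does not write a
 * terminator when it truncates, so the last byte is reserved and kept NUL;
 * the old code could hand an unterminated buffer to the list box.
 */
LRESULT sendMessage(HWND windowHandle,char *cMessage, ... ) {
	char cBuffer[1024] = "";	/* aggregate init zeroes the whole array */
	va_list ap;
	va_start(ap,cMessage);
	_vsnprintf(cBuffer,sizeof(cBuffer) - 1,cMessage,ap);
	va_end(ap);
	cBuffer[sizeof(cBuffer) - 1] = '\0';
	return SendMessage(windowHandle,LB_INSERTSTRING,(WPARAM)-1,(LPARAM)cBuffer);
}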

/* Applies Font to the child control with ID iItem of windowHandle
 * (WM_SETFONT without a redraw request). */
LRESULT setFont(HWND windowHandle,int iItem,HFONT Font) {
	const WPARAM fontArg  = (WPARAM)Font;
	const LPARAM noRedraw = (LPARAM)NULL;
	return SendDlgItemMessage(windowHandle,iItem,WM_SETFONT,fontArg,noRedraw);
}

/* Switches a window to the stock font dwFont (a GetStockObject id such as
 * SYSTEM_FIXED_FONT) and asks for an immediate redraw. */
LRESULT setListBoxFont(HWND windowHandle,DWORD dwFont) {
	HGDIOBJ stockFont = GetStockObject((int)dwFont);
	const LPARAM redraw = 1;
	return SendMessage(windowHandle,WM_SETFONT,(WPARAM)stockFont,redraw);
}

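/*
 * Worker thread body, started from IDC_GENERATE with a NULL argument.
 *
 * Reads File.cIn_ completely into memory and writes it to File.cOut_ as
 *     BYTE ShellCode[] = "\x..\x..<20 bytes>"<line_end>\r\n\t\t   "\x.. ..."
 * where <line_end> is the text of the "End of line" edit box (" & _" by
 * default, at most 5 characters). The closing '"' is always written and the
 * separator only between lines, so an input whose length is a multiple of
 * 20 no longer ends in a dangling open quote. No ';' is appended, as before.
 *
 * Every exit path closes both handles, frees the buffer, deletes a partly
 * written output file after a write failure, clears File and logs
 * "Info: File closed!" so the UI can start over. The old code ended each
 * path with TerminateThread() on its own thread, which is undefined for the
 * CRT; a plain return does the same job.
 *
 * Fixed here as well: the "\xNN" scratch buffer was char[4], one byte short
 * of the terminator sprintf writes; the buffer from new[] was released with
 * delete instead of delete[]; the conversion loop ran over the requested
 * size rather than the bytes actually read.
 *
 * NOTE(review): the function is declared void(LPVOID) and cast to
 * LPTHREAD_START_ROUTINE (DWORD WINAPI fn(LPVOID)) at the CreateThread
 * call; changing the declaration is the proper fix but lies outside this
 * block. File is shared with the UI thread without a lock.
 */
void makeShellCode(LPVOID) {
	static const char kHeader[] = "BYTE ShellCode[] = \"";
	char cFormat[8]          = "";	/* "\xNN" is 4 characters + NUL */
	char line_end[6]         = "";	/* EM_LIMITTEXT is 5: 5 characters + NUL */
	char text[64]            = "";	/* '"' + line_end + "\r\n\t\t   \"" */
	DWORD dwFileSize         = 0;
	DWORD dwBytesRead        = 0;
	DWORD dwBytesWritten     = 0;
	DWORD i                  = 0;
	int len_text             = 0;
	BYTE *buffer             = NULL;
	HANDLE inHandle          = INVALID_HANDLE_VALUE;
	HANDLE outHandle         = INVALID_HANDLE_VALUE;
	const char *failMessage  = NULL;
	bool deleteOutput        = false;

	inHandle = CreateFile(File.cIn_,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
	if(inHandle == INVALID_HANDLE_VALUE) {
		failMessage = "Error: Could not open input-file!";
		goto cleanup;
	}

	/* Line separator; line_end is fetched from the UI edit box with a
	 * synchronous cross-thread SendMessage. */
	SendMessage(hEdit,WM_GETTEXT,sizeof(line_end),(LPARAM)line_end);
	sprintf(text,"\"%s\r\n\t\t   \"",line_end);
	len_text = (int)strlen(text);

	dwFileSize = getFileSize(inHandle);
	if(dwFileSize == 0) {
		failMessage = "Error: Input-file is empty or its size is unknown!";
		goto cleanup;
	}
	buffer = new BYTE[dwFileSize];
	if(ReadFile(inHandle,buffer,dwFileSize,&dwBytesRead,NULL) == 0 || dwBytesRead != dwFileSize) {
		failMessage = "Error: Problems reading input-file!";
		goto cleanup;
	}
	CloseHandle(inHandle);
	inHandle = INVALID_HANDLE_VALUE;

	outHandle = CreateFile(File.cOut_,GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
	if(outHandle == INVALID_HANDLE_VALUE) {
		failMessage = "Error: Could not create output-file!";
		goto cleanup;
	}
	/* From here on a failure leaves a half-written file behind: delete it. */
	deleteOutput = true;
	if(WriteFile(outHandle,kHeader,(DWORD)(sizeof(kHeader) - 1),&dwBytesWritten,NULL) == 0) {
		failMessage = "Error: Problems writing to output-file !";
		goto cleanup;
	}
	for(i = 0; i < dwFileSize; i++) {
		sprintf(cFormat,"\\x%02x",(unsigned int)buffer[i]);
		if(WriteFile(outHandle,cFormat,4,&dwBytesWritten,NULL) == 0) {
			failMessage = "Error: Error occur while writing to output-file !";
			goto cleanup;
		}
		/* Break the line after every 20th byte, but only if more follow. */
		if((i + 1) % 20 == 0 && i + 1 < dwFileSize) {
			if(WriteFile(outHandle,text,(DWORD)len_text,&dwBytesWritten,NULL) == 0) {
				failMessage = "Error: Error occur while writing to output-file !";
				goto cleanup;
			}
		}
	}
	if(WriteFile(outHandle,"\"",1,&dwBytesWritten,NULL) == 0) {
		failMessage = "Error: Error occur while writing to output-file !";
		goto cleanup;
	}
	deleteOutput = false;
	sendMessage(listboxWindow,"Info: Shellcode generated !");

cleanup:
	if(failMessage != NULL) sendMessage(listboxWindow,"%s",failMessage);
	if(outHandle != INVALID_HANDLE_VALUE) CloseHandle(outHandle);
	if(deleteOutput) {
		sendMessage(listboxWindow,"...... Closing and deleting output-file !");
		DeleteFile(File.cOut_);
	}
	if(inHandle != INVALID_HANDLE_VALUE) CloseHandle(inHandle);
	delete[] buffer;	/* new[] pairs with delete[]; delete on NULL is a no-op */
	ZeroMemory(&File,sizeof(FILE_INFORMATION));
	sendMessage(listboxWindow,"Info: File closed!");
}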
출처 : pentestit.com

2010.08.10 13:11

아이폰 Jailbreaking 기술 분석


먼저, 이 익스플로잇은 PDF 파일의 압축 폰트 포맷(Compact Font Format, CFF) 처리 취약점(CVE-2010-1797)을 이용한다. 놀랍게도 이는 단순한 스택 기반 버퍼 오버플로로, 지나치게 긴 CFF charString 항목을 통해 공격자가 $PC(프로그램 카운터)를 제어할 수 있다. 많은 사람들은 ROP가 복잡한 작업을 수행하기에는 다소 미숙한 기법이라고 생각했지만, jailbreakme의 셸코드는 모든 작업을 ROP만으로 수행하며 총 150회 이상 API를 호출한다. 즉, 별도의 실행 가능한 메모리 영역 없이도(실행 메모리에 대한 방어와 무관하게) 이런 공격이 가능하다는 뜻이다. 아이폰 익스플로잇에서 현재의 ROP 기법은 이처럼 매우 성숙하고 안정적이다.

그 다음, ROP payload는 Apple IOSurface 구성 요소의 공개되지 않은 커널 취약점을 악용한다. 이 취약점은 일반 프로세스가 커널 메모리에 쓰기 접근을 할 수 있게 해 주는 것으로 보인다. payload는 이를 통해 보안 검사를 우회하고 커널 공간의 데이터를 수정한 뒤 "setuid(0)"를 호출하여 root 권한을 얻는다. 그 이상도 가능하다. root 권한을 가진 Safari 프로세스로는 무엇이든 원하는 대로 할 수 있다.

다음 단계로, "installui.dylib"를 다운로드하여 공유 라이브러리로 로드하고, 이 라이브러리의 "iui_go" 함수를 실행한다. 그러면 사용자 화면에 jailbreaking을 진행할지 묻는 메시지가 표시된다. 이어서 jailbreakme 사이트에서 "wad.bin" 파일을 다운로드하고, 거기서 "install.dylib"에 필요한 파일을 추출한 뒤 "do_install" 함수를 실행하여 jailbreaking 과정을 진행한다. 커널 버그를 이용해 Safari 프로세스가 이미 root 권한을 얻은 상태이기 때문에 이 모든 작업이 가능하다.

jailbreaking 단계에는 일부 시스템 디렉토리를 옮기고 "/etc/fstab" 같은 필수 시스템 파일을 수정하는 작업이 포함된다. 또한 "/dev/kmem" 장치를 통해 커널 메모리에 직접 접근하여 커널의 플래그나 코드를 패치한다. 마지막으로 "Cydia" 패키지 관리자를 설치하고 "uicache" 명령으로 SpringBoard를 다시 시작한다.

여기서 설명한 모든 내용은, jailbreakme 사이트가 제공하는 PDF 문서가 원래 의도한 작업보다 훨씬 많은 일을 얼마든지 할 수 있음을 보여 준다. 아이폰에는 이런 유형의 공격에 대한 실질적인 방어 메커니즘이 없기 때문에, 같은 기법을 악의적으로 쓰는 일이 곧 현실이 될 수 있다. 따라서 패치가 나올 때까지 아이폰 브라우저에서 의심스러운 링크를 클릭하지 말고, 메일의 PDF 첨부파일도 열지 않는 것이 좋다. 곧 패치가 나올 것이므로 모두 설치하기를 권한다.

출처 : community.websense.com
