To avoid compilation issues, it is generally recommended to use native compilers for the operating system the code targets; however, this is not always possible.

In some scenarios, we may only have access to a single attack environment (such as Kali) but need to use an exploit written for a different platform. In such cases, a cross-compiler can be very useful.

In this section, we will use the very popular mingw-w64 cross-compiler. If it is not already installed, we can install it with apt:

kali@kali:~$ sudo apt install mingw-w64

Listing 7 - Installing the mingw-w64 cross-compiler in Kali

We can use mingw-w64 to compile the code into a Windows Portable Executable (PE) file. The first step is to determine whether the exploit code compiles without errors. We can do this by invoking the cross-compiler, passing the C source file as the first argument and the output PE file name as the second argument, prefixed by the -o parameter:

kali@kali:~$ **i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe**
/usr/bin/i686-w64-mingw32-ld: /tmp/cchs0xza.o:42341.c:(.text+0x97): undefined reference to **`_imp__WSAStartup@8'**
/usr/bin/i686-w64-mingw32-ld: /tmp/cchs0xza.o:42341.c:(.text+0xa5): undefined reference to `_imp__WSAGetLastError@0'
/usr/bin/i686-w64-mingw32-ld: /tmp/cchs0xza.o:42341.c:(.text+0xe9): undefined reference to `_imp__socket@12'
/usr/bin/i686-w64-mingw32-ld: /tmp/cchs0xza.o:42341.c:(.text+0xfc): undefined reference to `_imp__WSAGetLastError@0'
/usr/bin/i686-w64-mingw32-ld: /tmp/cchs0xza.o:42341.c:(.text+0x126): undefined reference to `_imp__inet_addr@4'
/usr/bin/i686-w64-mingw32-ld: /tmp/cchs0xza.o:42341.c:(.text+0x146): undefined reference to `_imp__htons@4'
/usr/bin/i686-w64-mingw32-ld: /tmp/cchs0xza.o:42341.c:(.text+0x16f): undefined reference to `_imp__connect@12'
/usr/bin/i686-w64-mingw32-ld: /tmp/cchs0xza.o:42341.c:(.text+0x1b8): undefined reference to `_imp__send@16'
/usr/bin/i686-w64-mingw32-ld: /tmp/cchs0xza.o:42341.c:(.text+0x1eb): undefined reference to `_imp__closesocket@4'
collect2: error: ld returned 1 exit status

Listing 8 - Errors displayed after attempting to compile the exploit using mingw-w64

Something went wrong during compilation. Although the errors in Listing 8 may look unfamiliar, a Google search for the first error, related to "WSAStartup", shows that this function is found in winsock.h. Further research indicates that these errors occur when the linker cannot find the winsock library, and that adding the -lws2_32 parameter to the i686-w64-mingw32-gcc command should fix the problem:

kali@kali:~$ **i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32**

kali@kali:~$ **ls -lah**
total 372K
drwxr-xr-x  2 root root 4.0K Feb 24 17:13 .
drwxr-xr-x 17 root root 4.0K Feb 24 15:42 ..
-rw-r--r--  1 root root 4.7K Feb 24 15:46 42341.c
-rwxr-xr-x  1 root root 355K Feb 24 17:13 **syncbreeze_exploit.exe**

Listing 9 - Successfully compiling the code after adjusting the mingw-w64 command to link the winsock library

This time, mingw32 produced an executable without any compilation errors. With the -l option, we instruct mingw-w64 to search for the ws2_32 DLL and include it in the final executable via static linking.
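The linker errors in Listing 8 all share one shape, `_imp__NAME@BYTES`, which can be read mechanically instead of searched for one by one. The following shell script is an added example, not part of the original material: it decodes those symbols and prints `-lws2_32` only when every missing import is one of the Winsock calls named in Listing 8. The names `sample_ld_output`, `decode_imports`, `suggest_flag` and `WS2_32_FUNCS` are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): decode i686 MinGW linker errors.
#   _imp__NAME@BYTES  ->  NAME is imported from a DLL (_imp__ prefix) and uses
#   stdcall, whose decoration appends the argument size in bytes (@BYTES).

# The Winsock calls named in Listing 8; all are exported by ws2_32.dll.
WS2_32_FUNCS="WSAStartup WSAGetLastError socket inet_addr htons connect send closesocket"

# Constructed sample input modelled on Listing 8 (object name is a placeholder).
sample_ld_output() {
cat <<'EOF'
ld: /tmp/obj.o:42341.c:(.text+0x97): undefined reference to `_imp__WSAStartup@8'
ld: /tmp/obj.o:42341.c:(.text+0xa5): undefined reference to `_imp__WSAGetLastError@0'
ld: /tmp/obj.o:42341.c:(.text+0xe9): undefined reference to `_imp__socket@12'
ld: /tmp/obj.o:42341.c:(.text+0xfc): undefined reference to `_imp__WSAGetLastError@0'
collect2: error: ld returned 1 exit status
EOF
}

# stdin: ld output. stdout: "NAME BYTES", one line per distinct missing import.
decode_imports() {
  sed -n "s/.*undefined reference to .*\`_imp__\([A-Za-z_][A-Za-z0-9_]*\)@\([0-9][0-9]*\)'.*/\1 \2/p" | LC_ALL=C sort -u
}

# stdin: ld output. Prints -lws2_32 only if every missing import is a known
# Winsock call; otherwise names the symbols that still need researching.
suggest_flag() {
  decode_imports | {
    seen=0; unknown=""
    while read -r name bytes; do
      seen=1
      case " $WS2_32_FUNCS " in
        *" $name "*) ;;
        *) unknown="$unknown $name" ;;
      esac
    done
    if [ "$seen" -eq 0 ]; then echo "no-import-errors"
    elif [ -n "$unknown" ]; then echo "research:$unknown"
    else echo "-lws2_32"
    fi
  }
}

sample_ld_output | decode_imports
sample_ld_output | suggest_flag
```

With GNU ld, the `-l` flag belongs after the source or object files that reference the library, as in Listing 9.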

We already know that this exploit targets a remotely accessible vulnerability, which means that our code must establish a connection to the target at some point.

Inspecting the C code, we see that hard-coded values are used for the IP address and port fields:

printf("[>] Socket created.\n");
server.sin_addr.s_addr = inet_addr("**10.11.0.22**");
server.sin_family = AF_INET;
server.sin_port = htons(**80**);

Listing 10 - Identifying the lines of code responsible for the IP address and port

These will be the first values we need to adjust in our exploit.