diff --git a/Exploits/Binaries/Alarm Reset.md b/Exploits/Binaries/Alarm Reset.md new file mode 100644 index 0000000..09e1448 --- /dev/null +++ b/Exploits/Binaries/Alarm Reset.md @@ -0,0 +1,11 @@ +# Resetting Alarms + +Like [shakuganz wrote in his blog](https://shakuganz.com/2021/07/14/hackthebox-hunting-write-up/) an alarm can be reset to a higher value to go off later + +``` +push 0x3c ; set duration for arg1 of alarm() +pop ebx +push 0x1b ; alarm systemcall +pop eax +int 0x80 +``` diff --git a/Exploits/Binaries/Egg Hunting.md b/Exploits/Binaries/Egg Hunting.md new file mode 100644 index 0000000..69f89b6 --- /dev/null +++ b/Exploits/Binaries/Egg Hunting.md @@ -0,0 +1,30 @@ +# Egg Hunting + +Egg Hunting can be applied if only a few chars are possible to use as shellcode. +A tag or egg is an already identified group of bytes in the binary the egg hunter +is trying to find. + +## Accessing Virtual Address Space + +Like [shakuganz](https://shakuganz.com/2021/07/14/hackthebox-hunting-write-up/) wrote about, ccessing unallocated memory can be done in the following way +```python +mem_addr = 0x5FFFFFFF + +if access(mem_addr, 0) == 0x2f: + jump_to_next_page() +elif value_at(mem_addr) != egg: + mem_addr += 1 +else: + print(mem_addr) +``` + + +## Tools + +Egg hunter can be found in pwntools' `pwnlib.shellcraft` + + +## Resources + +* [hick.org](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) +* [Chaudhary's blog](https://medium.com/@chaudharyaditya/slae-0x3-egg-hunter-shellcode-6fe367be2776) diff --git a/Exploits/Binaries/Extract Opcode.md b/Exploits/Binaries/Extract Opcode.md new file mode 100644 index 0000000..5e8c12f --- /dev/null +++ b/Exploits/Binaries/Extract Opcode.md 
@@ -0,0 +1,9 @@ +# Extracting Opcode + +## Extracting from ELF File + +Extracting opcode from an ELF file can be done via the following way + +```sh +objdump -d ./payload|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g' +``` diff --git a/Exploits/Binaries/References.md b/Exploits/Binaries/References.md new file mode 100644 index 0000000..59b7358 --- /dev/null +++ b/Exploits/Binaries/References.md @@ -0,0 +1,8 @@ +# Binary Exploitation References + +## Assembler +* [Online x86/x64 assembler](https://defuse.ca/online-x86-assembler.htm) + +## Syscalls + +* http://asm.sourceforge.net/intro/hello.html diff --git a/Exploits/Binaries/Syscalls.md b/Exploits/Binaries/Syscalls.md new file mode 100644 index 0000000..ef91096 --- /dev/null +++ b/Exploits/Binaries/Syscalls.md @@ -0,0 +1,27 @@ +# Syscalls + +## General + +* [Syscalls in different OSs](http://asm.sourceforge.net/intro/hello.html) + +## Linux Syscalls + +* First point of contact is `/usr/include/asm/unistd_32.h` and `/usr/include/asm/unistd_64.h` + +Manfiles are +``` +2 syscall +2 syscalls +``` + +### 32-Bit + +* [paolostivanin's syscall-table-32bit](https://github.com/paolostivanin/syscall-table-32bit.git) also contains the link to [the overview](https://syscalls32.paolostivanin.com/) + +### 64-Bit + +* [Filippo.io's x64 syscall table](https://filippo.io/linux-syscall-table/) + +### Others As Well + +* [googlesource.com](https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md) diff --git a/Exploits/Binaries/gdb CheatSheet.md b/Exploits/Binaries/gdb CheatSheet.md new file mode 100644 index 0000000..8924e6f --- /dev/null +++ b/Exploits/Binaries/gdb CheatSheet.md @@ -0,0 +1,8 @@ +# GDB CheatSheet + +## Cast a register value + +* Cast the content of a register to char +```sh +p *(char **)$rax +``` 
diff --git a/Miscellaneous/Sigma Rules.md b/Miscellaneous/Sigma Rules.md deleted file mode 100644 index 79dcd8e..0000000 --- a/Miscellaneous/Sigma Rules.md +++ /dev/null @@ -1,30 +0,0 @@ -# Sigma Rules - -An abstracted yaml configuration setup which can be converted into multiple queries like Splunk, Kibana, Yara etc. ... -* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git) - - -## Fields - -A minimal configuration should contain at least the following fields -* title -* id -* status -* description -* logsource -* detection - -Additional fields may be -* falsePostivives -* levels -* tags - -## Transform Modifiers - -A detection selection can be refined through setting a pipe `|` followed by the modifier `contains`, `endswith`, `startswith` and `all`. - -## Tools - -* [sigma-cli](https://github.com/SigmaHQ/sigma-cli) -* [pySigma](https://github.com/SigmaHQ/pySigma) -* [Uncoder.io](https://uncoder.io/) diff --git a/Miscellaneous/Threat Intelligence/Sigma Rules.md b/Miscellaneous/Threat Intelligence/Sigma Rules.md new file mode 100644 index 0000000..68729e1 --- /dev/null +++ b/Miscellaneous/Threat Intelligence/Sigma Rules.md 
@@ -0,0 +1,48 @@ +# Sigma Rules + +An abstracted yaml configuration setup as an universal notation format which can be converted into multiple queries like Splunk, Kibana, Yara etc. ... + +* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git) + +Specify IOC or troubleshooting issues in a data format that can be shared and versionized. +This specified configuration can be translated to multiple different tools as specific queries. + +* [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide) + +## Fields + +A minimal configuration should contain at least the following fields +* title +* id (UUID) +* status +* description +* logsource +* detection +* condition + +Additional fields may be +* falsePositives +* levels +* tags + +[![Sigma Fields](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true) + +## Filters + +Filter can be used to specify detection +```sh +File|endswith +CommandLine|contains +CommandLine|startswith +``` + +## Transform Modifiers + +A detection selection can be refined through setting a pipe `|` followed by the modifier `contains`, `endswith`, `startswith` and `all`. + +## Tools + +* [sigma-cli](https://github.com/SigmaHQ/sigma-cli) +* [pySigma](https://github.com/SigmaHQ/pySigma) +* [Uncoder.io](https://uncoder.io/) +* [Sigmac](https://github.com/SigmaHQ/sigma/tree/8bb3379b6807610d61d29db1d76f5af4840b8208/tools) diff --git a/Reverse Engineering/References.md b/Reverse Engineering/References.md index 3c3a27a..49a122f 100644 --- a/Reverse Engineering/References.md +++ b/Reverse Engineering/References.md @@ -10,3 +10,9 @@ [scdbg](https://github.com/dzzie/SCDBG.git) +## Automated Solver + +* [angr](https://docs.angr.io) is a binary analysis tool and comes with an automated solver +```sh +pip install angr +```
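Review bot: in Exploits/Binaries/Alarm Reset.md the snippet is 32-bit x86 only (`int 0x80`, syscall number 0x1b = 27 = `__NR_alarm` in unistd_32.h) but the text does not say so; on x86-64 the number and the entry instruction differ, so name the architecture in the sentence. The sentence before the block is missing its full stop, and the fence has no language tag while the other new files tag theirs; `asm` would keep it consistent. Saying that the 0x3c moved into ebx is 60 seconds would make the comment `set duration for arg1 of alarm()` more useful.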
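Review bot: in Exploits/Binaries/Egg Hunting.md the pseudocode compares the `access()` result with `0x2f`, but skape's paper linked under Resources tests the low byte of the return value against `0xf2` (the low byte of -EFAULT, i.e. -14); please verify the constant against the source before merging, since a transposed value makes the page-skip check never trigger. Also `ccessing` should read `accessing`, and the ```python fence needs a blank line before it so it renders as a code block.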
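Review bot: in Exploits/Binaries/Extract Opcode.md the `cut -f1-6 -d' '` stage keeps only six space-separated fields after the colon, but objdump prints up to seven bytes per line on x86, so any seven-byte instruction silently loses its last byte and the resulting string is wrong. Widen it to `cut -f1-7`, or replace the layout-dependent pipeline with a direct section dump, `objcopy -O binary -j .text ./payload payload.bin` followed by `xxd -i payload.bin`, which does not depend on objdump's column format. The sentence `can be done via the following way` reads better as `can be done as follows`.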
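Review bot: in Exploits/Binaries/References.md the Syscalls entry is a bare URL while the other list item is a markdown link; format it the same way, and note it duplicates the first link in Syscalls.md, so one of the two could point at the other file instead.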
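Review bot: in Exploits/Binaries/Syscalls.md `Manfiles` should read `Man pages`, and the fenced block would be clearer as the commands to run, `man 2 syscall` and `man 2 syscalls`, instead of bare section numbers. The `### Others As Well` heading says nothing about its content; something like `### Multi-architecture table` describes the chromiumos link. The github link ends in `.git`, which is the clone URL rather than the repository page.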
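Review bot: in Exploits/Binaries/gdb CheatSheet.md the bullet text does not match the command: `p *(char **)$rax` treats rax as a pointer to a `char *` and prints the string that pointer refers to (one extra dereference), whereas printing the string at the address held in rax is `p (char *)$rax` or `x/s $rax`. Either fix the description or the command, and tag the fence `gdb` (or leave it untagged) rather than `sh`, since it is typed at the gdb prompt, not a shell.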
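Review bot: Miscellaneous/Sigma Rules.md is deleted and re-created under Miscellaneous/Threat Intelligence/ with content edits in the same commit, so git records a delete plus an add instead of a rename; doing the `git mv` in one commit and the content changes in the next keeps `git log --follow` and blame working for the file.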
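Review bot: in Miscellaneous/Threat Intelligence/Sigma Rules.md the required-field list has `condition` as a top-level field, but in the Sigma rule format `condition` is a key inside `detection`; likewise the optional fields are spelled `falsepositives` and `level` (lowercase, singular) in the specification, so `falsePositives` and `levels` will not validate. Grammar: `an universal` should be `a universal`, `versionized` should be `versioned`. The `## Filters` and `## Transform Modifiers` sections both describe the same `field|modifier` syntax, so merge them into one, and tag that fence `yaml` rather than `sh`. The Sigmac link is pinned to an old commit, which indicates the legacy tool no longer lives at the repository head; mark it as superseded by sigma-cli/pySigma so readers do not start with it.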
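Review bot: in Reverse Engineering/References.md `comes with an automated solver` misdescribes angr: it is a symbolic execution and binary analysis framework that drives an SMT solver (claripy over z3) to find inputs that reach a chosen program state, so `symbolic execution framework` tells the reader what it actually does; rename the `## Automated Solver` heading to match. Consider noting that `pip install angr` is best done in a virtualenv, as the angr docs recommend, since it pulls in a large dependency set.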