Work and Note

Pwn Note

Follow me on GitHub

basic tools

checksec to check if some hardening flags are enabled gdb_peda pwn_tool

kali parrot ModSecurity

common technique

  1. stack overflow: maybe we can overwrite return pointer on the stack
    1. on x86 stack grows down, array grows up -> we can reach return pointer
    2. for example, we can jump to previously loaded payload
    3. data execution prevention (DEP)
      1. do not allow data on stack to be executed
    4. ASLR makes it hard to get a address
  2. return oriented programming (ROP):
    1. instead of running our own payload, run pieces of existing code (gadget)
    2. typically end with ret. (subroutine call, library call)
    3. unaligned access can provide more gadget
  3. if you have control to printf’s format string, you can make it leak info based on parameter passed on stack.
    1. %p: pointer address
    2. %x: hexadecimal integer
    3. %s: string
    4. %n: store number of written characters in the pointed location
  4. uninitialized data contains info from previous stack
    1. scanf takes a pointer as parameter

get a shell

  • from pager commands: more, less
    • !'sh'
    • enter edit mode, press v. It will open editor in $EDITOR
  • from vim:
    • navigate to another file :e
    • set shell option in vim :set shell=/bin/sh
      • and to use it :shell

Reference

input sanitization

unix: /><|:& windows: unix and "\?*

web

  • the entire file folder might be exposed
  • robots.txt might point to something
  • zap
  • view and edit cookie
  • it is possible to intercept file upload and escape frontend check

html encoding OWSAP, fiddler, burpsuit

password salt

Attackers can create a rainbow table which links a hash to its raw text. Thus, a pure hash on the same password will always collide. Instead, we use a hash on password + salt. So that it is hard to construct a rainbow table Note that the salt can be store in plain text. Because its only use is to complicate the attack

php

  • session is stored in a session file in server
    • can be accessed via $_SESSION after session_start()
    • session id is sent to client and store in cookie PHPSESSID
  • when convert string to number
    • evaluate as float if contain .eE
    • evaluate as int otherwise
    • value is given by the initial part of the string
  • == will apply type juggling to “help” developer
    • if one side of comparision is number, the other side will be juggle to number
    • number like string will be juggle to number
    • always prefer === with optional type cast
  • strcmp will return null if one variable is not string
    • we can force a array if given something like test[]=1

perl

  • param can return unexpected number of argument
    • https://stackoverflow.com/questions/40273267/is-perl-function-dbh-quote-still-secure

python functions

string: immutable sequence of unicode bytes: immutable sequences of integer bytearray: mutable counterpart of bytes

  • if source is a string, a encoding must be given
    • encode() decode()
  • if source is a integer, a array of that size will be initialized
  • fromhex(): construct bytes from
  • maketrans() translate() -> tr
  • binascii hexlify() unhexlify()
urllib.parse.quote_plus
urllib.parse.unquote_plus

do not trust anything from user

mitm

5 table exist in iptables filter, nat, mangle, raw and security

https://security.stackexchange.com/questions/80158/extract-pre-master-keys-from-an-openssl-application https://docs.mitmproxy.org/stable/concepts-options/

tls -> decode key is not possible unless we know certificate using mitmproxy, we planted our own certificate

In regular mode, mitmproxy must be explicitly set in software

  • different software can have different config
  • android device will only proxy for browser
    • other app needs to specifically coded to use global proxy

In transparent mode, all traffic will go through the proxy.

  • sni missing. https://github.com/mitmproxy/mitmproxy/issues/1846
  • some apps implements certificate pinning so that mitm certificate does not work.
    • so we choose to not provide certificate in such case
SSLKEYLOGFILE="$HOME/.sslkeylogfile" mitmweb --mode transparent --ssl-insecure -s tls_passthrough.py

hw

memory access control

PAN: Privileged Access Never PXN: Privileged Execute Never XOM: execution only memory disable user read of kernel code

https://www.vdoo.com/blog/pan-and-xom-when-security-features-collide https://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/

ring -1: virtualization

ring -2: SMM

https://www.microsoft.com/security/blog/2020/11/12/system-management-mode-deep-dive-how-smm-isolation-hardens-the-platform/

ring -3: ME

https://security.stackexchange.com/questions/129098/what-is-protection-ring-1

encryption

tpm and ftpm

Intel PTT

self encrypting drive (SED)

Opal Security Subsystem Class

sedutil

https://gchq.github.io/CyberChef/ https://cryptii.com/

power

https://www.rambus.com/introduction-to-differential-power-analysis/ https://www.rambus.com/introduction-to-differential-power-analysis-and-related-attacks/ https://www.rambus.com/security/dpa-countermeasures/ https://www.youtube.com/watch?v=OlX-p4AGhWs https://www.youtube.com/watch?time_continue=73&v=xaELqAo4kkQ&feature=emb_logo

https://www.newae.com/products-1/NAE-CW1200

disable aslr

  • /proc/sys/kernel/randomize_va_space
    • echo “kernel.randomize_va_space=2” » /etc/sysctl.conf
    • 0 = disable
    • 1 = random stack & library
    • 2 = 1 + random heap
  • gdb:
    • set disable-randomization on

signal

SIGILL: illegal instruction

https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html

  • https://github.com/icedland/iced
  • http://www.capstone-engine.org/
  • https://binary.ninja/

python-uncompyle6