Security
User input must be sanitized!
Weird machines
- LANGSEC Language-theoretic Security
- Page about weird machines by Halvar Flake
- Weird machines, exploitability, and provable unexploitability also slide
- Limiting weird machines Putting boundaries around emergent insecurity
- Exploitation and state machines Programming the “weird machine”, revisited
- Hacking & Computer Science
- The science of insecurity
- Accidentally Turing-Complete
- Video 2010-07-28 Meredith L. Patterson and Len Sassaman - Black Hat USA 2010 - Exploiting the Forest with Trees
- From Buffer Overflows to “Weird Machines” and Theory of Computation
- On Validating Inputs
- Security, Moore’s law, and the anomaly of cheap complexity
- Proving un-exploitability of parsers
- Maths for Hackers - The Hacker Theorem
- The Good, the Bad, and the Weird
- Data oriented programming
- Secure Code Partitioning With ELF binaries, aka. SCOP
- A Guide to Undefined Behavior in C and C++, Part 1
- Now you C me
- part 1
- part 2
- How to exploit a double free when a system (like ARM) has a "weak" memory model
Unrelated for now, but there is an Android vulnerability, CVE-2017-13156, where the system parses an APK or a DEX, allowing the signature to be bypassed.
Pentesting
There are several phases
- recon
- scan
- gain access
- maintain access
- cover tracks
- https://github.com/coreb1t/awesome-pentest-cheat-sheets
- https://github.com/nixawk/pentest-wiki
- Kali Linux Revealed PDF
- OWASP-Testing-Checklist
Bruteforce
In some cases it's important to make the space of possible values for certain variables big enough that they cannot be guessed in human time.
The most used tool is John the Ripper: on a Linux system it is possible to edit src/Makefile and compile it with
$ make -C src -f Makefile linux-x86-64-native
One use is to generate a mangled list of words starting from a pristine one with the following command:
$ ./run/john --wordlist=wordlist.txt --stdout --rules > expanded-word-list.txt
With no options, john will start in "single" mode first, then move on to "wordlist" mode, and finally to "incremental" mode.
$ john --incremental=Digits --stdout
1952
12345
123456
0065663
- http://www.lanmaster53.com/2011/02/creating-complex-password-lists-with-john-the-ripper/
- http://backreference.org/2009/10/26/password-recovery-with-john-the-ripper/
Obviously you need a good wordlist!
Privilege escalation
Custom code execution
See also shellcode.
- Understanding the fundamentals of attacks What is happening when someone writes an exploit? awesome slides by Halvar Flake & Thomas Dullien trying to formalize exploits
- https://gbmaster.wordpress.com/2015/06/28/x86-exploitation-101-house-of-force-jedi-overflow/
- http://0x90909090.blogspot.it/2015/07/no-one-expect-command-execution.html
- GHOST vulnerability report
- commix: Automated All-in-One OS Command Injection and Exploitation Tool
- How To Heap: A repository for learning various heap exploitation techniques.
- Pure In-Memory (Shell)Code Injection In Linux Userland
- How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit
- Ret2dl_resolve x64: Exploiting Dynamic Linking Procedure In x64 ELF Binaries
Format String
Remember that using too big a string to exploit this vulnerability can overwrite sensitive data; use a string that is as short as possible.
- Exploiting Format String Vulnerabilities
- Advances in format string exploitation 0x0b, Issue 0x3b, Phile #0x07 of 0x12
- Howto remotely and automatically exploit a format bug
- libformatstr Simplify format string exploitation.
- 0CTF 2017 Quals: EasiestPrintf exploiting __free_hook using printf
XPath injection
Serialization
- DISGUISE PHAR PACKAGES AS IMAGES also slide from US BlackHat 2018
Side channel
- Spectre Side Channels: Linux kernel cpu side channels guide.
- http://johoe.mooo.com/trezor-power-analysis/
- Side-channel attacks on high-security electronic safe locks
- Exploiting Timed Based RCE
- commix Automated All-in-One OS command injection and exploitation tool.
- BranchScope: A New Side-Channel Attack on Directional Branch Predictor
- Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
- Ghostbuster: Spectre exploitation in real life
- transient.fail
- cpu.fail
- Two methods for exploiting speculative control flow hijacks slide by Andrea Mambretti
- Presentation about retpoline
- The BTB in contemporary Intel chips
You can check the vulnerability of your processor by reading the files under /sys/devices/system/cpu/vulnerabilities/.
Type juggling
This is possible in languages that automatically cast between types when operators are used, particularly when there is more than one equality operator (== and ===).
In PHP this is more dangerous when a conversion from JSON is done.
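The loose versus strict comparison described above, shown as a weak check beside a corrected one. This is an added example, not part of the original notes; the token value, the `token` field name and the request bodies are constructed for illustration.

```php
<?php
// Added example: constructed secret and request bodies, not from the page.
const API_TOKEN = 'f3a1c9d27b';

// Weak form: == lets PHP convert the operands before comparing.
// json_decode() keeps JSON types, so the client chooses the type of 'token'.
function check_loose(string $body): bool
{
    $req = json_decode($body, true);
    return is_array($req) && isset($req['token']) && $req['token'] == API_TOKEN;
}

// Corrected form: accept only a string, then compare without conversion.
// hash_equals() is also constant-time, which suits secret comparison.
function check_strict(string $body): bool
{
    $req = json_decode($body, true);
    if (!is_array($req) || !isset($req['token']) || !is_string($req['token'])) {
        return false;
    }
    return hash_equals(API_TOKEN, $req['token']);
}

$bodies = [
    '{"token": "f3a1c9d27b"}', // the real token, as a JSON string
    '{"token": "wrong"}',      // wrong string
    '{"token": true}',         // JSON boolean: == converts the secret to bool
    '{"token": 0}',            // JSON integer: == converted the secret to 0 before PHP 8
];

foreach ($bodies as $body) {
    printf("%-26s loose=%-5s strict=%s\n",
        $body,
        var_export(check_loose($body), true),
        var_export(check_strict($body), true));
}
```

Under ==, the boolean body passes the weak check on every PHP version and the integer body passes it on versions before PHP 8; both fail the strict check.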
Advanced protection mechanism bypass
- ASLR Smack & Laugh Reference
- Bypassing non-executable-stack during exploitation using return-to-libc
- The advanced return-into-lib(c) exploits: PaX case study
- PAYLOAD ALREADY INSIDE: DATA REUSE FOR ROP EXPLOITS
- Linux ASLR and GNU Libc: Address space layout computing and defence, and “stack canary” protection bypass
- New bypass and protection techniques for ASLR on Linux
- Exploiting the notoriously unsafe gets() on a PAC-protected ARM64 binary
Cloud
- https://nvisium.com/documents/aws.pdf
- Hardening AWS Environments and Automating Incident Response
Hardware
Tools
- https://code.google.com/p/skipfish/
- Damn Vulnerable Web App site
- security headers: check headers of your site
- DNSteal: stealthily extract files from a victim machine through DNS requests
- pwntools CTF framework and exploit development library
Fuzzing
Phishing
DNS Rebinding
- https://lock.cmpxchg8b.com/rebinder.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1471&desc=2
Links
- online courses
- Exploit Development
- ssh security
- preg_replace()
- Modern Binary Exploitation
- CSAW Quals 2016 Pwn 500 - Mom's Spaghetti
- CTF Time
- Rise of the machine PDF
- Readers of popular websites targeted by stealthy Stegano exploit kit hiding in pixels of malicious ads
- Don't use VPN services
- Facebook’s ImageTragick story
- Escaping a Python sandbox with a memory corruption bug
- Jinja2 template injection filter bypasses
- Spring Boot RCE via a template code injection
- CVE-2018-13784: PrestaShop 1.6.x Privilege Escalation
- HTTP Desync Attacks: Request Smuggling Reborn
- JWT (JSON Web Token) (in)security
- Unlocking Heaven's Gate on Linux
- Linux Hardening Guide
- Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
- A Threat Modeling Field Guide