AppSec Guy
When a report about accessing PII (personally identifiable information) without any authorization is submitted on the HackerOne platform, the report must be accepted at Critical severity.

In such a case CVSS may not be able to help calculate the severity fully* (HackerOne platform standards)

This means CVSS doesn't calculate a vulnerability's severity precisely. Nothing new; most people just eyeball the impact anyway)

HackerOne platform standards - link

I'm Comment developer)
AppSec Guy
Just get some SIEM agent and reverse engineer it as your C2 implant...
Just tell Windows Defender to block EDR, like writing custom signatures to block EDR or taking advantage of Defender's features..
For those having a hard time choosing their next exam: advice from a guy who holds the OSEE

Ropper-ng

- Finds the libraries the binary imports by itself;
- Checks the binary's security features by itself;
- Finds gadgets faster than Ropper (limited for now);
- Instead of a bulky ROP chain, finds the small, easy-to-use ones like the hand-picked kind, depending on the libraries (being added now).

The tool is aimed at speeding things up: building ROP chains through one tool instead of opening Ropper next to a debugger and checking over and over.

Later I'll try to add JOP and COP as well.


Github
Who's getting TuranSec swag?)

The explanation needs an explanation of its own

Red teaming != Pentesting
2πŸ‘6🀝2πŸ€”1
CVE-2018-9059 - Easy file share 7.2 SEH Stack based Buffer overflow (DEP bypass)

With a newly rewritten ROP chain; there's no chain this compact on the internet) VirtualProtect() turned out to be quite hard. I'll put it on GitHub later.

CVE-2017-8869 - MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)

The old exploit didn't return a reverse shell. The bad chars were a pain, though.

How about email😎

Pentesting != Red teaming
Don't know if it's worth mentioning, but we became the first in Central Asia after OSED)

When ASLR is on, instead of finding the needed function address by debugging, we can just take the address with pwntools:

from pwn import ELF  # pwntools
binary = ELF("./target")  # placeholder path for the binary being analysed
# binary.sym.items() is the list of symbols
mainf_address = binary.sym.main


For example, getting a built-in function from its GOT entry:

# GOT entry table list => binary.got.items()
stack_chk_failf = binary.got.__stack_chk_fail


Also, for stack smashing the usual basic approach was to leak the canary token, find the offset and put it back in place in the payload. A slightly odd but great alternative: when a smash happens, the function that checks for stack smashing gets called, and we can change the address that gets called to the main function itself, so the stack canary is bypassed.

Which function's address do we overwrite?

We need to overwrite the GOT entry table.

Also, instead of writing a payload for a format string bug by hand, you can use pwn.binary.fmtstr

For example, overwriting a GOT entry with %n:

# offset 8: where our buffer shows up among printf's arguments;
# write main's address over the __stack_chk_fail GOT slot found above
payload = fmtstr_payload(8, {stack_chk_failf: mainf_address})


Hard to understand but actually easy: fmtstr_payload reaches the GOT entry address and overwrites the stack check function's address with main's address.

The payload looks roughly like this:

payload = p32(printf_got_address)  # the target address goes first
payload += b"%1111x"               # enter an integer
payload += b"%8$n"                 # writes the integer above, as decimal, after 8 bytes


This way the manual payload can be automated with a small bit of code.

P.S. If ASLR is on, how does binary.got give an absolute address? Environment variables usually sit in memory in the .data section at a higher address, and that spot usually doesn't change, so that can be used; if it's linked with PIE it affects the .data section too, according to ChatGPT, but then we have a format string bug) ASLR gets bypassed 101% with the right offsets)

To do what's explained here I used two binaries in the code: took the address from the local binary for the offset, then calculated the offset and used it against the very same binary remotely. People normally find the address by hand and write it into the code without pointing at two binaries; this is the lazy way.

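As an added illustration (not the channel's code, and not pwntools itself): a small Python model of how printf counts the bytes it has emitted so that %n stores that count through a pointer taken from its argument slots. It replays the post's payload, p32(got) + b"%1111x" + b"%8$n", on a constructed stack and a constructed GOT address, shows why the value stored is 4 + 1111 = 1115, and refuses the write when the GOT is read-only, which is what Full RELRO (-Wl,-z,relro,-z,now) enforces on a real binary.

```python
import re
import struct

# Added example, not the channel's code. Only the two directives used in the
# post are modelled: %<width>x and %<k>$n. All addresses are constructed.
DIRECTIVE = re.compile(rb"%(\d+)?(\$)?(\d*)([xn])")

def simulate_printf(fmt: bytes, stack: list, mem: dict, writable: range) -> int:
    """Walk fmt like printf: count emitted bytes; %n stores count at mem[ptr]."""
    count, pos, next_arg = 0, 0, 0
    while pos < len(fmt):
        m = DIRECTIVE.match(fmt, pos)
        if not m:                       # ordinary byte (incl. the packed address)
            count += 1
            pos += 1
            continue
        first, dollar, second, conv = m.groups()
        if dollar:                      # %k$n: use argument slot k directly
            arg = stack[int(first) - 1]
            width = int(second) if second else 0
        else:                           # %<width>x: consume the next slot
            arg = stack[next_arg]
            next_arg += 1
            width = int(first) if first else 0
        if conv == b"x":
            count += max(width, len(b"%x" % arg))
        else:                           # %n: arg is a pointer; store count there
            if arg not in writable:
                raise PermissionError(f"0x{arg:x} is read-only (Full RELRO GOT)")
            mem[arg] = count
        pos = m.end()
    return count

def got_overwrite_demo(full_relro: bool) -> int:
    """Replay p32(got) + %1111x + %8$n; return the value written to the GOT slot."""
    got_slot = 0x0804A010                               # constructed GOT slot
    got_page = range(0x0804A000, 0x0804B000)
    writable = range(0) if full_relro else got_page     # Full RELRO: GOT read-only
    payload = struct.pack("<I", got_slot) + b"%1111x" + b"%8$n"
    # Constructed stack: slots 1-7 hold unrelated words; slot 8 is the first
    # word of our buffer, i.e. the address packed at the front of the payload.
    stack = [0x41414141] * 7 + [struct.unpack("<I", payload[:4])[0]]
    mem = {}
    simulate_printf(payload, stack, mem, writable)
    return mem[got_slot]

if __name__ == "__main__":
    print(hex(got_overwrite_demo(full_relro=False)))   # 0x45b == 1115
```

On a hardened build the same payload fails for a second reason as well: glibc's _FORTIFY_SOURCE aborts when a %n directive appears in a format string that lives in writable memory.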
In my dream the exploit I wrote got a reverse shell🏌️
Many have been waiting for this for a long time

OST2 is releasing its lessons for free at the level of Offsec's OSEE; worth checking out for anyone interested in low-level security.

P.S. The course isn't out yet; it's being given to beta testers now

Forwarded from AUT Career Centre
🚀 Penetration Tester Intern
📍 Location: Tashkent (onsite)
⏳ Work Schedule: Full-time


🔹 About Us:
Turan Security is a top cybersecurity company in Uzbekistan with proven expertise.

πŸ” Responsibilities:
πŸ›  Assist in manual & automated testing of web apps and systems.
πŸ“ Help draft reports on vulnerabilities.

✅ Requirements:
🔹 Basic knowledge of network, API & web app pentesting.
🔹 Understanding of OWASP Top 10 & mitigation strategies.
🔹 Experience in any programming language.
🔹 Linux proficiency & strong networking/HTTP knowledge.

🌟 Preferred:

πŸ† CTF experience, πŸŽ“ security certifications (eJPT, CAPen, etc.), πŸ‘¨β€πŸ’» developer background, or bug bounty results.

💡 Why TuranSec?
🔥 Real-world project experience.
👥 Work with experts.
💰 Paid internship.

📩 Send your CV to @turan_admin
πŸ”₯3πŸ‘1
Getting these is a big deal here

I rarely log into pwn.college; I finally posted this to keep myself motivated.

I'll explain later.

pwn.college teaches cybersecurity from 0 downwards.

Why not upwards?)

The lessons there are focused on low-level security. There are other topics at the start, but in the end it takes you all the way to kernel exploitation anyway. On the platform everything is called a Dojo: Dojo VNC, Dojo challenge, etc.

Hackers whose rank goes up are given belts, like the ranks in karate. The highest belt is called the Blue belt. Those who reach the Blue belt have got as far as kernel exploitation, like in OSEE, so getting the Blue belt is a big "honor".

Also, the platform belongs to Arizona State University and all the lessons are free. The great part is that, like HTB's Pwnbox, there's a system inside the browser with VNC, and they even open up VS Code for free from the browser.

After OST2 this is the best platform to mention for learning binary exploitation for free.

I think nobody here has heard of this; if someone says they want to get into binary exploitation, these posts may come in handy some day. In the picture there's a yellow and a blue belt; the blue belt is shipped to those who get the rank. Maybe one day I'll post that mine has arrived.