Linux For Pentester: socat Privilege Escalation

Welcome back to another command from the "Linux for Pentester" series. As we know, there are many tools that can help a user transfer data. Here we take advantage of one of them, "socat", a utility for data transfer between two addresses. So, now we will take… Continue reading →
The post Linux For Pentester: socat Privilege Escalation appeared first on Hacking Articles.

Link: https://www.hackingarticles.in/linux-for-pentester-socat-privilege-escalation/

Firmware Slap – Discovering Vulnerabilities In Firmware Through Concolic Analysis And Function Clustering

Firmware slap combines concolic analysis with function clustering for vulnerability discovery and function similarity in firmware. Firmware slap is built as a series of libraries and exports most information as either pickles or JSON for integration with other tools.

Slides from the talk can be found here.

Setup

Firmware slap should be run in a virtual environment. It has been tested on Python 3.6.

    python setup.py install

You will need rabbitmq and (radare2 or Ghidra):

    # Ubuntu
    sudo apt install rabbitmq-server
    # OSX
    brew install rabbitmq
    # Radare2
    git clone https://github.com/radare/radare2.git
    sudo ./radare2/sys/install.sh
    # Ghidra
    wget https://ghidra-sre.org/ghidra_9.0.4_PUBLIC_20190516.zip
    unzip ghidra_9.0.4_PUBLIC_20190516.zip -d ghidra
    echo "export PATH=\$PATH:$PWD/ghidra/ghidra_9.0.4/support" >> ~/.bashrc

If you want to use the Elasticsearch integration, run the Elasticsearch_and_kibana.sh script.

Quickstart

Ensure rabbitmq-server is running.

    # In a separate terminal
    celery -A firmware_slap.celery_tasks worker --loglevel=info
    # Basic buffer overflow
    Discover_And_Dump.py examples/iwconfig
    # Command injection
    tar -xvf examples/Almond_libs.tar.gz
    Vuln_Discover_Celery.py examples/upload.cgi -L Almond_Root/lib/

Usage

    # Get the firmware used for examples
    wget https://firmware.securifi.com/AL3_64MB/AL3-R024-64MB
    binwalk -Mre AL3-R024-64MB

Start a celery worker from the project root directory:

    # In a separate terminal
    celery -A firmware_slap.celery_tasks worker --loglevel=info

In a different terminal window, run a vulnerability discovery job.

    $ Vuln_Discover_Celery.py Almond_Root/etc_ro/lighttpd/www/cgi-bin/upload_bootloader.cgi -L Almond_Root/lib/
    [+] Getting argument functions
    [+] Analyzing 1 functions
      0%|          | 0/1 [00:01 b'`reboot`\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00'"}]

Memory

The memory component of the object keeps track of the required memory values set to trigger the vulnerability. It also offers stack addresses and .text addresses with the offending commands for setting the required memory constraints. The first memory event required is at mtd_write_firmware+0x0 and the second is at mtd_write_firmware+0x38. Assembly is provided to help prettify future display work.

    In [2]: result['mem']
    Out[2]:
    [{'BBL_ADDR': '0x401138',
      'BBL_DESC': {'DESCRIPTION': 'mtd_write_firmware+0x0 in upload_bootloader.cgi (0x401138)',
                   'DISASSEMBLY': ['0x401138:\tlui\t$gp, 0x42', '0x40113c:\taddiu\t$sp, $sp, -0x228', '0x401140:\taddiu\t$gp, $gp, -0x5e90', '0x401144:\tlw\t$t9, -0x7f84($gp)', '0x401148:\tsw\t$a2, 0x10($sp)', '0x40114c:\tlui\t$a2, 0x40', '0x401150:\tmove\t$a3, $a1', '0x401154:\tsw\t$ra, 0x224($sp)', '0x401158:\tsw\t$gp, 0x18($sp)', '0x40115c:\tsw\t$a0, 0x14($sp)', '0x401160:\taddiu\t$a1, $zero, 0x200', '0x401164:\taddiu\t$a0, $sp, 0x20', '0x401168:\tjalr\t$t9', '0x40116c:\taddiu\t$a2, $a2, 0x196c']},
      'DATA': "b'`reboot`\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'",
      'DATA_ADDRS': ['0x0']},
     {'BBL_ADDR': '0x401170',
      'BBL_DESC': {'DESCRIPTION': 'mtd_write_firmware+0x38 in upload_bootloader.cgi (0x401170)',
                   'DISASSEMBLY': ['0x401170:\tlw\t$gp, 0x18($sp)', '0x401174:\tnop\t', '0x401178:\tlw\t$t9, -0x7f68($gp)', '0x40117c:\tnop\t', '0x401180:\tjalr\t$t9', '0x401184:\taddiu\t$a0, $sp, 0x20']},
      'DATA': "b'/bin/mtd_write -o 0 -l 0 write `reboot`'",
      'DATA_ADDRS': ['0x7ffefe07']}]

Command Injection Specific

Since command injections are the easiest to demo, I've created a convenience dictionary key to demonstrate the location of the command injection easily.

    In [4]: result['Injected_Location']
    Out[4]: {'base': '0x7ffefde8', 'type': 'char *', 'value': '/bin/mtd_write -o 0 -l 0 write `reboot`'}

Sample Vulnerability Cluster Script

The vulnerability cluster script will attempt to discover vulnerabilities using the method in the Sample Vulnerability Discovery script and then build k-means clusters of a set of given functions across an extracted firmware to find similar functions to vulnerable ones.

    $ Vuln_Cluster_Celery.py -h
    usage: Vuln_Cluster_Celery.py [-h] [-L LD_PATH] [-F FUNCTION] [-V VULN_PICKLE] Directory

    positional arguments:
      Directory

    optional arguments:
      -h, --help            show this help message and exit
      -L LD_PATH, --LD_PATH LD_PATH
                            Path to libraries to load
      -F FUNCTION, --Function FUNCTION
      -V VULN_PICKLE, --Vuln_Pickle VULN_PICKLE

The command below takes -F as a known vulnerable function, -V as a pickle dumped from a previous run (so that vulnerabilities do not have to be discovered again) and -L as the library path. A sample usage:

    $ python Vuln_Cluster_Celery.py -F mtd_write_firmware -L Almond_Root/lib/ Almond_Root/etc_ro/lighttpd/www/cgi-bin/
    [+] Reading Files
    100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 2.80it/s]
    Getting functions from executables
    Starting main
    ... Snip ...

Download Firmware_Slap
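The README above says Firmware Slap exports its results as pickles or JSON "for integration with other tools", and shows the shape of the result object: a 'mem' list of memory events (basic-block address, DESCRIPTION of the form function+offset in binary, the DATA bytes rendered as a Python bytes repr, and DATA_ADDRS) plus the 'Injected_Location' convenience key. The following Python is an added example written for this digest, not code from the Firmware Slap project: it consumes a result object of that shape and produces a triage summary, decoding the "b'...'" repr strings back into bytes, parsing the function+offset out of DESCRIPTION, and flagging shell metacharacters in the constrained input. The sample result is constructed from the values quoted on the page (the \x01 padding is generated rather than copied), and the metacharacter check is a heuristic of this example, not something the tool itself reports.

```python
import ast
import json
import re

# Constructed sample: a trimmed copy of the Vuln_Discover_Celery.py result
# object quoted above. Field names and values come from the README; the
# DISASSEMBLY lists are shortened and the \x01 padding is generated.
SAMPLE_RESULT = {
    "mem": [
        {
            "BBL_ADDR": "0x401138",
            "BBL_DESC": {
                "DESCRIPTION": "mtd_write_firmware+0x0 in upload_bootloader.cgi (0x401138)",
                "DISASSEMBLY": ["0x401138:\tlui\t$gp, 0x42", "0x401168:\tjalr\t$t9"],
            },
            # DATA is stored as the repr of a bytes object, i.e. the text b'...'
            "DATA": "b'`reboot`" + "\\x01" * 51 + "\\x00'",
            "DATA_ADDRS": ["0x0"],
        },
        {
            "BBL_ADDR": "0x401170",
            "BBL_DESC": {
                "DESCRIPTION": "mtd_write_firmware+0x38 in upload_bootloader.cgi (0x401170)",
                "DISASSEMBLY": ["0x401180:\tjalr\t$t9"],
            },
            "DATA": "b'/bin/mtd_write -o 0 -l 0 write `reboot`'",
            "DATA_ADDRS": ["0x7ffefe07"],
        },
    ],
    "Injected_Location": {
        "base": "0x7ffefde8",
        "type": "char *",
        "value": "/bin/mtd_write -o 0 -l 0 write `reboot`",
    },
}

# "function+0xoffset in binary (...)" as written in BBL_DESC['DESCRIPTION']
DESC_RE = re.compile(r"^(?P<func>\w+)\+(?P<off>0x[0-9a-fA-F]+) in (?P<binary>\S+)")
# Characters that let a string reach the shell as more than one command
# (heuristic chosen for this example, not part of the tool's output).
SHELL_META = re.compile(r"[`;|&$]")


def decode_data(repr_str):
    """Turn the "b'...'" repr string stored in DATA back into real bytes."""
    value = ast.literal_eval(repr_str)  # safe: only parses Python literals
    if not isinstance(value, bytes):
        raise ValueError("DATA is not a bytes literal: %r" % repr_str)
    return value


def parse_description(desc):
    """Split 'func+0xoff in binary (...)' into (func, offset, binary)."""
    m = DESC_RE.match(desc)
    if not m:
        raise ValueError("unrecognised DESCRIPTION: %r" % desc)
    return m.group("func"), int(m.group("off"), 16), m.group("binary")


def shell_metacharacters(data):
    """Set of shell metacharacters in the C-string prefix (up to first NUL)."""
    text = data.split(b"\x00", 1)[0].decode("latin-1")
    return set(SHELL_META.findall(text))


def summarize(result):
    """One triage row per memory event: where the constraint applies and what it holds."""
    rows = []
    for event in result["mem"]:
        func, off, binary = parse_description(event["BBL_DESC"]["DESCRIPTION"])
        data = decode_data(event["DATA"])
        rows.append({
            "site": "%s+%#x" % (func, off),
            "binary": binary,
            "bbl_addr": int(event["BBL_ADDR"], 16),
            "data_addrs": [int(a, 16) for a in event["DATA_ADDRS"]],
            "data_len": len(data),
            "metachars": shell_metacharacters(data),
        })
    return rows


def injected_command(result):
    """(stack address, command string) from the Injected_Location key, or None."""
    loc = result.get("Injected_Location")
    if loc is None:
        return None
    return int(loc["base"], 16), loc["value"]


def summarize_json(text):
    """Same summary, starting from the JSON export of a result object."""
    return summarize(json.loads(text))


if __name__ == "__main__":
    for row in summarize(SAMPLE_RESULT):
        print("%-28s %-22s data@%s len=%d metachars=%s" % (
            row["site"], row["binary"],
            ",".join("%#x" % a for a in row["data_addrs"]),
            row["data_len"], sorted(row["metachars"]) or "-"))
    loc = injected_command(SAMPLE_RESULT)
    if loc:
        print("injected command at %#x: %r" % loc)
```

Running the block prints one line per memory constraint (mtd_write_firmware+0x0 with the 60-byte attacker-shaped buffer at 0x0, then mtd_write_firmware+0x38 with the assembled /bin/mtd_write command line on the stack) followed by the Injected_Location entry. Because DATA is a repr string rather than raw bytes, ast.literal_eval is used instead of eval so that a malformed or hostile export cannot execute code while being triaged.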

Link: http://www.kitploit.com/2019/08/firmware-slap-discovering.html

WestWild: 1.1: Vulnhub Walkthrough

Today we are going to take on a new CTF challenge, WestWild. The credit for making this VM goes to "Hashim Alsharef"; it is a boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here. Security Level: Intermediate. Penetrating Methodology: Scanning Nmap Enumeration… Continue reading →
The post WestWild: 1.1: Vulnhub Walkthrough appeared first on Hacking Articles.

Link: https://www.hackingarticles.in/westwild-1-1-vulnhub-walkthorugh/

Get to Know Manager of Software Development, Fred Yip

With job growth projected to surge 24% over the next seven years, software engineering is one of the most in-demand professional fields in the U.S. Exceptionally competitive pay and the chance to pursue careers across many industries are just a few benefits of being a software engineer. We explore how software engineers working in cybersecurity […]
The post Get to Know Manager of Software Development, Fred Yip appeared first on Webroot Blog.

Link: https://www.webroot.com/blog/2019/08/17/get-to-know-manager-of-software-development-fred-yip