In Linux operating systems, the function prologue is the one in charge of creating the canary and adding it to the stack. The epilogue is the one in charge of comparing the canary.

Let’s see the stack layout:

[...] -> 0xffffffff
RET ADDRESS 
BASE EBP
CANARY
VALUE -> 0x00000000

Canary is after base EBP and return address, in order to guard them both. Note: Canary first byte is always null byte -> The printf function cannot be exploited to leak the canary. Libc stores canary info in its own libc memory space, unless threads are created. In that case, the canary is independent per thread and each thread has its own stack canary.

Continue reading 

Hardware / Software setup

Orange Pi 5 8GB RAM

• Ubuntu OS for OrangePi (debian works strange with pihole and some other containers, have tested).
• Static IP address in LAN (192.168.0.2).
• Docker containers:
  • Wireguard -> VPN easy to manage
  • Pihole -> Act as DNS server
  • Syncthing -> Backup of courses, blog, etc

Steps to deploy homelab

1. Disable CGNAT
2. Enable Port Forwarding from 0.0.0.0 WAN to Orange PI LAN IP (UDP port 51820)
3. Assign Orange PI LAN IP as main DNS
4. Assign Static IP to Orange Pi
5. Enable docker containers (Note: User docker compose, not docker-compose. Install docker from official repo via curl, not apt) Router assigns 192.168.0.128 to 192.168.0.255 via DHCP 192.168.0.2 to 192.168.0.127 are IP addresses for my personal lab devices.

Proxmox

Steps to add new disk

You would need to format the drive via the UI (Click on the Node > Disks > Select your disk > Initialize disk with GPT). Depending on what kind of storage you want to create with your disk, the next steps differ.  
  
If you want to create a directory storage, you would simply navigate to Directory in the sidebar and then click 'Create'. There you just supply the sdb disk and enter a name and a type of filesystem.  
Be aware that Directory storage does not support many features offered by PVE such as Snapshots (you can check the capabilities of the different storage types in our documentation: [1]).  
  
You could also create an LVM-thin storage, which provides more features than a simple directory storage (which is probably what you currently have on your existing disk with name local). For this, instead of going to Directory in the sidebar, you can navigate to LVM-thin, then click 'Create Thinpool' . Then you just enter a name for your new pool and wait until the creation has finished. Your disk should then be ready to use. I would recommend for you to use this for now as LVM-thin offers more features and capabilities than simple Directory storage, while still being relatively simple to use for beginners.  
  
[1] [https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_storage_types](https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_storage_types)

Steps to import VM

QCOW format

Push via SCP qcow file in qcow folder:

Continue reading 

What is ASLR

Due to the invention of ROP, operating system developers introduced Address Space Layout Randomization (ASLR) as an additional mitigation technique. The goal of ASLR was to mitigate exploits that defeat DEP with ROP. At a high level, ASLR defeats ROP by randomizing an EXE or DLL’s loaded address each time the application starts. This way, gadgets cannot be used as the memory address of the gadget won’t be the same each time the module is loaded.

Continue reading 

Our buffer is not always in a predictable location

Normally, in the base stack overflows, after we overwrite EIP we see that the ESP register points to our controlled buffer, which would store the shellcode. Then, we find a JMP ESP to jump to our shellcode. However, there are some scenarios in which our shellcode is not directly accessible via ESP, or in a predictable location in memory. Sometimes, it is possible to store a payload somewhere else in the address space of the process, and point to such address by “searching” for our payload in the code. Let’s see how to do it. First, we have the Savant Web Server 3.1, which has a vulnerability that allows us overwriting EIP via a large HTTP GET buffer:

Continue reading 

When doing the classical egghunter shellcode, we observed that the NtAccessCheckAndAuditAlarm function did not work because the system call number was changed between Windows versions. We fixed this by changing the system call number, but this fix comes at the cost of portability. In order for our exploit to work, we would have to identify the Windows version beforehand to craft a proper exploit.

Continue reading 