Hardware / Software setup

Orange Pi 5 8GB RAM

  • Ubuntu OS for Orange Pi (Debian behaves strangely with Pi-hole and some other containers; I have tested this).
  • Static IP address in LAN (192.168.0.2).
  • Docker containers:
    • WireGuard -> VPN that is easy to manage
    • Pi-hole -> acts as the DNS server
    • Syncthing -> backup of courses, blog, etc.

Steps to deploy homelab

  1. Disable CGNAT
  2. Enable port forwarding from 0.0.0.0 (WAN) to the Orange Pi LAN IP (UDP port 51820)
  3. Assign the Orange Pi LAN IP as the main DNS server
  4. Assign a static IP to the Orange Pi
  5. Enable the Docker containers (Note: use docker compose, not docker-compose. Install Docker from the official repo via curl, not apt.)

The router assigns 192.168.0.128 to 192.168.0.255 via DHCP; 192.168.0.2 to 192.168.0.127 are IP addresses reserved for my personal lab devices.

Our buffer is not always in a predictable location

Normally, in basic stack overflows, after we overwrite EIP we see that the ESP register points to our controlled buffer, which stores the shellcode. Then we find a JMP ESP to jump to our shellcode. However, there are scenarios in which our shellcode is not directly reachable via ESP, or is not at a predictable location in memory. Sometimes it is possible to store a payload somewhere else in the address space of the process and reach that address by "searching" for our payload from code. Let's see how to do it. First, we have the Savant Web Server 3.1, which has a vulnerability that allows us to overwrite EIP via a large HTTP GET buffer:

When doing the classical egghunter shellcode, we observed that the NtAccessCheckAndAuditAlarm function did not work because the system call number was changed between Windows versions. We fixed this by changing the system call number, but this fix comes at the cost of portability. In order for our exploit to work, we would have to identify the Windows version beforehand to craft a proper exploit.

Locating the crash

Generate the pattern with Kali or online. Send the pattern as the payload and detect the offset of the crash. Once the offset is located, fill it with A's.

msf-pattern_create -l 2600

When the program crashes, EIP will hold a certain value. Copy that value to obtain the exact offset: msf-pattern_offset -l 2600 -q "TBD_EIP"

ROP Lore

Why is ROP needed

Classic buffer overflows execute arbitrary code by redirecting the execution flow to something on the stack (which is normally also user-controlled). However, normal program flow never needs to redirect execution into the stack, because the code being executed lives in the .text section of the binary. The stack is used to store and manage local variables and function parameters.
