Compilation
Find out the platform architecture of the target (the binary has to be built for the target's CPU, not the host's):
uname -m
https://www.aldeid.com/wiki/TryHackMe-GoldenEye
The program ‘gcc’ is currently not installed. To run ‘gcc’ please ask your administrator to install the package ‘gcc’
# gcc is not installed, but cc usually is: find it and make sure its directory is on PATH
which cc
export PATH=$PATH:$(dirname "$(which cc)")
Replace gcc with cc in the exploit (compile commands embedded in the source or a Makefile):
sed -i "s/gcc/cc/g" 37292.c
To compile a C/C++ Windows exploit on Linux, use the MinGW cross compiler (mingw32-gcc, https://sourceforge.net/projects/mingw/); -lws2_32 links Winsock and is needed when the code uses sockets:
i686-w64-mingw32-gcc [.c] -o [.exe] [-lws2_32]
i686-w64-mingw32-g++ [.cpp] -o [.exe] [-lws2_32]
Easiest way to cross-compile binaries (guide followed below):
https://jensd.be/1126/linux/cross-compiling-for-arm-or-aarch64-on-debian-or-ubuntu
x86_64
# hello-x86_64: ELF 64-bit LSB executable, x86-64
x86_64-linux-gnu-gcc -static hello.c -o hello-x86_64
x86_64-linux-gnu-gcc -static CVE-2022-2586.c -o CVE-2022-2586_exploit -lmnl -no-pie -lpthread
32 bit (arm)
# hello-arm: ELF 32-bit LSB executable
arm-linux-gnueabi-gcc hello.c -o hello-arm -static
requires the following packages:
sudo apt install gcc make gcc-arm-linux-gnueabi binutils-arm-linux-gnueabi
32 bit (i386)
# hello-i386: ELF 32-bit LSB executable, Intel 80386
i686-linux-gnu-gcc hello.c -o hello-i386 -static
requires the following package:
sudo apt install gcc-i686-linux-gnu
64 bit (aarch64)
# hello-aarch64: ELF 64-bit LSB executable, ARM aarch64
aarch64-linux-gnu-gcc hello.c -o hello-aarch64 -static
requires the following packages:
sudo apt install gcc make gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu
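As an added example (my own, not code from the page or the linked guide): a small POSIX sh script that maps the target's uname -m value to the cross-compiler triple used above, picks the compiler (the cross gcc, or on a matching host gcc and then cc, covering the "gcc missing, cc available" case at the top of the page), and checks the file output of the result against the architecture you meant to build for, so a wrong-arch build is caught before it is copied anywhere. Package names and file strings are the ones shown on this page; the 32-bit ARM file string is assumed to start with "ELF 32-bit LSB executable, ARM".

```shell
#!/bin/sh
# Added example, not code from the page or the linked guide.
# Build a C file for a target's `uname -m` value with the right cross-compiler
# and confirm the result with `file`.

# Map the `uname -m` string (run on the target) to the GNU triple prefix of the
# cross-compiler packages listed above.
arch_to_triple() {
  case "$1" in
    x86_64|amd64)          echo x86_64-linux-gnu ;;
    i386|i486|i586|i686)   echo i686-linux-gnu ;;
    armv5*|armv6*|armv7*)  echo arm-linux-gnueabi ;;
    aarch64|arm64)         echo aarch64-linux-gnu ;;
    *) echo "unsupported machine type: $1" >&2; return 1 ;;
  esac
}

# Substring that `file` prints for a binary built with that triple
# (taken from the `file` outputs shown on this page; the ARM one assumes the
# usual "..., ARM, EABI5" form and matches only up to "ARM").
expected_file_desc() {
  case "$1" in
    x86_64-linux-gnu)   echo "ELF 64-bit LSB executable, x86-64" ;;
    i686-linux-gnu)     echo "ELF 32-bit LSB executable, Intel 80386" ;;
    arm-linux-gnueabi)  echo "ELF 32-bit LSB executable, ARM" ;;
    aarch64-linux-gnu)  echo "ELF 64-bit LSB executable, ARM aarch64" ;;
    *) return 1 ;;
  esac
}

# Succeed only when a `file` description ($1) matches the triple ($2).
check_file_desc() {
  want=$(expected_file_desc "$2") || return 1
  case "$1" in
    *"$want"*) return 0 ;;
    *) echo "architecture mismatch: wanted '$want', got: $1" >&2; return 1 ;;
  esac
}

# Choose the compiler: the cross gcc for the triple; when the host already is
# that architecture, native gcc or, if gcc is not installed, cc.
pick_compiler() {
  triple=$1
  host_triple=$(arch_to_triple "$(uname -m)" 2>/dev/null) || host_triple=""
  if command -v "${triple}-gcc" >/dev/null 2>&1; then
    echo "${triple}-gcc"; return 0
  fi
  if [ "$triple" = "$host_triple" ]; then
    for c in gcc cc; do
      if command -v "$c" >/dev/null 2>&1; then echo "$c"; return 0; fi
    done
  fi
  echo "no compiler for $triple (cross targets: sudo apt install gcc-$triple)" >&2
  return 1
}

# build_for <source.c> <output> <uname -m of the target>
build_for() {
  src=$1; out=$2; target=$3
  triple=$(arch_to_triple "$target") || return 1
  compiler=$(pick_compiler "$triple") || return 1
  # -static: the target may not have the glibc version the host links against
  "$compiler" -static "$src" -o "$out" || return 1
  check_file_desc "$(file "$out")" "$triple"
}

# Usage: build_for hello.c hello-arm armv7l
```

build_for returns non-zero, with the mismatch printed on stderr, when the file description does not contain the expected architecture string, which is the check worth scripting: a binary compiled for the wrong CPU fails only once it is on the target.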
Docker
https://github.com/X0RW3LL/XenSpawn
https://github.com/multiarch/crossbuild
# 32-bit arm via multiarch/crossbuild (runs make in the mounted directory)
docker run --rm -v $(pwd):/workdir -e CROSS_TRIPLE=arm-linux-gnueabi multiarch/crossbuild make hello
# interactive shell in a Debian stretch cross-compile image
docker run --rm -it -v `pwd`:/src -w /src ev3dev/debian-stretch-cross
# interactive shell in the official gcc 4.9 image, then compile inside the container
docker run --rm -it -v `pwd`:/usr/src/myapp -w /usr/src/myapp gcc:4.9
gcc -o myapp myapp.c
# old CentOS 4.4 i386 image
docker pull bdobyns/centos4.4_i386
With the update to Kernel 5.18.0-kali7-amd64 in Kali 2022.3 (2022 Kali Rolling release), GCC 12.2.0 no longer includes libraries required by older Linux Kernels. To compile C and C++ exploits that can run on older generation targets (< Kernel 2.6), we recommend using an older GCC inside docker.
Guide to installing docker on Kali: https://www.kali.org/docs/containers…ocker-on-kali/
As an example, to compile with GCC version 4.9 in docker, follow these steps. First, pull the docker image:
docker pull gcc:4.9
# 4.9: Pulling from library/gcc
# Digest: sha256:6356ef8b29cc3522527a85b6c58a28626744514bea87a10ff2bf67599a7474f5
# Status: Image is up to date for gcc:4.9
# docker.io/library/gcc:4.9
Then place exploit.c in the current directory and run the docker command (as root, or as a user in the docker group):
docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:4.9 gcc -o exploit exploit.c
file exploit
# exploit: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked,
# interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, not stripped
Docker image for GCC: https://hub.docker.com/_/gcc/tags
A few tools to get a first look at a binary
file binary
file *
# if vim shows missing or unprintable characters, look at a hex dump instead:
hexdump -C binary
xxd myfile | less
strings binary
strings -e l myfile   # 16-bit little-endian strings (UTF-16LE, common in Windows binaries)
strings -e L myfile   # 32-bit little-endian strings
strings -e B myfile   # 32-bit big-endian strings
objdump -d binary          # disassemble the code sections
objdump -x binary | less   # all headers: sections, symbols, dynamic info
strace ./binary                    # trace system calls
strace ./binary MY_SEARCH_STRING   # same, passing an argument to the program
ltrace ./binary                    # trace library calls
ltrace ./binary MY_SEARCH_STRING
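To see why the -e flags matter, here is an added example (mine, not from the page) of the scan that strings performs, written in POSIX sh with only od and awk so it runs even where binutils is absent. It embeds a constructed byte string containing the ASCII text "plain" followed by "Hello" encoded as UTF-16LE: the default 8-bit scan reports "plain" and misses "Hello", while the 16-bit little-endian scan (what strings -e l does) reports "Hello". The minimum length of 4 mirrors the strings default; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the page): a minimal re-implementation of the scan
# behind `strings` (ascii) and `strings -e l` (utf16le), using only od and awk,
# to show why UTF-16LE text is invisible to the default scan.

# extract_strings <file> [ascii|utf16le]   (minimum length 4, like strings)
extract_strings() {
  od -An -v -tx1 "$1" | awk -v mode="${2:-ascii}" -v min=4 '
    # map hex byte -> printable ASCII character (0x20..0x7e)
    BEGIN { for (i = 32; i < 127; i++) map[sprintf("%02x", i)] = sprintf("%c", i) }
    # collect every byte of the file, in order
    { for (j = 1; j <= NF; j++) b[n++] = $j }
    END {
      s = ""
      for (i = 0; i < n; ) {
        if (mode == "utf16le") {
          # one character = printable low byte followed by a 0x00 high byte
          ok = (i + 1 < n && (b[i] in map) && b[i+1] == "00"); step = 2
        } else {
          ok = (b[i] in map); step = 1
        }
        if (ok) { s = s map[b[i]]; i += step }
        else { if (length(s) >= min) print s; s = ""; i++ }
      }
      if (length(s) >= min) print s
    }'
}

# Constructed sample: ASCII "plain", two NULs, then "Hello" as UTF-16LE, NUL-padded.
write_sample() {
  printf 'plain\000\000H\000e\000l\000l\000o\000\000\000' > "$1"
}

# Run both scans over the sample so the difference is visible side by side.
demo() {
  f=$(mktemp) || return 1
  write_sample "$f"
  echo "default scan: $(extract_strings "$f" ascii)"     # plain
  echo "utf16le scan: $(extract_strings "$f" utf16le)"   # Hello
  rm -f "$f"
}

# Usage: demo
```

The scan only pairs a printable byte with a following 0x00, so wide strings at odd offsets or big-endian text are not found; that is the same reason strings needs the explicit -e b, -e L or -e B variants listed above.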
Debug tools
- hopper v3 disassembler on mac
- radare2
r2 binary
> aaa # analyse all (functions, references, ...)
> afl # list all functions found
> ? # help
- gdb-pwndbg
# generate a padding pattern to feed the program:
python2 -c 'print "B" * 100'
python3 -c "print('A' * 100)"
Random
Jar analysis
# unpack the jar and decompile every class with jad (installed here at /opt/jad)
jar -xf BlockyCore.jar && find . -iname "*.class" | xargs /opt/jad -r