Cross-Compiling Exploits
Cross-Compiling Exploits
In certain cases, exploit code will be developed in C/C++/C#, as a result, you will need to compile the exploit code in to a PE (Portable Executable) or binary.
Cross-Compiling is the process of compiling code for a platform other than the one performing the compilation.
As a penetration tester, you will need to have the skills necessary to compile exploit code developed in C.
交叉编译漏洞利用
交叉编译漏洞利用
在某些情况下,利用代码将在 C/C++/C# 中开发,因此,您需要将利用代码编译为 PE(可移植可执行文件)或二进制文件。
交叉编译是为执行编译的平台以外的平台编译代码的过程。
作为渗透测试人员,您需要具备编译用 C 语言开发的漏洞利用代码所需的技能。
Demo: Cross-Compiling Exploits(演示:交叉编译漏洞利用)
We will be taking a look at the process of compiling exploits, Linux exploits, as well as cross-compiling Windows exploits on Linux.
What’s compilation and what’s cross-compilation?
Typically, during a penetration test, you’re primarily going to be working from Kali Linux. As a result, you will be in situations where you will need to compile Windows exploits on a Linux system, and that is why this process is referred to as cross-compiling or cross-compilation. If you’re just compiling a Linux exploit on Kali Linux, then that is known simply as compiling.
I’ve already identified the exploits that have been written in C that I’m going to compile and cross-compile.
In the case of the Windows exploit:
VideoLAN VLC Media Player 0.8.6f - ‘smb://’ URI Handling Remote Buffer Overflow
In this case of Linux:
In the case of Windows compilation on Linux or cross-compiling a Windows exploit on Linux, you require a few tools, one of which is mingw-w64,
Mingw-w64 是原始 mingw.org 项目的进步,创建它是为了支持 Windows 系统上的 GCC 编译器。
1
sudo apt-get install mingw-w64
In the case of compiling C code or Linux exploits, you need to have the GNU C compiler installed.
1
sudo apt-get install gcc
We can take a look at how to compile the Windows exploit first.
1
2
pwd
/home/kali/Desktop/Exploits
VideoLAN VLC Media Player 0.8.6f - ‘smb://’ URI Handling Remote Buffer Overflow:
EDB-ID: 9303
In terms of compilation, we can compile either a 32-bit version of the exploit or a 64-bit version. And I would typically recommend compiling the 32-bit version of the exploit, as it’ll run on both 32-bit systems as well as 64-bit systems.
I can download it directly from the ExploitDB website or I can utilize searchsploit to copy it over.
1
searchsploit VideoLAN VLC SMB
Copy it with searchsploit to my current working directory.
1
searchsploit -m 9303
In the case of exploits that have been written in C, if the exploits have been well-documented, they might contain information regarding how to compile this specific exploit in regards to the mingw compilation instructions and arguments that you need to provide.
So we will need to use the default compilation options or the default compilation syntax.
In order to compile this exploit written in C, we will start off by compiling the 64-bit version first.
-o
: output it into another file. This is going to be the portable executable.
1
i686-w64-mingw32-gcc 9303.c -o exploit
1
ls
That is how to perform Windows cross-compilation on Linux.
In some cases, you may find a few errors. And that will come down to the compilation arguments that you need to provide.
If you want to compile it for 32-bit systems:
1
rm exploit.exe
lws2_32
: Specify that this is for 32-bit systems or 32-bit versions of Windows.
1
i686-w64-mingw32-gcc 9303.c -o exploit -lws2_32
It compiles the 32-bit exploit.
1
ls -al
We have been able to compile both the 64-bit portable executable and the 32-bit portable executable.
1
rm exploit.exe
How to compile Linux exploits that have been written in C.
Linux Kernel 2.6.22 < 3.9 - ‘Dirty COW’ ‘PTRACE_POKEDATA’ Race Condition Privilege Escalation (/etc/passwd Method)
EDB-ID: 40839
This particular exploit has fantastic documentation, in that it provides you with compilation instructions and the arguments that you need to specify during the compilation.
1
searchsploit Dirty Cow
1
searchsploit -m 40839
This is going to be an ELF binary, which means it can only be executed on a Linux or Unix system.
1
gcc -pthread 40839.c -o exploit -lcrypt
1
ls -al
We have the Linux binary or ELF binary called exploit, which we can execute on Kali Linux.
It’s one of the, at least in my experience, one of the most well-developed and documented exploits out there, especially in the context of C.
We have successfully taken a look at how to cross-compile Windows exploits that have been developed in C on Linux, as well as compiling Linux exploits that have been developed in C.
offensive-security/exploitdb-bin-sploits
This is a Github repository that contains a list of precompiled binaries, more specifically, Windows binaries and a few Linux binaries as well. The reason this is provided is primarily because in certain cases cross-compiling Windows exploits on Linux may not be successful and may bring up a lot of errors. In that case, you can always rely on this vetted source in terms of precompiled binaries, in that you know that they don’t perform anything else that they’re not supposed to do in terms of their functionality.
复现视频内容
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(root㉿kali)-[~/tmp]
└─# pwd
/root/tmp
┌──(root㉿kali)-[~/tmp]
└─# searchsploit VideoLAN VLC SMB
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit) | windows_x86/local/16678.rb
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow | windows/remote/9303.c
VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Universal Buffer Overflow | windows/remote/9318.py
VideoLAN VLC Media Player 0.9.9 - 'smb://' URI Stack Buffer Overflow (PoC) | windows/dos/9029.rb
VideoLAN VLC Media Player 1.0.0/1.0.1 - 'smb://' URI Handling Buffer Overflow (PoC) | windows/dos/9427.py
VideoLAN VLC Media Player 1.0.2 - 'smb://' URI Stack Overflow | windows/remote/9816.py
VideoLAN VLC Media Player 1.0.3 - 'smb://' URI Handling Remote Stack Overflow (PoC) | windows/dos/10333.py
VideoLAN VLC Media Player < 1.1.4 - '.xspf smb://' URI Handling Remote Stack Overflow (PoC) | windows/dos/14892.py
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~/tmp]
└─# searchsploit -m 9303
Exploit: VideoLAN VLC Media Player 0.8.6f - 'smb://' URI Handling Remote Buffer Overflow
URL: https://www.exploit-db.com/exploits/9303
Path: /usr/share/exploitdb/exploits/windows/remote/9303.c
Codes: N/A
Verified: True
File Type: C source, ASCII text
Copied to: /root/tmp/9303.c
1
2
3
4
5
6
┌──(root㉿kali)-[~/tmp]
└─# i686-w64-mingw32-gcc 9303.c -o exploit
┌──(root㉿kali)-[~/tmp]
└─# ls
39446.py 39525.py 42031.py 49757.py 9303.c exploit.exe
1
2
3
4
5
6
┌──(root㉿kali)-[~/tmp]
└─# i686-w64-mingw32-gcc 9303.c -o exploit32 -lws2_32
┌──(root㉿kali)-[~/tmp]
└─# ls
39446.py 39525.py 42031.py 49757.py 9303.c exploit32.exe exploit.exe
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
┌──(root㉿kali)-[~/tmp]
└─# searchsploit Dirty Cow
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1) | linux/dos/43199.c
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2) | linux/dos/44305.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method) | linux/local/40838.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method) | linux/local/40611.c
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿kali)-[~/tmp]
└─# searchsploit -m 40839
Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
URL: https://www.exploit-db.com/exploits/40839
Path: /usr/share/exploitdb/exploits/linux/local/40839.c
Codes: CVE-2016-5195
Verified: True
File Type: C source, ASCII text
Copied to: /root/tmp/40839.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(root㉿kali)-[~/tmp]
└─# gcc -pthread 40839.c -o dirtycow -lcrypt
┌──(root㉿kali)-[~/tmp]
└─# ls -al
total 556
drwxr-xr-x 2 root root 4096 Apr 11 07:54 .
drwx------ 19 root root 4096 Apr 11 07:32 ..
-rwxr-xr-x 1 root root 10218 Apr 9 09:21 39446.py
-rwxr-xr-x 1 root root 13734 Apr 9 09:21 39525.py
-rw-r--r-- 1 root root 4814 Apr 11 07:52 40839.c
-rwxr-xr-x 1 root root 26086 Apr 9 08:02 42031.py
-rwxr-xr-x 1 root root 1101 Apr 9 07:31 49757.py
-rw-r--r-- 1 root root 1836 Apr 11 07:42 9303.c
-rwxr-xr-x 1 root root 17512 Apr 11 07:54 dirtycow
-rwxr-xr-x 1 root root 231143 Apr 11 07:47 exploit32.exe
-rwxr-xr-x 1 root root 231143 Apr 11 07:45 exploit.exe
offensive-security/exploitdb-bin-sploits