
@diyan
diyan / gist:2850866
Created June 1, 2012 09:54
Python with PowerShell Remoting (Windows equivalent for Unix ssh sessions)
# Note that target_env.login and target_env.password are global variables
# Maybe I should add this into the Fabric project (http://docs.fabfile.org/en/1.4.2/index.html).
# This is a complicated task for sure, but it would be nice if Fabric could use ssh under Linux and PowerShell Remoting under Windows.
def remote_sh(target_host, command_text, ignore_error=False):
    print('run PowerShell script block at {0}: {1}'.format(target_host, command_text))
    command_text = command_text.replace('"', '\'')
@willurd
willurd / web-servers.md
Last active March 26, 2025 19:51
Big list of http static server one-liners

Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.

Discussion on reddit.

Python 2.x

$ python -m SimpleHTTPServer 8000
@strazzere
strazzere / pullapk.sh
Created October 16, 2013 22:38
Automatically find the path of an apk, perform a pull and rename without the number increments
#!/bin/sh
# Resolve the installed APK path for package $1, strip the "package:" prefix and CR, then pull it as <package>.apk
adb shell pm path "$1" |\
sed 's/package://' |\
tr -d '\r' |\
xargs -I % adb pull % "$1.apk"
@dweinstein
dweinstein / gdbserver.sh
Last active August 22, 2023 12:25
Android gdb debug scripts for hooking native processes
#!/usr/bin/env bash
if [ -z "$1" ]; then
    echo "usage: $(basename "$0") <process>"
    exit 1
fi
IP=$(adb shell netcfg | grep wlan0 | awk '{print $3}' | cut -d '/' -f1)
if [ $? -ne 0 ]; then
    echo "device plugged in?"
    exit 1
@hubert3
hubert3 / samsung_hash_crack.py
Last active September 24, 2024 14:47
Python implementation of passcode hashing algorithm used on the Samsung Galaxy S4 GT-I9505 4.2.2
#!/usr/bin/python
'''
Python implementation of passcode hashing algorithm used on the Samsung Galaxy S4 GT-I9505 4.2.2
Correct PIN for hash and salt below is 1234.
Get 40-character hash value in ascii hex format from file /data/system/password.key on the phone
Get salt in signed numeric format by doing sqlite3 query SELECT value FROM locksettings WHERE name = 'lockscreen.password_salt' on /data/system/locksettings.db
@hugsy
hugsy / QuickTip1.md
Last active June 18, 2020 22:29
Using new syscalls to bypass ptrace-protected process and read/write arbitrary memory.

Even though well-known methods exist to bypass ptrace deactivation on a process when spawning it (fake ptrace() preloading, breakpoint on ptrace(), etc.), it is trickier when the process is already protected.

Thankfully, Linux 3.2+ was generous enough to provide read/write capabilities to another process's memory with 2 new system calls: sys_process_vm_readv and sys_process_vm_writev (see https://github.com/torvalds/linux/blob/master/arch/x86/syscalls/syscall_64.tbl#L319).

Manual says:

These system calls transfer data between the address space of the calling

@k3170makan
k3170makan / AndroidManifestFuzzer
Last active October 5, 2016 09:06
Nifty Little Bash Script for Fuzzing Application AndroidManifest.xml's
#!/bin/bash
# Basic set up for an Application AndroidManifest Fuzzer
# This requires a preexisting ant-buildable application project to be set up! So get the SDK and ant 1.8
# This file reproduces the bug mentioned here: http://ibrahimbalic.com/2014/android-os-memory-corruption-bug/
# NOTE: values from 260000 and up cause SIGSEGVs to be sent to the system_server (tested on KitKat 4.4.2)
# NOTE: you should probably monitor $(adb logcat) || (/system/bin/gdbserver) for responsiveness to the issue
APP_PROJ_DIR="..." # <-- PATH TO PROJ DIR
APP_PACKAGE_NAME="..." # <-- PACKAGE NAME
APP_LAUNCH_COMP="..." # <-- MAIN ACTIVITY NAME
@Cr4sh
Cr4sh / gist:fe910f0d1b0559efd43d
Created September 3, 2014 19:55
Dynamically finding sys_call_table on Linux x86_64 systems
void **find_sys_call_table(void *kernel_addr, int kernel_size)
{
/*
Check for the system_call_fastpath() signature, hand-written piece of
assembly code from arch/x86/kernel/entry_64.S:
ja badsys
mov rcx, r10
call sys_call_table[rax * 8]
mov [rsp + 20h], rax

radare2 is a very cool set of tools that you probably don't know how to use! Let's go through a simple exploit CTF challenge to understand how to use it for exploit development.

We'll be focusing on "ropasaurus rex", a simple challenge from Plaid CTF. After checking out the latest and greatest radare from git, let's get started!

Open up ropasaurusrex in r2 and run analysis on the binary. We can list the functions with "afl".

@Fuzion24
Fuzion24 / Patching-CVE-2015-1474.md
Last active September 25, 2015 01:21
Patching CVE-2015-1474 -- Remotely exploitable graphics buffer overflow on my Nexus device (N5 5.0.1)

This is a brief guide on how I patched CVE-2015-1474 for my Nexus 5 (5.0.1). This involves downloading and building AOSP with the patch for the vuln applied. I have attached a pre-built patched version of libui.so for the Nexus 5 5.0.1 in case you are too lazy to build it yourself (and you trust me).

Building patched libui for your nexus device

repo init -u https://android.googlesource.com/platform/manifest -b android-5.0.1_r1
repo sync -j16

cd frameworks/native
# https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091%5E%21/#F0
git cherry-pick 2bc5e811a817a8c667bca4318ae98582b0ee6dc6