╔══════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ██████╗ ██╗ ██████╗ ██████╗ ███████╗ ██████╗ ██████╗ ██████╗ ████████╗║
║ ██╔══██╗███║ ╚════██╗╚════██╗╚════██║ ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝║
║ ██║ ██║╚██║ █████╔╝ █████╔╝ ██╔╝ ██████╔╝██║ ██║██║ ██║ ██║ ║
║ ██║ ██║ ██║ ╚═══██╗ ╚═══██╗ ██╔╝ ██╔══██╗██║ ██║██║ ██║ ██║ ║
║ ██████╔╝ ██║ ██████╔╝██████╔╝ ██║ ██████╔╝╚██████╔╝╚██████╔╝ ██║ ║
║ ╚═════╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
███╗ ███╗ ██████╗ ███╗ ██╗███████╗██╗ ██╗██╗ ██╗██╗ ██╗███╗ ██╗████████╗███████╗██████╗
████╗ ████║██╔═══██╗████╗ ██║██╔════╝╚██╗ ██╔╝██║ ██║██║ ██║████╗ ██║╚══██╔══╝██╔════╝██╔══██╗
██╔████╔██║██║ ██║██╔██╗ ██║█████╗ ╚████╔╝ ███████║██║ ██║██╔██╗ ██║ ██║ █████╗ ██████╔╝
██║╚██╔╝██║██║ ██║██║╚██╗██║██╔══╝ ╚██╔╝ ██╔══██║██║ ██║██║╚██╗██║ ██║ ██╔══╝ ██╔══██╗
██║ ╚═╝ ██║╚██████╔╝██║ ╚████║███████╗ ██║ ██║ ██║╚██████╔╝██║ ╚████║ ██║ ███████╗██║ ██║
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝╚══════╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚═╝ ╚═╝
# === KERNEL EXPLOITATION ===
$ cat /proc/kallsyms | grep commit_creds
ffffffff81094a50 T commit_creds
ffffffff81094b60 T prepare_kernel_cred
$ ./pwn_kernel --bypass=SMEP,SMAP,KASLR --target=commit_creds
[*] Leaking kernel base via /dev/mem...
[*] KASLR slide: 0x1e00000
[*] Building ROP chain for ret2usr...
[+] Got root. ez.
# === HEAP FENG SHUI ===
$ gdb -q ./target -ex 'b *0x401337' -ex 'r < payload'
(gdb) x/32gx $rsp
0x7fffffffe000: 0x4141414141414141 0x4242424242424242
0x7fffffffe010: 0x00007ffff7a52083 0xdeadbeefcafebabe
(gdb) heap chunks
[+] tcache[0x90]: 0x55555555a -> 0x55555555b -> 0x55555555c (corrupted)
# === BINARY DIFFING ===
$ radare2 -AA ./firmware.bin
[0x08048000]> pdf @ sym.decrypt_key
│ 0x08048000 push ebp
│ 0x08048001 mov ebp, esp
│ 0x08048003 xor eax, [ebp+0x8] ; XOR key = 0xDEAD1337
│ 0x08048009 rol eax, 0x0d ; custom rotation
└ 0x0804800c ret
$ whoami
root (uid=0 gid=0) // spawned from kernel exploit, bukan sudo -s kek bocil
+ nulis exploit sendiri mass - download poc github run langsung
+ baca CVE detail sampe paham - "CVE apaan bang?"
+ debug pake gdb sampe malem - "kok segfault bang"
+ paham assembly buat ROP chain - assembly? itu merk hp?
+ reverse engineering binary - "cara decompile gimana bang"
+ bikin shellcode custom - msfvenom --payload copy paste
+ patch kernel buat privesc - "sudo su kok gak bisa"
+ ASLR bypass, heap feng shui - heap apaan? yg buat naruh barang?
Address Perm Skill Level
0x00000000-0x1337 rwx binary exploitation ████████████░░ real
0x1337-0x31337 rwx reverse engineering ███████████░░░ real
0x31337-0x41414 rwx kernel hacking █████████░░░░░ real
0xdeadbeef --- copy paste ░░░░░░░░░░░░░░ gak guna
0xcafebabe --- download tool ░░░░░░░░░░░░░░ skid behavior
0x41414141 --- nanya di grup ░░░░░░░░░░░░░░ /dev/null
/*
* FAQ - Frequently Asked (stupid) Questions
* Author: orang yg capek ditanyain hal goblok
*/
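/*
 * One FAQ entry: a question and its canned answer.
 * Both members are const because faq[] below initialises them with string
 * literals; writing through a pointer to a string literal is undefined
 * behaviour, so the type now forbids it.
 */
struct question {
    const char *tanya; /* question text (read-only) */
    const char *jawab; /* answer text (read-only) */
};

/*
 * Static FAQ table. A C string literal may not span a line break, so the
 * multi-line answers are written as adjacent literals (concatenated by the
 * compiler) with an explicit "\n" where the original text broke the line.
 * Entry count is sizeof faq / sizeof faq[0]; the table itself is not const
 * so existing callers taking a `struct question *` keep compiling.
 */
struct question faq[] = {
    {"bang ajarin dong",
     "RTFM anjing. man pages ada, docs ada, google ada. otak dipake"},
    {"kok segfault bang?",
     "gdb ./binary, run, bt full. baca sendiri kontol"},
    {"cara bypass aslr gimana?",
     "lu tau aslr apaan dulu gak? address space layout randomization.\n"
     "ngerti gak? gak kan. sono belajar memory layout dulu"},
    {"minta exploit nya dong",
     "BIKIN SENDIRI GOBLOK. lu kira exploit tumbuh di pohon?"},
    {"bang kok rc4 decrypt nya error?",
     "key nya bener gak tolol? IV nya ada gak? padding udah bener?\n"
     "atau jangan-jangan lu gak tau rc4 itu symmetric cipher?"},
    {"cara decompile gimana?",
     "ghidra gratis. ida ada crack. bina.re ada. tapi bohong gw\n"
     "kalo lu bisa baca output nya WKWK"},
};
/* $ cat /behavior/skid.txt */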
[x] download sqlmap langsung scan, gak ngerti cara kerja sql injection
[x] pake metasploit doang, gak bisa bikin exploit manual
[x] "bang hash ini crack dong" (padahal tinggal hashcat -m)
[x] nanya payload reverse shell, padahal di revshells.com ada
[x] deface web terus bangga, padahal cuma upload shell doang
[x] koleksi 0day tapi gak ngerti cara pake
[x] sok pake kali linux, terminal isinya apt install doang
[x] fork repo orang, ganti nama, claim "my tool"
[x] bilang "gw hacker" padahal ping aja pake cmd
section .rodata
msg db "intinya:", 0xa ; start of the message that the write(1, msg, len) comment under _start refers to; 0xa is '\n'
db "download tool 1000 biji = skill tetep 0", 0xa
db "run exploit tanpa ngerti = skid behavior", 0xa
db "nanya mulu gak mau baca = goblok permanen", 0xa
db "mending mass belajar dari 0 drpd jadi skid seumur hidup", 0xa
db 0xa ; blank line before the signature
db "-- boshe99", 0xa
db "-- echo $? returns 0 for real coders only", 0 ; NUL terminator; write() needs a byte count, and `len` is not defined in the visible lines -- conventionally `len equ $ - msg` would follow here
section .text
global _start
_start:
; write(1, msg, len)
; kalo lu gak ngerti ini, fix skid

