hacktricks/binary-exploitation/stack-overflow/pointer-redirecting.md

# Pointer Redirecting

{% hint style="success" %}
Impara e pratica il hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Impara e pratica il hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporta HackTricks</summary>

* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)!
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos su github.

</details>
{% endhint %}

## String pointers

Se una chiamata di funzione utilizza un indirizzo di una stringa che si trova nello stack, è possibile abusare del buffer overflow per **sovrascrivere questo indirizzo** e mettere un **indirizzo a una stringa diversa** all'interno del binario.

Se ad esempio una chiamata alla funzione **`system`** deve **utilizzare l'indirizzo di una stringa per eseguire un comando**, un attaccante potrebbe posizionare l'**indirizzo di una stringa diversa nello stack**, **`export PATH=.:$PATH`** e creare nella directory corrente uno **script con il nome della prima lettera della nuova stringa** poiché questo sarà eseguito dal binario.

Puoi trovare un **esempio** di questo in:

* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c)
* [https://guyinatuxedo.github.io/04-bof\_variable/tw17\_justdoit/index.html](https://guyinatuxedo.github.io/04-bof\_variable/tw17\_justdoit/index.html)
* 32bit, cambia l'indirizzo alla stringa delle flag nello stack in modo che venga stampato da `puts`

## Function pointers

Stesso concetto dei puntatori a stringa ma applicato alle funzioni, se lo **stack contiene l'indirizzo di una funzione** che verrà chiamata, è possibile **cambiarlo** (ad es. per chiamare **`system`**).

Puoi trovare un esempio in:

* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c)

## References

* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting)

{% hint style="success" %}
Impara e pratica il hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Impara e pratica il hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporta HackTricks</summary>

* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)!
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos su github.

</details>
{% endhint %}
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`# Pointer Redirecting`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`{% hint style="success" %}`
			`Impara e pratica il hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Impara e pratica il hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`<details>`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`<summary>Supporta HackTricks</summary>`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`* Controlla i [piani di abbonamento](https://github.com/sponsors/carlospolop)!`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00			`* Unisciti al 💬 [gruppo Discord](https://discord.gg/hRep4RUj7f) o al [gruppo telegram](https://t.me/peass) o seguici su Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`* Condividi trucchi di hacking inviando PR ai [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos su github.`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
			`</details>`
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`{% endhint %}`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`## String pointers`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`Se una chiamata di funzione utilizza un indirizzo di una stringa che si trova nello stack, è possibile abusare del buffer overflow per sovrascrivere questo indirizzo e mettere un indirizzo a una stringa diversa all'interno del binario.`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			Se ad esempio una chiamata alla funzione `system` deve utilizzare l'indirizzo di una stringa per eseguire un comando, un attaccante potrebbe posizionare l'indirizzo di una stringa diversa nello stack, `export PATH=.:$PATH` e creare nella directory corrente uno script con il nome della prima lettera della nuova stringa poiché questo sarà eseguito dal binario.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
			`Puoi trovare un esempio di questo in:`

			`* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c)`
			`* [https://guyinatuxedo.github.io/04-bof\_variable/tw17\_justdoit/index.html](https://guyinatuxedo.github.io/04-bof\_variable/tw17\_justdoit/index.html)`
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			* 32bit, cambia l'indirizzo alla stringa delle flag nello stack in modo che venga stampato da `puts`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`## Function pointers`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			Stesso concetto dei puntatori a stringa ma applicato alle funzioni, se lo stack contiene l'indirizzo di una funzione che verrà chiamata, è possibile cambiarlo (ad es. per chiamare `system`).
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
			`Puoi trovare un esempio in:`

			`* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c)`

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`## References`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
			`* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting)`

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`{% hint style="success" %}`
			`Impara e pratica il hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Impara e pratica il hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`<details>`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`<summary>Supporta HackTricks</summary>`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`* Controlla i [piani di abbonamento](https://github.com/sponsors/carlospolop)!`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00			`* Unisciti al 💬 [gruppo Discord](https://discord.gg/hRep4RUj7f) o al [gruppo telegram](https://t.me/peass) o seguici su Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`* Condividi trucchi di hacking inviando PR ai [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos su github.`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-04-07 02:49:58 +00:00
			`</details>`
Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:12:19 +00:00			`{% endhint %}`