Added tools and fixed typos

This commit is contained in:
7Rocky 2024-04-06 15:01:06 +02:00
parent b2ce11dbfa
commit 1d9352d8be

@ -24,6 +24,10 @@ Other ways to support HackTricks:
2. **Gadget Chaining**: The attacker then carefully selects and chains gadgets to perform the desired actions. This could involve setting up arguments for a function call, calling the function (e.g., `system("/bin/sh")`), and handling any necessary cleanup or additional operations. 2. **Gadget Chaining**: The attacker then carefully selects and chains gadgets to perform the desired actions. This could involve setting up arguments for a function call, calling the function (e.g., `system("/bin/sh")`), and handling any necessary cleanup or additional operations.
3. **Payload Execution**: When the vulnerable function returns, instead of returning to a legitimate location, it starts executing the chain of gadgets. 3. **Payload Execution**: When the vulnerable function returns, instead of returning to a legitimate location, it starts executing the chain of gadgets.
### Tools
Typically, gadgets can be found using **[ROPgadget](https://github.com/JonathanSalwan/ROPgadget)**, **[ropper](https://github.com/sashs/Ropper)** or directly from **pwntools** ([ROP](https://docs.pwntools.com/en/stable/rop/rop.html)).
## ROP Chain in x86 Example ## ROP Chain in x86 Example
### **x86 (32-bit) Calling conventions** ### **x86 (32-bit) Calling conventions**
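Review bot: the new `### Tools` paragraph names ROPgadget, ropper and pwntools' `ROP` class but gives the reader nothing to go on beyond the links; one line per tool saying what it produces (a listing of `pop`/`ret` gadget addresses to pick from, or, for pwntools, a `ROP` object built from the already-loaded `ELF` that resolves gadgets for you) would make the section usable before the x86 example that follows. Also consider stating that gadget addresses found this way are only valid for the binary analysed and shift with PIE, since the examples below hard-code them.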
@ -37,7 +41,7 @@ First, let's assume we've identified the necessary gadgets within the binary or
* `pop eax; ret`: This gadget pops the top value of the stack into the `EAX` register and then returns, allowing us to control `EAX`. * `pop eax; ret`: This gadget pops the top value of the stack into the `EAX` register and then returns, allowing us to control `EAX`.
* `pop ebx; ret`: Similar to the above, but for the `EBX` register, enabling control over `EBX`. * `pop ebx; ret`: Similar to the above, but for the `EBX` register, enabling control over `EBX`.
* `mov [ebx], eax; ret`: Moves the value in `EAX` to the memory location pointed to by `EBX` and then returns. * `mov [ebx], eax; ret`: Moves the value in `EAX` to the memory location pointed to by `EBX` and then returns. This is often called a **write-what-where gadget**.
* Additionally, we have the address of the `system()` function available. * Additionally, we have the address of the `system()` function available.
### **ROP Chain** ### **ROP Chain**
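Review bot: the added "write-what-where gadget" sentence on the `mov [ebx], eax; ret` bullet is accurate, but since this is the 32-bit section it is worth saying that the write is 4 bytes wide (the width of `EAX`); that detail is what forces a string such as `/bin/sh\x00` to be written in dword-sized chunks when the chain is built, and stating it here avoids a surprise later.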
@ -60,7 +64,7 @@ p = process(binary.path)
bin_sh_addr = next(binary.search(b'/bin/sh\x00')) bin_sh_addr = next(binary.search(b'/bin/sh\x00'))
# Address of system() function (hypothetical value) # Address of system() function (hypothetical value)
system_addr = 0xdeadcode system_addr = 0xdeadc0de
# A gadget to control the return address, typically found through analysis # A gadget to control the return address, typically found through analysis
ret_gadget = 0xcafebabe # This could be any gadget that allows us to control the return address ret_gadget = 0xcafebabe # This could be any gadget that allows us to control the return address
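Review bot: the `0xdeadcode` to `0xdeadc0de` change is a real bug fix, not just a typo, because `o` is not a hex digit and the original line would raise a `SyntaxError` before anything ran; the commit message could say so. For consistency, `ret_gadget = 0xcafebabe` is just as hypothetical as `system_addr` but only the latter carries the "(hypothetical value)" comment, and its trailing comment "any gadget that allows us to control the return address" is vague; a plain `ret` gadget is normally there for stack alignment or padding, so naming that purpose would be clearer.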
@ -105,7 +109,7 @@ And we know the address of the **system()** function.
Below is an example using **pwntools** to set up and execute a ROP chain aiming to execute **system('/bin/sh')** on **x64**: Below is an example using **pwntools** to set up and execute a ROP chain aiming to execute **system('/bin/sh')** on **x64**:
```python ```python
pythonCopy codefrom pwn import * from pwn import *
# Assuming we have the binary's ELF and its process # Assuming we have the binary's ELF and its process
binary = context.binary = ELF('your_binary_here') binary = context.binary = ELF('your_binary_here')
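Review bot: removing the `pythonCopy code` prefix from `from pwn import *` fixes a paste artifact that made the first line of the block invalid Python; since the x86 example above is built the same way, it is worth grepping the whole file for `Copy code` to catch any remaining copies. The `ELF('your_binary_here')` placeholder is fine, but the comment could note that assigning `context.binary` also sets `context.arch` from the ELF header, which is why no explicit `context.arch = 'amd64'` is needed in the x64 example.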