mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
Added tools and fixed typos
This commit is contained in:
parent
b2ce11dbfa
commit
1d9352d8be
1 changed files with 7 additions and 3 deletions
|
@ -24,6 +24,10 @@ Other ways to support HackTricks:
|
|||
2. **Gadget Chaining**: The attacker then carefully selects and chains gadgets to perform the desired actions. This could involve setting up arguments for a function call, calling the function (e.g., `system("/bin/sh")`), and handling any necessary cleanup or additional operations.
|
||||
3. **Payload Execution**: When the vulnerable function returns, instead of returning to a legitimate location, it starts executing the chain of gadgets.
|
||||
|
||||
### Tools
|
||||
|
||||
Typically, gadgets can be found using **[ROPgadget](https://github.com/JonathanSalwan/ROPgadget)**, **[ropper](https://github.com/sashs/Ropper)** or directly from **pwntools** ([ROP](https://docs.pwntools.com/en/stable/rop/rop.html)).
|
||||
|
||||
## ROP Chain in x86 Example
|
||||
|
||||
### **x86 (32-bit) Calling conventions**
|
||||
|
@ -37,7 +41,7 @@ First, let's assume we've identified the necessary gadgets within the binary or
|
|||
|
||||
* `pop eax; ret`: This gadget pops the top value of the stack into the `EAX` register and then returns, allowing us to control `EAX`.
|
||||
* `pop ebx; ret`: Similar to the above, but for the `EBX` register, enabling control over `EBX`.
|
||||
* `mov [ebx], eax; ret`: Moves the value in `EAX` to the memory location pointed to by `EBX` and then returns.
|
||||
* `mov [ebx], eax; ret`: Moves the value in `EAX` to the memory location pointed to by `EBX` and then returns. This is often called a **write-what-where gadget**.
|
||||
* Additionally, we have the address of the `system()` function available.
|
||||
|
||||
### **ROP Chain**
|
||||
|
@ -60,7 +64,7 @@ p = process(binary.path)
|
|||
bin_sh_addr = next(binary.search(b'/bin/sh\x00'))
|
||||
|
||||
# Address of system() function (hypothetical value)
|
||||
system_addr = 0xdeadcode
|
||||
system_addr = 0xdeadc0de
|
||||
|
||||
# A gadget to control the return address, typically found through analysis
|
||||
ret_gadget = 0xcafebabe # This could be any gadget that allows us to control the return address
|
||||
|
@ -105,7 +109,7 @@ And we know the address of the **system()** function.
|
|||
Below is an example using **pwntools** to set up and execute a ROP chain aiming to execute **system('/bin/sh')** on **x64**:
|
||||
|
||||
```python
|
||||
pythonCopy codefrom pwn import *
|
||||
from pwn import *
|
||||
|
||||
# Assuming we have the binary's ELF and its process
|
||||
binary = context.binary = ELF('your_binary_here')
|
||||
|
|
Loading…
Reference in a new issue