Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fixes and small corrections

Browse source
This commit is contained in:
7Rocky 2024-04-06 14:56:37 +02:00
parent f6b55df44c
commit 1e25d6ed34
9 changed files with 14 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md
View file

@ -62,7 +62,7 @@ You can see the PLT addresses with **`objdump -j .plt -d ./vuln_binary`**
## **Protections**
The **FullRELRO** protection is meant to protect agains this kind of technique by resolving all the addresses of the functions when the binary is started and making the **GOT table read only** after it:
The **Full RELRO** protection is meant to protect agains this kind of technique by resolving all the addresses of the functions when the binary is started and making the **GOT table read only** after it:
{% content-ref url="../common-binary-protections-and-bypasses/relro.md" %}
[relro.md](../common-binary-protections-and-bypasses/relro.md)

2
reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md
View file

@ -54,7 +54,7 @@ Contents of section .fini_array:
Note that this **won't** **create** an **eternal loop** because when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be recalled again. So with this you will be able to **have 1 more execution** of the vuln.
{% hint style="danger" %}
Note that with [Full Relro](../common-binary-protections-and-bypasses/relro.md), the section `.fini_array` is made **read-only**.
Note that with [Full RELRO](../common-binary-protections-and-bypasses/relro.md), the section `.fini_array` is made **read-only**.
{% endhint %}
<details>

2
reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md
View file

@ -95,7 +95,7 @@ The previous data is for 32-bit systems and the reduced final entropy makes poss
for off in range(0xb7000000, 0xb8000000, 0x1000):
```
* If attacking a remote server, you could try to **burte-force the address of the `libc` function `usleep`**, passing as argument 10 (for example). If at some point the **server takes 10s extra to respond**, you found the address of this function.
* If attacking a remote server, you could try to **brute-force the address of the `libc` function `usleep`**, passing as argument 10 (for example). If at some point the **server takes 10s extra to respond**, you found the address of this function.
{% hint style="success" %}
In 64bit systems the entropy is much higher and this isn't possible.

4
reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md
View file

@ -39,12 +39,12 @@ payload = flat(
)
```
Note how **`puts`** (using the address from the PLT) is called with the address of `puts` located in the `GOT`. This is because by the time `puts` prints the `GOT` entry of puts, this **entry will contain the address of `puts` in memory**.
Note how **`puts`** (using the address from the PLT) is called with the address of `puts` located in the GOT (Global Offset Table). This is because by the time `puts` prints the GOT entry of `puts`, this **entry will contain the exact address of `puts` in memory**.
Also note how the address of `main` is used in the exploit so when `puts` ends its execution, the **binary calls `main` again instead of exiting** (so the leaked address will continue to be valid).
{% hint style="danger" %}
Note how in order for this to work the **binary cannot be compiled with PIE** or you must have **found a leak to bypass PIE** in order to know the address of the `PLT`, `GOT` and `main`.
Note how in order for this to work the **binary cannot be compiled with PIE** or you must have **found a leak to bypass PIE** in order to know the address of the PLT, GOT and `main`. Otherwise, you need to bypass PIE first.
{% endhint %}
You can find a [**full example of this bypass here**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/ret2plt-aslr-bypass). This was the final exploit from that example:

2
reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md
View file

@ -29,7 +29,7 @@ rop2 = base + p64(ONE_GADGET) + "\x00"*100
To the address indicated by One Gadget you need to **add the base address where `libc`** is loaded.
{% hint style="success" %}
One Gadget is a **great help for Arbitrary Write 2 Exec techniques** and might **simplifies ROP** chains as you only need to call one address (and fulfill the requirements).
One Gadget is a **great help for Arbitrary Write 2 Exec techniques** and might **simplifie ROP chains** as you only need to call one address (and fulfill the requirements).
{% endhint %}
<details>

2
reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md
View file

@ -14,7 +14,7 @@ Other ways to support HackTricks:
</details>
## **Rest2esp**
## **Ret2esp**
**Because the ESP (Stack Pointer) always points to the top of the stack**, this technique involves replacing the EIP (Instruction Pointer) with the address of a **`jmp esp`** or **`call esp`** instruction. By doing this, the shellcode is placed right after the overwritten EIP. When the `ret` instruction executes, ESP points to the next address, precisely where the shellcode is stored.

2
reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/README.md
View file

@ -17,7 +17,7 @@ Other ways to support HackTricks:
## Quick Resume
1. **Find** overflow **offset**
2. **Find** `POP_RDI`, `PUTS_PLT` and `MAIN_PLT` gadgets
2. **Find** `POP_RDI` gadget, `PUTS_PLT` and `MAIN`
3. Use previous gadgets lo **leak the memory address** of puts or another libc function and **find the libc version** ([donwload it](https://libc.blukat.me))
4. With the library, **calculate the ROP and exploit it**

2
reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md
View file

@ -205,7 +205,7 @@ P.interactive() #Interact with your shell :)
## MAIN\_PLT = elf.symbols\['main'] not found
If the "main" symbol does not exist. Then you can just where is the main code:
If the "main" symbol does not exist (probably because it's a stripped binary). Then you can just where is the main code:
```python
objdump -d vuln_binary | grep "\.text"

10
reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
View file

@ -21,8 +21,8 @@ This technique exploits the ability to manipulate the **Base Pointer (EBP)** to
As a reminder, **`leave`** basically means:
```
movl %ebp, %esp
popl %ebp
mov esp, ebp
pop ebp
ret
```
@ -65,7 +65,7 @@ Now, the **`ESP`** is controlled pointing to a desired address and the next inst
Basically this way it's possible to chain several fake EBPs to control the flow of the program.
Tbh, this is like a [ret2lib](ret2lib/), but more complex with no apparent benefit but could be interesting in some edge-cases.
This is like a [ret2lib](ret2lib/), but more complex with no apparent benefit but could be interesting in some edge-cases.
Moreover, here you have an [**example of a challenge**](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/leave) that uses this technique with a **stack leak** to call a winning function. This is the final payload from the page:
@ -186,12 +186,12 @@ p.sendline(payload)
print(p.recvline())
```
### xchg \<rag>, rsp gadget
### xchg \<reg>, rsp gadget
```
pop <reg> <=== return pointer
<reg value>
xchg <rag>, rsp
xchg <reg>, rsp
```
## References