From b2ce11dbfaf60ea0090ca2ae972fef13a8d6e47f Mon Sep 17 00:00:00 2001 From: 7Rocky Date: Sat, 6 Apr 2024 14:59:37 +0200 Subject: [PATCH] Added partial overwrite --- .../linux-exploiting-basic-esp/stack-overflow/ret2win.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md index c1466f057..6337b6449 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: ## Basic Information -**Ret2win** challenges are a popular category in **Capture The Flag (CTF)** competitions, particularly in tasks that involve **binary exploitation**. The goal is to exploit a vulnerability in a given binary to execute a specific, uninvoked function within the binary, often named something like `win`, `ret2win`, etc. This function, when executed, usually prints out a flag or a success message. The challenge typically involves overwriting the **return address** on the stack to divert execution flow to the desired function. Here's a more detailed explanation with examples: +**Ret2win** challenges are a popular category in **Capture The Flag (CTF)** competitions, particularly in tasks that involve **binary exploitation**. The goal is to exploit a vulnerability in a given binary to execute a specific, uninvoked function within the binary, often named something like `win`, `flag`, etc. This function, when executed, usually prints out a flag or a success message. The challenge typically involves overwriting the **return address** on the stack to divert execution flow to the desired function. Here's a more detailed explanation with examples: ### C Example @@ -89,7 +89,7 @@ The Python script sends a carefully crafted message that, when processed by the ## Protections -* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. +* [**PIE**](../common-binary-protections-and-bypasses/pie/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address. * [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed. ## Other examples & References @@ -105,6 +105,8 @@ The Python script sends a carefully crafted message that, when processed by the * 32 bits, no ASLR, double small overflow, first to overflow the stack and enlarge the size of the second overflow * [https://guyinatuxedo.github.io/10-fmt\_strings/backdoor17\_bbpwn/index.html](https://guyinatuxedo.github.io/10-fmt\_strings/backdoor17\_bbpwn/index.html) * 32 bit, relro, no canary, nx, no pie, format string to overwrite the address `fflush` with the win function (ret2win) +* [https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/](https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/) + * 64 bit, relro, no canary, nx, pie. Partial overwrite to call the win function (ret2win)