diff --git a/SUMMARY.md b/SUMMARY.md index bd38c7c2a..4c4e29333 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -700,8 +700,9 @@ * [Leaking libc - template](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md) * [Stack Shellcode](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md) * [Stack Pivoting - EBP2Ret - EBP chaining](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md) + * [Pointer Redirecting](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md) * [Ret2win](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md) - * [Ret2ret](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md) + * [Ret2ret & Reo2pop](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md) * [Ret2esp / Ret2reg](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md) * [SROP - Sigreturn-Oriented Programming](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md) * [Ret2dlresolve](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md) @@ -717,10 +718,11 @@ * [BF Addresses in the Stack](reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md) * [Relro](reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/relro.md) * [Stack Canaries](reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md) - * [BF Forked Stack Canaries](reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md) + * [BF Forked & Threaded Stack Canaries](reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md) * [Print Stack Canary](reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md) * [One Gadget](reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md) * [Arbitrary Write 2 Exec](reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md) + * [AWS2Exec - .dtors & .fini\_array](reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini\_array.md) * [AW2Exec - \_\_malloc\_hook](reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-\_\_malloc\_hook.md) * [AW2Exec - GOT/PLT](reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md) * [Common Exploiting Problems](reversing-and-exploiting/linux-exploiting-basic-esp/common-exploiting-problems.md) diff --git a/exploiting/linux-exploiting-basic-esp/README.md b/exploiting/linux-exploiting-basic-esp/README.md index de5c03c7d..0e0f21132 100644 --- a/exploiting/linux-exploiting-basic-esp/README.md +++ b/exploiting/linux-exploiting-basic-esp/README.md @@ -140,15 +140,7 @@ sc: ## **5.Métodos complementarios** -**Ret2Ret** -Útil para cuando no se puede meter una dirección del stack en el EIP (se comprueba que el EIP no contenga 0xbf) o cuando no se puede calcular la ubicación de la shellcode. Pero, la función vulnerable acepte un parámetro (la shellcode irá aquí). - -De esta forma, al cambiar el EIP por una dirección a un **ret**, se cargará la siguiente dirección (que es la dirección del primer argumento de la función). Es decir, se cargará la shellcode. - -El exploit quedaría: SHELLCODE + Relleno (hasta EIP) + **\&ret** (los siguientes bytes de la pila apuntan al inicio de la shellcode pues se mete en el stack la dirección al parámetro pasado) - -Al parecer funciones como **strncpy** una vez completas eliminan de la pila la dirección donde estaba guardada la shellcode imposibilitando esta técnica. Es decir, la dirección que pasan a la función como argumento (la que guarda la shellcode) es modificada por un 0x00 por lo que al llamar al segundo **ret** se encuentra con un 0x00 y el programa muere. @@ -162,44 +154,7 @@ De esta forma se obtendría de forma sensilla la dirección donde está la varia Esto se puede hacer gracias a que la función execle permite crear un entorno que solo tenga las variables de entorno que se deseen -**Integer overflows** -Este tipo de overflows se producen cuando una variable no está preparada para soportar un número tan grande como se le pasa, posiblemente por una confusión entre variables con y sin signo, por ejemplo: - -```c -#include -#include -#include - -int main(int argc, char *argv[]){ -int len; -unsigned int l; -char buffer[256]; -int i; -len = l = strtoul(argv[1], NULL, 10); -printf("\nL = %u\n", l); -printf("\nLEN = %d\n", len); -if (len >= 256){ -printf("\nLongitus excesiva\n"); -exit(1); -} -if(strlen(argv[2]) < l) -strcpy(buffer, argv[2]); -else -printf("\nIntento de hack\n"); -return 0; -} -``` - -En el ejemplo anterior vemos que el programa se espera 2 parámetros. El primero la longitud de la siguiente cadena y el segundo la cadena. - -Si le pasamos como primer parámetro un número negativo saldrá que len < 256 y pasaremos ese filtro, y además también strlen(buffer) será menor que l, pues l es unsigned int y será muy grande. - -Este tipo de overflows no busca lograr escribir algo en el proceso del programa, sino superar filtros mal diseñados para explotar otras vulnerabilidades. - -**Variables no inicializadas** - -No se sabe el valor que puede tomar una variable no inicializada y podría ser interesante observarlo. Puede ser que tome el valor que tomaba una variable de la función anterior y esta sea controlada por el atacante. ## @@ -209,58 +164,7 @@ No se sabe el valor que puede tomar una variable no inicializada y podría ser i ### -### **.fini\_array** - -Essentially this is a structure with **functions that will be called** before the program finishes. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go back to main again to **exploit the format string a second time**. - -```bash -objdump -s -j .fini_array ./greeting - -./greeting: file format elf32-i386 - -Contents of section .fini_array: - 8049934 a0850408 - -#Put your address in 0x8049934 -``` - -Note that this **won't** **create** an **eternal loop** because when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be recalled again. So with this you will be able to **have 1 more execution** of the vuln. - -### **Format Strings to Dump Content** - -A format string can also be abused to **dump content** from the memory of the program.\ -For example, in the following situation there is a **local variable in the stack pointing to a flag.** If you **find** where in **memory** the **pointer** to the **flag** is, you can make **printf access** that **address** and **print** the **flag**: - -So, flag is in **0xffffcf4c** - -![](<../../.gitbook/assets/image (618) (2).png>) - -And from the leak you can see the **pointer to the flag** is in the **8th** parameter: - -![](<../../.gitbook/assets/image (623).png>) - -So, **accessing** the **8th parameter** you can get the flag: - -![](<../../.gitbook/assets/image (624).png>) - -Note that following the **previous exploit** and realising that you can **leak content** you can **set pointers** to **`printf`** to the section where the **executable** is **loaded** and **dump** it **entirely**! - -### **DTOR** - -{% hint style="danger" %} -Nowadays is very **weird to find a binary with a dtor section**. -{% endhint %} - -The destructor are functions that are **executed before program finishes**.\ -If you manage to **write** an **address** to a **shellcode** in **`__DTOR_END__`** , that will be **executed** before the programs ends.\ -Get the address of this section with: - -```bash -objdump -s -j .dtors /exec -rabin -s /exec | grep “__DTOR” -``` - -Usually you will find the **DTOR** section **between** the values `ffffffff` and `00000000`. So if you just see those values, it means that there **isn't any function registered**. So **overwrite** the **`00000000`** with the **address** to the **shellcode** to execute it. +### ### **Format Strings to Buffer Overflows** diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md b/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md new file mode 100644 index 000000000..e9a6190b2 --- /dev/null +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md @@ -0,0 +1,72 @@ +# AWS2Exec - .dtors & .fini\_array + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## .dtors + +{% hint style="danger" %} +Nowadays is very **weird to find a binary with a .dtors section**. +{% endhint %} + +The destructors are functions that are **executed before program finishes** (after the `main` function returns).\ +The addresses to these functions are stored inside the **`.dtors`** section of the binary and therefore, if you manage to **write** the **address** to a **shellcode** in **`__DTOR_END__`** , that will be **executed** before the programs ends. + +Get the address of this section with: + +```bash +objdump -s -j .dtors /exec +rabin -s /exec | grep “__DTOR” +``` + +Usually you will find the **DTOR** markers **between** the values `ffffffff` and `00000000`. So if you just see those values, it means that there **isn't any function registered**. So **overwrite** the **`00000000`** with the **address** to the **shellcode** to execute it. + +{% hint style="warning" %} +Ofc, you first need to find a **place to store the shellcode** in order to later call it. +{% endhint %} + +## **.fini\_array** + +Essentially this is a structure with **functions that will be called** before the program finishes, like **`.dtors`**. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go **back to `main`** again to **exploit the vulnerability a second time**. + +```bash +objdump -s -j .fini_array ./greeting + +./greeting: file format elf32-i386 + +Contents of section .fini_array: + 8049934 a0850408 + +#Put your address in 0x8049934 +``` + +Note that this **won't** **create** an **eternal loop** because when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be recalled again. So with this you will be able to **have 1 more execution** of the vuln. + +{% hint style="danger" %} +Note that with [Full Relro](../common-binary-protections-and-bypasses/relro.md), the section `.fini_array` is made **read-only**. +{% endhint %} + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md b/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md index 41cbb6274..8d2790111 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md @@ -101,9 +101,26 @@ for off in range(0xb7000000, 0xb8000000, 0x1000): In 64bit systems the entropy is much higher and this isn't possible. {% endhint %} +### Local Information (`/proc/[pid]/stat`) + +The file **`/proc/[pid]/stat`** of a process is always readable by everyone and it **contains interesting** information such as: + +* **startcode** & **endcode**: Addresses above and below with the **TEXT** of the binary +* **startstack**: The address of the start of the **stack** +* **start\_data** & **end\_data**: Addresses above and below where the **BSS** is +* **kstkesp** & **kstkeip**: Current **ESP** and **EIP** addresses +* **arg\_start** & **arg\_end**: Addresses above and below where **cli arguments** are. +* **env\_start** &**env\_end**: Addresses above and below where **env variables** are. + +Therefore, if the attacker is in the same computer as the binary being exploited and this binary doesn't expect the overflow from raw arguments, but from a different **input that can be crafted after reading this file**. It's possible for an attacker to **get some addresses from this file and construct offsets from them for the exploit**. + +{% hint style="success" %} +For more info about this file check [https://man7.org/linux/man-pages/man5/proc.5.html](https://man7.org/linux/man-pages/man5/proc.5.html) searching for `/proc/pid/stat` +{% endhint %} + ### Having a leak -* **Challenge is giving a leak** +* **The challenge is giving a leak** If you are given a leak (easy CTF challenges), you can calculate offsets from it (supposing for example that you know the exact libc version that is used in the system you are exploiting). This example exploit is extract from the [**example from here**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/aslr-bypass-with-given-leak) (check that page for more details): @@ -161,7 +178,7 @@ You can find more info about Format Strings arbitrary read in: [format-strings](../../format-strings/) {% endcontent-ref %} -### Ret2ret +### Ret2ret & Ret2pop Try to bypass ASLR abusing addresses inside the stack: diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md b/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md index bd2d4cec2..2a1cabc04 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md @@ -85,6 +85,13 @@ p.sendline(payload) p.interactive() ``` +## Other examples & References + +* [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html) + * 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call `system('/bin/sh')` +* [https://guyinatuxedo.github.io/08-bof\_dynamic/fb19\_overfloat/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/fb19\_overfloat/index.html) + * 64 bits, ASLR enabled, no canary, stack overflow in main from a child function. ROP gadget to call puts to leak the address of puts from the GOT and then call an one gadget. +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md b/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md index 05ec541bb..306e0ecca 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md @@ -30,6 +30,16 @@ This local protection identifies functions with buffers vulnerable to attacks an When a web server uses `fork()`, it enables a brute-force attack to guess the canary byte by byte. However, using `execve()` after `fork()` overwrites the memory space, negating the attack. `vfork()` allows the child process to execute without duplication until it attempts to write, at which point a duplicate is created, offering a different approach to process creation and memory handling. +### Lengths + +In `x64` binaries, the canary cookie is an **`0x8`** byte qword. The **first seven bytes are random** and the last byte is a **null byte.** + +In `x86` binaries, the canary cookie is a **`0x4`** byte dword. The f**irst three bytes are random** and the last byte is a **null byte.** + +{% hint style="danger" %} +The least significant byte of both canaries is a null byte because it'll be the first in the stack coming from lower addresses and therefore **functions that read strings will stop before reading it**. +{% endhint %} + ## Bypasses **Leaking the canary** and then overwriting it (e.g. buffer overflow) with its own value. @@ -40,12 +50,24 @@ When a web server uses `fork()`, it enables a brute-force attack to guess the ca [bf-forked-stack-canaries.md](bf-forked-stack-canaries.md) {% endcontent-ref %} -* If there is some interesting leak vulnerability in the binary it might be possible to leak it: +* If there is some interesting **leak or arbitrary read vulnerability** in the binary it might be possible to leak it: {% content-ref url="print-stack-canary.md" %} [print-stack-canary.md](print-stack-canary.md) {% endcontent-ref %} +* **Overwriting stack stored pointers** + +The stack vulnerable to a stack overflow might **contain addresses to strings or functions that can be overwritten** in order to exploit the vulnerability without needing to reach the stack canary. Check: + +{% content-ref url="../../stack-overflow/pointer-redirecting.md" %} +[pointer-redirecting.md](../../stack-overflow/pointer-redirecting.md) +{% endcontent-ref %} + +## References + +* [https://guyinatuxedo.github.io/7.1-mitigation\_canary/index.html](https://guyinatuxedo.github.io/7.1-mitigation\_canary/index.html) +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md b/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md index 4e5816ff2..2de460eb8 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md @@ -1,4 +1,4 @@ -# BF Forked Stack Canaries +# BF Forked & Threaded Stack Canaries
@@ -118,7 +118,11 @@ canary = breakCanary() log.info(f"The canary is: {canary}") ``` +## Threads +Threads of the same process will also **share the same canary token**, therefore it'll be possible to **brute-forc**e a canary if the binary spawns a new thread every time an attack happens. +## Other examples & references - +* [https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html) + * 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there. diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md b/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md index 28b939a0a..8e6eb71da 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md @@ -24,7 +24,10 @@ With this info the attacker can **craft and send a new attack** knowing the cana Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**. -**CTF example:** [**https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html**](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html) +**CTF examples:** + +* [**https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html**](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html) + * 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call `system('/bin/sh')` ## Arbitrary Read diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md b/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md index 05240a110..a9634d1cf 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md @@ -174,6 +174,12 @@ p.interactive() * [https://ir0nstone.gitbook.io/notes/types/stack/format-string](https://ir0nstone.gitbook.io/notes/types/stack/format-string) * [https://www.youtube.com/watch?v=t1LH9D5cuK4](https://www.youtube.com/watch?v=t1LH9D5cuK4) +* [https://guyinatuxedo.github.io/10-fmt\_strings/pico18\_echo/index.html](https://guyinatuxedo.github.io/10-fmt\_strings/pico18\_echo/index.html) + * 32 bit, no relro, no canary, nx, no pie, basic use of format strings to leak the flag from the stack (no need to alter the execution flow) +* [https://guyinatuxedo.github.io/10-fmt\_strings/backdoor17\_bbpwn/index.html](https://guyinatuxedo.github.io/10-fmt\_strings/backdoor17\_bbpwn/index.html) + * 32 bit, relro, no canary, nx, no pie, format string to overwrite the address `fflush` with the win function (ret2win) +* [https://guyinatuxedo.github.io/10-fmt\_strings/tw16\_greeting/index.html](https://guyinatuxedo.github.io/10-fmt\_strings/tw16\_greeting/index.html) + * 32 bit, relro, no canary, nx, no pie, format string to write an address inside main in `.fini_array` (so the flow loops back 1 more time) and write the address to `system` in the GOT table pointing to `strlen`. When the flow goes back to main, `strlen` is executed with user input and pointing to `system`, it will execute the passed commands.
diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md new file mode 100644 index 000000000..6249bb8e7 --- /dev/null +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md @@ -0,0 +1,53 @@ +# Pointer Redirecting + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## String pointers + +If a function call is going to use an address of a string that is located in the stack, it's possible to abuse the buffer overflow to **overwrite this address** and put an **address to a different string** inside the binary. + +If for example a **`system`** function call is going to **use the address of a string to execute a command**, an attacker could place the **address of a different string in the stack**, **`export PATH=.:$PATH`** and create in the current directory an **script with the name of the first letter of the new string** as this will be executed by the binary. + +You can find an example of this in: + +* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c) +* [https://guyinatuxedo.github.io/04-bof\_variable/tw17\_justdoit/index.html](https://guyinatuxedo.github.io/04-bof\_variable/tw17\_justdoit/index.html) + * 32bit, change address to flags string in the stack so it's printed bu `puts` + +## Function pointers + +Same as string pointer but applying to functions, if the **stack contains the address of a function** that will be called, it's possible to **change it** (e.g. to call **`system`**). + +You can find an example in: + +* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c) + +## References + +* [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting) + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md index b32cea750..d15fc37cc 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md @@ -143,6 +143,17 @@ This basically means abusing a **Ret2lib to transform it into a `printf` format [format-strings](../../format-strings/) {% endcontent-ref %} +## Other Examples & references + +* [https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html) + * Ret2lib, given a leak to the address of a function in libc, using one gadget +* [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html) + * 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call `system('/bin/sh')` +* [https://guyinatuxedo.github.io/08-bof\_dynamic/fb19\_overfloat/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/fb19\_overfloat/index.html) + * 64 bits, ASLR enabled, no canary, stack overflow in main from a child function. ROP gadget to call puts to leak the address of puts from the GOT and then call an one gadget. +* [https://guyinatuxedo.github.io/08-bof\_dynamic/hs19\_storytime/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/hs19\_storytime/index.html) + * 64 bits, no pie, no canary, no relro, nx. Uses write function to leak the address of write (libc) and calls one gadget. +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md index 24de43e7c..498955a71 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md @@ -1,4 +1,4 @@ -# Ret2ret +# Ret2ret & Reo2pop
@@ -14,7 +14,7 @@ Other ways to support HackTricks:
-## Basic Information +## Ret2ret The main goal of this technique is to try to **bypass ASLR by abusing an existing pointer in the stack**. @@ -26,9 +26,18 @@ Therefore the attack would be like this: * NOP sled * Shellcode -* Overwrite the stack from the EIP with **addresses to `ret`** +* Overwrite the stack from the EIP with **addresses to `ret`** (RET sled) * 0x00 added by the string modifying an address from the stack making it point to the NOP sled +Following [**this link**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2ret.c) you can see an example of a vulnerable binary and [**in this one**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2retexploit.c) the exploit. + +## Ret2pop + +In case you can find a **perfect pointer in the stack that you don't want to modify** (in `ret2ret` we changes the final lowest byte to `0x00`), you can perform the same `ret2ret` attack, but the **length of the RET sled must be shorted by 1** (so the final `0x00` overwrites the data just before the perfect pointer), and the **last** address of the RET sled must point to **`pop ; ret`**.\ +This way, the **data before the perfect pointer will be removed** from the stack (this is the data affected by the `0x00`) and the **final `ret` will point to the perfect address** in the stack without any change. + +Following [**this link**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2pop.c) you can see an example of a vulnerable binary and [**in this one** ](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2popexploit.c)the exploit. + ## References * [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md) diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md index 18596ec86..c1466f057 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md @@ -96,6 +96,15 @@ The Python script sends a carefully crafted message that, when processed by the * [https://ir0nstone.gitbook.io/notes/types/stack/ret2win](https://ir0nstone.gitbook.io/notes/types/stack/ret2win) * [https://guyinatuxedo.github.io/04-bof\_variable/tamu19\_pwn1/index.html](https://guyinatuxedo.github.io/04-bof\_variable/tamu19\_pwn1/index.html) + * 32bit, no ASLR +* [https://guyinatuxedo.github.io/05-bof\_callfunction/csaw16\_warmup/index.html](https://guyinatuxedo.github.io/05-bof\_callfunction/csaw16\_warmup/index.html) + * 64 bits with ASLR, with a leak of the bin address +* [https://guyinatuxedo.github.io/05-bof\_callfunction/csaw18\_getit/index.html](https://guyinatuxedo.github.io/05-bof\_callfunction/csaw18\_getit/index.html) + * 64 bits, no ASLR +* [https://guyinatuxedo.github.io/05-bof\_callfunction/tu17\_vulnchat/index.html](https://guyinatuxedo.github.io/05-bof\_callfunction/tu17\_vulnchat/index.html) + * 32 bits, no ASLR, double small overflow, first to overflow the stack and enlarge the size of the second overflow +* [https://guyinatuxedo.github.io/10-fmt\_strings/backdoor17\_bbpwn/index.html](https://guyinatuxedo.github.io/10-fmt\_strings/backdoor17\_bbpwn/index.html) + * 32 bit, relro, no canary, nx, no pie, format string to overwrite the address `fflush` with the win function (ret2win)
diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md index 5018bdc2e..081ddc80a 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md @@ -119,7 +119,7 @@ If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you ca [srop-sigreturn-oriented-programming.md](srop-sigreturn-oriented-programming.md) {% endcontent-ref %} -## Example +## Exploit Example ```python from pwn import * @@ -188,9 +188,14 @@ target.sendline(payload) target.interactive() ``` -## References +## Other Examples & References * [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html) + * 64 bits, no PIE, nx, write in some memory a ROP to call `execve` and jump there. +* [https://guyinatuxedo.github.io/07-bof\_static/bkp16\_simplecalc/index.html](https://guyinatuxedo.github.io/07-bof\_static/bkp16\_simplecalc/index.html) + * 64 bits, nx, no PIE, write in some memory a ROP to call `execve` and jump there. In order to write to the stack a function that performs mathematical operations is abused +* [https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html) + * 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.
diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md index 08f87709f..4fd2b02d2 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md @@ -32,17 +32,25 @@ And as the **EBP is in the stack** before the EIP it's possible to control it co This technique is particularly useful when you can **alter the EBP register but have no direct way to change the EIP register**. It leverages the behaviour of functions when they finish executing. -If, during `fvuln`'s execution, you manage to inject a **fake EBP** in the stack that points to an area in memory where your shellcode's address is located (plus 4 bytes to account for the `pop` operation), you can indirectly control the EIP. As `fvuln` returns, the ESP is set to this crafted location, and the subsequent `pop` operation decreases ESP by 4, effectively making it point to your shellcode. When the `ret` instruction is executed, control is transferred to your shellcode. +If, during `fvuln`'s execution, you manage to inject a **fake EBP** in the stack that points to an area in memory where your shellcode's address is located (plus 4 bytes to account for the `pop` operation), you can indirectly control the EIP. As `fvuln` returns, the ESP is set to this crafted location, and the subsequent `pop` operation decreases ESP by 4, **effectively making it point to an address store by the attacker in there.**\ +Note how you **need to know 2 addresses**: The one where ESP is going to go, where you will need to write the address that is pointed by ESP. #### Exploit Construction -First you need to **inject your shellcode** somewhere in an executable memory and **get the address**, or get the address to a valid [**ONE\_GADGET**](https://github.com/david942j/one\_gadget), or make the ESP point to a place with the address of **`system()`** followed by **4 junk bytes** and the address of `"/bin/sh"`. +First you need to know an **address where you can write arbitrary data / addresses**. The ESP will point here and **run the first `ret`**. -Then, create a padding and **compromise the EBP** with the `address to the shellcode/one_gadget - 4`. It must be `-4` because of the `pop`. Then, the `ESP` will be pointing to our desired address and and the `ret` will be executed. +Then, you need to know the address used by `ret` that will **execute arbitrary code**. You could use: + +* A valid [**ONE\_GADGET**](https://github.com/david942j/one\_gadget) address. +* The address of **`system()`** followed by **4 junk bytes** and the address of `"/bin/sh"` (x86 bits). +* The address of a **`jump esp;`** gadget ([**ret2esp**](ret2esp-ret2reg.md)) followed by the **shellocde** to execute. +* Some [**ROP**](rop-return-oriented-programing.md) chain + +Remember than before any of these addresses in the controlled part of the memory, there must be **`4` bytes** because of the **`pop`** part of the `leave` instruction. It would be possible to abuse these 4B to set a **second fake EBP** and continue controlling the execution. #### Off-By-One Exploit -There's a specific variant of this technique known as an "Off-By-One Exploit". It's used when you can **only modify the least significant byte of the EBP**. In such a case, the memory location storing the shellcode's address must share the first three bytes with the EBP, allowing for a similar manipulation with more constrained conditions. +There's a specific variant of this technique known as an "Off-By-One Exploit". It's used when you can **only modify the least significant byte of the EBP**. In such a case, the memory location storing the address to jumo to with the **`ret`** must share the first three bytes with the EBP, allowing for a similar manipulation with more constrained conditions. ### **EBP Chaining** @@ -97,6 +105,37 @@ p.sendline(payload) print(p.recvline()) ``` +## EBP is useless + +As [**explained in this post**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#off-by-one-1), if a binary is compiled with some optimizations, the **EBP never gets to control ESP**, therefore, any exploit working by controlling EBP sill basically fail because it doesn't have ay real effect.\ +This is because the **prologue and epilogue changes** if the binary is optimized. + +* **Not optimized:** + +```bash +push %ebp # save ebp +mov %esp,%ebp # set new ebp +sub $0x100,%esp # increase stack size +. +. +. +leave # restore ebp (leave == mov %ebp, %esp; pop %ebp) +ret # return +``` + +* **Optimized:** + +```bash +push %ebx # save ebx +sub $0x100,%esp # increase stack size +. +. +. +add $0x10c,%esp # reduce stack size +pop %ebx # restore ebx +ret # return +``` + ## Other ways to control RSP ### **`pop rsp`** gadget diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md index 0a626d630..b9476c742 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md @@ -94,9 +94,15 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w * [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed. * [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection would prevent the execution of the shellcode inside the stack because that region won't be executable. -## Other Examples +## Other Examples & References * [https://ir0nstone.gitbook.io/notes/types/stack/shellcode](https://ir0nstone.gitbook.io/notes/types/stack/shellcode) +* [https://guyinatuxedo.github.io/06-bof\_shellcode/csaw17\_pilot/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/csaw17\_pilot/index.html) + * 64bit, ASLR with stack address leak, write shellcode and jump to it +* [https://guyinatuxedo.github.io/06-bof\_shellcode/tamu19\_pwn3/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/tamu19\_pwn3/index.html) + * 32 bit, ASLR with stack leak, write shellcode and jump to it +* [https://guyinatuxedo.github.io/06-bof\_shellcode/tu18\_shellaeasy/index.html](https://guyinatuxedo.github.io/06-bof\_shellcode/tu18\_shellaeasy/index.html) + * 32 bit, ASLR with stack leak, comparison to prevent call to exit(), overwrite variable with a value and write shellcode and jump to it