Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

GITBOOK-4310: No subject

Browse source
This commit is contained in:
CPol 2024-04-13 14:12:48 +00:00 committed by gitbook-bot
parent 60b4b1aa07
commit e84358a8b5
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
7 changed files with 84 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
SUMMARY.md
View file

@ -709,7 +709,8 @@
* [Ret2syscall](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md)
* [Ret2syscall - ARM64](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md)
* [Ret2vDSO](binary-exploitation/rop-return-oriented-programing/ret2vdso.md)
* [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming.md)
* [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md)
* [SROP - ARM64](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md)
* [Array Indexing](binary-exploitation/array-indexing.md)
* [Integer Overflow](binary-exploitation/integer-overflow.md)
* [Format Strings](binary-exploitation/format-strings/README.md)

4
binary-exploitation/basic-binary-exploitation-methodology/README.md
View file

@ -69,7 +69,7 @@ Something to take into account is that usually **just one exploitation of a vuln
* In a bof with [**canary**](../common-binary-protections-and-bypasses/stack-canaries/), you will need to bypass it
* If you need to set several parameter to correctly call the **ret2win** function you can use:
* A [**ROP**](./#rop-and-ret2...-techniques) **chain if there are enough gadgets** to prepare all the params
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming.md) (in case you can call this syscall) to control a lot of registers
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) (in case you can call this syscall) to control a lot of registers
* Gadgets from [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) and [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to control several registers
* Via a [**Write What Where**](../arbitrary-write-2-exec/) you could abuse other vulns (not bof) to call the **`win`** function.
* [**Pointers Redirecting**](../stack-overflow/pointer-redirecting.md): In case the stack contains pointers to a function that is going to be called or to a string that is going to be used by an interesting function (system or printf), it's possible to overwrite that address.
@ -91,7 +91,7 @@ Something to take into account is that usually **just one exploitation of a vuln
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/): Useful to call `execve` to run arbitrary commands. You need to be able to find the **gadgets to call the specific syscall with the parameters**.
* If [**ASLR**](../common-binary-protections-and-bypasses/aslr/) or [**PIE**](../common-binary-protections-and-bypasses/pie/) are enabled you'll need to defeat them **in order to use ROP gadgets** from the binary or libraries.
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming.md) can be useful to prepare the **ret2execve**
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) can be useful to prepare the **ret2execve**
* Gadgets from [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) and [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to control several registers
#### Via libc

2
binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md
View file

@ -25,7 +25,7 @@ Therefore, it's possible to **fake all these structures** to make the dynamic li
Usually, all these structures are faked by making an **initial ROP chain that calls `read`** over a writable memory, then the **structures** and the string **`'/bin/sh'`** are passed so they are stored by read in a known location, and then the ROP chain continues by calling **`_dl_runtime_resolve`** , having it **resolve the address of `system`** in the fake structures and **calling this address** with the address to `$'/bin/sh'`.
{% hint style="success" %}
This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv/) or [SROP](srop-sigreturn-oriented-programming.md)) and there are't ways to leak libc addresses.
This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv/) or [SROP](srop-sigreturn-oriented-programming/)) and there are't ways to leak libc addresses.
{% endhint %}
You can find a better explanation about this technique in the second half of the video:

4
binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md
View file

@ -123,8 +123,8 @@ rop += writeGadget #Address to: mov qword ptr [rax], rdx
If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you can use the **SROP technique to control all the register values** (including RIP and params registers) from the stack:
{% content-ref url="../srop-sigreturn-oriented-programming.md" %}
[srop-sigreturn-oriented-programming.md](../srop-sigreturn-oriented-programming.md)
{% content-ref url="../srop-sigreturn-oriented-programming/" %}
[srop-sigreturn-oriented-programming](../srop-sigreturn-oriented-programming/)
{% endcontent-ref %}
## Exploit Example

14
binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md
View file

@ -62,7 +62,7 @@ In order to prepare the call for the **syscall** it's needed the following confi
* `x1: 0 specify no arguments passed`
* `x2: 0 specify no environment variables passed`
Using ROPgadget.py I was able to locate the following gadgets:
Using ROPgadget.py I was able to locate the following gadgets in the libc library of the machine:
{% code overflow="wrap" %}
```armasm
@ -76,15 +76,19 @@ Using ROPgadget.py I was able to locate the following gadgets:
;Move execve syscall (0xdd) to x8 and call it
0x00000000000bb97c :
nop ;
nop ;
mov x8, #0xdd ;
svc #0
nop ;
nop ;
mov x8, #0xdd ;
svc #0
```
{% endcode %}
With the previous gadgets we can control all the needed registers from the stack and use x5 to jump to the second gadget to call the syscall.
{% hint style="success" %}
Note that knowing this info from the libc library also allows to do a ret2libc attack, but lets use it for this current example.
{% endhint %}
### Exploit
```python

10
binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming.md → binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md
View file

@ -28,8 +28,8 @@ Calling the syscall **`sigreturn`** from a ROP chain and **adding the registry v
Note how this would be a **type of Ret2syscall** that makes much easier to control params to call other Ret2syscalls:
{% content-ref url="rop-syscall-execv/" %}
[rop-syscall-execv](rop-syscall-execv/)
{% content-ref url="../rop-syscall-execv/" %}
[rop-syscall-execv](../rop-syscall-execv/)
{% endcontent-ref %}
If you are curious this is the **sigcontext structure** stored in the stack to later recover the values (diagram from [**here**](https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html)):
@ -145,11 +145,11 @@ target.interactive()
* [https://youtu.be/ADULSwnQs-s?feature=shared](https://youtu.be/ADULSwnQs-s?feature=shared)
* [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop)
* [https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html](https://guyinatuxedo.github.io/16-srop/backdoor\_funsignals/index.html)
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](rop-syscall-execv/) via a **sigreturn** structure and read the flag which is inside the memory of the binary.
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](../rop-syscall-execv/) via a **sigreturn** structure and read the flag which is inside the memory of the binary.
* [https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html](https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html)
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](rop-syscall-execv/) via a **sigreturn** structure (the binary has the string `/bin/sh`).
* Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](../rop-syscall-execv/) via a **sigreturn** structure (the binary has the string `/bin/sh`).
* [https://guyinatuxedo.github.io/16-srop/inctf17\_stupidrop/index.html](https://guyinatuxedo.github.io/16-srop/inctf17\_stupidrop/index.html)
* 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](rop-syscall-execv/). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell.
* 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](../rop-syscall-execv/). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell.
* [https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html](https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html)
* 64 bits assembly program, no relro, no canary, nx, no pie. The flow allows to write in the stack, control several registers, and call a syscall and then it calls `exit`. The selected syscall is a `sigreturn` that will set registries and move `eip` to call a previous syscall instruction and run `memprotect` to set the binary space to `rwx` and set the ESP in the binary space. Following the flow, the program will call read intro ESP again, but in this case ESP will be pointing to the next intruction so passing a shellcode will write it as the next instruction and execute it.

63
binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md Normal file
View file

@ -0,0 +1,63 @@
# SROP - ARM64
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## Code
```c
#include <stdio.h>
#include <string.h>
void do_stuff(int do_arg){
if (do_arg == 1)
__asm__("mov x0, #139; svc #0;");
return;
}
char* vulnerable_function() {
char buffer[64];
fgets(buffer, sizeof(buffer)*3, stdin);
return buffer;
}
int main(int argc, char **argv) {
char* b = vulnerable_function();
do_stuff(2);
return 0;
}
```
Compile it with:
```bash
clang -o srop srop.c -fno-stack-protector
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space # Disable ASLR
```
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>