mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-01 08:59:30 +00:00
74 lines
5.2 KiB
Markdown
# EBP2Ret - EBP chaining

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## Basic Information
This technique exploits the ability to manipulate the **Base Pointer (EBP)** to chain the execution of multiple functions through careful use of the EBP register and the `leave; ret` instruction sequence.

As a reminder, **`leave`** is `mov %ebp, %esp; pop %ebp`, so the `leave; ret` epilogue amounts to:

```
movl %ebp, %esp   # leave, step 1: ESP now points at the saved EBP slot
popl %ebp         # leave, step 2: load the saved EBP into EBP, ESP += 4
ret               # pop the word at ESP (normally the saved EIP) into EIP
```

And since the saved EBP sits on the stack right before the saved EIP, an overflow that reaches the return address also overwrites it, so controlling the stack means controlling EBP.

### EBP2Ret
This technique is particularly useful when you can **alter the EBP register but have no direct way to change the EIP register**. It leverages the behaviour of functions when they finish executing.

If, during `fvuln`'s execution, you manage to inject a **fake EBP** into the stack that points 4 bytes before a memory location holding your shellcode's address (the 4 bytes account for the `pop`), you can indirectly control the EIP. Once a function epilogue (`leave; ret`) runs with that fake EBP in place, ESP is set to the crafted location and the subsequent `pop ebp` advances ESP by 4, leaving it pointing exactly at the word that holds your shellcode's address. When the `ret` instruction is executed, control is transferred to your shellcode.

#### Exploit Construction

First you need to **inject your shellcode** somewhere in executable memory and **get its address**, or get the address of a valid [**ONE\_GADGET**](https://github.com/david942j/one\_gadget), or make the ESP point to a place holding the address of **`system()`** followed by **4 junk bytes** and the address of `"/bin/sh"`.

Then build the padding and **overwrite the saved EBP** with the `address where the shellcode/one_gadget address is stored - 4`. It must be `-4` because of the `pop`: after it, `ESP` points at our desired address and the `ret` is executed.

#### Off-By-One Exploit

There's a specific variant of this technique known as an "Off-By-One Exploit". It's used when you can **only modify the least significant byte of the saved EBP**. In such a case, the memory location storing the shellcode's address must share its upper three bytes with the current EBP value, allowing for a similar manipulation under more constrained conditions.

### EBP Chaining

Therefore, putting a controlled address in the `EBP` entry of the stack and the address of a `leave; ret` gadget in `EIP`, it's possible to **move the `ESP` to the controlled `EBP` address from the stack**.

Now the **`ESP`** is controlled, pointing to a desired address, and the next instruction to execute is a `RET`. To abuse this, it's possible to place the following at the controlled ESP location:

* **`&(next fake EBP)`** -> Loaded into EBP by the `pop ebp` of the `leave` instruction
* **`system()`** -> Called by `ret`
* **`&(leave;ret)`** -> Executed after `system` returns; it moves ESP to the fake EBP and starts again
* **`&("/bin/sh")`** -> Parameter for `system`

Basically this way it's possible to chain several fake EBPs to control the flow of the program.
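To check the arithmetic described above (the `-4` in EBP2Ret and the frame layout of the chain) without touching a real process, here is a small model of `leave; ret` over a fake 32-bit stack. This is an added example, not code from HackTricks or from any real binary: `Cpu32`, the addresses `STACK`, `SYSTEM`, `LEAVE_RET`, `BINSH`, `SHELLCODE` and `EXIT` are constructed stand-ins, and `system()` is simulated by recording its argument and returning.

```python
import struct

WORD = 4
STACK = 0xbffff000      # constructed sample address (all addresses here are), not from a real binary
SYSTEM = 0xb7e42000     # stands in for system()
LEAVE_RET = 0x08048500  # stands in for a `leave; ret` gadget (or a caller's epilogue)
BINSH = 0x0804a010      # stands in for a "/bin/sh" string
SHELLCODE = 0x0804b000  # stands in for injected shellcode
EXIT = 0xb7e30000       # stands in for wherever the chain is told to end

class Cpu32:  # esp/ebp/eip plus a little-endian memory window; nothing else is modelled
    def __init__(self):
        self.mem, self.calls = bytearray(0x200), []   # calls: arguments passed to system()
        self.esp = self.ebp = self.eip = 0
    def write32(self, a, v): self.mem[a - STACK:a - STACK + WORD] = struct.pack("<I", v)
    def read32(self, a): return struct.unpack("<I", self.mem[a - STACK:a - STACK + WORD])[0]
    def leave_ret(self):             # mov %ebp,%esp ; pop %ebp ; ret
        self.esp = self.ebp
        self.ebp = self.read32(self.esp)
        self.esp += WORD             # the pop advances esp by 4, so ret takes [fake ebp + 4]
        self.eip, self.esp = self.read32(self.esp), self.esp + WORD
    def run(self, saved_ebp, saved_eip):  # fvuln's overflowed frame sits at STACK + 0x10
        self.ebp = STACK + 0x10
        self.write32(self.ebp, saved_ebp)
        self.write32(self.ebp + WORD, saved_eip)
        self.leave_ret()             # fvuln's own epilogue
        while True:                  # follow the flow through the gadget and system() calls
            if self.eip == SYSTEM:   # on entry [esp] = return address, [esp+4] = argument
                self.calls.append(self.read32(self.esp + WORD))
                self.eip, self.esp = self.read32(self.esp), self.esp + WORD   # system() returns
            elif self.eip == LEAVE_RET:
                self.leave_ret()
            else:
                return self.eip

def ebp2ret():
    # EBP2Ret: saved EBP -> (slot holding &shellcode) - 4; saved EIP stays the normal return into the caller's leave; ret
    cpu = Cpu32()
    cpu.write32(STACK + 0x40, SHELLCODE)
    return cpu.run(saved_ebp=STACK + 0x40 - WORD, saved_eip=LEAVE_RET)   # -> SHELLCODE

def ebp_chain(args):
    # EBP chaining: per call one fake frame [&next fake EBP][&system][&leave;ret][&arg], linked via word 0
    cpu = Cpu32()
    frames = [STACK + 0x40 + 0x10 * i for i in range(len(args) + 1)]
    for i, arg in enumerate(args):
        for off, val in enumerate((frames[i + 1], SYSTEM, LEAVE_RET, arg)):
            cpu.write32(frames[i] + off * WORD, val)
    cpu.write32(frames[-1] + WORD, EXIT)   # terminator frame: [junk][final ret target]
    return cpu.run(saved_ebp=frames[0], saved_eip=LEAVE_RET), cpu.calls
```

`ebp_chain` returns where control ends up together with the list of arguments `system()` was handed, one per fake frame, which is what a chain of N fake EBPs buys you.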
Tbh, this is like a [ret2lib](ret2lib/), but more complex with no apparent benefit but could be interesting in some edge-cases.