4.7 KiB
Ret2ret & Reo2pop
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Ret2ret
The main goal of this technique is to try to bypass ASLR by abusing an existing pointer in the stack.
Basically, stack overflows are usually caused by strings, and strings end with a null byte at the end in memory. This allows to try to reduce the place pointed by na existing pointer already existing n the stack. So if the stack contained 0xbfffffdd, this overflow could transform it into 0xbfffff00 (note the last zeroed byte).
If that address points to our shellcode in the stack, it's possible to make the flow reach that address by adding addresses to the ret instruction util this one is reached.
Therefore the attack would be like this:
- NOP sled
- Shellcode
- Overwrite the stack from the EIP with addresses to
ret(RET sled) - 0x00 added by the string modifying an address from the stack making it point to the NOP sled
Following this link you can see an example of a vulnerable binary and in this one the exploit.
Ret2pop
In case you can find a perfect pointer in the stack that you don't want to modify (in ret2ret we changes the final lowest byte to 0x00), you can perform the same ret2ret attack, but the length of the RET sled must be shorted by 1 (so the final 0x00 overwrites the data just before the perfect pointer), and the last address of the RET sled must point to pop <reg>; ret.
This way, the data before the perfect pointer will be removed from the stack (this is the data affected by the 0x00) and the final ret will point to the perfect address in the stack without any change.
Following this link you can see an example of a vulnerable binary and in this one the exploit.
References
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.