ELF INFO
#Hex to Decimal
printf "%d\n" 0x18
#Get ELF headers
readelf -h hello_world
#Get Program Headers - 9 Headers
readelf --wide -l hello_world
#Get Sections from an ELF
readelf --wide -S hello_world
#Get the contents of a section
readelf -x .rodata hello_world
#get the hex data of any section from a binary file
readelf -x .text hello_world
readelf -x .rodata hello_world
#get a specific function using readelf
readelf -a /usr/lib32/libc-2.31.so | grep mprotect
#Print Symbols from a binary
objdump --wide -t symbol
#Object Dump
objdump -D hello_world
#get shellcode from the binary
for i in $(objdump -d ./Hello_stack |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo
#Generate assembly instructions; this produces the assembly file hello.s
gcc -S hello.c
#Compile without linking; this produces the object file hello.o
gcc -c hello.c
#Compile a file
gcc hello.c -o hello
Make sure to set a breakpoint and run the program before running the commands below when trying them from GDB.
#Search for the address of system (or any other function) in a binary using objdump, or from
# gdb using `p system`
objdump -M intel -D vuln | grep 'system' -A 3
#Get PLT/GOT function names after disassembling all sections
objdump -d vuln | grep ">:"
#Display the dynamic relocation entries in the file
#address of functions in the GOT
objdump -R vuln
# Find system address
p system
xinfo system
#Find Exit address
p exit
#Check whether libc is being used or not - copy libc to the current working directory for ease of use.
# Note the libc base address (the first address shown)
# Default path = /lib/x86_64-linux-gnu/libc-2.27.so
vmmap libc
#Find JMP RSP or JMP RAX or any other instruction
# if you are unable to find an instruction in your vuln binary, search for the string in libc
ropper
file ./vuln or file ./libc
search jmp rsp
#if you are unable to find JMP instruction try CALL
search call rsp
#Finding "/bin/sh"
find "/bin/sh" # peda
search-pattern "sh" # gef
strings -a -t x libc-2.27.so | grep "/bin/sh"
ropper --file libc-2.27.so --string '/bin/sh'
# Search for ret instruction, look for a single ret without any other instructions.
ropper --file libc-2.27.so --search "ret"
0x00000000000008aa: ret;
#When you take an address from libc externally (ropper, strings), it is an offset: add the libc base address (the first address shown by `vmmap libc`) to the offset you got from ropper or strings. The same applies to any other instruction.
#Change ropper search depth -
# /1/ - 1 level down, /2/ - 2 levels down
# better to pick a gadget that ends with ret for ret2libc
ropper
> file ./vuln_file or file ./libc
> search /1/ pop rdi
#Keep the STDIN open
(cat payload;cat ) | ./vuln
# if we are unable to find the exact instruction
- Ex: we are looking for `pop rdx; ret;` but found `pop rdx; pop r12; ret;` - after passing the argument for pop rdx, send some dummy data for pop r12 as shown below
- buffer += pack("<Q",0x414141414141) #Dummy for pop r12
#Get Base address of Stack
- set a breakpoint at main, run the program, and take the first address of the stack
- you can also check here whether the stack is executable or not
vmmap stack
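As an added example (not part of the original cheat sheet), this Python script does offline what the `readelf -h` / `readelf -l` commands at the top and the `vmmap stack` executable-stack check above do at the console: it parses the ELF64 header and program headers and reports whether the PT_GNU_STACK entry asks for an executable stack. The ELF image it reads is constructed inline with struct (a sample, not a real binary).

```python
import struct

# ELF constants from the ELF specification
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, EM_X86_64 = 2, 0x3E

def parse_elf64(data):
    """Parse an ELF64 header and its program headers (what readelf -h / -l print)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (e_type, e_machine, _, e_entry, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, _, p_vaddr, _, _, p_memsz, _ = struct.unpack_from(
            end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "vaddr": p_vaddr, "memsz": p_memsz})
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "phnum": e_phnum, "phdrs": phdrs}

def stack_is_executable(info):
    """NX check: the stack is executable if PT_GNU_STACK carries PF_X or is absent
    (without the header the loader falls back to an executable stack)."""
    for ph in info["phdrs"]:
        if ph["type"] == PT_GNU_STACK:
            return bool(ph["flags"] & PF_X)
    return True

def build_sample(stack_flags):
    """Constructed ELF64 x86-64 image: header + PT_LOAD + PT_GNU_STACK (sample input, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8    # ELF64, little-endian, v1, SYSV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_EXEC, EM_X86_64, 1, 0x401000,
                               64, 0, 0, 64, 56, 2, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000,
                       0x1000, 0x1000, 0x1000)
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + load + stack

if __name__ == "__main__":
    for flags in (PF_R | PF_W, PF_R | PF_W | PF_X):
        info = parse_elf64(build_sample(flags))
        print(f"entry=0x{info['entry']:x} phnum={info['phnum']} "
              f"NX={'disabled' if stack_is_executable(info) else 'enabled'}")
```

To run it on a real file, pass `open(path, "rb").read()` to `parse_elf64` instead of `build_sample(...)`; the result matches the Entry point and Number of program headers lines of `readelf -h`.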
#Get Base address of LIBC
vmmap libc
# When trying any Return2 exploits
- better to add an extra "ret" gadget address before the `pop rdi; ret` gadget
- this avoids 16-byte stack alignment issues