maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md

112 lines
9.0 KiB
Markdown
Raw Blame History

# Msingi wa Mbinu za Ukatili wa Kihandisi
{{#include ../../banners/hacktricks-training.md}}
## Taarifa za Msingi za ELF
Kabla ya kuanza kutumia chochote, ni muhimu kuelewa sehemu ya muundo wa **ELF binary**:
{{#ref}}
elf-tricks.md
{{#endref}}
## Zana za Kutumia
{{#ref}}
tools/
{{#endref}}
## Mbinu ya Stack Overflow
Kwa mbinu nyingi, ni vizuri kuwa na mpango wa wakati mbinu kila moja itakuwa na manufaa. Kumbuka kwamba ulinzi sawa utaathiri mbinu tofauti. Unaweza kupata njia za kupita ulinzi katika kila sehemu ya ulinzi lakini si katika mbinu hii.
## Kudhibiti Mchakato
Kuna njia tofauti ambazo unaweza kumaliza kudhibiti mchakato wa programu:
- [**Stack Overflows**](../stack-overflow/index.html) kuandika upya kiashiria cha kurudi kutoka kwenye stack au EBP -> ESP -> EIP.
- Inaweza kuhitaji kutumia [**Integer Overflows**](../integer-overflow.md) ili kusababisha overflow
- Au kupitia **Arbitrary Writes + Write What Where to Execution**
- [**Format strings**](../format-strings/index.html)**:** Tumia `printf` kuandika maudhui yasiyo na mipaka katika anwani zisizo na mipaka.
- [**Array Indexing**](../array-indexing.md): Tumia mbinu mbaya ya indexing ili uweze kudhibiti baadhi ya arrays na kupata kuandika yasiyo na mipaka.
- Inaweza kuhitaji kutumia [**Integer Overflows**](../integer-overflow.md) ili kusababisha overflow
- **bof to WWW via ROP**: Tumia overflow ya buffer kujenga ROP na uweze kupata WWW.
Unaweza kupata mbinu za **Write What Where to Execution** katika:
{{#ref}}
../arbitrary-write-2-exec/
{{#endref}}
## Mizunguko ya Milele
Kitu cha kuzingatia ni kwamba kawaida **ku exploit udhaifu mmoja hakutoshi** kutekeleza exploit yenye mafanikio, hasa baadhi ya ulinzi zinahitaji kupitishwa. Kwa hivyo, ni muhimu kujadili baadhi ya chaguzi za **kufanya udhaifu mmoja uweze kutumika mara kadhaa** katika utekelezaji mmoja wa binary:
- Andika katika mnyororo wa **ROP** anwani ya **`main` function** au anwani ambapo **udhaifu** unafanyika.
- Kwa kudhibiti mnyororo sahihi wa ROP unaweza kuwa na uwezo wa kutekeleza vitendo vyote katika mnyororo huo
- Andika katika **`exit` address in GOT** (au kazi nyingine yoyote inayotumiwa na binary kabla ya kumaliza) anwani ya kurudi **kwenye udhaifu**
- Kama ilivyoelezwa katika [**.fini_array**](../arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md#eternal-loop)**,** hifadhi kazi 2 hapa, moja ya kuita udhaifu tena na nyingine ya kuita **`__libc_csu_fini`** ambayo itaita tena kazi kutoka `.fini_array`.
## Malengo ya Ukatili
### Lengo: Kuita kazi iliyopo
- [**ret2win**](#ret2win): Kuna kazi katika msimbo unahitaji kuitia (labda na baadhi ya parameta maalum) ili kupata bendera.
- Katika **bof ya kawaida bila** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) **na** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/index.html) unahitaji tu kuandika anwani katika anwani ya kurudi iliyohifadhiwa kwenye stack.
- Katika bof yenye [**PIE**](../common-binary-protections-and-bypasses/pie/index.html), itabidi upite
- Katika bof yenye [**canary**](../common-binary-protections-and-bypasses/stack-canaries/index.html), itabidi upite
- Ikiwa unahitaji kuweka parameta kadhaa ili kuitia kazi ya **ret2win** kwa usahihi unaweza kutumia:
- Mnyororo wa [**ROP**](#rop-and-ret2...-techniques) **ikiwa kuna gadgets za kutosha** kuandaa parameta zote
- [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/index.html) (ikiwa unaweza kuita syscall hii) kudhibiti register nyingi
- Gadgets kutoka [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) na [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) kudhibiti register kadhaa
- Kupitia [**Write What Where**](../arbitrary-write-2-exec/index.html) unaweza kutumia udhaifu mwingine (sio bof) kuitia kazi ya **`win`**.
- [**Pointers Redirecting**](../stack-overflow/pointer-redirecting.md): Ikiwa stack ina viashiria vya kazi ambavyo vitaitwa au kwa string ambayo itatumika na kazi ya kuvutia (system au printf), inawezekana kuandika upya anwani hiyo.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) au [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) inaweza kuathiri anwani.
- [**Uninitialized variables**](../stack-overflow/uninitialized-variables.md): Hujui kamwe.
### Lengo: RCE
#### Kupitia shellcode, ikiwa nx imezimwa au kuchanganya shellcode na ROP:
- [**(Stack) Shellcode**](#stack-shellcode): Hii ni muhimu kuhifadhi shellcode kwenye stack kabla au baada ya kuandika upya kiashiria cha kurudi na kisha **kuruka kwake** ili kuitekeleza:
- **Katika hali yoyote, ikiwa kuna** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/index.html)**,** katika bof ya kawaida itabidi upite (leak) hiyo
- **Bila** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **na** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md) inawezekana kuruka kwenye anwani ya stack kwani haitabadilika kamwe
- **Na** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) itabidi utumie mbinu kama [**ret2esp/ret2reg**](../rop-return-oriented-programing/ret2esp-ret2reg.md) ili kuruka huko
- **Na** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md), itabidi utumie baadhi ya [**ROP**](../rop-return-oriented-programing/index.html) **kuitia `memprotect`** na kufanya baadhi ya ukurasa `rwx`, ili kisha **kuhifadhi shellcode huko** (kuita kusoma kwa mfano) na kisha kuruka huko.
- Hii itachanganya shellcode na mnyororo wa ROP.
#### Kupitia syscalls
- [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/index.html): Inatumika kuitia `execve` ili kuendesha amri zisizo na mipaka. Unahitaji kuwa na uwezo wa kupata **gadgets za kuita syscall maalum na parameta**.
- Ikiwa [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) au [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) zimewezeshwa itabidi uzishinde **ili kutumia gadgets za ROP** kutoka kwa binary au maktaba.
- [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/index.html) inaweza kuwa muhimu kuandaa **ret2execve**
- Gadgets kutoka [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) na [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) kudhibiti register kadhaa
#### Kupitia libc
- [**Ret2lib**](../rop-return-oriented-programing/ret2lib/index.html): Inatumika kuitia kazi kutoka maktaba (kawaida kutoka **`libc`**) kama **`system`** na baadhi ya hoja zilizopangwa (mfano `'/bin/sh'`). Unahitaji binary ili **kupakia maktaba** yenye kazi unayotaka kuitia (libc kawaida).
- Ikiwa **imeandikwa kwa statically na hakuna** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html), **anwani** ya `system` na `/bin/sh` haitabadilika, hivyo inawezekana kuzitumia kwa statically.
- **Bila** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **na kujua toleo la libc** lililopakiwa, **anwani** ya `system` na `/bin/sh` haitabadilika, hivyo inawezekana kuzitumia kwa statically.
- Na [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **lakini hakuna** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)**, kujua libc na binary ikitumia kazi ya `system`** inawezekana **`ret` kwa anwani ya system katika GOT** na anwani ya `'/bin/sh'` katika param (utahitaji kufahamu hili).
- Na [ASLR](../common-binary-protections-and-bypasses/aslr/index.html) lakini hakuna [PIE](../common-binary-protections-and-bypasses/pie/index.html), kujua libc na **bila binary ikitumia `system`**:
- Tumia [**`ret2dlresolve`**](../rop-return-oriented-programing/ret2dlresolve.md) kutatua anwani ya `system` na kuitia
- **Pitisha** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) na kuhesabu anwani ya `system` na `'/bin/sh'` katika kumbukumbu.
- **Na** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **na** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) **na bila kujua libc**: Unahitaji:
- Pitisha [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)
- Pata **`libc` version** iliyotumika (leak anwani kadhaa za kazi)
- Angalia **hali za awali na ASLR** ili kuendelea.
#### Kupitia EBP/RBP
- [**Stack Pivoting / EBP2Ret / EBP Chaining**](../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md): Kudhibiti ESP ili kudhibiti RET kupitia EBP iliyohifadhiwa kwenye stack.
- Inatumika kwa **off-by-one** stack overflows
- Inatumika kama njia mbadala ya kumaliza kudhibiti EIP wakati unatumia EIP kujenga payload katika kumbukumbu na kisha kuruka kwake kupitia EBP
#### Mambo Mengine
- [**Pointers Redirecting**](../stack-overflow/pointer-redirecting.md): Ikiwa stack ina viashiria vya kazi ambavyo vitaitwa au kwa string ambayo itatumika na kazi ya kuvutia (system au printf), inawezekana kuandika upya anwani hiyo.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) au [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) inaweza kuathiri anwani.
- [**Uninitialized variables**](../stack-overflow/uninitialized-variables.md): Hujui kamwe.
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink