oxeo0/hacking-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/hacking-blogposts.git synced 2025-05-17 04:46:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix references

Browse source
This commit is contained in:
nihilist 2025-05-07 08:47:16 +02:00
parent fd1fec5663
commit 8e4e47a9d8
16 changed files with 19 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

2
2/calc.md
View file

@ -420,7 +420,7 @@ Now we know that there is a 0x48 bytes offset between the pattern an the return
Now we know that we will need 18 integers, Now since the binary is statically linked and there is no PIE (as we saw earlier in the pwn checksec command output), We can build a rop chain using the binary for gadgets and without an infoleak. The ROP chain will make an execve syscall to **/bin/sh** just like in the previous tutorials except that now we need to take into account 4 registers that we need to control in order to make this syscall:
As we saw in our [previous](../asm/2.html) x86_64 assembly tutorials, we need rax to take in our syscall ID, rdi to take the first arguement, rsi to take the 2nd arguement and rdx to take the third arguement. We can use this list to know more about syscalls, and since we are in x86_64 we will use the syscall ID 59 (0x3b) to trigger execve:
As we saw in our [previous](../asm/2.md) x86_64 assembly tutorials, we need rax to take in our syscall ID, rdi to take the first arguement, rsi to take the 2nd arguement and rdx to take the third arguement. We can use this list to know more about syscalls, and since we are in x86_64 we will use the syscall ID 59 (0x3b) to trigger execve:
rax : 0x3b # syscall ID

2
2/feed.md
View file

@ -410,7 +410,7 @@ So we can overwrite the stack canary one byte a a time, The byte we overwrite it
Now onto the ROP chain: Once we have the stack canary and nothing will be able to stop us from reaching the return function to get code execution as usual. Then what do we execute ? NX is turned on, so we cannot just jump to the shellcode we place on the stack. However the elf does have PIE set to enabled which randomizes the address of code, Therefore building a ROP chain without an infoleak is possible. For this ROP Chain, we will be making an execve() syscall to /bin/sh to give us a shell.
Now to build our ROP chain we need to look for ROP Gadgets as we saw in the previous 2 challenges. We will use ROPGadget for that, check out [simplecalc](calc.html) to check out how i installed it. now let's find the following gadgets:
Now to build our ROP chain we need to look for ROP Gadgets as we saw in the previous 2 challenges. We will use ROPGadget for that, check out [simplecalc](calc.md) to check out how i installed it. now let's find the following gadgets:
[ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/feed]

2
2/overf.md
View file

@ -230,7 +230,7 @@ Now that we have the got entry address, we need a gadget that pops an arguement
After we get the libc infoleak, we can just subtract the offset of puts from it to get the libc base. The only part that remains is the onegadget, check out the previous babyboi writeup to know how to set it up [here](bboi.html):
After we get the libc infoleak, we can just subtract the offset of puts from it to get the libc base. The only part that remains is the onegadget, check out the previous babyboi writeup to know how to set it up [here](bboi.md):
[ 192.168.0.18/24 ] [ /dev/pts/2 ] [binexp/2/overf]

2
2/speed.md
View file

@ -308,7 +308,7 @@ Here we see that our input address is at **0x7fffffffdad0** and the return addre
Now we know that have an offset of 0x408 bytes between our input text and the return function. Next step is to find the ROP Gadgets we will use. To do so we will use ROPGadgets.py you can check out how we installed it in the previous tutorial [here](calc.html). Now let's find the gadgets we need for the **rax, rdi, rsi and rdx** registers using the following template:
Now we know that have an offset of 0x408 bytes between our input text and the return function. Next step is to find the ROP Gadgets we will use. To do so we will use ROPGadgets.py you can check out how we installed it in the previous tutorial [here](calc.md). Now let's find the gadgets we need for the **rax, rdi, rsi and rdx** registers using the following template:
"pop register ; ret"

2
2/svc.md
View file

@ -310,7 +310,7 @@ Now we know that there is a 0xb8 offset between our input text and the return ad
So let's summarize everything we got so far:
We have a buffer overflow bug that we can use because of a gets() call and we can get to the return address with it. However the first mitigation we will need to overcome is the stack canary. The stack canary is an eight byte random integer (we saw that it was 4 bytes for x86 systems in the previous challenge [feed](feed.html))
We have a buffer overflow bug that we can use because of a gets() call and we can get to the return address with it. However the first mitigation we will need to overcome is the stack canary. The stack canary is an eight byte random integer (we saw that it was 4 bytes for x86 systems in the previous challenge [feed](feed.md))
However, before the return address is executed, it checks to see if the stack canary has the same value. If it doesn't the program will end. To bypass this, we need to leak the stack canary. That way we can just overwrite the stack canary with itself, so it will pass the stack cnary to check and execute the return address, which we will overwrite with our buffer overflow