Ret2lib + Printf leak - arm64
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Ret2lib - NX bypass with ROP (no ASLR)
Compile without canary:
Find offset
x30 offset
Creating a pattern with pattern create 200, sending it, and then checking the offset with pattern search $x30, we can see that the offset is 108 (0x6c).
Looking at the disassembled main function, we can see that we want to jump directly to the instruction that calls printf, whose offset from the binary's load address is 0x860:
Find system and /bin/sh string
As ASLR is disabled, the addresses will always be the same:
Find Gadgets
We need x0 to hold the address of the /bin/sh string and then call system.
Using ropper, an interesting gadget was found:
This gadget loads x0 from $sp + 0x18, then loads x29 and x30 from sp and jumps to x30. So with this gadget we can control the first argument and then jump to system.
Exploit
Ret2lib - NX, ASLR & PIE bypass with printf leaks from the stack
Compile without canary:
PIE and ASLR but no canary
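The two compile setups on this page decide which mitigations are in play (NX, PIE/ASLR, stack canary), and the no-canary condition is what lets the bof be used at all. As an added example that is not part of the original page, the following Python reads those three properties straight from the ELF64 headers; the minimal sample image and the `__stack_chk_fail` string heuristic are constructed here for illustration.

```python
import struct

# ELF64 constants (from the ELF specification)
ET_EXEC = 2                 # fixed-address executable
ET_DYN = 3                  # shared object or PIE executable
EM_AARCH64 = 0xB7           # arm64
PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PF_X = 0x1                  # executable flag


def check_hardening(elf: bytes) -> dict:
    """Report whether an ELF64 image has the mitigations discussed on this page."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:          # EI_CLASS 2 == 64-bit
        raise ValueError("not an ELF64 image")
    end = "<" if elf[5] == 1 else ">"                  # EI_DATA 1 == little-endian
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (e_type, e_machine, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(end + "HHIQQQIHHHHHH", elf, 16)
    nx = False                                         # no PT_GNU_STACK: treat stack as executable
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)                  # NX only if the stack is not executable
    return {
        "arch_arm64": e_machine == EM_AARCH64,
        "pie": e_type == ET_DYN,                       # PIE binaries get a randomised base under ASLR
        "nx": nx,
        # Heuristic: -fstack-protector emits a reference to __stack_chk_fail.
        "canary": b"__stack_chk_fail" in elf,
    }


def build_sample(pie: bool, exec_stack: bool, canary: bool) -> bytes:
    """Construct a minimal arm64 ELF64 image (header + one PT_GNU_STACK entry) for testing."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, little-endian, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, EM_AARCH64, 1, 0,
                        64, 0, 0, 64, 56, 1, 64, 0, 0)     # one program header at offset 64
    flags = (6 | PF_X) if exec_stack else 6                 # RW or RWX stack
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    # The second compile setup on this page: PIE and ASLR, NX stack, but no canary.
    print(check_hardening(build_sample(pie=True, exec_stack=False, canary=False)))
```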
Round 1:
Leak of PIE from stack
Abuse bof to go back to main
Round 2:
Leak of libc from the stack
ROP: ret2system
Printf leaks
Setting a breakpoint before the call to printf, it's possible to see that the stack holds return addresses into the binary as well as libc addresses:
Trying different offsets, %21$p can leak a binary address (PIE bypass) and %25$p can leak a libc address:
Subtracting the base address of libc from the leaked libc address shows that the leaked address sits at offset 0x49c40 from the base.
x30 offset
See the previous example as the bof is the same.
Find Gadgets
As in the previous example, we need x0 to hold the address of the /bin/sh string and then call system.
Using ropper, another interesting gadget was found:
This gadget loads x0 from $sp + 0x78, then loads x29 and x30 from sp and jumps to x30. So with this gadget we can control the first argument and then jump to system.
Exploit