HTB - Retired (Box)
Any progress with BOF? Can anyone share the right technique?
Reply
(April 8, 2022, 01:44 AM)mrfart Wrote: Any progress with BOF? Can anyone share the right technique?


root privileges is it?
Reply
(April 8, 2022, 07:19 AM)inferno7us Wrote:
(April 8, 2022, 01:44 AM)mrfart Wrote: Any progress with BOF? Can anyone share the right technique?


root privileges is it?


I don't get what you are trying to say...
Can you share more details into exploiting this binary?
Reply
Anyone willing to type out the steps taken for the ROP chain? Got the buffer overflow, but can't leak any function calls to get the base address or function offsets.

Also, do you have to match up the libc versions? If yes, any easier ways to do it? Can grab the libraries from the box, sure, via LFI... but can't get it to run.
Reply
(April 9, 2022, 03:29 AM)skyweasel Wrote: Anyone willing to type out the steps taken for the ROP chain? Got the buffer overflow, but can't leak any function calls to get the base address or function offsets.

Also, do you have to match up the libc versions? If yes, any easier ways to do it? Can grab the libraries from the box, sure, via LFI... but can't get it to run.


Just read base addresses from /proc/<id>/maps using LFI
Reply
I got it working locally, spawned a reverse shell using a mprotect technique. Follow this video https://youtu.be/Ge01IzQH3Rg

I'm getting an error when loading the target libc into the binary so I can update the address values. Anyone know how to circumvent that?
Reply
Could be worth just running it against the local variables (libc on your box) and then using the offsets for the remote libc once it's working?

I'm still trying the mprotect method locally and failing. Values are not ending up in the correct registers.
Reply
(April 10, 2022, 12:44 PM)mrfart Wrote: I got it working locally, spawned a reverse shell using a mprotect technique. Follow this video https://youtu.be/Ge01IzQH3Rg

I'm getting an error when loading the target libc into the binary so I can update the address values. Anyone know how to circumvent that?


Curious to know, for an attack where you disable mprotect (which takes 3 args from 3 registers: rdi, rsi, rdx), how did you get a gadget for RDX? The only pop RDI call I can see won't work, as it has other instructions in there and segfaults.

I can do a system /bin/sh call (locally at least), but that doesn't help us remotely with the web-based attack vector; we need a callback.

Hence why I thought mprotect might work, as we can make the stack executable and have a rev shell via custom shellcode.
But as above, I fail to see how you can get control of RDX to set up and disable mprotect to then run the shellcode.

So what other ways can get a rev shell via libc functions?
Reply
I just dropped a shell.

@mrfart it's worth remembering the stack alignment could be very different on the remote vs local, so you may not be landing on your shellcode.

@skyweasel you can execute any command using system, you're not restricted to /bin/sh
Reply
(April 11, 2022, 10:46 AM)just_another_guy Wrote: I just dropped a shell.

@mrfart it's worth remembering the stack alignment could be very different on the remote vs local, so you may not be landing on your shellcode.

@skyweasel you can execute any command using system, you're not restricted to /bin/sh


But what is the right approach to exploit it? Ret2libc and then call a function like system? I can call them, but then I need to pass arguments, which I couldn't figure out how to do.
I know we can get the libc base address, the binary address and the stack address from the LFI, but then to bypass NX remotely with the mprotect technique it is still missing analysing the stack to get the NOP sled addresses (which we can't).

Can you share more details? I've been stuck on this BOF for a while and I really want to know how to do it...
Reply