Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 20:23:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

Added more techniques

Browse source
This commit is contained in:
7Rocky 2024-04-06 15:01:27 +02:00
parent 1d9352d8be
commit df793a8e83
1 changed files with 16 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md
View file

@ -16,7 +16,7 @@ Other ways to support HackTricks:
## Basic Information
This is similar to Ret2lib, however, in this case we won't be calling a function from a library. In this case, everything will be prepared to call the syscall `sys_execve` with some aregumentes to execute `/bin/sh`.
This is similar to Ret2lib, however, in this case we won't be calling a function from a library. In this case, everything will be prepared to call the syscall `sys_execve` with some arguments to execute `/bin/sh`. This technique is usually performed on binaries that are compiled statically, so there might be plenty of gadgets and syscall instructions.
In order to prepare the call for the **syscall** it's needed the following configuration:
@ -28,10 +28,10 @@ In order to prepare the call for the **syscall** it's needed the following confi
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). For this, we need a gadget to write `/bin/sh` in a known area.
{% hint style="success" %}
Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**.
Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [ret2shellcode](stack-shellcode.md).
{% endhint %}
## Register Gadgets
## Register gadgets
Let's start by finding **how to control those registers**:
@ -64,11 +64,19 @@ Start End Offset Perm Path
Then you need to find a way to write arbitrary content in this address
```python
```bash
ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
```
### Automate ROP chain
The following command creates a full `sys_execve` ROP chain given a static binary when there are write-what-where gadgets and syscall instructions:
```bash
ROPgadget --binary vuln --ropchain
```
#### 32 bits
```python
@ -119,6 +127,8 @@ If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you ca
[srop-sigreturn-oriented-programming.md](srop-sigreturn-oriented-programming.md)
{% endcontent-ref %}
There might be gadgets in the vDSO region, which is used to change from user mode to kernel mode. In these type of challenges, usually a kernel image is provided to dump the vDSO region.
## Exploit Example
```python
@ -196,6 +206,8 @@ target.interactive()
* 64 bits, nx, no PIE, write in some memory a ROP to call `execve` and jump there. In order to write to the stack a function that performs mathematical operations is abused
* [https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html)
* 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.
* [https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/](https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/)
* 32 bits, no ASLR, use vDSO to find ROP gadgets and call `execve`.
<details>