From df793a8e83cb54b6521a7127bda0294fb0c7fc18 Mon Sep 17 00:00:00 2001 From: 7Rocky Date: Sat, 6 Apr 2024 15:01:27 +0200 Subject: [PATCH] Added more techniques --- .../stack-overflow/rop-syscall-execv.md | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md index 081ddc80a..3289fc12c 100644 --- a/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md +++ b/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: ## Basic Information -This is similar to Ret2lib, however, in this case we won't be calling a function from a library. In this case, everything will be prepared to call the syscall `sys_execve` with some aregumentes to execute `/bin/sh`. +This is similar to Ret2lib, however, in this case we won't be calling a function from a library. In this case, everything will be prepared to call the syscall `sys_execve` with some arguments to execute `/bin/sh`. This technique is usually performed on binaries that are compiled statically, so there might be plenty of gadgets and syscall instructions. In order to prepare the call for the **syscall** it's needed the following configuration: @@ -28,10 +28,10 @@ In order to prepare the call for the **syscall** it's needed the following confi So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). For this, we need a gadget to write `/bin/sh` in a known area. {% hint style="success" %} -Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. +Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [ret2shellcode](stack-shellcode.md). {% endhint %} -## Register Gadgets +## Register gadgets Let's start by finding **how to control those registers**: @@ -64,11 +64,19 @@ Start End Offset Perm Path Then you need to find a way to write arbitrary content in this address -```python +```bash ROPgadget --binary speedrun-001 | grep " : mov qword ptr \[" mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx ``` +### Automate ROP chain + +The following command creates a full `sys_execve` ROP chain given a static binary when there are write-what-where gadgets and syscall instructions: + +```bash +ROPgadget --binary vuln --ropchain +``` + #### 32 bits ```python @@ -119,6 +127,8 @@ If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you ca [srop-sigreturn-oriented-programming.md](srop-sigreturn-oriented-programming.md) {% endcontent-ref %} +There might be gadgets in the vDSO region, which is used to change from user mode to kernel mode. In these type of challenges, usually a kernel image is provided to dump the vDSO region. + ## Exploit Example ```python @@ -196,6 +206,8 @@ target.interactive() * 64 bits, nx, no PIE, write in some memory a ROP to call `execve` and jump there. In order to write to the stack a function that performs mathematical operations is abused * [https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html) * 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there. +* [https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/](https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/) + * 32 bits, no ASLR, use vDSO to find ROP gadgets and call `execve`.