Tutorial 7
It's trivial when we have a win function and/or NX is disabled. When NX is enabled, we need to use ROP chains!
This solution was found in around 1997.
The buffer that we control contains pointers to instructions (gadgets) that already exist in the program.
When we overwrite the return address, the program sets EIP to that address.
ESP probably won't change, meaning that the gadget's ret will set EIP to the next gadget in our buffer!
When using a gadget that takes arguments, we need to find a pop ret gadget to clear the arguments off the stack before the next ret.
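To make the "ESP keeps moving forward, each ret picks up the next slot" behaviour concrete, here is an added toy simulator that is not part of the original notes. It models a 32-bit stack with constructed, hypothetical gadget and function addresses (nothing from a real binary), lays out a chain of calls the way the notes describe (function, then a pop-N-ret gadget, then the arguments) and steps through it the way the CPU would, so you can see why the pop ret gadget is needed and what happens when it is missing. It also stands in for the "fill buffer with gadgets" step of the checklist further down.

```python
import struct

# Toy model of how a 32-bit ROP chain executes, with constructed addresses.
# Nothing here comes from a real binary; every address is a placeholder.
# A gadget is modelled as a tuple of "pop" / "ret" operations.
GADGETS = {
    0x08048501: ("pop", "ret"),         # pop ebx ; ret           (hypothetical)
    0x08048502: ("pop", "pop", "ret"),  # pop ebx ; pop ebp ; ret (hypothetical)
}
# A function is modelled as (name, number of stack arguments, returns?).
FUNCS = {
    0x08048600: ("puts", 1, True),
    0x08048700: ("exit", 1, False),
}
# Which gadget discards N arguments: a "pop <N registers> ; ret" gadget.
CLEANUP = {1: 0x08048501, 2: 0x08048502}


def build_chain(calls, cleanup=True):
    """Bytes that go where the saved return address was.

    Per call the layout is:  func | pop-N-ret gadget | arg1 .. argN
    The function 'returns' into the pop-N-ret gadget, which skips the
    arguments so the next dword is the next function/gadget address.
    cleanup=False omits the gadget, to show what goes wrong without it."""
    chain = b""
    for func, args in calls:
        chain += struct.pack("<I", func)
        if cleanup:
            chain += struct.pack("<I", CLEANUP[len(args)])
        chain += b"".join(struct.pack("<I", a) for a in args)
    return chain


def simulate(chain, max_steps=100):
    """Run the chain like the CPU would. ESP only moves forward; every
    'ret' consumes one dword into EIP. Returns the list of calls made."""
    esp = 0
    calls = []

    def pop():
        nonlocal esp
        if esp + 4 > len(chain):
            raise RuntimeError("ran off the end of the chain (crash)")
        val = struct.unpack_from("<I", chain, esp)[0]
        esp += 4
        return val

    # The vulnerable function's own 'ret' loads the first dword into EIP.
    eip = pop()
    for _ in range(max_steps):
        if eip in FUNCS:
            name, argc, returns = FUNCS[eip]
            # cdecl: [esp] is the return address, args sit at [esp+4], [esp+8], ...
            args = [struct.unpack_from("<I", chain, esp + 4 * (i + 1))[0]
                    for i in range(argc)]
            calls.append((name, args))
            if not returns:
                return calls
            eip = pop()          # the function's ret lands on the cleanup gadget
        elif eip in GADGETS:
            for op in GADGETS[eip]:
                if op == "pop":
                    pop()        # value goes into a register we don't need
                else:            # "ret"
                    eip = pop()
        else:
            raise RuntimeError(f"EIP landed outside known code: {eip:#x}")
    raise RuntimeError("chain did not terminate")


def runs_cleanly(chain):
    """True if the chain reaches a non-returning call without crashing."""
    try:
        simulate(chain)
        return True
    except (RuntimeError, struct.error):
        return False


if __name__ == "__main__":
    chain = build_chain([(0x08048600, [0x0804a000]), (0x08048700, [0])])
    print(simulate(chain))
    print(runs_cleanly(build_chain([(0x08048600, [0x0804a000]),
                                    (0x08048700, [0])], cleanup=False)))
```

With cleanup=False, puts reads the address of exit as its argument and then "returns" into the argument value, so EIP leaves known code: exactly the crash the notes say a missing pop ret gadget produces.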
Stack Pivots
These are gadgets which modify the ESP, for example add esp, <n> ; ret or xchg eax, esp ; ret.
libc
libc is a library that contains many useful functions for the program to use.
It also contains many useful gadgets :)
If we can find the version of libc that is used, we can use the addresses specific to that libc build.
We'll need a pointer into libc though... which we might be able to leak from the GOT!
Note: we can only leak from the GOT once the function has been linked (lazy binding fills in the entry the first time the function is called).
For example, puts(puts@GOT) prints the resolved address of puts.
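Handling the leaked value is where beginners usually trip, so here is an added helper (not from the original notes) that turns the raw bytes puts prints for a GOT entry into an address, subtracts the symbol's offset to get the libc base, and sanity-checks that the base is page aligned, which is a cheap way to notice that the offsets belong to a different libc version. The leak bytes and the symbol offsets below are constructed placeholders; real offsets come from the matched libc (e.g. readelf -s on it).

```python
import struct

PAGE = 0x1000   # libc is mmap'd page aligned, used for the sanity check


def parse_leak(raw: bytes, word: int = 4) -> int:
    """Convert what puts() printed for a GOT entry into an address.
    puts stops at the first NUL byte and appends a newline, so the leaked
    value can be shorter than a full word; the missing high bytes are zero."""
    leak = raw.split(b"\n", 1)[0][:word]
    if not leak:
        raise ValueError("empty leak: entry unresolved or starts with a NUL byte")
    leak = leak.ljust(word, b"\x00")   # little-endian: pad on the right
    return struct.unpack("<I" if word == 4 else "<Q", leak)[0]


def libc_base(leaked_addr: int, symbol_offset: int) -> int:
    """Base = leaked address - offset of that symbol inside the libc build.
    A non-aligned result means the offset came from a different libc
    version (an offset wrong by a whole number of pages is not caught)."""
    base = leaked_addr - symbol_offset
    if base % PAGE:
        raise ValueError(f"{base:#x} is not page aligned: wrong libc version?")
    return base


def resolve(base: int, offsets: dict) -> dict:
    """Absolute addresses of every symbol given its offset in the matched libc."""
    return {name: base + off for name, off in offsets.items()}


if __name__ == "__main__":
    # Constructed sample: the 4 raw bytes puts() printed, then its newline.
    raw = b"\x40\x93\xd5\xf7\n"
    # Placeholder offsets; take the real ones from the matched libc.
    offsets = {"puts": 0x59340, "system": 0x3d200}
    leaked = parse_leak(raw)
    base = libc_base(leaked, offsets["puts"])
    print(hex(leaked), hex(base),
          {k: hex(v) for k, v in resolve(base, offsets).items()})
```

parse_leak takes word=8 for 64-bit targets, where the two high bytes of a libc address are always NUL and therefore never printed.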
ldd
Print shared object dependencies, e.g. ldd ./program shows which libc the program loads.
Using your own LIBC
    LD_PRELOAD=/my/abs/path/to/my_custom_libc.so ./program
Finding Gadgets
- Ropper: ropper -f file
- Search (exact): ropper -f file --search "asm instruction"
- Search (contains): ropper -f file --nocolor | grep "asm instruction"
Finding Strings
- strings -t x file (-t x prints each string's offset in hex)
- Binja (Binary Ninja)
Useful gadgets to find
- Syscall gadget (int 0x80)
Pwning
- checksec
- Find useful gadgets and addresses: ropper on the program, ropper on libc, strings
- Check PIE
  - If enabled, leak base
  - If disabled, add PIE base
- Overflow to control the return address (get it to crash by returning to a bogus address)
- Fill the buffer with gadgets
Lazy
Add to your .bashrc:
    gropper () { ropper -f "$1" --nocolor | grep -F -- "$2"; }
(-F matches the literal text, and -- stops grep from treating a pattern that starts with a dash as an option.)
Then you can run gropper program "ret"