What after RIP control?
So, you got RIP control. Now what?
ROP techniques
NX Disabled
ret2shellcode, ret2reg etc.
- Constraints:
  - You have to know the address of the shellcode
  - Non-PIE for ret2reg [1]
  - The address of the shellcode is stored in a register
  - Need a jmp2reg gadget
- Solutions:
  - Use other ROP attacks to get the address
Win/flag function
ret2win
- Constraints:
  - Non-PIE [1]
  - Win function requires arguments
- Solutions:
  - Get a binary leak
  - Use pop gadgets or ret2csu (requires a buffer overflow with > 0x8 bytes upper limit)
Have a libc leak and can only write 8 bytes
ret2one_gadget
- Constraints:
  - Need a libc leak
  - Need to know the libc version of the remote server
  - The constraints of the one_gadget must be satisfied
- Solutions:
  - If the binary is Non-PIE, leak a libc pointer from the GOT (requires a bof with > 0x8 bytes upper limit)
  - Use libc-database
  - That's tricky
Any printing function e.g. puts, printf, write
ret2libc
- Constraints:
  - Non-PIE [1]
  - Need a function which prints bytes
  - Binary should not be hand-written
  - Binary should be dynamically linked
  - Need to know the libc version of the remote server
  - Need a buffer overflow with >= 0x20 upper limit
- Solutions:
  - Get a binary leak
  - That's usually the case
  - Who writes binaries by hand?
  - That's usually the case (if it isn't, you have easier options: general ROP)
  - Use libc-database
  - That's your problem
Binary has a syscall gadget
Sigreturn Return Oriented Programming (SROP)
- Constraints:
  - Non-PIE [1]
  - Need a syscall gadget
  - Need control over RAX
  - Need a buffer overflow with > 0x250 upper limit
  - Need the address of a writable area for RSP in some cases
- Solutions:
  - Get a binary leak
  - Get a libc leak; libc has syscall gadgets
  - RAX can be controlled using functions like read, write or any function whose return value can be controlled
  - You can read your ROP chain at some known address and then stack pivot (requires a stack pivot gadget)
  - Sometimes you need to call functions which need a functional stack; just use bss addresses
Need to call a function with three arguments
ret2csu
- Constraints:
  - Non-PIE [1]
  - Need a buffer overflow with > 0x50 upper limit
  - Need a pointer to a function which does nothing to the concerned registers, i.e. RDI, RSI and RDX, e.g. _fini
- Solutions:
  - Get a binary leak
  - You can read your ROP chain at some known address and then stack pivot (requires a stack pivot gadget). If that's not possible, then it's your problem
  - Write the address of a ret gadget somewhere and use its pointer
There are no printing functions and you can write to a large area
ret2dl_resolve
- Constraints:
  - Non-PIE [1]
  - Need the ability to write to an area reachable by the resolution mechanism, e.g. bss or stack
  - No RELRO or Partial RELRO
- Solutions:
  - Get a binary leak
  - That's an easy one
  - If you can somehow get the link_map and dl_resolve addresses, you're fine. These are not stored in the binary under Full RELRO
Statically linked binary
General ROP (pop pop pop)
- Constraints:
  - Non-PIE [1]
  - The binary should have gadgets for the concerned registers, i.e. RAX, RDI, RSI, RDX etc.
- Solutions:
  - Get a binary leak
  - Use SROP (requires a RAX gadget and a buffer overflow with > 0x250 upper limit)
Notes:
[1]: The Non-PIE requirement applies to almost all of them. It can be circumvented by getting a binary leak, e.g. via format strings, incorrect or missing null-termination of strings, or uninitialized variables.
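Every branch above is gated on the binary's build-time mitigations: NX (ret2shellcode), PIE (note [1]), RELRO (ret2dl_resolve) and static versus dynamic linking (ret2libc versus general ROP). As an added example, not part of the original outline, the Python script below reads those flags directly from the ELF64 headers (the same facts checksec reports) and maps them onto the outline's branches, so you can check which ones a given build actually closes. The `build_sample_elf` helper constructs a headers-only ELF image for offline testing and is not a real program; the branch labels in `open_branches` are my own reading of how the outline maps to the flags.

```python
import struct

# ELF64 constants from the ELF specification and the System V ABI
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def parse_elf64(data):
    """Read the mitigation-relevant facts from an ELF64 image's headers.

    Returns {"pie": bool, "nx": bool, "relro": "none"|"partial"|"full", "dynamic": bool}.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    phdrs = []  # (p_type, p_flags, p_offset, p_filesz)
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _ms, _al = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags, p_offset, p_filesz))
    types = {p[0] for p in phdrs}

    # NX: the stack is non-executable only if PT_GNU_STACK is present without PF_X.
    # A missing header is treated conservatively as "not protected".
    nx = any(p[0] == PT_GNU_STACK and not (p[1] & PF_X) for p in phdrs)

    # RELRO: PT_GNU_RELRO alone is partial; with BIND_NOW the GOT is resolved
    # at load time and then made read-only, which is full RELRO.
    tags = {}
    for p_type, _f, p_offset, p_filesz in phdrs:
        if p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, DYN_SIZE):
                d_tag, d_val = struct.unpack_from("<qQ", data, off)
                if d_tag == DT_NULL:
                    break
                tags[d_tag] = d_val
    bind_now = DT_BIND_NOW in tags or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
    if PT_GNU_RELRO not in types:
        relro = "none"
    else:
        relro = "full" if bind_now else "partial"

    return {
        "pie": e_type == ET_DYN,        # ET_DYN executables get a randomised load base
        "nx": nx,
        "relro": relro,
        "dynamic": PT_INTERP in types,  # PT_INTERP names ld.so; absent in static binaries
    }


def open_branches(info):
    """Map parsed mitigations onto the outline's branches (my reading of it, assumed)."""
    return {
        "needs_binary_leak [1]": info["pie"],
        "ret2shellcode/ret2reg": not info["nx"],
        "ret2libc/ret2one_gadget": info["dynamic"],
        "ret2dl_resolve": info["dynamic"] and info["relro"] != "full",
        "general ROP/SROP on static binary": not info["dynamic"],
    }


def build_sample_elf(pie, nx, relro, bind_now, dynamic):
    """Construct a headers-only ELF64 image (not runnable) that sets the given flags."""
    segs = []  # (p_type, p_flags, p_offset, p_filesz)
    if dynamic:
        segs.append((PT_INTERP, PF_R, 0, 0))
    segs.append((PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0))
    if relro:
        segs.append((PT_GNU_RELRO, PF_R, 0, 0))
    dyn = b""
    if dynamic:
        if bind_now:
            dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_NULL, 0)
        dyn_off = EHDR_SIZE + PHDR_SIZE * (len(segs) + 1)  # right after the phdr table
        segs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn)))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, little-endian, v1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1, 0x1000,  # e_type, x86-64, e_version, e_entry
        EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, len(segs), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8)
                     for t, f, off, sz in segs)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Constructed sample: Non-PIE, NX on, partial RELRO, dynamically linked
    info = parse_elf64(build_sample_elf(pie=False, nx=True, relro=True, bind_now=False, dynamic=True))
    print(info)
    for branch, is_open in open_branches(info).items():
        print(f"{'open  ' if is_open else 'closed'}  {branch}")
```

Point `parse_elf64` at the bytes of a real binary (`open(path, "rb").read()`) to get the same report for it; flipping `pie`, `nx` and `bind_now` in `build_sample_elf` shows how each hardening flag removes a branch from the outline.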