
What after RIP control?

So, you got RIP control. Now what?

ROP techniques

NX Disabled

ret2shellcode, ret2reg, etc.

| Constraints | Solutions |
|---|---|
| You have to know the address of the shellcode | Other ROP attacks to get the address |
| Non-PIE for ret2reg [1] | |
| The address of the shellcode is stored in a register | |
| Need a jmp2reg gadget | |

Win/flag function

ret2win

| Constraints | Solutions |
|---|---|
| Non-PIE [1] | Get a binary leak |
| Win function requires arguments | Use pop gadgets or ret2csu (requires a buffer overflow with > 0x8 bytes upper limit) |

You have a libc leak and can only write 8 bytes

ret2one_gadget

| Constraints | Solutions |
|---|---|
| Need a libc leak | If the binary is non-PIE, leak a libc pointer from the GOT (requires a bof with > 0x8 bytes upper limit) |
| Need to know the libc version of the remote server | Use libc-database |
| The constraints of the one_gadget must be satisfied | That's tricky |

Any printing function e.g. puts, printf, write

ret2libc

| Constraints | Solutions |
|---|---|
| Non-PIE [1] | Get a binary leak |
| Need a function which prints bytes | That's usually the case |
| Binary should not be hand-written | Who writes binaries by hand? |
| Binary should be dynamically linked | That's usually the case (if it isn't, you have easier options: General ROP) |
| Need to know the libc version of the remote server | Use libc-database |
| Need a buffer overflow with >= 0x20 upper limit | That's your problem |

Binary has syscall gadget

Sigreturn Return Oriented Programming (SROP)

| Constraints | Solutions |
|---|---|
| Non-PIE [1] | Get a binary leak |
| Need a syscall gadget | Get a libc leak; libc has syscall gadgets |
| Need control over RAX | RAX can be controlled using functions like read, write or any function whose return value can be controlled |
| Need a buffer overflow with > 0x250 upper limit | Read your ROP chain to some known address and then stack pivot (requires a stack pivot gadget) |
| Need the address of a writable area for RSP in some cases | Sometimes you need to call functions which need a functional stack; just use bss addresses |

Need to call a function with three arguments

ret2csu

| Constraints | Solutions |
|---|---|
| Non-PIE [1] | Get a binary leak |
| Need a buffer overflow with > 0x50 upper limit | Read your ROP chain to some known address and then stack pivot (requires a stack pivot gadget); if that's not possible, it's your problem |
| Need a pointer to a function which does nothing to the concerned registers, i.e. RDI, RSI and RDX, e.g. _fini | Write the address of a ret gadget somewhere and use its pointer |

There are no printing functions and you can write to a large area

ret2dl_resolve

| Constraints | Solutions |
|---|---|
| Non-PIE [1] | Get a binary leak |
| Need the ability to write to an area reachable by the resolution mechanism, e.g. bss or stack | That's an easy one |
| No RELRO or Partial RELRO | If you can somehow get the link_map and dl_resolve addresses, you're fine; these are not stored in the binary under Full RELRO |

Statically Linked binary

General ROP pop pop pop

| Constraints | Solutions |
|---|---|
| Non-PIE [1] | Get a binary leak |
| The binary should have gadgets for the concerned registers, i.e. RAX, RDI, RSI, RDX, etc. | Use SROP (requires a RAX gadget and a buffer overflow with > 0x250 upper limit) |

Notes:

[1]: The Non-PIE requirement applies to almost all of them. It can be circumvented by getting a binary leak through format strings, missing or incorrect null-termination of strings, or uninitialized variables.
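Almost every row above hinges on the same four build-time facts (NX, PIE, RELRO level, static vs. dynamic linking), so it is worth checking them on your own binaries before shipping. The following is an added example, not part of the original cheat sheet: it reads those facts straight out of an ELF64 file's program headers and dynamic section (no pyelftools) and, for each mitigation that is missing, names the row of the sheet it would have closed. `build_sample_elf` is a constructed, non-runnable ELF skeleton used only as sample input; the function names and the `missing_hardening` wording are this example's own.

```python
import struct

# ELF64 constants, as defined in the ELF specification / glibc elf.h
ET_DYN, PT_DYNAMIC, PT_INTERP = 3, 2, 3
PT_GNU_STACK, PT_GNU_RELRO, PF_X = 0x6474e551, 0x6474e552, 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf64_mitigations(data: bytes) -> dict:
    """Parse the ELF64 header, program headers and dynamic section straight from
    the bytes and return the facts the sheet's constraints hinge on."""
    assert data[:4] == b"\x7fELF" and data[4] == 2, "not an ELF64 image"
    e_type, e_phoff = struct.unpack_from("<H", data, 16)[0], struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # program header fields: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    ph = {p[0]: p for p in (struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
                            for i in range(e_phnum))}
    nx = PT_GNU_STACK in ph and not ph[PT_GNU_STACK][1] & PF_X  # no PT_GNU_STACK => executable stack
    relro = "partial" if PT_GNU_RELRO in ph else "none"
    if relro == "partial" and PT_DYNAMIC in ph:  # RELRO segment plus BIND_NOW => full RELRO
        off, size = ph[PT_DYNAMIC][2], ph[PT_DYNAMIC][5]  # p_offset, p_filesz
        for tag, val in struct.iter_unpack("<QQ", data[off:off + size]):
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                relro = "full"
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro,
            "static": PT_INTERP not in ph and PT_DYNAMIC not in ph}

def missing_hardening(m: dict) -> list:
    """Hardening the binary lacks, each paired with the row of the sheet it would close."""
    advice = []
    if not m["nx"]:
        advice.append("enable NX (-z noexecstack): closes the ret2shellcode / ret2reg row")
    if not m["pie"]:
        advice.append("build as PIE (-fPIE -pie): every row marked [1] then needs a binary leak first")
    if not m["static"] and m["relro"] != "full":
        advice.append("link with -z relro -z now (full RELRO): closes the ret2dl_resolve row")
    return advice

def build_sample_elf(nx=True, pie=False, relro="partial") -> bytes:
    """Constructed sample input: an ELF64 skeleton (header, program headers, dynamic section), not runnable."""
    dyn = (struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW) if relro == "full" else b"") + struct.pack("<QQ", DT_NULL, 0)
    phdrs = [(PT_INTERP, 4, 0, 0, 0, 0, 0, 1), (PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]
    phdrs += [(PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)] if relro != "none" else []
    n, dyn_off = len(phdrs) + 1, 64 + 56 * (len(phdrs) + 1)
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, n, 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn
```

On a real binary, `missing_hardening(elf64_mitigations(open(path, "rb").read()))` gives the same verdicts checksec prints, phrased against this sheet.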