ROP and Shellcode
Source
Super standard binary.
Exploitation
Let's get all the basic setup done.
Now we're going to do something interesting - we are going to call gets
again. Most importantly, we will tell gets
to write the data it receives to a section of the binary. We need somewhere both readable and writeable, so I choose the GOT. We pass a GOT entry to gets
, and when it receives the shellcode we send it will write the shellcode into the GOT. Now we know exactly where the shellcode is. To top it all off, we set the return address of our call to gets
to where we wrote the shellcode, perfectly executing what we just inputted.
Final Exploit
64-bit
I wonder what you could do with this.
ASLR
No need to worry about ASLR! Neither the stack nor libc is used, save for the ROP.
The real problem would be if PIE was enabled, as then you couldn't call gets
as the location of the PLT would be unknown without a leak - same problem with writing to the GOT.
Potential Problems
Thank to clubby789 and Faith from the HackTheBox Discord server, I found out that the GOT often has Executable permissions simply because that's the default permissions when there's no NX. If you have a more recent kernel, such as 5.9.0
, the default is changed and the GOT will not have X permissions.
As such, if your exploit is failing, run uname -r
to grab the kernel version and check if it's 5.9.0
; if it is, you'll have to find another RWX region to place your shellcode (if it exists!).
Last updated