1 of 5

Reliable Shellcode

Shellcode, but without the guesswork

Utilising ROP

The problem with shellcode exploits as they are is that the locations of it are questionable - wouldn't it be cool if we could control where we wrote it to?

Well, we can.

Instead of writing shellcode directly, we can instead use some ROP to take in input again - except this time, we specify the location as somewhere we control.

Using ESP

If you think about it, once the return pointer is popped off the stack ESP will points at whatever is after it in memory - after all, that's the entire basis of ROP. But what if we put shellcode there?

It's a crazy idea. But remember, ESP will point there. So what if we overwrite the return pointer with a jmp esp gadget! Once it gets popped off, ESP will point at the shellcode and thanks to the jmp esp it will be executed!

ret2reg

ret2reg extends the use of jmp esp to the use of any register that happens to point somewhere you need it to.

ROP and Shellcode

Source

Super standard binary.

Exploitation

Using RSP

Source

You can ignore most of it as it's mostly there to accomodate the existence of jmp rsp - we don't actually want it called, so there's a negative if statement.

The chance of jmp esp gadgets existing in the binary are incredible low, but what you often do instead is find a sequence of bytes that code for jmp rsp and jump there - jmp rsp is \xff\xe4 in shellcode, so if there's is any part of the executable section with bytes in this order, they can be used as if they are a jmp rsp.

Exploitation

Try to do this yourself first, using the explanation on the previous page. Remember, RSP points at the thing after the return pointer once ret has occured, so your shellcode goes after it.

Solution

Limited Space

You won't always have enough overflow - perhaps you'll only have 7 or 8 bytes. What you can do in this scenario is make the shellcode after the RIP equivalent to something like

Where 0x20 is the offset between the current value of RSP and the start of the buffer. In the buffer itself, we put the main shellcode. Let's try that!

The 10 is just a placeholder. Once we hit the pause(), we attach with radare2 and set a breakpoint on the ret, then continue. Once we hit it, we find the beginning of the A string and work out the offset between that and the current value of RSP - it's 128!

Solution

We successfully pivoted back to our shellcode - and because all our addresses are relative, it's completely reliable! ASLR beaten with pure shellcode.

This is harder with PIE as the location of jmp rsp will change, so you might have to leak PIE base!

ret2reg

Using Registers to bypass ASLR

ret2reg simply involves jumping to register addresses rather than hardcoded addresses, much like Using RSP for Shellcode. For example, you may find RAX always points at your buffer when the ret is executed, so you could utilise a call rax or jmp rax to continue from there.

The reason RAX is the most common for this technique is that, by convention, the return value of a function is stored in RAX. For example, take the following basic code:

#include <stdio.h>

int test() {
    return 0xdeadbeef;
}

int main() {
    test();
    return 0;
}

If we compile and disassemble the function, we get this:

0x55ea94f68125      55             push rbp
0x55ea94f68126      4889e5         mov rbp, rsp
0x55ea94f68129      b8efbeadde     mov eax, 0xdeadbeef
0x55ea94f6812e      5d             pop rbp
0x55ea94f6812f      c3             ret

As you can see, the value 0xdeadbeef is being moved into EAX.

Using ret2reg

Source

Any function that returns a pointer to the string once it acts on it is a prime target. There are many that do this, including stuff like gets(), strcpy() and fgets(). We''l keep it simple and use gets() as an example.

Using RSP

Source

#include <stdio.h>

int test = 0;

int main() {
    char input[100];

    puts("Get me with shellcode and RSP!");
    gets(input);

    if(test) {
        asm("jmp *%rsp");
        return 0;
    }
    else {
        return 0;
    }
}

You can ignore most of it as it's mostly there to accomodate the existence of jmp rsp - we don't actually want it called, so there's a negative if statement.

Exploitation

Try to do this yourself first, using the explanation on the previous page. Remember, RSP points at the thing after the return pointer once ret has occured, so your shellcode goes after it.

Solution

Limited Space

You won't always have enough overflow - perhaps you'll only have 7 or 8 bytes. What you can do in this scenario is make the shellcode after the RIP equivalent to something like

Where 0x20 is the offset between the current value of RSP and the start of the buffer. In the buffer itself, we put the main shellcode. Let's try that!

Solution

We successfully pivoted back to our shellcode - and because all our addresses are relative, it's completely reliable! ASLR beaten with pure shellcode.

This is harder with PIE as the location of jmp rsp will change, so you might have to leak PIE base!

ret2reg

Using Registers to bypass ASLR

The reason RAX is the most common for this technique is that, by convention, the return value of a function is stored in RAX. For example, take the following basic code:

#include <stdio.h>

int test() {
    return 0xdeadbeef;
}

int main() {
    test();
    return 0;
}

If we compile and disassemble the function, we get this:

0x55ea94f68125      55             push rbp
0x55ea94f68126      4889e5         mov rbp, rsp
0x55ea94f68129      b8efbeadde     mov eax, 0xdeadbeef
0x55ea94f6812e      5d             pop rbp
0x55ea94f6812f      c3             ret

As you can see, the value 0xdeadbeef is being moved into EAX.

Reliable Shellcode

Utilising ROP

Using ESP

ret2reg

ROP and Shellcode

Source

Exploitation

Using RSP

Source

Exploitation

Solution

Limited Space

Solution

ret2reg

Using ret2reg

Source

Using RSP

Source

Exploitation

Solution

Limited Space

Solution

ret2reg

ROP and Shellcode

Source

Exploitation

Using ret2reg

Source

Final Exploit

64-bit

ASLR

Potential Problems

Exploitation

Reliable Shellcode

Utilising ROP

Using ESP

ret2reg

Reliable Shellcode

hashtagUtilising ROP

hashtagUsing ESP

hashtagret2reg

ROP and Shellcode

hashtagSource

hashtagExploitation

Using RSP

hashtagSource

hashtagExploitation

hashtagSolution

hashtagLimited Space

hashtagSolution

ret2reg

Using ret2reg

hashtagSource

Using RSP

hashtagSource

hashtagExploitation

hashtagSolution

hashtagLimited Space

hashtagSolution

ret2reg

ROP and Shellcode

hashtagSource

hashtagExploitation

Using ret2reg

hashtagSource

hashtagFinal Exploit

hashtag64-bit

hashtagASLR

hashtagPotential Problems

hashtagExploitation

Reliable Shellcode

hashtagUtilising ROP

hashtagUsing ESP

hashtagret2reg

Utilising ROP

Using ESP

ret2reg

Source

Exploitation

Source

Exploitation

Solution

Limited Space

Solution

Source

Source

Exploitation

Solution

Limited Space

Solution

Source

Exploitation

Source

Final Exploit

64-bit

ASLR

Potential Problems

Exploitation

Utilising ROP

Using ESP

ret2reg