syscalls and SROP: SigReturn Oriented Programming

OK so this is another cool tool for your PWN utility belt.

Here's the promise:

Imagine the ability to set every. single. register. at once.

With that kind of power you can set the instruction pointer to any location and pass it whatever arguments you need.

You could rework the location of the entire stack.

A pretty powerful PWN primitive.

Well all you need is syscall 0xf and about 300 bytes

(In 32-bit that's 0x77 and int 0x80)

Let's see it in action.

Walkthrough time: srop from Rooters 2019

I have the binary for you at /ctf/srop/vuln if you'd like to follow along.

There are also several write-ups on the internet out there which you can use to get started when you're ready.

• Scouting: no win function
• Scouting: pop rax; syscall - not a lot of other gadgets
• Scouting: 0x400 bytes so room for a stack frame
• Scouting: No "/bin/sh\x00" string

So our job is to execve("/bin/sh\x00") and we can control all of the registers at once.

Since we have to manufacture a win function we need to:

• first: write /bin/sh into memory somewhere we know
• second: do syscall with execve using that string address

Minor Aside:

The pwntools ELF tool is awesome.

elf.writable_segments is a list of any segments that are writable.

elf.writable_segments[0].header['p_paddr'] although fart around don't copy paste this one.

Using the SROP:

pwntools makes this easy:

Writing /bin/sh

So we've found a writable segment, let's call it: dataseg

We need to write to the dataseg and craft our own baby stack over there.

So that might look something like this: