Don't like this style? Click here to change it! blue.css

Welcome .... Click here to logout

syscalls and SROP: SigReturn Oriented Programming

OK so this is another cool tool for your PWN utility belt.

Here's the promise:

Imagine the ability to set every. single. register. at once.

With that kind of power you can set the instruction pointer to any location and pass it whatever arguments you need.

You could rework the location of the entire stack.

A pretty powerful PWN primitive.

Well all you need is syscall 0xf and about 300 bytes

(In 32-bit that's 0x77 and int 0x80)

Let's see it in action.

What's a syscall?

syscall is a low-level operation where the CODE can call the KERNEL. This is how operating systems separate processes from all the low-level concerns of where files live and spawning a sub-process or interrupting a process, etc.

The way it works is pretty simple LINK TO THE TABLE:

OK so it's a new kind of calling convention:

If you have a gadget using syscall you'll need a way to load/change RAX (which is the return value of most functions including some syscalls).

In 32-bit it's called int 0x80 not syscall, it also get's its own 32-bit table

Key syscall functions:

Live Demo: small_boi

Walkthrough time: srop from Rooters 2019

I have the binary for you at /ctf/srop/vuln if you'd like to follow along.

There are also several write-ups on the internet out there which you can use to get started when you're ready.

So our job is to execve("/bin/sh\x00") and we can control all of the registers at once.

Since we have to manufacture a win function we need to:

Minor Aside:

The pwntools ELF tool is awesome.

elf.writable_segments is a list of any segments that are writable.

elf.writable_segments[0].header['p_paddr'] although fart around don't copy paste this one.

Using the SROP:

pwntools makes this easy:

Writing /bin/sh

So we've found a writable segment, let's call it: dataseg

We need to write to the dataseg and craft our own baby stack over there.

So that might look something like this: