
I have a program with a stack based buffer overflow. It is running PIE with ASLR and DEP, however there is a section of executable code that is at a fixed location.

However, this region does not contain an int 0x80; ret gadget. I can control eax, ebx, ecx, and edx. How can I execute arbitrary syscalls to, say, call mprotect and read in shellcode? Every syscall seems to require an int 0x80, and I'm not sure how to bypass this.

There is an int 0x80 gadget in the relevant code, however it is followed by a jmp instruction.

So I'm looking for either a way to make syscalls without int 0x80, or a way to make two syscalls at once (to set memory protections, read in, and execute shellcode).

robertkin



int 0x80 is a really old way to make system calls. I'm not sure if it is even supported anymore. You might want to look for a syscall/sysenter instruction in the image. Of course this depends on what underlying hardware and OS you are using. If you are using any hardware/hardware VM emulator and software newer than 1995, you should probably be looking for a syscall/sysenter instruction.

Syscall/sysenter are used (one or the other, depending on whether the executable is 32-bit or 64-bit) to make system calls. Register configuration for using syscall and int 0x80 should be the same. You should be able to find syscall/sysenter easily. Most applications should have vdso.so mapped into their address space. You can maybe use this knowledge to find a syscall; ret gadget. Refer to

https://man7.org/linux/man-pages/man7/vdso.7.html

You cannot make two syscalls on the same core at the same time.

forest
Raghu
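An added check from the auditing side, not part of the question or the answer above: the question's premise is an executable region that stays at a fixed address even though the binary is PIE under ASLR. This script compares two constructed /proc/&lt;pid&gt;/maps snapshots of the same (hypothetical) 32-bit process across two launches and flags executable mappings that did not move, which is how a defender confirms whether a build really leaves no fixed code region for a ROP chain to rely on. All paths and addresses are constructed sample data.

```python
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str

def parse_maps(text: str) -> list:
    """Parse maps-format text into Mapping records; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                               m.group(3), m.group(4).strip()))
    return out

def executable(maps: list) -> list:
    """Mappings with the execute bit set (the only ones a ROP chain can return into)."""
    return [m for m in maps if "x" in m.perms]

def fixed_executable_regions(run_a: list, run_b: list) -> list:
    """Executable mappings whose [start, end) is identical in both runs.
    Anything listed here was not relocated by ASLR, so the build or the
    loader needs fixing (non-PIE object, prelinked library, fixed stub)."""
    in_b = {(m.start, m.end) for m in executable(run_b)}
    return [m for m in executable(run_a) if (m.start, m.end) in in_b]

# Constructed snapshots: everything moves between launches except fixed-stub.
RUN_A = """\
08048000-08049000 r-xp 00000000 08:01 1001 /tmp/example/fixed-stub
565a0000-565b2000 r-xp 00001000 08:01 1002 /tmp/example/victim
565b2000-565b4000 rw-p 00013000 08:01 1002 /tmp/example/victim
f7d00000-f7ef0000 r-xp 00000000 08:01 1003 /usr/lib32/libc.so.6
f7fc8000-f7fca000 r-xp 00000000 00:00 0 [vdso]
ffb40000-ffb61000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
08048000-08049000 r-xp 00000000 08:01 1001 /tmp/example/fixed-stub
56610000-56622000 r-xp 00001000 08:01 1002 /tmp/example/victim
56622000-56624000 rw-p 00013000 08:01 1002 /tmp/example/victim
f7c80000-f7e70000 r-xp 00000000 08:01 1003 /usr/lib32/libc.so.6
f7f5e000-f7f60000 r-xp 00000000 00:00 0 [vdso]
ffc10000-ffc31000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for m in fixed_executable_regions(parse_maps(RUN_A), parse_maps(RUN_B)):
        print(f"fixed executable region: {m.start:08x}-{m.end:08x} {m.path}")
```

On a real system, feed it the contents of /proc/&lt;pid&gt;/maps captured from two separate launches; the vDSO is itself randomized, so it only shows up if ASLR is off entirely.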