A friend of mine sent me a challenge called unexploitable (download from here, elf64). It has the following source code:
Full ASLR is also enabled. The binary is small, so there are not many gadgets available to do awesome things. Let us use what we have: an important gadget exists in __libc_csu_init, and it lets us control the first three parameters (rdi, rsi, rdx).

Above it is the call portion:

This is equivalent to calling (r12+rbx*8)(r13d, r14, r15). If we point r12 to 0x601000 we can call read with three parameters, which lets us control rax (read returns the number of bytes it read) and write anywhere writeable. Something like:
Another important gadget is:

So now we have all the parts needed to exploit this successfully. Our approach is as follows:
- do csu_read to write our ROP chain into known memory at 0x601010
- pop rbp; ret to set rbp to our new ROP location, 0x601010-8
- stack pivot
In our new ROP chain we do the following:
- read SYS_sigreturn bytes into any writeable memory, so that rax holds the sigreturn syscall number
- do the syscall (sigreturn)
- set up the sigreturn frame that sigreturn restores
- the sigreturn frame does an execve of /bin/sh
We also place the /bin/sh string, a pointer to it, and the envp pointer somewhere inside the known ROP location we are using.
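The approach above only works because the binary is not position independent: with full ASLR the stack and libc move, but 0x601000 and 0x601010 stay fixed, and that known writeable data is where the chain lands. As an added example that is not part of the original post or the challenge files, the following Python script parses an ELF64 image's program headers and dynamic section and reports exactly the properties a defender would check here (PIE, NX stack, RELRO level, and writeable segments at fixed addresses). The ELF images it inspects are constructed inline with assumed header values (a 0x400000 base with writeable data at 0x601000, mirroring the conventional non-PIE x86-64 layout); they are not the challenge binary.

```python
import struct

# ELF64 constants from the ELF specification and the GNU/Linux ABI extensions.
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<QQ")                  # Elf64_Dyn, 16 bytes


def parse_elf64(data: bytes) -> dict:
    """Return e_type, program headers and dynamic entries of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(data, 0)
    phdrs = []
    for i in range(e_phnum):
        (p_type, p_flags, p_offset, p_vaddr, _paddr,
         p_filesz, p_memsz, _align) = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                      "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    dynamic = {}
    for ph in phdrs:
        if ph["type"] == PT_DYNAMIC:
            off = ph["offset"]
            while off + DYN.size <= len(data):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                dynamic[tag] = val
                off += DYN.size
    return {"type": e_type, "phdrs": phdrs, "dynamic": dynamic}


def hardening_report(data: bytes) -> dict:
    """Summarise the mitigations an ELF64 image carries in its headers."""
    elf = parse_elf64(data)
    ph, dyn = elf["phdrs"], elf["dynamic"]
    stack = [p for p in ph if p["type"] == PT_GNU_STACK]
    # Without a PT_GNU_STACK header the kernel falls back to an executable stack.
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    relro_seg = any(p["type"] == PT_GNU_RELRO for p in ph)
    # Full RELRO needs the RELRO segment plus eager binding (GOT resolved before it is made read-only).
    bind_now = (DT_BIND_NOW in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    relro = "full" if relro_seg and bind_now else ("partial" if relro_seg else "none")
    pie = elf["type"] == ET_DYN
    # Writeable LOAD segments of a non-PIE executable sit at addresses ASLR cannot move.
    fixed_writable = [hex(p["vaddr"]) for p in ph
                      if not pie and p["type"] == PT_LOAD and p["flags"] & PF_W]
    return {"pie": pie, "nx": nx, "relro": relro, "fixed_writable": fixed_writable}


def build_sample(e_type: int, stack_flags: int, relro: bool, bind_now: bool) -> bytes:
    """Construct a minimal ELF64 image (headers only, not runnable) with the given properties.
    Constructed test data with assumed layout: base 0x400000, writeable data at 0x601000."""
    dyn = DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0) + DYN.pack(DT_NULL, 0)
    n = 5 if relro else 4
    dyn_off = EHDR.size + n * PHDR.size
    base = 0 if e_type == ET_DYN else 0x400000
    data_va = base + 0x201000
    segs = [
        (PT_LOAD, PF_R | PF_X, 0, base, dyn_off, dyn_off),
        (PT_LOAD, PF_R | PF_W, dyn_off, data_va, len(dyn), 0x1000),
        (PT_DYNAMIC, PF_R | PF_W, dyn_off, data_va, len(dyn), len(dyn)),
        (PT_GNU_STACK, stack_flags, 0, 0, 0, 0),
    ]
    if relro:
        segs.append((PT_GNU_RELRO, PF_R, dyn_off, data_va, len(dyn), len(dyn)))
    ph = b"".join(PHDR.pack(t, f, off, va, va, fsz, msz, 0x1000) for t, f, off, va, fsz, msz in segs)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\x00" * 9, e_type, 0x3E, 1, base + 0x1000,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, n, 0, 0, 0)
    return ehdr + ph + dyn


# Constructed samples: a non-PIE layout like the one the chain above relies on, and a hardened one.
NON_PIE_PARTIAL_RELRO = build_sample(ET_EXEC, PF_R | PF_W, relro=True, bind_now=False)
PIE_FULL_RELRO = build_sample(ET_DYN, PF_R | PF_W, relro=True, bind_now=True)

if __name__ == "__main__":
    for name, img in (("non-PIE", NON_PIE_PARTIAL_RELRO), ("PIE", PIE_FULL_RELRO)):
        print(name, hardening_report(img))
```

The non-PIE sample reports a writeable segment at a fixed 0x601000, which is the precondition for writing a chain to a known address under full ASLR; the PIE sample reports none, and full RELRO additionally makes the relocated data read-only after loading. The script parses headers only, so it does not detect a gadget like the one in __libc_csu_init; it shows whether the fixed-address assumption holds.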
Full exploit: