One Gadget RCE

Sometimes we can only overwrite the return address. A common reason on 64-bit is that a user-space address such as 0x00007fxxxxxxxxxx contains zero bytes, and strcpy stops copying at the first '\x00', so a single address is all that fits in the payload and it has to be the last thing in it. In that case, instead of building a chain, we look for a code sequence already present in the program or its libc that ends in execve("/bin/sh") and return straight into it.



For example,

.text:00000000000E681D mov rax, cs:environ_ptr_0
.text:00000000000E6824 lea rsi, [rsp+1D8h+var_168]
.text:00000000000E6829 lea rdi, aBinSh ; "/bin/sh"
.text:00000000000E6830 mov rdx, [rax]
.text:00000000000E6833 call execve


The sequence above lives in libc. Returning to libc_base + 0xE681D runs it: rdi is pointed at the "/bin/sh" string, rsi at a supposed argv array on the stack (rsp+0x70), and rdx is loaded from environ, so the call becomes execve("/bin/sh", argv, environ) and we get a shell from a single overwritten return address.

How to find a one gadget RCE?
We can find this kind of sequence with IDA: start from the cross-references to the "/bin/sh" string, or search for calls to execve in the code. There are usually several candidate sequences. Not every one works from every return point, though: each gadget assumes some register or stack state at the moment we jump into it. In the sequence above, rsi is taken from rsp+0x70 and passed as argv, so the gadget only succeeds if that slot holds NULL (or the start of a valid, NULL-terminated argv array) when it runs; otherwise execve gets a bogus argv and fails instead of spawning a shell. Compare the stack at the return with what each candidate reads before relying on it, or fall back to another candidate.
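The IDA search described above can be automated. The scanner below is an added example written for this page, not code from the original post or from any existing tool. It works on a flat byte image where file offset equals virtual address (true for the first PT_LOAD of a typical libc, but treat it as an assumption), locates every "/bin/sh" string, finds each rip-relative `lea rdi` that points at one, checks that a `call execve` follows, walks backwards over the few instruction encodings the gadget is made of to find the entry point, and reports the stack constraint the gadget needs. Everything except the 0xE681D entry address and the instruction sequence from the listing above (the "/bin/sh", execve and environ_ptr offsets, the decoy `call` target, the leaked libc base) is made up for the constructed sample image. Assumption: the tiny decoder only knows these five encodings; a real libc needs a real disassembler for the backward walk.

```python
"""One-gadget candidate scanner over a flat libc image (constructed sample)."""
import re
import struct

BINSH = b"/bin/sh\x00"
MASK64 = (1 << 64) - 1


def decode(image, addr):
    """Decode the instruction at addr if it is one of the handful of x86-64
    shapes the gadget is built from, else None. Returns (mnemonic, length,
    operand): the resolved rip-relative target, the call target, or the rsp
    displacement. Deliberately a pattern matcher, not a disassembler."""
    b = image[addr:addr + 7]
    if len(b) >= 7 and b[:3] == b"\x48\x8d\x3d":        # lea rdi, [rip+disp32]
        disp = struct.unpack_from("<i", b, 3)[0]
        return ("lea rdi, [rip+disp32]", 7, (addr + 7 + disp) & MASK64)
    if len(b) >= 7 and b[:3] == b"\x48\x8b\x05":        # mov rax, [rip+disp32]
        disp = struct.unpack_from("<i", b, 3)[0]
        return ("mov rax, [rip+disp32]", 7, (addr + 7 + disp) & MASK64)
    if len(b) >= 5 and b[:4] == b"\x48\x8d\x74\x24":    # lea rsi, [rsp+disp8]
        return ("lea rsi, [rsp+disp8]", 5, struct.unpack_from("<b", b, 4)[0])
    if b[:3] == b"\x48\x8b\x10":                        # mov rdx, [rax]
        return ("mov rdx, [rax]", 3, None)
    if len(b) >= 5 and b[:1] == b"\xe8":                # call rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        return ("call rel32", 5, (addr + 5 + rel) & MASK64)
    return None


def walk(image, start, stop):
    """Decode known-shape instructions from start until an unknown byte or
    until stop is reached. Returns (list of (addr, insn), final pc)."""
    insns, pc = [], start
    while pc < stop:
        d = decode(image, pc)
        if d is None:
            break
        insns.append((pc, d))
        pc += d[1]
    return insns, pc


def find_one_gadgets(image, execve_addr, max_backtrack=24):
    """Return candidates as dicts: entry offset, instruction chain, constraints."""
    binsh = {m.start() for m in re.finditer(re.escape(BINSH), image)}
    found = []
    for m in re.finditer(rb"\x48\x8d\x3d", image):      # every lea rdi, [rip+...]
        lea = m.start()
        d = decode(image, lea)
        if d is None or d[2] not in binsh:
            continue
        # Forward: within a few bytes the sequence must call execve.
        fwd, pc, target = [], lea, None
        while pc < lea + 16:
            d = decode(image, pc)
            if d is None:
                break
            fwd.append((pc, d))
            pc += d[1]
            if d[0] == "call rel32":
                target = d[2]
                break
        if target != execve_addr:                       # e.g. a system("/bin/sh") call site
            continue
        # Backward: earliest offset whose known-shape instructions chain exactly into the lea.
        start, back = lea, []
        for s in range(max(0, lea - max_backtrack), lea):
            insns, pc = walk(image, s, lea)
            if insns and pc == lea:
                start, back = s, insns
                break
        # Constraints: what the gadget reads that the caller's state must satisfy.
        rax_set = rsi_set = False
        constraints = []
        for _, d in back + fwd:
            if d[0] == "mov rax, [rip+disp32]":
                rax_set = True
            elif d[0] == "lea rsi, [rsp+disp8]":
                rsi_set = True
                constraints.append("[rsp+%#x] == NULL" % d[2])   # argv[0] must be NULL
            elif d[0] == "mov rdx, [rax]" and not rax_set:
                constraints.append("rax -> valid envp")
        if not rsi_set:
            constraints.append("rsi -> valid argv")
        found.append({"start": start, "insns": back + fwd, "constraints": constraints})
    return found


def build_sample_image():
    """Constructed flat image, not a real libc: the post's sequence at 0xE681D,
    made-up offsets for "/bin/sh", execve and environ_ptr, plus a decoy that
    loads "/bin/sh" but calls something other than execve."""
    img = bytearray(0x200000)
    binsh, execve, environ_ptr, seq = 0x18CD57, 0xBB7B0, 0x3C1F38, 0xE681D
    code = b"\x48\x8b\x05" + struct.pack("<i", environ_ptr - (seq + 7))     # mov rax, cs:environ_ptr_0
    code += b"\x48\x8d\x74\x24\x70"                                          # lea rsi, [rsp+0x70]
    code += b"\x48\x8d\x3d" + struct.pack("<i", binsh - (seq + 12 + 7))     # lea rdi, aBinSh
    code += b"\x48\x8b\x10"                                                   # mov rdx, [rax]
    code += b"\xe8" + struct.pack("<i", execve - (seq + 22 + 5))             # call execve
    img[seq:seq + len(code)] = code
    img[binsh:binsh + len(BINSH)] = BINSH
    decoy, other = 0x45226, 0x45390                                          # made-up offsets
    img[decoy:decoy + 12] = (b"\x48\x8d\x3d" + struct.pack("<i", binsh - (decoy + 7))
                             + b"\xe8" + struct.pack("<i", other - (decoy + 7 + 5)))
    return bytes(img), execve


if __name__ == "__main__":
    image, execve = build_sample_image()
    libc_base = 0x7FFFF7A0D000                           # hypothetical leaked base
    for g in find_one_gadgets(image, execve):
        print("one gadget at libc_base + %#x (runtime %#x)" % (g["start"], libc_base + g["start"]))
        for addr, (mnemonic, _, _) in g["insns"]:
            print("  %#x  %s" % (addr, mnemonic))
        print("  constraints:", "; ".join(g["constraints"]) or "none")
```

The decoy at 0x45226 is dropped because its call does not reach execve, and the surviving candidate is reported as libc_base + 0xE681D with the constraint "[rsp+0x70] == NULL", which is exactly the check to perform against the stack at the return before trusting the gadget. On a real libc the same idea applies, but the backward walk needs a proper disassembler (or the Ruby tool one_gadget, which automates this search and prints the constraints).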


References:
https://www.yumpu.com/en/document/view/45633704/1bknhyv/36
https://github.com/VulnHub/ctf-writeups/blob/master/2015/whitehat-ctf/pwn200.md
