Skip to content

Latest commit

 

History

History
87 lines (49 loc) · 3.14 KB

sigreturn-oriented-programming-srop.md

File metadata and controls

87 lines (49 loc) · 3.14 KB
description
09/22/2023

🛑 Sigreturn-Oriented Programming (SROP)

Introduction

References

{% embed url="https://github.com/adwait1-g/adwait1-g.github.io/blob/master/_posts/REBESeries/2021-05-09-sigreturn-oriented-programming.md" %}

{% embed url="https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop/using-srop" %}

What is a sigreturn?

This is a special kind of syscall.

It's whole purpose is to return from the signal handler and to clean up the stack frame after a signal has been unblocked.

How does it work?

This will store all the register values on the stack.

As soon as the signal is unblocked, the values will be POP'd back into the bottom of the sigreturn frame which is the collection of register values.

Exploitation in a Nutshell?

By taking advantage of a sigreturn, we can control ALL register values at once.

However, this means that we lose the ability to pick and chose registers.

So, if we cannot pinpoint a stack leak vulnerability, it will be hard to set registers like RSP to work in our favor for our goal.

NOTE: This is a powerful exploit technique when we have limited gadgets at our disposal.

What is this exploit all about?

It will exploit a vulnerability present in the way signals are handles in Unix-based operating systems.

First, we will work on understanding what a signal is.

Then, we will get into the internals and understand how signals work.

Lastly, we will identify the vulnerability and exploit it to gain a shell!

NOTE: ROP and SROP are two different types of vulnerabilities.

Understanding Signals

A signal is a software-interrupt sent to your program when a certain event happens.

Here is the easiest example of a software-interrupt:

random.c:

#include <stdio.h>

void main()
{
    printf("Infinite loop that does nothing incoming...\n");
        while(1);
}

Compile:

gcc random.c -o random

When we ctrl+c, we will essentially kill the running program.

When we run the program normally, we can see an infinite loop that does NOTHING.

When we kill the program, we see this.

However, if we view this with strace, we see things a little differently:

See the SIGINT at the bottom?

That is our input from the keyboard (ctrl+c) being sent as a software-interrupt to kill the program.