
I'm following this tutorial for ROP exploitation. When I retrieve the vulnerable program memory map I get that `<__data_start>` is at 0x0000201c, which is much lower than what is supposed by the tutorial. To write at this location I prepare the address in eax with the following gadgets:

```asm
xor eax, eax;;      ; eax = 0
add eax, 0xd;;      ; eax = 0x0000000d
mov ah, 0x13;;      ; eax = 0x0000130d
add ah, al;;        ; eax = 0x0000200d
add eax, 0xf;;      ; eax = 0x0000201c
```

Finally I use a `mov [eax], ecx` instruction to write at .data, which should be RW, but I get a SIGSEGV segmentation fault. I also tried to read from gdb at that address but I got a message similar to "memory at 0x201c cannot be read". Since .data should be in the address space of the process I get confused... I assume it must be some kind of protection either by gcc or the OS, but I do not understand which one. Any idea? If so, can you explain how it works and whether it is possible to disable it?

I have disabled ASLR and I'm running Kali 32-bit (Debian 4.14.12-2kali1 (2018-01-08)) with gcc version 7.3.0 (Debian 7.3.0-11).

  • `0x201c` looks like a relative offset from the start of a page or something, probably the alignment of the data segment within the executable file. Use a debugger to check the address at runtime. (You probably have a PIE executable with ASLR, and note that GDB disables ASLR by default, so it might only have the same address every time when run inside GDB). – Peter Cordes May 09 '18 at 20:07
  • 1
    from gdb, by using "maintenance info sections" I got: [23] 0x201c->0x2024 at 0x0000101c: .data ALLOC LOAD DATA HAS_CONTENTS Whereas by using "info files" I got: "0x0040201c - 0x00402024 is .data" finally if I compile with no-pie and I use objdump to retrieve the .data address I get 0804a01c <__data_start>: Thanks a lot!!! – Luigi May 09 '18 at 21:04
  • You can also get section / segment info with `readelf -a`. And yup, with `gcc -no-pie`, the final runtime addresses are known at link time, and `objdump` can get them from the executable. [PIE executables are the default on many recent distros.](https://stackoverflow.com/questions/43367427/32-bit-absolute-addresses-no-longer-allowed-in-x86-64-linux), so examples / tutorials can be confusing if they were written on systems where `-no-pie` was the default. – Peter Cordes May 09 '18 at 23:17
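The comments above come down to one check: whether the binary is a PIE (ELF type `ET_DYN`, whose section addresses are offsets from a load base chosen at run time) or a classic executable (`ET_EXEC`, whose link-time addresses are final). The script below is an added example, not code from the question or from the tutorial it refers to: it reads the ELF header fields that `readelf -h` reports, decides which case applies, and converts a link-time address such as `0x201c` into the runtime one by adding the load base. The two sample headers (`PIE_SAMPLE`, `NOPIE_SAMPLE`) are constructed in the script so it runs offline; the load base `0x00400000` and the addresses `0x201c` and `0x0804a01c` are the values quoted in the comments.

```python
import struct
import sys

# ELF e_type values (from the ELF specification)
ET_EXEC = 2   # fixed-address executable: link-time addresses are final
ET_DYN = 3    # shared object or PIE: addresses are offsets from the load base


def parse_elf_header(data: bytes) -> dict:
    """Parse the fields of an ELF header that decide how addresses are interpreted.

    Layout (both ELF32 and ELF64): e_ident[16], e_type (2), e_machine (2),
    e_version (4), then e_entry, which is 4 bytes for ELF32 and 8 for ELF64.
    """
    if len(data) < 32 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = data[4]   # 1 = ELF32, 2 = ELF64
    ei_data = data[5]    # 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    if ei_class == 1:
        (e_entry,) = struct.unpack(endian + "I", data[24:28])
    elif ei_class == 2:
        (e_entry,) = struct.unpack(endian + "Q", data[24:32])
    else:
        raise ValueError("bad EI_CLASS")
    return {"class": 32 if ei_class == 1 else 64, "type": e_type,
            "machine": e_machine, "entry": e_entry}


def is_pie(hdr: dict) -> bool:
    """A PIE is an ET_DYN file with an entry point; readelf -h shows 'DYN'."""
    return hdr["type"] == ET_DYN


def runtime_address(hdr: dict, link_addr: int, load_base: int) -> int:
    """Turn an address taken from objdump/readelf into the address the process sees.

    For a PIE the debugger (or /proc/<pid>/maps) tells you the load base, and the
    section offset is added to it; for ET_EXEC the link-time address is already final.
    """
    if hdr["type"] == ET_DYN:
        return load_base + link_addr
    if hdr["type"] == ET_EXEC:
        return link_addr
    raise ValueError("not an executable ELF type")


def make_elf32_header(e_type: int, e_entry: int) -> bytes:
    """Build a minimal, constructed 52-byte ELF32 little-endian header for EM_386 (3)."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, e_entry,
                                 52, 0, 0, 52, 32, 0, 40, 0, 0)


# Constructed samples: a PIE (what gcc 7 on Debian/Kali produces by default)
# and a -no-pie build with the classic i386 entry address.
PIE_SAMPLE = make_elf32_header(ET_DYN, 0x1050)
NOPIE_SAMPLE = make_elf32_header(ET_EXEC, 0x08048310)


def describe(data: bytes, link_addr: int, load_base: int) -> str:
    hdr = parse_elf_header(data)
    kind = "PIE (ET_DYN)" if is_pie(hdr) else "non-PIE (ET_EXEC)"
    return "%s: link-time 0x%x -> runtime 0x%x" % (
        kind, link_addr, runtime_address(hdr, link_addr, load_base))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python3 check_pie.py ./vuln  (reads the real binary's header)
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read(64), 0x201c, 0x00400000))
    else:
        print(describe(PIE_SAMPLE, 0x201c, 0x00400000))      # 0x201c -> 0x40201c
        print(describe(NOPIE_SAMPLE, 0x0804a01c, 0x00400000))  # unchanged
```

Run it with no arguments to see the two constructed cases, or point it at the compiled program to confirm which case the tutorial's addresses fall into; under a debugger with ASLR off the load base is stable, but once ASLR is active the base (and so the runtime address of `.data`) changes on every run, which is exactly why an offset such as `0x201c` cannot be dereferenced as-is.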
