Ret2ret & Ret2pop
The main goal of this technique is to try to bypass ASLR by abusing an existing pointer in the stack.
Stack overflows are usually caused by strings, and a string is terminated in memory by a null byte. That final null byte can be used to lower the address held by a pointer that already exists on the stack. So if the stack contained 0xbfffffdd, the overflow could transform it into 0xbfffff00 (note the last zeroed byte).
If that address points to our shellcode in the stack, it's possible to make the flow reach it by chaining addresses of a ret instruction until that modified pointer is reached.
Therefore the attack would be laid out like this:
NOP sled
Shellcode
Overwrite the stack from the EIP with addresses of ret (RET sled)
0x00 added by the string, modifying an address from the stack so that it points to the NOP sled
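As an added illustration (not code from the original page), the following C program reproduces the null-byte truncation described above on a constructed layout: a 16-byte string buffer directly followed by a 32-bit saved pointer, on a little-endian machine, so the NUL that terminates the copied string lands on the pointer's least-significant byte. The frame layout, buffer size and sled bounds are assumptions chosen to match the page's example values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout, not taken from the page: a 16-byte string buffer
 * directly followed by a 32-bit saved pointer, as on a 32-bit stack. */
struct frame {
    char     buf[16];
    uint32_t saved_ptr;   /* the "existing pointer" the text refers to */
};

#define ORIGINAL_PTR 0xbfffffddu   /* example value from the page */

/* Copy a C string into the frame the way strcpy would (terminating NUL
 * included) and return the saved pointer's value afterwards.  The copy is
 * capped at the frame size only so the simulation itself stays in bounds. */
uint32_t simulate_string_overflow(const char *payload)
{
    struct frame f;
    size_t n = strlen(payload) + 1;          /* +1: the terminating 0x00 */

    memset(f.buf, 0, sizeof f.buf);
    f.saved_ptr = ORIGINAL_PTR;
    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, payload, n);                  /* overflows buf into saved_ptr */
    return f.saved_ptr;                      /* little-endian: LSB sits lowest */
}

/* True when a (possibly truncated) pointer falls inside [start, start+len). */
int lands_in_nop_sled(uint32_t ptr, uint32_t sled_start, uint32_t sled_len)
{
    return ptr >= sled_start && ptr < sled_start + sled_len;
}

int main(void)
{
    /* exactly fills buf: only the NUL spills over, zeroing the low byte */
    const char *just_fits = "AAAAAAAAAAAAAAAA";
    uint32_t p = simulate_string_overflow(just_fits);
    printf("0x%08x -> 0x%08x\n", ORIGINAL_PTR, p);   /* 0xbfffffdd -> 0xbfffff00 */
    printf("in sled: %d\n", lands_in_nop_sled(p, 0xbfffff00u, 0x80));
    return 0;
}
```

A payload one byte shorter keeps its NUL inside the buffer and leaves the pointer untouched, which is why the sled length matters in the ret2pop variant below.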
Following this link you can see an example of a vulnerable binary and in this one the exploit.
If you can find a perfect pointer in the stack that you don't want to modify (in ret2ret we change the final, lowest byte to 0x00), you can perform the same ret2ret attack, but the RET sled must be shortened by 1 (so the final 0x00 overwrites the data just before the perfect pointer), and the last address of the RET sled must point to a pop <reg>; ret gadget.
This way, the data before the perfect pointer (the data affected by the 0x00) is popped off the stack, and the final ret will jump to the perfect address in the stack without any change.
Following this link you can see an example of a vulnerable binary and in this one the exploit.