This week I've been working on writing two demo examples for demonstrating how you can use SROP with binjitsu. I've also done a bit of work on the ARM end. I've been testing on an RPi and so far I've been unsuccessful at loading up R0 when the sigreturn call happens (so that's what I'll be working on next week).
The example that demonstrates SROP usage can be seen here: https://github.com/binjitsu/examples/pull/4/files
The first example has a regular binary that is statically linked against libc and has a very convenient PoC-style information leak. We use SROP to execve a shell.
The second example is a binary that has a wrapper around the open system call but does not have wrappers for any other system calls. We use this example to demonstrate SROP-ROP integration. First, we make a call to "open" to open the flag file. Second, we make a call to "sendfile" to send the file contents over. There is no sendfile wrapper present in the binary, so the library automatically switches over to SROP and makes the corresponding system call.
A description of the box on which tests were performed can be seen at the top of the patch in the above link.