
Commit 96f7c03

Merge pull request #2016 from HackTricks-wiki/research_update_src_binary-exploitation_rop-return-oriented-programing_ret2vdso_20260317_023759
Research Update Enhanced src/binary-exploitation/rop-return-...
2 parents 4250b2e + b0bfd61 commit 96f7c03

1 file changed

Lines changed: 12 additions & 3 deletions

src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md

@@ -4,7 +4,13 @@
44

55
## Basic Information
66

7-
There might be **gadgets in the vDSO region**, which is used to change from user mode to kernel mode. In these type of challenges, usually a kernel image is provided to dump the vDSO region.
7+
There might be **gadgets in the vDSO region**, which is a small ELF DSO mapped by the kernel to provide fast user-space implementations of some kernel helpers. In these type of challenges, usually a kernel image is provided to dump the vDSO region.
8+
9+
### Locating the vDSO base and exports
10+
11+
The vDSO base address is passed in the auxiliary vector as `AT_SYSINFO_EHDR`, so if you can read `/proc/<pid>/auxv` (or call `getauxval` in a helper process), you can recover the base without relying on a memory leak. See [Auxiliary Vector (auxv) and vDSO](../basic-stack-binary-exploitation-methodology/elf-tricks.md) for practical ways to obtain it.
12+
13+
Once you have the base, treat the vDSO like a normal ELF DSO (`linux-vdso.so.1`): dump the mapping and use `readelf -Ws`/`objdump -d` (or the kernel reference parser `tools/testing/selftests/vDSO/parse_vdso.c`) to resolve exported symbols and look for gadgets. On x86 32-bit the vDSO commonly exports `__kernel_vsyscall`, `__kernel_sigreturn`, and `__kernel_rt_sigreturn`; on x86_64 typical exports include `__vdso_clock_gettime`, `__vdso_gettimeofday`, and `__vdso_time`. Because the vDSO uses symbol versioning, match the expected version when resolving symbols.
814

915
Following the example from [https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/](https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/) it's possible to see how it was possible to dump the vdso section and move it to the host with:
1016

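Review bot: the suggestion in the new line 11 to "call `getauxval` in a helper process" only recovers the helper's own vDSO base, which matches the target's only when ASLR is off (the vDSO mapping is randomized per process under `randomize_va_space`); the sentence should qualify that, and also note that reading `/proc/<pid>/auxv` for another process is subject to the same ptrace access check as `/proc/<pid>/mem`. Minor wording in the same hunk: "In these type of challenges" should read "In these types of challenges" (carried over from the old line 7), and line 13 might mention that the version to match is `LINUX_2.6` (the version tag documented in vdso(7) for x86), since the text tells the reader to match the version without saying which one.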
@@ -60,13 +66,16 @@ pop_ebx_pop_esi_pop_ebp_ret = vdso_addr + 0x15cd
6066
6167
### ARM64
6268

63-
After dumping and checking the vdso section of a binary in kali 2023.2 arm64, I couldn't find in there any interesting gadget (no way to control registers from values in the stack or to control x30 for a ret) **except a way to call a SROP**. Check more info int eh example from the page:
69+
After dumping and checking the vdso section of a binary in kali 2023.2 arm64, I couldn't find in there any interesting gadget (no way to control registers from values in the stack or to control x30 for a ret) **except a way to call a SROP**. Check more info in the example from the page:
6470

6571

6672
{{#ref}}
6773
srop-sigreturn-oriented-programming/srop-arm64.md
6874
{{#endref}}
6975

70-
{{#include ../../banners/hacktricks-training.md}}
76+
## References
7177

78+
- [https://man7.org/linux/man-pages/man7/vdso.7.html](https://man7.org/linux/man-pages/man7/vdso.7.html)
79+
- [https://www.kernel.org/doc/Documentation/ABI/stable/vdso](https://www.kernel.org/doc/Documentation/ABI/stable/vdso)
7280

81+
{{#include ../../banners/hacktricks-training.md}}
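Review bot: the ARM64 paragraph in the context lines still says "vdso section", while the hunk above now correctly describes the vDSO as an ELF DSO/mapping; for consistency write "vDSO mapping" here too, and "a way to call a SROP" reads better as "a way to perform SROP". The two references added below are appropriate for the new "Locating the vDSO base and exports" section; consider linking the ARM64 paragraph to the kernel ABI document as well, since that document lists the per-architecture exports the paragraph is describing. Moving the `{{#include ../../banners/hacktricks-training.md}}` line below the new References section is fine as long as that ordering matches the other pages in the repo.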