| #!/usr/bin/env python2 | |
| import profile | |
| from pwn import * | |
| from pprint import pprint | |
def f1():
    """Walk through pwntools' ROP helper on a set of tiny, self-assembled ELFs.

    Each section resets the global ``context`` (``arch``, and in two places
    ``kernel``), assembles a handful of gadgets with ``ELF.from_assembly``,
    builds a chain with ``ROP(...)`` and prints the result.  The ``#0x....:``
    comment lines after each ``print rop.dump()`` record the dump output the
    author observed for that section.  Two sections go further and run the
    assembled ELF as a local child ``process`` with the chain on stdin.

    Python 2 only (``print`` statements, ``python2`` shebang).  No arguments,
    no return value; output goes to stdout.
    """
    # --- chain with raw words and symbol-resolved calls on a one-gadget ELF ---
    context.clear(arch='i386')
    binary = ELF.from_assembly('add esp, 0x10; ret')
    # Fake symbol table: the addresses are not backed by code, the chain is only dumped.
    binary.symbols = {'read': 0xdeadbeef, 'write': 0xdecafbad, 'exit': 0xfeedface}
    rop = ROP(binary)
    rop.raw(0)
    # unpack() turns the 4 bytes into one machine word (0x64636261 in the dump).
    rop.raw(unpack('abcd'))
    rop.raw(2)
    print rop.dump()
    #0x0000: 0x0
    #0x0004: 0x64636261
    #0x0008: 0x2
    rop.call('read', [4,5,6])
    print rop.dump()
    #0x0000: 0x0
    #0x0004: 0x64636261
    #0x0008: 0x2
    #0x000c: 0xdeadbeef read(4, 5, 6)
    #0x0010: 'eaaa' <pad>
    #0x0014: 0x4 arg0
    #0x0018: 0x5 arg1
    #0x001c: 0x6 arg2
    # Symbol names are also reachable as attributes on the ROP object.
    # Once a later call follows, the <pad> slot becomes the 'add esp, 0x10' cleanup gadget.
    rop.write(7,8,9)
    rop.exit()
    print rop.dump()
    #0x0000: 0x0
    #0x0004: 0x64636261
    #0x0008: 0x2
    #0x000c: 0xdeadbeef read(4, 5, 6)
    #0x0010: 0x10000000 <adjust: add esp, 0x10; ret>
    #0x0014: 0x4 arg0
    #0x0018: 0x5 arg1
    #0x001c: 0x6 arg2
    #0x0020: 'iaaa' <pad>
    #0x0024: 0xdecafbad write(7, 8, 9)
    #0x0028: 0x10000000 <adjust: add esp, 0x10; ret>
    #0x002c: 0x7 arg0
    #0x0030: 0x8 arg1
    #0x0034: 0x9 arg2
    #0x0038: 'oaaa' <pad>
    #0x003c: 0xfeedface exit()
    # --- end-to-end: a self-built target that reads a chain from stdin and prints a string ---
    context.clear(arch='i386')
    c = constants
    # 'read' fills the stack (esp) from stdin, so whatever is sent becomes the return chain.
    assembly = 'read:' + shellcraft.read(c.STDIN_FILENO, 'esp', 1024)
    assembly += 'ret\n'
    assembly += 'add_esp: add esp, 0x10; ret\n'
    # 'write' is a stack-argument wrapper: fd, buf, len are picked up relative to ebp.
    assembly += 'write: enter 0,0\n'
    assembly += ' mov ebx, [ebp+4+4]\n'
    assembly += ' mov ecx, [ebp+4+8]\n'
    assembly += ' mov edx, [ebp+4+12]\n'
    assembly += shellcraft.write('ebx', 'ecx', 'edx')
    assembly += ' leave\n'
    assembly += ' ret\n'
    assembly += 'flag: .asciz "The flag"\n'
    assembly += 'exit: ' + shellcraft.exit(0)
    binary = ELF.from_assembly(assembly)
    rop = ROP(binary)
    # Real symbols this time, so the dump annotates the 'flag' argument by name.
    rop.write(c.STDOUT_FILENO, binary.symbols['flag'], 8)
    rop.exit()
    print rop.dump()
    #0x0000: 0x10000012 write(STDOUT_FILENO, 268435494, 8)
    #0x0004: 0x1000000e <adjust: add esp, 0x10; ret>
    #0x0008: 0x1 arg0
    #0x000c: 0x10000026 flag
    #0x0010: 0x8 arg2
    #0x0014: 'faaa' <pad>
    #0x0018: 0x1000002f exit()
    # str(rop) is the packed chain; enhex() shows it as a hex string for comparison.
    raw_rop = str(rop)
    print enhex(raw_rop)
    #120000100e000010010000002600001008000000666161612f000010
    # Side effect: runs the ELF assembled above as a local child process and
    # feeds the chain to its read(); recvall() blocks for up to 5 s.
    p = process(binary.path)
    p.send(raw_rop)
    print p.recvall(timeout=5)
    #The flag
    # --- rop.execve() on a target that only has 'pop eax; ret' and 'int 0x80' ---
    context.clear(arch='i386')
    c = constants
    assembly = 'read:' + shellcraft.read(c.STDIN_FILENO, 'esp', 1024)
    assembly += 'ret\n'
    assembly += 'pop eax; ret\n'
    assembly += 'int 0x80\n'
    assembly += 'binsh: .asciz "/bin/sh"'
    binary = ELF.from_assembly(assembly)
    # kernel is set separately from arch (i386 user code on an amd64 kernel).
    context.kernel = 'amd64'
    print context
    rop = ROP(binary)
    binsh = binary.symbols['binsh']
    # With no argument-loading gadgets, ROP emits a full register frame
    # (the gs ... fpstate entries below) restored via the 0x77 syscall.
    rop.execve(binsh, 0, 0)
    print rop.dump()
    #0x0000: 0x1000000e pop eax; ret
    #0x0004: 0x77
    #0x0008: 0x1000000b int 0x80
    #0x000c: 0x0 gs
    #0x0010: 0x0 fs
    #0x0014: 0x0 es
    #0x0018: 0x0 ds
    #0x001c: 0x0 edi
    #0x0020: 0x0 esi
    #0x0024: 0x0 ebp
    #0x0028: 0x0 esp
    #0x002c: 0x10000012 ebx = binsh
    #0x0030: 0x0 edx
    #0x0034: 0x0 ecx
    #0x0038: 0xb eax
    #0x003c: 0x0 trapno
    #0x0040: 0x0 err
    #0x0044: 0x1000000b int 0x80
    #0x0048: 0x23 cs
    #0x004c: 0x0 eflags
    #0x0050: 0x0 esp_at_signal
    #0x0054: 0x2b ss
    #0x0058: 0x0 fpstate
    # Side effect: runs the ELF assembled above as a local child process.
    # The sleep gives the child time to consume the chain before the next line is sent.
    p = process(binary.path)
    p.send(str(rop))
    time.sleep(1)
    p.sendline('echo hello; exit')
    # NOTE(review): the received line is discarded, not printed; the comment
    # below is the value the author observed.
    p.recvline()
    #'hello\n'
    print "========================================================================================"
    # --- a symbol added by hand, with and without an explicit chain base address ---
    context.clear(arch = "i386", kernel = 'amd64')
    assembly = 'int 0x80; ret; add esp, 0x10; ret; pop eax; ret'
    e = ELF.from_assembly(assembly)
    # 'funcname' points past the few assembled bytes; this chain is only dumped, never run.
    e.symbols['funcname'] = e.address + 0x1234
    r = ROP(e)
    r.funcname(1, 2)
    r.funcname(3)
    r.execve(4, 5, 6)
    print r.dump()
    #0x0000: 0x10001234 funcname(1, 2)
    #0x0004: 0x10000003 <adjust: add esp, 0x10; ret>
    #0x0008: 0x1 arg0
    #0x000c: 0x2 arg1
    #0x0010: 'eaaa' <pad>
    #0x0014: 'faaa' <pad>
    #0x0018: 0x10001234 funcname(3)
    #0x001c: 0x10000007 <adjust: pop eax; ret>
    #0x0020: 0x3 arg0
    #0x0024: 0x10000007 pop eax; ret
    #0x0028: 0x77
    #0x002c: 0x10000000 int 0x80
    #0x0030: 0x0 gs
    #0x0034: 0x0 fs
    #0x0038: 0x0 es
    #0x003c: 0x0 ds
    #0x0040: 0x0 edi
    #0x0044: 0x0 esi
    #0x0048: 0x0 ebp
    #0x004c: 0x0 esp
    #0x0050: 0x4 ebx
    #0x0054: 0x6 edx
    #0x0058: 0x5 ecx
    #0x005c: 0xb eax
    #0x0060: 0x0 trapno
    #0x0064: 0x0 err
    #0x0068: 0x10000000 int 0x80
    #0x006c: 0x23 cs
    #0x0070: 0x0 eflags
    #0x0074: 0x0 esp_at_signal
    #0x0078: 0x2b ss
    #0x007c: 0x0 fpstate
    # Same chain with a base address: the dump offsets start at 0x8048000 and the
    # 'esp' slot of the frame becomes an absolute stack address instead of 0.
    r = ROP(e, 0x8048000)
    r.funcname(1, 2)
    r.funcname(3)
    r.execve(4, 5, 6)
    print r.dump()
    #0x8048000: 0x10001234 funcname(1, 2)
    #0x8048004: 0x10000003 <adjust: add esp, 0x10; ret>
    #0x8048008: 0x1 arg0
    #0x804800c: 0x2 arg1
    #0x8048010: 'eaaa' <pad>
    #0x8048014: 'faaa' <pad>
    #0x8048018: 0x10001234 funcname(3)
    #0x804801c: 0x10000007 <adjust: pop eax; ret>
    #0x8048020: 0x3 arg0
    #0x8048024: 0x10000007 pop eax; ret
    #0x8048028: 0x77
    #0x804802c: 0x10000000 int 0x80
    #0x8048030: 0x0 gs
    #0x8048034: 0x0 fs
    #0x8048038: 0x0 es
    #0x804803c: 0x0 ds
    #0x8048040: 0x0 edi
    #0x8048044: 0x0 esi
    #0x8048048: 0x0 ebp
    #0x804804c: 0x8048080 esp
    #0x8048050: 0x4 ebx
    #0x8048054: 0x6 edx
    #0x8048058: 0x5 ecx
    #0x804805c: 0xb eax
    #0x8048060: 0x0 trapno
    #0x8048064: 0x0 err
    #0x8048068: 0x10000000 int 0x80
    #0x804806c: 0x23 cs
    #0x8048070: 0x0 eflags
    #0x8048074: 0x0 esp_at_signal
    #0x8048078: 0x2b ss
    #0x804807c: 0x0 fpstate
    print "****************************************************************************************"
    # --- stack pivot: migrate() needs a 'pop ebp' and a 'leave; ret' gadget ---
    context.clear(arch='i386')
    print context
    assembly = "pop ebp; ret;"
    assembly += "leave; ret"
    r = ROP(ELF.from_assembly(assembly))
    r.migrate(0)
    print r.dump()
    # --- register-setting experiments on gadget sets of increasing awkwardness ---
    # NOTE(review): setRegisters_print is not a stock pwntools ROP method;
    # presumably a helper from a local fork that prints the gadget sequence
    # chosen for the requested register values — confirm it exists in the
    # installed version before running.
    context.clear(arch='i386')
    assembly = 'pop eax; ret;'
    assembly += 'mov ebx, eax; ret;'
    assembly += 'pop ecx; call eax'
    rop = ROP(ELF.from_assembly(assembly))
    print rop.gadgets
    con = {'eax':1, 'ebx':2, 'ecx':3}
    rop.setRegisters_print(con)
    # Only 'xchg'/'jmp' gadgets lead to edx here; the value is a 4-byte marker.
    context.clear(arch='i386')
    #assembly = "read:" + shellcraft.read(0, 'esp', 0x1000)
    assembly = 'pop eax; ret;'
    assembly += 'xchg edx, ecx; jmp eax;'
    assembly += 'pop ecx; ret'
    rop = ROP(ELF.from_assembly(assembly))
    # gadgets maps address -> gadget; each gadget exposes .address and .insns.
    for k in rop.gadgets.values():
        print hex(k.address), "; ".join(k.insns)
    con = {'edx': unpack('_EDX')}
    rop.setRegisters_print(con)
    # eax is loaded from [esp] before the pop, so both values come from the stack.
    context.clear(arch='i386')
    assembly = 'mov eax, [esp]; pop ebx; ret'
    rop = ROP(ELF.from_assembly(assembly))
    con = {'eax': 0, 'ebx':1}
    rop.setRegisters_print(con)
    # Several 'add esp' cleanups compete; edi is only reachable via a memory load.
    context.clear(arch='i386')
    assembly = 'add esp, 0x10; ret;'
    assembly += 'add esp, 0xc; ret;'
    assembly += 'add esp, 0x8; ret;'
    assembly += 'pop eax; ret;'
    assembly += 'pop ebx; call eax;'
    assembly += 'mov ecx, ebx; ret;'
    assembly += 'xchg edx, ecx; jmp eax;'
    assembly += 'mov edi, [esp+8]; add esp, 4; ret'
    rop = ROP(ELF.from_assembly(assembly))
    print rop.gadgets
    con = {'edi': 0xdeadbeef}
    rop.setRegisters_print(con)
    # Chained moves: ebx -> ecx -> edx -> edi, all from one 'pop' pair.
    context.clear(arch='i386')
    assembly = 'pop eax; ret;'
    assembly += 'pop ebx; call eax;'
    assembly += 'mov ecx, ebx; ret;'
    assembly += 'xchg edx, ecx; jmp eax;'
    assembly += 'mov edi, edx; ret'
    rop = ROP(ELF.from_assembly(assembly))
    con = {'eax': 1, 'ebx': 2, 'ecx': 3, 'edx': 4}
    rop.setRegisters_print(con)
    # NOTE(review): the amd64 and arm cases below look intended for a separate
    # f2() (commented-out header); as written they run as part of f1().
    #def f2():
    context.clear(arch='amd64')
    assembly = 'pop rax; ret\n'
    assembly += 'mov rbx, rax; ret\n'
    assembly += 'pop rcx; jmp rax'
    rop = ROP(ELF.from_assembly(assembly))
    print rop.gadgets
    con = {'rax': 1, 'rbx': 2, 'rcx': 3}
    rop.setRegisters_print(con)
    # arm: r4 is only reachable through 'mov r4, r0', which ends in 'blx r1'.
    context.clear(arch='arm')
    assembly = 'pop {r0, pc};'
    assembly += 'pop {r0, r1, pc};'
    assembly += 'pop {r0, r2, pc};'
    assembly += 'mov r3, r2; pop {pc};'
    assembly += 'mov r4, r0; blx r1'
    rop = ROP(ELF.from_assembly(assembly))
    rop.setRegisters_print({'r4': 1})
    # NOTE(review): verbatim repeat of the previous arm case (likely copy-paste).
    context.clear(arch='arm')
    assembly = 'pop {r0, pc};'
    assembly += 'pop {r0, r1, pc};'
    assembly += 'pop {r0, r2, pc};'
    assembly += 'mov r3, r2; pop {pc};'
    assembly += 'mov r4, r0; blx r1'
    rop = ROP(ELF.from_assembly(assembly))
    rop.setRegisters_print({'r4': 1})
    # arm: setting pc indirectly through lr, then directly with a single 'pop {pc}'.
    context.clear(arch='arm')
    assembly = 'pop {lr};'
    assembly += 'bx lr'
    rop = ROP(ELF.from_assembly(assembly))
    rop.setRegisters_print({'pc' : 1})
    context.clear(arch='arm')
    assembly = 'pop {pc}'
    rop = ROP(ELF.from_assembly(assembly))
    rop.setRegisters_print({'pc' : 0xdeadbeef})
if "__main__" == __name__:
    # Script entry point: the ROP walkthrough runs only when executed directly, not on import.
    f1()