zhengmin1989 / rop_step_by_step
一步一步学ROP (Learn ROP Step by Step)
Master 蒸米, when I fill level1 (attached under gdb) with 150 bytes of pattern-generated data, the output is as follows:
(gdb) run
Starting program: /root/test1
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
Program received signal SIGSEGV, Segmentation fault.
0x00005555555546aa in vulnerable_function ()
(gdb)
Why does the address 0x00005555555546aa have this format? Is something wrong here, or did disabling ASLR fail at compile time?
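Addresses of the form 0x5555555546aa are what gdb shows when the executable is position-independent (ELF type ET_DYN, i.e. built as PIE): with ASLR disabled gdb maps the image at a fixed 0x555555554000 base instead of the 0x400000 base of a classic non-PIE executable (the kind `-no-pie` produces, shown as "No PIE (0x400000)" further down this page). The check below is an added example, not code from the repository: it parses the ELF header and program headers directly, with no external tools, to report whether an image is PIE and whether its stack is marked non-executable (the PT_GNU_STACK flags). `build_sample_elf` is a constructed helper that fabricates minimal headers so the example runs offline; the constant names follow the ELF specification.

```python
"""Minimal ELF hardening check (PIE and executable stack) in pure Python.

Added example: inspects the ELF header and PT_GNU_STACK program header,
covering both ELF32 (e.g. the arm32 levels) and ELF64 (the linux_x64 levels).
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2          # fixed-address executable (gcc -no-pie): loads at 0x400000 on x86-64
ET_DYN = 3           # position-independent (PIE) executable or shared object
PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def inspect_elf(data: bytes) -> dict:
    """Return class, e_type, PIE flag and NX flag for an ELF image held in memory."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        # ELF64 layout: e_type @16, e_phoff @32, e_phentsize @54, e_phnum @56
        e_type = struct.unpack_from(endian + "H", data, 16)[0]
        e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        ph_fmt = endian + "IIQQQQQQ"   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        flags_index = 1
    elif ei_class == 1:
        # ELF32 layout: e_type @16, e_phoff @28, e_phentsize @42, e_phnum @44
        e_type = struct.unpack_from(endian + "H", data, 16)[0]
        e_phoff = struct.unpack_from(endian + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        ph_fmt = endian + "IIIIIIII"   # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        flags_index = 6
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    nx = None  # None: no PT_GNU_STACK header, so the kernel applies its (architecture) default
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            nx = not (fields[flags_index] & PF_X)
    return {"class": 32 if ei_class == 1 else 64, "type": e_type, "pie": e_type == ET_DYN, "nx": nx}


def describe(info: dict) -> str:
    """Human-readable summary in the spirit of checksec."""
    pie = ("PIE enabled: gdb shows 0x5555... addresses with ASLR off; build with -no-pie for 0x400000"
           if info["pie"] else "No PIE: fixed load address (0x400000 on x86-64)")
    nx = {True: "NX enabled", False: "NX disabled (executable stack)", None: "NX unknown (no PT_GNU_STACK)"}[info["nx"]]
    return "ELF%d, %s, %s" % (info["class"], pie, nx)


def build_sample_elf(bits: int, e_type: int, stack_executable: bool) -> bytes:
    """Constructed test image: a bare ELF header plus one PT_GNU_STACK program header."""
    flags = 0x6 | (PF_X if stack_executable else 0)   # PF_R | PF_W, optionally PF_X
    if bits == 64:
        hdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", ELF_MAGIC, 2, 1, 1, 0, 0,
                          e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    else:
        hdr = struct.pack("<4sBBBBB7xHHIIIIIHHHHHH", ELF_MAGIC, 1, 1, 1, 0, 0,
                          e_type, 0x28, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)
    return hdr + phdr


if __name__ == "__main__":
    # Usage: python elfcheck.py ./level1   (any real ELF file works; samples below are constructed)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(describe(inspect_elf(f.read())))
    else:
        print(describe(inspect_elf(build_sample_elf(64, ET_DYN, False))))
        print(describe(inspect_elf(build_sample_elf(64, ET_EXEC, False))))
```

If a binary compiled for these exercises reports "PIE enabled", gdb's 0x5555... addresses are expected rather than a sign that ASLR was not disabled; the issue is the compile-time default, which `-no-pie` changes.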
I have just started learning binary exploitation. Could you explain how pattern.py computes the overflow offset from nothing but the address at the top of the stack?
Hello, thank you for sharing these examples.
I'm just curious, how did you compile the binaries for linux_x64?
I am able to successfully exploit the binary that comes with the repository as shown below:
~/Downloads/ROP_STEP_BY_STEP/linux_x64 (master*) » python3 exp5.py
[*] '/home/Downloads/ROP_STEP_BY_STEP/linux_x64/level3'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Starting local process './level3': pid 74600
[*] Switching to interactive mode
Hello, World
$ pwd
/home/Downloads/ROP_STEP_BY_STEP/linux_x64
$ exit
[*] Got EOF while reading in interactive
$
[*] Process './level3' stopped with exit code -11 (SIGSEGV) (pid 74600)
[*] Got EOF while sending in interactive
However, if I try to compile the binary by myself such as using the option shown below:
gcc level3.c -o level3_custom -fno-stack-protector -no-pie
Then it won't work:
~/Downloads/ROP_STEP_BY_STEP/linux_x64 (master*) » python3 exp5.py
[*] '/home/Downloads/ROP_STEP_BY_STEP/linux_x64/level3_custom'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Starting local process './level3_custom': pid 75948
[*] Switching to interactive mode
Hello, World
[*] Got EOF while reading in interactive
$ whoami
[*] Process './level3_custom' stopped with exit code -11 (SIGSEGV) (pid 75948)
[*] Got EOF while sending in interactive
I have made sure to adjust exp5.py by using gdb to figure out the system@plt address, 0x401040:
~/Downloads/ROP_STEP_BY_STEP/linux_x64 (master*) » gdb ./level3_custom
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
...
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./level3_custom...(no debugging symbols found)...done.
>>> disas callsystem
Dump of assembler code for function callsystem:
0x0000000000401142 <+0>: push %rbp
0x0000000000401143 <+1>: mov %rsp,%rbp
0x0000000000401146 <+4>: lea 0xeb7(%rip),%rdi # 0x402004
0x000000000040114d <+11>: callq 0x401040 <system@plt>
...
Thank you in advance.
Even though your articles are all backed up, please remember to fix this dead link when you have time hhh
payload += p32(0) + p32(notelen+0x9)+ "B" * (notelen-0x10)
What is the reason for the -0x10 at the end of the payload?
In the first section of the linux_x64 part of 一步一步学ROP, "Memory Leak & DynELF - ROP attack without obtaining the target libc.so": while testing, I found that exp4.py does not succeed when vulfun_addr is used, but does succeed when the address of main is used. The environment is Ubuntu 16.04.1 64-bit. With vulfun_addr, debugging in GDB shows that the call to system has no effect and returns 0x7f00 (32512); execution then continues into vulfun, then into .bss, and finally a SIGSEGV is received.
I am very confused by this. Judging from the stack contents everything looks as expected, so why does vulfun_addr fail? Why does main work? How can vulfun be made to work; is there a trick?
I hope you can clear up a beginner's confusion, thank you!
Hi! I ran into a small problem when exploiting with arm32/exp/level6.py on Android 5.1.1. In arm32/exp/level6.py the address used for the callsystem function is its offset within the file; when run on Android 5.1.1 this fails, and callsystemaddr must have the in-memory base address of level6 added to it to obtain the actual address of callsystem in memory. After this change the exploit succeeded.