inaz2 / roputils
A Return-oriented Programming toolkit
Hello,
May I make a request for more documentation and comments on the examples please ?
This seems very useful but it's hard to follow through the code for help.
Thanks,
7d2ae9f#commitcomment-10511052
tank96a commented on 7d2ae9f a day ago
I found a bug here.
self._plt[name] = self._section['.plt'][0] + (plt_stub_size * (len(self._plt)+1))
I get the wrong plt address.
puts and printf's plt addresses are both wrong for this case.
Relocation section '.rel.plt' at offset 0x3f8 contains 13 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804b00c  00000107 R_386_JUMP_SLOT   00000000   read
0804b010  00000807 R_386_JUMP_SLOT   00000000   puts
0804b014  00000307 R_386_JUMP_SLOT   00000000   free
0804b018  00000407 R_386_JUMP_SLOT   00000000   alarm
0804b01c  00000507 R_386_JUMP_SLOT   00000000   __stack_chk_fail
0804b020  00000607 R_386_JUMP_SLOT   00000000   strcpy
0804b024  00000707 R_386_JUMP_SLOT   00000000   malloc
0804b028  00000207 R_386_JUMP_SLOT   00000000   printf
0804b02c  00000907 R_386_JUMP_SLOT   00000000   __gmon_start__
0804b030  00000a07 R_386_JUMP_SLOT   00000000   __libc_start_main
0804b034  00000b07 R_386_JUMP_SLOT   00000000   setvbuf
0804b038  00000c07 R_386_JUMP_SLOT   00000000   snprintf
0804b03c  00000d07 R_386_JUMP_SLOT   00000000   atoi

Symbol table '.dynsym' contains 17 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND read@GLIBC_2.0 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.0 (2)
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND free@GLIBC_2.0 (2)
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND alarm@GLIBC_2.0 (2)
     5: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     6: 00000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.0 (2)
     7: 00000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.0 (2)
     8: 00000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.0 (2)
     9: 00000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
    10: 00000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.0 (2)
    11: 00000000     0 FUNC    GLOBAL DEFAULT  UND setvbuf@GLIBC_2.0 (2)
    12: 00000000     0 FUNC    GLOBAL DEFAULT  UND snprintf@GLIBC_2.0 (2)
    13: 00000000     0 FUNC    GLOBAL DEFAULT  UND atoi@GLIBC_2.0 (2)
    14: 0804b080     4 OBJECT  GLOBAL DEFAULT   25 stdout@GLIBC_2.0 (2)
    15: 08048dbc     4 OBJECT  GLOBAL DEFAULT   15 _IO_stdin_used
    16: 0804b060     4 OBJECT  GLOBAL DEFAULT   25 stdin@GLIBC_2.0 (2)
root@ubuntu:~/roputils/examples# make
gcc -fno-stack-protector bof.c -o bof
root@ubuntu:~/roputils/examples# make getoffset
python getoffset.py ./bof
120
root@ubuntu:~/roputils/examples# python use-offset-x86-64.py ./bof 120
Traceback (most recent call last):
  File "use-offset-x86-64.py", line 9, in <module>
    got_start = rop.got('__libc_start_main')
  File "/root/roputils/examples/roputils.py", line 231, in got
    return self.offset(self._got[name])
KeyError: '__libc_start_main'
root@ubuntu:~/roputils/examples# uname -a
Linux ubuntu 4.4.0-42-generic #62-Ubuntu SMP Fri Oct 7 23:11:45 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~/roputils/examples#
Just as the title shows, is it possible to export these features into pwntools?
I'm a big fan of your tool, but it duplicates a lot of what pwntools already does.
The edge you have is the support for amd64 ropchains, which is just awesome. How would you feel about developing/merging this capability into pwntools?
Let me know.
I want to use this on python3. Just replace the print?
Hi, I found a strange bug in the function that gets the PLT address in the binary.

>>> from pwn import *
>>> elf = ELF("./binary")
>>> print hex(elf.symbols['puts'])
0x8048660
>>> import roputils
>>> rop = roputils.ROP("./binary")
>>> print hex(rop.plt('puts'))
0x8048670
>>>

As you can see, I'm using both pwntools & roputils. I expect pwntools' elf.symbols['puts'] to be the same as roputils' rop.plt('puts'), but in fact they output different results.
More importantly, roputils seems to have the wrong PLT address. The puts PLT address is 0x08048660, not 0x8048670.
Due to some reason, I can't post the testing binary here, can you send me an email (bruce30262[at]gmail.com), so I can send you the testing binary & help you fix the problem?
Thanks!
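Both PLT-address reports above (tank96a's readelf tables and bruce30262's pwntools comparison) turn on the same ELF fact: with lazy binding on i386, the n-th relocation in .rel.plt (counting from 0) is served by PLT stub n+1, because stub 0 is the resolver trampoline. The stub index is therefore the entry's position in .rel.plt, not its .dynsym index, and the two orders are not guaranteed to agree. In the tables posted above they differ in exactly two places, puts (.dynsym 8, .rel.plt position 1) and printf (.dynsym 2, .rel.plt position 7), which is precisely the pair reported as wrong. The script below is an added example, not code from the roputils project: it parses `readelf -r` text (a constructed copy of the posted .rel.plt table, plus one hypothetical .rel.dyn GLOB_DAT line for an assumed symbol `__cxa_finalize`), computes stub addresses both ways, and lists symbols that have a GOT slot but no PLT stub, which any table populated only from .rel.plt will miss. The .plt start address (0x08048500) and the 16-byte stub size are assumptions; on a real binary take them from `readelf -S`.

```python
"""Compute i386 PLT stub addresses from `readelf -r` output (lazy binding).

Added example, not roputils code. Shows why the stub index must be the entry's
position in .rel.plt rather than its .dynsym index.
"""
import re
from collections import namedtuple

Reloc = namedtuple("Reloc", "section offset info rtype name")

# Constructed sample: the .rel.plt table posted in the issue above (13 entries),
# preceded by a hypothetical .rel.dyn section with one GLOB_DAT entry for an
# assumed symbol name, so the "GOT slot but no PLT stub" case is exercised.
READELF_R = """\
Relocation section '.rel.dyn' at offset 0x3f0 contains 1 entry:
 Offset     Info    Type            Sym.Value  Sym. Name
0804aff8  00000e06 R_386_GLOB_DAT    00000000   __cxa_finalize

Relocation section '.rel.plt' at offset 0x3f8 contains 13 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804b00c  00000107 R_386_JUMP_SLOT   00000000   read
0804b010  00000807 R_386_JUMP_SLOT   00000000   puts
0804b014  00000307 R_386_JUMP_SLOT   00000000   free
0804b018  00000407 R_386_JUMP_SLOT   00000000   alarm
0804b01c  00000507 R_386_JUMP_SLOT   00000000   __stack_chk_fail
0804b020  00000607 R_386_JUMP_SLOT   00000000   strcpy
0804b024  00000707 R_386_JUMP_SLOT   00000000   malloc
0804b028  00000207 R_386_JUMP_SLOT   00000000   printf
0804b02c  00000907 R_386_JUMP_SLOT   00000000   __gmon_start__
0804b030  00000a07 R_386_JUMP_SLOT   00000000   __libc_start_main
0804b034  00000b07 R_386_JUMP_SLOT   00000000   setvbuf
0804b038  00000c07 R_386_JUMP_SLOT   00000000   snprintf
0804b03c  00000d07 R_386_JUMP_SLOT   00000000   atoi
"""

SECTION_RE = re.compile(r"^Relocation section '([^']+)'")
ENTRY_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(R_\w+)\s+[0-9a-f]{8}\s+(\S+)")


def parse_readelf_r(text):
    """Return relocations in file order, each tagged with the section it came from."""
    relocs, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            offset, info, rtype, name = m.groups()
            relocs.append(Reloc(section, int(offset, 16), int(info, 16), rtype, name))
    return relocs


def dynsym_index(reloc):
    """ELF32 r_info packs the .dynsym index in the high 24 bits, the type in the low 8."""
    return reloc.info >> 8


def plt_addresses(relocs, plt_base, stub_size=16):
    """Correct mapping: the i-th .rel.plt entry is served by stub i+1 (stub 0 is the resolver)."""
    jump_slots = [r for r in relocs if r.section == ".rel.plt" and r.rtype.endswith("JUMP_SLOT")]
    # Lazy-binding GOT slots are consecutive 4-byte entries on i386; anything else means
    # the table was not parsed in file order.
    for i in range(1, len(jump_slots)):
        assert jump_slots[i].offset - jump_slots[i - 1].offset == 4, "non-contiguous .got.plt"
    return {r.name: plt_base + stub_size * (i + 1) for i, r in enumerate(jump_slots)}


def plt_addresses_by_dynsym_order(relocs, plt_base, stub_size=16):
    """The mistaken mapping: numbering stubs by .dynsym index instead of .rel.plt position."""
    jump_slots = sorted(
        (r for r in relocs if r.section == ".rel.plt" and r.rtype.endswith("JUMP_SLOT")),
        key=dynsym_index,
    )
    return {r.name: plt_base + stub_size * (i + 1) for i, r in enumerate(jump_slots)}


def got_only_symbols(relocs):
    """Symbols with a GOT slot (GLOB_DAT) but no lazy PLT stub; a .rel.plt-only table misses them."""
    plt_names = {r.name for r in relocs if r.rtype.endswith("JUMP_SLOT")}
    return sorted(r.name for r in relocs if r.rtype.endswith("GLOB_DAT") and r.name not in plt_names)


if __name__ == "__main__":
    PLT_BASE = 0x08048500  # assumed .plt start; read it from `readelf -S` on a real binary
    relocs = parse_readelf_r(READELF_R)
    right = plt_addresses(relocs, PLT_BASE)
    wrong = plt_addresses_by_dynsym_order(relocs, PLT_BASE)
    for name in right:
        flag = "" if right[name] == wrong[name] else "   <- differs"
        print("%-18s plt=%#010x  by-dynsym-order=%#010x%s" % (name, right[name], wrong[name], flag))
    print("GOT slot without PLT stub:", got_only_symbols(relocs))
```

Run against a real binary by replacing READELF_R with the output of `readelf -r ./binary` and PLT_BASE with the .plt address from `readelf -S`; the addresses from `plt_addresses` should then match `objdump -d -j .plt` (and pwntools' `elf.symbols`), while the by-.dynsym numbering reproduces the off-by-one-stub results reported above whenever the two orders disagree.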