Boyan-MILANOV / ropium

ROPium is a tool that helps you building ROP exploits by finding and chaining gadgets together

Crash when generate shellcode (memcpy missing in PLT) #5

Closed fraf0 closed 5 years ago

fraf0 commented 5 years ago

Hi,

There is a crash when I try to generate a shellcode. I think this is due to the fact that the tested binary doesn't have the memcpy in its PLT table.

$ sudo ROPGenerator
[sudo] password for fraf:

▒▒▒▒▒▒▒╗░▒▒▒▒▒▒╗░▒▒▒▒▒▒  ═════════════════════════
▒▒╔══▒▒║▒▒╔═══▒▒╗▒▒╔══▒╗
▒▒▒▒▒▒╔╝▒▒║   ▒▒║▒▒▒▒▒▒║ G  E  N  E  R  A  T  O  R
▒▒╔══▒▒╗╚▒▒▒▒▒▒╔╝▒▒╔═══╝
╚═╝  ╚═╝ ╚═════╝ ╚═╝     ════════════════════ v1.2

(main)> load my_binary

[+] Extracting gadgets from file 'my_binary'
  % ELF 32-bits detected
  % Executing ROPgadget as: ROPgadget
  % Finished : 140 gadgets generated
[+] Creating gadget database
        % Gadgets analyzed : 140
  % Successfully translated : 115
  % Computation time : 0:00:00.495802
[+] Initializing Semantic Engine
        % Optimization rate : 92%
  % Computation time : 0:00:00.390653

(main)> exploit
(exploit)> pwn --help

  ________________________

  'pwn' command
  (Generate full exploits)
  ________________________

  Usage:
    pwn [OPTIONS] <subcommand> [SUBCOMMAND_OPTIONS]

  Subcommands:
  (For more info use 'pwn <subcommand> -h')

    deliver-shellcode  Inject a shellcode an execute it

  Options:

    -b,--bad-bytes <bytes>   Bad bytes for payload.
           Expected format is a list of bytes
           separated by comas (e.g '-b 0A,0B,2F')

    -m,--max-length <int>  Max length of the ROPChain in bytes

    -pb,--padding-byte <byte> Byte for payload padding

    -pl,--padding-len <int>  Length of payload padding

    -off,--offset <int>  Offset to add to gadget addresses

    -f,--output-format <fmt> Output format for ropchains.
           Expected format is one of the
           following: console,python

    -o,--output-file <file>  Save payload in a file

    -h,--help    Show this help

  Examples:
    No examples yet

(exploit)> shellcode -l X86

  _________________________________

  Available shellcodes for arch X86
  _________________________________

  (1) Linux x86 exec /bin/sh (ragg2)
  '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\...' - 24 bytes

(exploit)> pwn --bad-bytes 0a --padding-len 128 --output-format python deliver-shellcode --address 0xffffd040

  _________________________________

  Available shellcodes for arch X86
  _________________________________

  (1) Linux x86 exec /bin/sh (ragg2)
  '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\...' - 24 bytes

  > Select a shellcode:
        > 1

[+] Building exploit: deliver-shellcode strategy

  % Building chain to copy shellcode in memory
  ERROR DEBUG The file has no .rela.plt section
Traceback (most recent call last):
  File "/usr/local/bin/ROPGenerator", line 4, in <module>
    __import__('pkg_resources').run_script('ropgenerator==1.1', 'ROPGenerator')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 661, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1441, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/ropgenerator-1.1-py2.7.egg/EGG-INFO/scripts/ROPGenerator", line 5, in <module>
    Main.main()
  File "/usr/local/lib/python2.7/dist-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/Main.py", line 77, in main
    if( not exploit_mode()):
  File "/usr/local/lib/python2.7/dist-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/exploit/Main.py", line 58, in exploit_mode
    pwn(args[1:])
  File "/usr/local/lib/python2.7/dist-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/exploit/Pwn.py", line 267, in pwn
    payload = dshell(args[i+1:], constraint, assertion, lmax=clmax)
  File "/usr/local/lib/python2.7/dist-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/exploit/pwn/DeliverShellcode.py", line 146, in dshell
    res = build_dshell(shellcode, constraint, assertion, address, limit, lmax)
  File "/usr/local/lib/python2.7/dist-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/exploit/pwn/DeliverShellcode.py", line 178, in build_dshell
    (shellcode_address, STRtoMEM_chain) = STRtoMEM(shellcode, address, constraint, assertion, limit=limit, lmax=lmax, addr_str=addr_str, hex_info=True, optimizeLen=optimizeLen)
  File "/usr/local/lib/python2.7/dist-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/exploit/HighLevelUtils.py", line 42, in STRtoMEM
    (addr,chain) = STRtoMEM_memcpy(string, address, constraint, assertion, limit, lmax, addr_str, hex_info)
  File "/usr/local/lib/python2.7/dist-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/exploit/HighLevelUtils.py", line 141, in STRtoMEM_memcpy
    (func_name, func_addr ) = getFunctionAddress('memcpy')
  File "/usr/local/lib/python2.7/dist-packages/ropgenerator-1.1-py2.7.egg/ropgenerator/exploit/Scanner.py", line 95, in getFunctionAddress
    relasec_addr = relasec.header['sh_addr']
AttributeError: 'NoneType' object has no attribute 'header'

$

Regards,
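
The traceback above dies in `getFunctionAddress('memcpy')` because the relocation section lookup returned `None` and the code dereferenced it anyway; the debug message also asks for `.rela.plt` on a 32-bit ELF, whereas i386 binaries carry REL-type relocations in `.rel.plt`. The following is an added example (not ROPGenerator/ROPium code) of the check a gadget-chaining tool wants at this point: walk the section headers with nothing but `struct`, accept either `.rel.plt` or `.rela.plt`, resolve each PLT relocation to its symbol name through `.dynsym`/`.dynstr`, and return `None` rather than crash when the section or the import is absent. It assumes little-endian ELF and includes a constructed minimal ELF32 builder so it runs offline; the import names (`puts`, `memcpy`) and GOT addresses in it are made up for the demonstration.

```python
"""Resolve PLT imports from an ELF without crashing when .rel(a).plt is missing.
Added example for this issue, not ROPGenerator/ROPium code. Assumes little-endian
ELF; the builder below fabricates a minimal ELF32 purely for demonstration."""
import struct


def _cstr(data, off):
    """NUL-terminated string at file offset off."""
    return data[off:data.index(b"\0", off)].decode()


def _sections(data):
    """Section header table as [(name, sh_addr, sh_offset, sh_size, sh_link)],
    plus a name -> index map and the ELF class."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    if is64:
        (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
        fmt = "<IIQQQQII"   # sh_name sh_type sh_flags sh_addr sh_offset sh_size sh_link sh_info
    else:
        (e_shoff,) = struct.unpack_from("<I", data, 0x20)
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x2E)
        fmt = "<IIIIIIII"
    hdrs = [struct.unpack_from(fmt, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = hdrs[e_shstrndx][4]                      # .shstrtab file offset
    secs = [(_cstr(data, strtab + h[0]), h[3], h[4], h[5], h[6]) for h in hdrs]
    return secs, {s[0]: i for i, s in enumerate(secs)}, is64


def plt_relocs(data):
    """(section_name, [(got_slot, symbol), ...]) for the PLT relocations, or None
    when the binary has neither .rel.plt nor .rela.plt (the case in the traceback)."""
    secs, idx, is64 = _sections(data)
    name = next((n for n in (".rela.plt", ".rel.plt") if n in idx), None)
    if name is None:
        return None
    _, _, off, size, link = secs[idx[name]]
    rela = name == ".rela.plt"                        # RELA entries carry an addend
    rfmt, shift = (("<QQq" if rela else "<QQ"), 32) if is64 else (("<IIi" if rela else "<II"), 8)
    symtab = secs[link]                               # sh_link -> .dynsym
    strtab = secs[symtab[4]]                          # .dynsym's sh_link -> .dynstr
    sym_size = 24 if is64 else 16                     # st_name is the first field in both
    out = []
    for pos in range(off, off + size, struct.calcsize(rfmt)):
        r_offset, r_info = struct.unpack_from(rfmt, data, pos)[:2]
        (st_name,) = struct.unpack_from("<I", data, symtab[2] + (r_info >> shift) * sym_size)
        out.append((r_offset, _cstr(data, strtab[2] + st_name)))
    return name, out


def got_slot(data, func):
    """GOT slot of an imported function, or None if it is not imported via the PLT."""
    found = plt_relocs(data)
    if found is None:
        return None
    return next((slot for slot, sym in found[1] if sym == func), None)


def build_elf32(imports, with_rel_plt=True):
    """Constructed little-endian ELF32 holding only .dynstr/.dynsym/.rel.plt/.shstrtab
    (no code, no program headers); GOT addresses are invented for the demo."""
    dynstr, name_off = b"\0", {}
    for n in imports:
        name_off[n] = len(dynstr)
        dynstr += n.encode() + b"\0"
    dynsym = b"\0" * 16                               # null symbol
    for n in imports:                                 # STB_GLOBAL | STT_FUNC = 0x12
        dynsym += struct.pack("<IIIBBH", name_off[n], 0, 0, 0x12, 0, 0)
    rel = b"".join(struct.pack("<II", 0x0804A00C + 4 * i, ((i + 1) << 8) | 7)  # R_386_JUMP_SLOT
                   for i in range(len(imports)))
    secs = [(".dynstr", 3, dynstr, 0), (".dynsym", 11, dynsym, 1)]
    if with_rel_plt:
        secs.append((".rel.plt", 9, rel, 2))
    shstrtab, sh_name = b"\0", {}
    for name, *_ in secs + [(".shstrtab",)]:
        sh_name[name] = len(shstrtab)
        shstrtab += name.encode() + b"\0"
    secs.append((".shstrtab", 3, shstrtab, 0))
    body, shdrs = b"", b"\0" * 40                     # null section header first
    for name, typ, content, link in secs:
        shdrs += struct.pack("<IIIIIIIIII", sh_name[name], typ, 0, 0, 52 + len(body),
                             len(content), link, 0, 1, 0)
        body += content
    ehdr = struct.pack("<4sBBBBB7xHHIIIIIHHHHHH", b"\x7fELF", 1, 1, 1, 0, 0,
                       2, 3, 1, 0, 0, 52 + len(body), 0, 52, 0, 0, 40, len(secs) + 1, len(secs))
    return ehdr + body + shdrs


if __name__ == "__main__":
    elf = build_elf32(["puts", "memcpy"])
    print(plt_relocs(elf))                            # ('.rel.plt', [(0x804a00c, 'puts'), ...])
    print(hex(got_slot(elf, "memcpy")), got_slot(elf, "strcpy"))
    print(plt_relocs(build_elf32(["puts"], with_rel_plt=False)))   # None, no crash
```

A chain builder that wants to call `memcpy` should branch on the `None` from `got_slot` and fall back to another string-to-memory strategy (or report that the import is unavailable) instead of assuming the section exists.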

Boyan-MILANOV commented 5 years ago

Hey,

This is a bug triggered by debugging code I forgot to remove.... Fixed it :)