[R.O.P.] ropeme 사용하여 ROP 가젯 쉽게 구하기.

ropeme 사용하여 ROP 가젯 쉽게 구하기.

ropeme-bhus10.tbz2

파일을 리눅스에 올리고 압축을 풀어주고 들어가면 distorm 이 있는데 그것가지 압축을 풀어준다.

root@ubuntu:/home/root/ropeme-bhus10# ls

README  distorm-1.7.30  distorm-1.7.30.tar.gz  exploit.py  ropeme  vuln  vuln.c

root@ubuntu:/home/root/ropeme-bhus10#tar -xvf distorm-1.7.30.tar.gz

root@ubuntu:/home/root/ropeme-bhus10# cd distorm-1.7.30/

root@ubuntu:/home/root/ropeme-bhus10/distorm-1.7.30# ls

COPYING   PKG-INFO  cygwin-x86  linux-x86_64  macosx-x86  setup.py       windows-x86

MANIFEST  build     linux-x86   macosx-ppc    setup.cfg   windows-amd64

각 환경에 맞게 설치가 되도록 되어 있다.

root@ubuntu:/home/root/ropeme-bhus10/distorm-1.7.30# ./setup.py build

root@ubuntu:/home/root/ropeme-bhus10/distorm-1.7.30# ./setup.py install

설치를 해준뒤 ropeme 폴더로 이동한다.

root@ubuntu:/home/root/ropeme-bhus10/ropeme# ./ropshell.py 

Simple ROP interactive shell: [generate, load, search] gadgets

ROPeMe> 

그리고 취약한 파일을 어셈으로 덤프를 뜨는 명령어를 쓴다.

root@ubuntu:/home/root/ropeme-bhus10# ls

README  distorm-1.7.30  distorm-1.7.30.tar.gz  exploit.py  ropeme  vuln  vuln.c

root@ubuntu:/home/root/ropeme-bhus10# ./ropeme/ropshell.py 

Simple ROP interactive shell: [generate, load, search] gadgets

ROPeMe> generate vuln

Generating gadgets for vuln with backward depth=3

It may take few minutes depends on the depth and file size...

Processing code block 1/1

Generated 60 gadgets

Dumping asm gadgets to file: vuln.ggt ...

OK

ROPeMe> 

ROPeMe> search pop ?     //? 는 검색문자열의 주소이고 

Searching for ROP gadget:  pop ? with constraints: []

0x80484b4L: pop ebp ;;

0x8048573L: pop ebp ;;

0x80485d8L: pop ebp ;;

ROPeMe> search pop %   //% 는 검색 문자열의 포함 주소이다.

Searching for ROP gadget:  pop % with constraints: []

0x8048384L: pop eax ; pop ebx ; leave ;;

0x80485d8L: pop ebp ; ret ; mov ebx [esp] ;;

0x80484b4L: pop ebp ;;

0x8048573L: pop ebp ;;

0x80485d8L: pop ebp ;;

0x8048385L: pop ebx ; leave ;;

0x8048625L: pop ebx ; leave ;;

0x80484b3L: pop ebx ; pop ebp ;;

0x8048608L: pop ebx ; pop ebp ;;

0x8048624L: pop ecx ; pop ebx ; leave ;;

0x80485d7L: pop edi ; pop ebp ;;

0x80485d6L: pop esi ; pop edi ; pop ebp ;;

ROPeMe>