
📄 findretloc.c

📁 一个自动查找retloc的小脚本,主要在于可以提取其中的findretloc函数使exploit更加智能化,具体使用参看源代码.灵感来自coresecurity paper和dvdman的exploi
#define _POSIX_C_SOURCE 200809L /* popen()/pclose() prototypes in <stdio.h> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
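#define OBJDUMP "/usr/bin/objdump"
#define VICTIM "./vul"
#define GREP "/bin/grep"

/* Characters accepted in funcname before it is spliced into the popen()
 * command line: symbol-name characters only, no shell metacharacters. */
#define FUNCNAME_CHARS \
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_."

/*
 * Look up an address in the VICTIM binary by running OBJDUMP and filtering
 * its output through GREP, then apply a type-specific offset:
 *
 *   type 1: first hex number on the "objdump -R | grep funcname" output
 *   type 2: first hex number of the "dtors" line of "objdump -h", plus 4
 *   type 3: as type 1, minus 12
 *
 * funcname comes from the command line and is inserted verbatim into a
 * shell command, so it is restricted to FUNCNAME_CHARS before use;
 * anything else (including NULL or "") is rejected. It is ignored for
 * type 2.
 *
 * Returns the address narrowed to int (the historical interface), or 0
 * when the type is unknown, the name is rejected, the command does not
 * fit the buffer, the pipe cannot be opened, or no hex number is read.
 */
int findretloc(int type, char *funcname)
{
    char cmd[128];
    int len;

    /* Unknown types used to fall through to popen() with an
     * uninitialized command buffer; reject them up front. */
    if (type < 1 || type > 3) {
        printf("Error: unknown type %d!\n", type);
        return 0;
    }

    if (type != 2) {
        /* Types 1 and 3 splice funcname into the shell command. */
        if (funcname == NULL || funcname[0] == '\0'
            || funcname[strspn(funcname, FUNCNAME_CHARS)] != '\0') {
            printf("Error: invalid function name!\n");
            return 0;
        }
        len = snprintf(cmd, sizeof cmd, "%s -R %s | %s %s \n",
                       OBJDUMP, VICTIM, GREP, funcname);
    } else {
        len = snprintf(cmd, sizeof cmd,
                       "%s -h %s | %s %s | awk {'print $4'} \n",
                       OBJDUMP, VICTIM, GREP, "dtors");
    }
    /* snprintf truncates silently; a truncated command must not be run. */
    if (len < 0 || (size_t)len >= sizeof cmd) {
        printf("Error: command too long!\n");
        return 0;
    }

    FILE *f = popen(cmd, "r");
    if (f == NULL) {
        printf("Error: cannot run %s!\n", OBJDUMP);
        return 0;
    }

    /* %lx matches unsigned long; %x would be undefined on LP64 targets. */
    unsigned long func_addr = 0;
    int matched = fscanf(f, "%lx", &func_addr);
    pclose(f); /* close the pipe on the success path too (was leaked) */
    if (matched != 1) {
        printf("Error: Cannot find address!\n");
        return 0;
    }

    unsigned long retloc_addr = func_addr;
    if (type == 2) {
        retloc_addr += 4;
    } else if (type == 3) {
        retloc_addr -= 12;
    }

    printf("LOOK:retloc address is: 0x%lx\n\n", retloc_addr);
    return (int)retloc_addr;
}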

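/*
 * Entry point: "prog type [funcname]".
 *
 * Types 1 and 3 need a funcname; type 2 ignores it. The type is parsed
 * with strtol() so that trailing garbage such as "1x" is reported rather
 * than silently accepted, and argv[2] is replaced by "" when absent so
 * findretloc() never receives a NULL name.
 *
 * Exits with status 1 on a usage error, 0 otherwise.
 */
int main(int argc, char **argv)
{
    printf(" ======    Code by OYXin     =====      \n");
    printf(" ====== OYXin at ph4nt0m.net =====      \n");
    printf(" usage:%s type funcname\n", argv[0]);
    printf("type 1 = GOT,2 = dtors ,3 = malloc()/free()\n\n\n");

    if (argc > 3 || argc < 2) {
        printf("wrong argc!\n");
        return 1;
    }

    char *end = NULL;
    long t = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0') {
        printf("wrong type!\n");
        return 1;
    }

    /* argv[argc] is NULL, so argv[2] is absent when argc == 2. */
    char *n = (argc > 2) ? argv[2] : "";
    findretloc((int)t, n);
    return 0;
}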
