[Original] KCTF2019 The Cursed Pyramid writeup
Posted: 2019-6-23 22:11 6342


The vulnerability can be triggered multiple times. Stepping in the debugger to the breakpoint shows values on the stack for the program load base, a stack address and a libc address; leak them one at a time.

Set the breakpoint at printf and look at the stack again. Two stack addresses are interesting, 0xfff2e1e4 and 0xfff2e1e8: use %n to change the value at address 0xfff2e274 to target_addr, and use %n to change the value at address 0xfff2e27c to target_addr+2. Then, through 0xfff2e274, modify 2 bytes at target_addr, and through 0xfff2e27c modify 2 bytes at target_addr+2, which gives a write of arbitrary data to an arbitrary address.
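As an added defender-side example in C (not code from the original post): the write primitive described above only exists because attacker-controlled text reaches printf as its format string, so this scanner parses the printf directive grammar and counts the %n-family directives, and the logging helper refuses such input and otherwise passes it as an argument to a fixed format string. The function names and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Walks the printf conversion grammar (optional "N$" positional argument,
 * flags, width, precision, length modifier, and the "%%" escape) and counts
 * the directives that write to memory: "%n" with any length modifier
 * ("%hn", "%hhn", "%ln" ...).  Name and behaviour are this example's own. */
int count_write_directives(const char *fmt)
{
    int writes = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                    /* "%%" is a literal percent sign */
            continue;
        const char *q = p;                /* optional positional "N$" */
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '$') p = q + 1;
        while (*p && strchr("-+ #0'", *p)) p++;            /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++; /* width */
        if (*p == '.') {                                    /* precision */
            p++;
            while (isdigit((unsigned char)*p) || *p == '*') p++;
        }
        while (*p && strchr("hljztL", *p)) p++;            /* length mod. */
        if (*p == 'n')
            writes++;
        if (!*p)                          /* truncated directive at end */
            break;
    }
    return writes;
}

/* Hypothetical logging helper: rejects input that would act as a write
 * primitive if it ever reached a printf(buf) call, and otherwise prints the
 * data as an ARGUMENT to a fixed format string, never as the format itself. */
int log_user_input(const char *user_input)
{
    if (count_write_directives(user_input) > 0)
        return -1;                        /* contains a %n-family directive */
    printf("%s\n", user_input);
    return 0;
}
```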



Latest replies (3)
Reply #2
First of all, thanks for the analysis and the way the exp is laid out! It is very beginner-friendly, the comments are clear at a glance, and reproducing it was very easy.

I would like to ask how the gadgets array was obtained. Tracing the exp, my guess is that you first look up references to the execve function in libc:
Direction        Type        Address        Text
Up        p        sub_3A850+444        call    execve
Down        p        fexecve+62        call    execve
Down        p        execv+1F        call    execve
Down        p        execle+B5        call    execve
Down        p        execle+148        call    execve
Down        p        execl+C3        call    execve
Down        p        execl+159        call    execve
Down        p        execvpe+41        call    execve
Down        p        execvpe+10C        call    execve
Down        p        execvpe+246        call    execve
Down        p        execvpe+2E3        call    execve
Down        p        sub_D0330+7B1        call    execve
Down        p        sub_D4580+8E        call    execve
Down        p        sub_D4630+268        call    execve
Down        p        sub_D4630+5FA        call    execve
Up        o        LOAD:00009FA8        Elf32_Sym <offset aFexecve+1 - offset byte_D618, offset execve, 26h, \; "execve"
Taking the first one as an example, go into it and copy out the part after the pushes and before the call, is that right?
.text:0003AC5C                 push    0
.text:0003AC5E                 push    [esp+164h+var_154]
.text:0003AC62                 push    2
.text:0003AC64                 call    sigprocmask
.text:0003AC69                 mov     eax, ds:(environ_ptr_0 - 1B2000h)[esi]
.text:0003AC6F                 add     esp, 0Ch
.text:0003AC72                 mov     ds:(dword_1B3620 - 1B2000h)[esi], 0
.text:0003AC7C                 mov     ds:(dword_1B3624 - 1B2000h)[esi], 0
.text:0003AC86                 push    dword ptr [eax]
.text:0003AC88                 lea     eax, [esp+164h+var_138]
.text:0003AC8C                 push    eax
.text:0003AC8D                 lea     eax, (loc_15BA08+3 - 1B2000h)[esi]
.text:0003AC93                 push    eax
.text:0003AC94                 call    execve
2019-6-30 21:34
Reply #3
pangpwn: First of all, thanks for the analysis and the way the exp is laid out! It is very beginner-friendly, the comments are clear at a glance, and reproducing it was very easy. I would like to ask how the gadgets array was obtained. Tracing the exp, my guess is that you first look up references to the execve function in libc ...
Hello, and thanks for reproducing my exp. The gadgets here were obtained with an open-source tool called one_gadget; the official address is [link obfuscated by the forum].
2019-7-3 08:32
Reply #4
xmzyshypnc: Hello, and thanks for reproducing my exp. The gadgets here were obtained with an open-source tool called one_gadget; the official address is [link obfuscated by the forum] ...
Thanks for the reply. I will study the open-source tool further. Thanks again for sharing.
2019-7-13 21:22