Hello, thank you for sharing these examples.

I'm just curious, how did you compile the binaries for linux_x64?
I am able to successfully exploit the binary that comes with the repository, as shown below:

```
~/Downloads/ROP_STEP_BY_STEP/linux_x64 (master*) » python3 exp5.py
[*] '/home/Downloads/ROP_STEP_BY_STEP/linux_x64/level3'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Starting local process './level3': pid 74600
[*] Switching to interactive mode
Hello, World
$ pwd
/home/Downloads/ROP_STEP_BY_STEP/linux_x64
$ exit
[*] Got EOF while reading in interactive
$
[*] Process './level3' stopped with exit code -11 (SIGSEGV) (pid 74600)
[*] Got EOF while sending in interactive
```
However, if I try to compile the binary myself, using the options shown below:

```
gcc level3.c -o level3_custom -fno-stack-protector -no-pie
```

then it won't work:

```
~/Downloads/ROP_STEP_BY_STEP/linux_x64 (master*) » python3 exp5.py
[*] '/home/Downloads/ROP_STEP_BY_STEP/linux_x64/level3_custom'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Starting local process './level3_custom': pid 75948
[*] Switching to interactive mode
Hello, World
[*] Got EOF while reading in interactive
$ whoami
[*] Process './level3_custom' stopped with exit code -11 (SIGSEGV) (pid 75948)
[*] Got EOF while sending in interactive
```
I have made sure to adjust exp5.py by using gdb to find the system@plt address, which is 0x401040:

```
~/Downloads/ROP_STEP_BY_STEP/linux_x64 (master*) » gdb ./level3_custom
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
...
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./level3_custom...(no debugging symbols found)...done.
>>> disas callsystem
Dump of assembler code for function callsystem:
   0x0000000000401142 <+0>:     push   %rbp
   0x0000000000401143 <+1>:     mov    %rsp,%rbp
   0x0000000000401146 <+4>:     lea    0xeb7(%rip),%rdi        # 0x402004
   0x000000000040114d <+11>:    callq  0x401040 <system@plt>
...
```
Thank you in advance.
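The two checksec listings above are identical, yet only one binary behaves as expected, which is the point worth taking away: checksec reports coarse hardening properties (canary, NX, PIE, RELRO), not the layout of a particular build, so a script tuned to one build's addresses says nothing about another build with the same flags. The following is an added example, not code from the ROP_STEP_BY_STEP repository or from the issue author. It parses pwntools-style checksec output and a gdb `disas` listing into structured values so the two builds can be compared mechanically; the sample text is constructed from the listings quoted in this issue, and the function names are my own.

```python
"""Parse pwntools checksec output and a gdb disassembly listing, then
compare two builds.  Added example; the sample listings below are
constructed from the output quoted in the issue."""
import re

# Constructed sample: checksec output for the repository's binary.
CHECKSEC_ORIGINAL = """\
[*] '/home/Downloads/ROP_STEP_BY_STEP/linux_x64/level3'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
"""

# Constructed sample: checksec output for the locally compiled binary.
CHECKSEC_CUSTOM = """\
[*] '/home/Downloads/ROP_STEP_BY_STEP/linux_x64/level3_custom'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
"""

# Constructed sample: the gdb 'disas callsystem' listing from the issue.
GDB_DISAS = """\
Dump of assembler code for function callsystem:
   0x0000000000401142 <+0>:     push   %rbp
   0x0000000000401143 <+1>:     mov    %rsp,%rbp
   0x0000000000401146 <+4>:     lea    0xeb7(%rip),%rdi        # 0x402004
   0x000000000040114d <+11>:    callq  0x401040 <system@plt>
"""


def parse_checksec(text):
    """Return (binary_path, {property: value}) from pwntools checksec output."""
    path = None
    props = {}
    for line in text.splitlines():
        m = re.match(r"\[\*\] '(.+)'", line.strip())
        if m:
            path = m.group(1)
            continue
        m = re.match(r"\s*(\w+):\s+(.+)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return path, props


def checksec_diff(text_a, text_b):
    """Return {property: (value_a, value_b)} for every property that differs.
    An empty dict means the hardening flags match; it does not mean the
    binaries share the same addresses or stack layout."""
    _, pa = parse_checksec(text_a)
    _, pb = parse_checksec(text_b)
    keys = set(pa) | set(pb)
    return {k: (pa.get(k), pb.get(k)) for k in keys if pa.get(k) != pb.get(k)}


def plt_call_targets(disas):
    """Map each PLT symbol called in a gdb listing to its call target address,
    e.g. 'callq  0x401040 <system@plt>' -> {'system': 0x401040}."""
    targets = {}
    for line in disas.splitlines():
        m = re.search(r"callq?\s+0x([0-9a-fA-F]+)\s+<([^>@]+)@plt>", line)
        if m:
            targets[m.group(2)] = int(m.group(1), 16)
    return targets


def has_fixed_load_address(props):
    """True when checksec reports the binary as non-PIE (fixed base)."""
    return props.get("PIE", "").startswith("No PIE")


if __name__ == "__main__":
    print("checksec differences:", checksec_diff(CHECKSEC_ORIGINAL, CHECKSEC_CUSTOM))
    print("PLT call targets:", {k: hex(v) for k, v in plt_call_targets(GDB_DISAS).items()})
```

Running it on the two listings reports no checksec differences and recovers `system -> 0x401040` from the gdb output, which is the same value the issue author found by hand. Because the hardening flags agree, whatever makes the custom build fail has to lie in build-specific layout (gadget addresses, buffer size and frame offsets, string addresses such as the `0x402004` operand above), which checksec does not describe.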