一、环境搭建
安装ndk r10e,必须得这个版本,其他版本可能导致 -fno-stack-protector 不生效!
r10e
- Darwin: https://dl.google.com/android/repository/android-ndk-r10e-darwin-x86_64.zip
- Linux: https://dl.google.com/android/repository/android-ndk-r10e-linux-x86_64.zip
- Windows: https://dl.google.com/android/repository/android-ndk-r10e-windows-x86_64.zip
二、Pwn代码编译
VSCode 新建个main.cpp文件,代码如下
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>
#include<string.h>
void callsystem()
{
write(STDOUT_FILENO, "Flag:XY2024\n", 13);
write(STDOUT_FILENO, "call shell...\n", 13);
system("/system/bin/sh");
}
void vulnerable_function() {
int i = 128;
char buf[i];
read(STDIN_FILENO, buf, 256);
}
int main(int argc, char** argv) {
char buf[128] = {0};
if (argc==2&&strcmp("passwd",argv[1])==0)
callsystem();
snprintf(buf, 128, "vulnerable_function=%p\n", vulnerable_function);
write(STDOUT_FILENO, buf, strlen(buf));
write(STDOUT_FILENO, "Hello, World\n", 13);
vulnerable_function();
}新建Android.mk,内容如下:
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := level6
LOCAL_SRC_FILES := main.cpp
LOCAL_LDLIBS := -llog
LOCAL_CFLAGS += -fno-stack-protector
include $(BUILD_EXECUTABLE)新建Application.mk,内容如下:
APP_ABI := armeabi-v7a
APP_STL := c++_static
APP_CFLAGS += -fno-stack-protector
APP_PLATFORM := android-21cd到项目所在目录,执行编译:
d:\android-ndk-r10e\ndk-build NDK_PROJECT_PATH=. NDK_APPLICATION_MK=Application.mk APP_BUILD_SCRI
