一、环境搭建
安装ndk r10e,必须得这个版本,其他版本可能导致 -fno-stack-protector 不生效!
r10e
- Darwin: https://dl.google.com/android/repository/android-ndk-r10e-darwin-x86_64.zip
- Linux: https://dl.google.com/android/repository/android-ndk-r10e-linux-x86_64.zip
- Windows: https://dl.google.com/android/repository/android-ndk-r10e-windows-x86_64.zip
二、Pwn代码编译
VSCode 新建个main.cpp文件,代码如下
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>
#include<string.h>void callsystem()
{write(STDOUT_FILENO, "Flag:XY2024\n", 13); write(STDOUT_FILENO, "call shell...\n", 13); system("/system/bin/sh");
}void vulnerable_function() {int i = 128;char buf[i];read(STDIN_FILENO, buf, 256);
}int main(int argc, char** argv) {char buf[128] = {0};if (argc==2&&strcmp("passwd",argv[1])==0)callsystem();snprintf(buf, 128, "vulnerable_function=%p\n", vulnerable_function); write(STDOUT_FILENO, buf, strlen(buf)); write(STDOUT_FILENO, "Hello, World\n", 13); vulnerable_function();
}新建Android.mk,内容如下:
LOCAL_PATH := $(call my-dir)include $(CLEAR_VARS)LOCAL_MODULE := level6
LOCAL_SRC_FILES := main.cpp
LOCAL_LDLIBS := -llog
LOCAL_CFLAGS += -fno-stack-protector
include $(BUILD_EXECUTABLE)新建Application.mk,内容如下:
APP_ABI := armeabi-v7a
APP_STL := c++_static
APP_CFLAGS += -fno-stack-protector
APP_PLATFORM := android-21cd到项目所在目录,执行编译:
d:\android-ndk-r10e\ndk-build NDK_PROJECT_PATH=. NDK_APPLICATION_MK=Application.mk APP_BUILD_SCRIPT=Android.mk
