5.1 Debug a Defcon mips challenge
nongiach edited this page Jun 8, 2018 · 3 revisions
$ wget https://github.com/JonathanSalwan/ROPgadget/blob/master/test-suite-binaries/elf-Mips-Defcon-20-pwn100?raw=true -O pwn100
$ file pwn100
pwn100: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, for GNU/Linux 2.4.18, stripped
$ arm_now start mips32el --sync
press ctrl+] to kill qemu
Welcome to arm_now
buildroot login: root
# opkg list | grep binutils
binutils - 2.27-1 - The Binutils package contains a linker, an assembler, and other tools for handling object files
# opkg install binutils
Installing binutils (2.27-1) to root...
Downloading https://pkg.entware.net/binaries/mipsel/binutils_2.27-1_mipselsf.ipk
Installing ar (2.27-1) to root...
Downloading https://pkg.entware.net/binaries/mipsel/ar_2.27-1_mipselsf.ipk
Configuring ar.
Configuring binutils.
# readelf -l pwn100 | grep -i entry
Entry point 0x4001a0
# chmod +x pwn100
# gdb ./pwn100
(gdb) b *0x4001a0
Breakpoint 1 at 0x4001a0
(gdb) r
Starting program: /root/pwn100
Breakpoint 1, 0x004001a0 in ?? ()
=> 0x4001a0: move zero,ra
0x4001a4: bal 0x4001ac
0x4001a8: nop
0x4001ac: lui gp,0xfc1
(gdb) info registers
zero at v0 v1 a0 a1 a2 a3
R0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
t0 t1 t2 t3 t4 t5 t6 t7
R8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
s0 s1 s2 s3 s4 s5 s6 s7
R16 004d254c 004d252c 004cc4a7 004b0000 004d2554 77fea5b8 004d250c 00000000
t8 t9 k0 k1 gp sp s8 ra
R24 00000000 00000000 00000000 00000000 00000000 7fdc2cf0 00000000 00000000
status lo hi badvaddr cause pc
0000a713 0003f19f 0000024d 77f0fc00 10800024 004001a0
fcsr fir restart
00000000 00739300 00000000
A full french writeup here: https://blog.frizn.fr/defcon-20/pwn-100
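The `file` and `readelf -l | grep Entry` steps above only work once binutils is installed inside the guest. As an added example (not part of the arm_now project), the following Python reads the same facts straight from the 52-byte ELF32 header on the host: class, endianness, machine and entry point, and turns the entry point into the `b *0x4001a0` breakpoint command used in the gdb session. The header bytes are constructed to mirror what `file` reported for pwn100; they are not taken from the real binary.

```python
import struct

EM_MIPS = 8  # e_machine value for MIPS
MACHINE_NAMES = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 62: "x86-64"}
TYPE_NAMES = {2: "executable", 3: "shared object"}


def parse_elf32_header(data):
    """Parse an ELF32 header; returns endianness, e_type, e_machine and e_entry."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:                      # EI_CLASS: 1 = ELFCLASS32
        raise ValueError("only ELF32 headers are handled here")
    little = data[5] == 1                 # EI_DATA: 1 = little endian (LSB)
    fmt = ("<" if little else ">") + "HHII"
    e_type, e_machine, _e_version, e_entry = struct.unpack(fmt, data[16:28])
    return {"little_endian": little, "type": e_type,
            "machine": e_machine, "entry": e_entry}


def describe(hdr):
    """`file`-style summary, e.g. 'ELF 32-bit LSB executable, MIPS'."""
    return "ELF 32-bit %s %s, %s" % (
        "LSB" if hdr["little_endian"] else "MSB",
        TYPE_NAMES.get(hdr["type"], "type %d" % hdr["type"]),
        MACHINE_NAMES.get(hdr["machine"], "machine %d" % hdr["machine"]))


def gdb_break_command(hdr):
    """Breakpoint on the entry point, as typed in the gdb session above."""
    return "b *0x%x" % hdr["entry"]


def build_elf32_header(little_endian, e_machine, entry):
    """Construct a minimal 52-byte ELF32 header (sample data, not a real binary)."""
    e = "<" if little_endian else ">"
    ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1]) + b"\x00" * 9
    return (ident
            + struct.pack(e + "HHI", 2, e_machine, 1)      # e_type=ET_EXEC, e_machine, e_version
            + struct.pack(e + "I", entry)                   # e_entry
            + struct.pack(e + "III", 52, 0, 0)              # e_phoff, e_shoff, e_flags
            + struct.pack(e + "HHHHHH", 52, 32, 1, 40, 0, 0))  # sizes and counts


# Constructed sample mirroring `file pwn100`: little-endian MIPS executable, entry 0x4001a0.
SAMPLE_HEADER = build_elf32_header(True, EM_MIPS, 0x4001a0)

if __name__ == "__main__":
    h = parse_elf32_header(SAMPLE_HEADER)
    print(describe(h))           # ELF 32-bit LSB executable, MIPS
    print(gdb_break_command(h))  # b *0x4001a0
```

For the real file, replace `SAMPLE_HEADER` with `open("pwn100", "rb").read(52)`; a big-endian (MSB) MIPS binary would need `arm_now start mips32` instead of `mips32el`.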